Users can be granted different levels of access to both Stax itself, and to the AWS accounts managed by Stax. The Stax Identity Service governs access to Stax and to Stax-managed AWS accounts.
This guidance assumes that your AWS accounts are Stax-managed. If you only have the Cost & Compliance module, review this article instead.
The Stax Identity Service is hosted in the security account. As such, it is recommended that only trusted administrators have access to this account.
IAM resources, including roles and identity providers, are deployed by Stax into all Stax-managed AWS accounts. These are used by the Identity Service to enable single sign-on into these accounts. It also allows Stax's automation to create and update resources.
The Identity Service also facilitates access for Stax engineers in the event that you require Stax's support team to access your accounts. This access, however, is only available upon receipt of written approval via a support case.
Stax can be accessed using either the Stax Console in a web browser, or the Stax API (either directly or via the SDK). Access to the Console is restricted to Users, and access to the API and SDK is permitted using API Tokens.
Management of Stax Console access is via the Users page in the customer menu. Users of your Stax tenancy are listed on the Users page and can be created, edited, and deactivated as required.
Stax provides four roles for governing access to the Stax Console and API:
- Admin: Provides unrestricted access to Stax
- User: Provides restricted access to Stax, most notably with regard to user management
- Read Only: Provides read-only access to Stax
- Cost & Compliance Admin: Provides read-only access to Stax, except for the Cost & Compliance module, where admin levels of access are granted. This role is available for Console users only
See Stax Permissions for more detail on these roles.
While Stax can be accessed using local credentials where Stax stores user credentials, the recommended practice is to enable Single Sign-On by federating Stax with your corporate identity provider (for example, Okta, Ping, or Azure AD). This allows integration of your existing user base, credentials, and security protections into Stax.
Federated users are automatically provisioned in Stax when they first access Stax using your corporate identity provider. These users will appear in the user list on the Users page in Stax (with a checkmark in the Corp. ID column), however their details are unable to be edited. Any changes to federated users must be edited in the corporate identity provider. Federated users can only be deactivated in the Stax Console, or deactivated/deleted via the API.
Accessing Stax-managed AWS accounts
Stax provides native single sign-on into Stax-managed AWS accounts. Users can sign in to AWS accounts via the Stax Console using any roles assigned to them by their group membership.
Groups are assigned a certain level of privilege to Account Types. Access must be granted at the group to Account Type level, it is not possible to assign users access to accounts directly.
There are built-in roles that map to AWS managed policies. If the built-in roles are insufficient, customized roles can be deployed using Permission Sets.
The built-in roles are:
- Admin: maps to the AWS AdministratorAccess managed policy, providing unrestricted access to the AWS account. This role shows in the AWS console and logs as staxid-admin-role
- Developer: maps to the AWS SystemAdministrator managed policy, providing restricted access to the AWS account. This role shows in the AWS console and logs as staxid-developer-role
- Read Only: maps to the AWS ReadOnlyAccess managed policy, providing read-only access to the AWS account. This role shows in the AWS console and logs as staxid-readonly-role
When users authenticate to Stax-managed AWS accounts using the Stax Identity Service, audit information is recorded in the logging account.