Before Stax can complete the onboarding operations for your AWS Organization, you must first perform some preparation tasks.
About Organization Onboarding
To enable Stax's onboarding operations to complete, you must first deploy a role that permits Stax's Control Plane to access your AWS Organization's management account. Once the role has been deployed, Stax's onboarding process will validate that the role is deployed successfully. Once validated, the first of the Stax Assurance tasks will take place:
- Enable any required AWS Organization features that are not yet enabled
- If any member accounts exist in the AWS Organization, access to them will be validated to ensure they are ready for discovery
- The Stax tenancy will be finalized and an invitation email will be dispatched to the nominated administrator
Individual AWS accounts will not be onboarded to Stax at this time, simply displayed in the console. Account onboarding can be performed per account when ready, rather than needing to onboard all accounts at once.
New AWS Organizations
If you're new to AWS, or are setting up a new AWS Organization, Stax can create the Organization on your behalf. For those organizations with a direct AWS billing relationship, you'll need to provide Stax with the details of the AWS account that will be the Organization management account. If it's not already set up as a management account, Stax will create the Organization on your behalf. For organizations under a resell agreement, Stax will work with your reseller to create the new Organization management account.
Preparing an AWS Organization for Onboarding
Deploy the Stax-Provisioning IAM Role
To prepare your AWS Organization for onboarding, you must first deploy an IAM Role granting Stax access to the management account. It is recommended that the stax-Provisioning role be deployed following the guidance in Deploy the Stax-Provisioning Role to Allow Stax Onboarding.
For every other AWS account in your AWS Organization, evaluate whether the OrganizationAccountAccessRole IAM Role exists. This role is created when AWS accounts are created using AWS Organizations. In some instances, such as when an AWS account is imported into an existing organization, this IAM role may not exist. In the case when the role is not present, deploy the Stax-Provisioning role in each of these accounts as well. This will ensure Stax is able to deploy the components it needs into each AWS account within the organization.
Configure Organization Services
When the Stax Assurance process runs against the management account, it will attempt to reconfigure some services. In order to reconfigure some of these services, please follow the guidance in Reconfigure Services to Prepare for Stax Onboarding for the management account.
Verify Organizational Account Access
If you have existing member accounts in your AWS Organization, ensure that the OrganizationAccountAccessRole role exists in each account. If the role does not exist, it may mean the account was invited to your AWS Organization, rather than being created within it. This role must be created in each invited account using the steps described here in order for Stax onboarding to complete.
Configure IAM Billing Access
Follow Step 1 in the AWS Delegate access to the billing console tutorial. This will enable non-root users to access appropriate billing information in the Stax console. This is a requirement for Stax to function.
Increase AWS Service Limits
Follow the guidance in Quotas for AWS Organizations to increase your AWS Organization's AWS account limit to 50. If prompted for a description, consider:
This Organization management account will be used by a SaaS platform that creates AWS accounts on our behalf. It requires the limit increased to achieve this.
The account limit increase must be completed before Stax provisioning can complete.
Commence AWS Organization Onboarding
When the tasks above have been completed, inform your Customer Success Manager or onboarding team member that you've completed them, and that you're ready to commence the onboarding process.
Once the Stax tenancy is created, member accounts within the AWS Organization, if they exist, will be in the DISCOVERED state. This means Stax can access the account and perform validation of its posture and status, but no changes will be made to the accounts.
When ready to onboard accounts, follow the procedure covered in Onboard an AWS Account to Stax.