Stax implements Service Control Policies (SCPs) to protect critical Stax resources within AWS accounts. Working within the boundaries of these SCPs requires some basic consideration.
To protect critical resources required for the operation of Stax's features and functionality, a default SCP (either stax-protection-standard or stax-protection-partner) is attached to the root in your AWS Organization. This mandatory SCP can be reviewed in the Policies section of the Stax Console.
There are resource name prefixes reserved for use by Stax. Resources created with these prefixes will either be hidden or have access to them disabled by the SCP.
The reserved prefixes are:
Avoid creating resources that begin with any of these prefixes. In most cases AWS and Stax will prohibit you from creating resources using these prefixes. Stax is unable to provide support for editing/updating resources that are created using these prefixes. If you inadvertently create resources using these prefixes, please raise a support case to discuss options for regaining control of the resource.
Stax is unsupported in some AWS regions. This is due to the absence of mandatory AWS services. See Supported Regions for more detail on which regions are supported.
The stax-protection-unsupported-region SCP applies to organizations with an account ownership model whereby the customer owns the management account. This SCP is attached to the root in your AWS Organization. For organizations with a reseller-owned management account, the stax-protection-unsupported-resell SCP is applied. This SCP is attached to the root in your AWS Organization and has additional controls in place to prevent the inaccurate display of some billing information in Stax-managed AWS accounts.
Stax Assurance applies hardening to minimize security risks and vulnerabilities within your AWS accounts. The Security and Logging accounts play a central role within the Stax Assurance process. To ensure that the hardening performed by Stax Assurance is not compromised, Stax applies the foundation SCP to the Security and Logging accounts.