This guidance assumes you're subscribed to only the Stax Cost & Compliance module. If your AWS accounts are Stax-managed, Stax takes care of this for you.
Stax accesses your AWS metadata using AWS best practices, as described here. This access is provisioned using a CloudFormation template that creates the IAM Role Stax needs.
To deploy this stack, your identity in AWS needs permission to create this stack in AWS. Specifically:
If your IAM credential has the AdministratorAccess managed policy attached, then these are included.