Stax on Stax
12 Mar 2020
Why Stax Account Automation Matters
Prior to the introduction of AWS Organizations back in 2016, creating multiple AWS accounts for use within your company or organization was a tedious endeavour. Along with the manual process of creating each AWS account, gaining a consolidated overview of these accounts was an extremely involved task, particularly if your organization had different sets of accounts per division. This process would generally require some third party tools or some manual "account keeping" processes to keep track.
Your Current Workflow (Probably)
With the introduction of AWS Organizations, AWS provided the ability for consumers to create a single AWS account through the normal sign-up process, and then enable AWS Account Organizations within the account, essentially marking it as the "master" AWS account for an organization.
This “master” account then had the ability to manage your other AWS member accounts, consolidate billing, as well as perform broader governance over all your accounts.
This then led to a streamlined and straightforward method for creating a new AWS account as a member or child account of your AWS Organization. This was a welcome change for those maintaining large AWS account sets for organizations. However, when a feature like this—one that streamlines and simplifies a previously complex process—becomes available, it can introduce further potential for risk and negative financial impacts. In this case, these impacts would arise if a new account was not adequately "set up" after creation.
Some organizations may have had a dedicated team or individuals whose sole purpose would be to set up and maintain each AWS account individually. In practice, this could involve manually creating the account within the AWS Organizations page, and then having to deploy required services to each new account to set up user access, security controls and any other requirements that needed to be handled when a new account is created.
I have no doubt a number of organizations are heavily utilizing this feature. More than likely they have this process automated, potentially to the point where one of their users can click a button and an AWS account is created with all the organization’s requirements and settings handled automatically. But that’s not every organization.
Reading this, you may be realizing that you’re not as automated as you may have thought. You may have staff going through a somewhat manual process, and it could take hours to days for a new AWS account to be ready for use.
Despite the premise of AWS, that it removes the shackles of physical hardware limitations giving users the ability to essentially begin working on a project immediately, some organizations still may be having a hard time making AWS accounts readily available, accessible, secure and compliant within a short period of time. This is where Stax, and Stax’s AWS account automation feature, really shines.
The AWS Accounts Stax Provides Immediately
As outlined in the initial section, your current experience with AWS account creation may be one of pure ease or more often, one of frustrating delay. You could have a ready-to-use AWS account with a click of a button, or after a delay of days while someone or something provisions an AWS account for you in a usable state.
The team at Stax are all too familiar with both ends of the spectrum, which is why we worked hard on making it easier.
When you first sign up as a Stax customer, you’re provided with three AWS accounts:
- A master AWS Organization account
- A Logging Account
- A Security Account
Each of these accounts has a specific purpose, which I’ll discuss below.
The Stax Master Account
When you first sign up to Stax, we allocate a pre-configured AWS master account, with AWS Organizations already enabled. This means you’re not directly sharing any of the capacity that AWS Organizations offers with other Stax customers.
This also gives Stax the ability to consolidate your billing and dedicated configuration for your journey with our platform.
Depending on the customer plan you choose, you may or may not have direct access to this AWS account. If you opt for the non-ownership plan, Stax can definitely investigate any requests that require interaction with the master billing account in regards to AWS Organizations.
Within this account, we do not provision or run any Stax managed services that would introduce costs, as we simply access the account when necessary to perform tasks you request via the Stax API or Console.
The Logging Account
When you sign up to the Stax platform, we also provision logging and security accounts for you. The Logging Account becomes a segregated AWS account for collating all activity within your Stax organization. For example, we enable AWS CloudTrail for all your AWS accounts. This data is populated and stored in an encrypted AWS S3 bucket. We also log SSM Session manager sessions, as well as provision an AWS S3 bucket containing an audit log of actions performed by your users against the Stax platform.
The Security Account
The Security Account is similar in purpose to the Logging Account. This account is your AWS GuardDuty master account, controls services like AWS CloudTrail, and also contains the identity provider service Stax uses to allow you and your users to log in.
These two accounts are created in line with the AWS Well Architected Framework, to provide a central, secure place to store all relevant logging information, as well as providing a centralized account for you to maintain any desired security tools, while again limiting access to this account.
Within these accounts, Stax does provision some resources that do incur small ongoing fees.
What About Automation For New Accounts?
Now I've provided an overview of the initial account creation, it's time to talk about how Stax automates and maintains your AWS Accounts for you in a clean, trouble-free manner.
The first, important thing to note: Stax provides the ability for you as a customer to create an AWS account and have it ready and available for your users in less than 10 minutes!
OK, 10 Minutes Is Great, but How Are You Doing This Better than We Could?
From the basic account creation perspective, all you need to provide is the name you wish to give the AWS account, the Account Type in which it needs to reside, and any tags you wish to attach to this AWS account. You can do this via the customer console or via the Stax API.
Once you select ‘create’, Stax will:
- Assign your AWS Account to the relevant Account Type.
- Apply any relevant Stax policies based on the selected account type.
- Set up AWS CloudTrail, which will immediately start providing an AWS audit log for actions taken within the account, which will also be logged to your Stax provided logging account.
- Set up AWS Config, which will immediately start recording configuration actions within the account for later assessment.
- Enable and setup GuardDuty, which will be linked to your GuardDuty master which resides in the Stax provided security account.
- Enable SSM Session Manager logging, which will keep records of which users are accessing your instances and when they do so.
- Enable immediate AWS user access to the account using the Stax identity service to users assigned to a correct group and the permissions set.against the Account Type you specified at creation
- Enable the Stax Event Bus. This allows us to keep an eye on information such as your service limits, maintaining the status of your AWS account and also providing us the ability to log auditable actions that are invoked by your users using the Stax platform.
- Automatically set up your new AWS account with our Compliance and Cost features, this means you will begin receiving compliance and cost information for the account straight away as part of the creation step.
- Finally, remove the default VPC from all AWS regions within the account, to keep in line with compliance rules.
All relevant tasks mentioned above are performed in each AWS region for the account where applicable
There will be a follow up blog post which will deep dive into the specifics of what is happening with each step mentioned above, so keep an eye out for it.
But Can’t We Do This Ourselves?
You may or may not be performing some or all of the above already—well done if you are—but using Stax can still help, in the following ways:
Again, let’s be real: having an AWS account fully provisioned, compliant, accessible and auditable within 10 minutes is nothing to sneeze at.
While enabling auditing tools like CloudTrail and GuardDuty immediately is great, Stax also provides immediate, easy-to-use user granularity and group settings to determine which of your users can access your newly created account.
Everything Stax does during that first AWS account creation process meets compliance standards and ensures you get the best possible start.
Ongoing Cost and Compliance Visibility
It’s one thing to be provided with a compliant AWS account on day one, it’s another to be given the tools and data to maintain compliance and minimize costs over time.
The Best Possible Start
The account is configured in other ways that provide you with the best possible start in cloud. For example, by ensuring the default VPC is removed, users can't immediately start exposing potentially secure data on the public internet.
The Stax team is constantly improving Account Assurance, so when changes are made or AWS makes adjustments that can potentially impact you, you can rest assured that Stax will make sure your AWS accounts are updated to match.
You may be in an organization that is following all of these steps. More likely, you're not. Maybe your organization only does the basics, or does them in an inconsistent way. Hand on heart, can you guarantee that every new AWS account is set up perfectly?
If you use Stax, the answer to that question is simple: new AWS accounts will always be created properly, nearly instantly, without you having to worry about properly configuring them. You and your team will spend less time waiting for new accounts, or tweaking the settings and maintaining them. You'll just use them.