Learn about Stax Accounts.
The Stax Accounts feature allows you to securely and easily create, view and centrally manage your AWS Accounts and get started deploying applications, workloads and resources. You can create and manage accounts within the Stax console or via the Stax API to gather detailed information about your accounts, onboard any existing accounts living outside of Stax, and apply security control policies to groups of accounts called Account Types. You have SSO access to the AWS Console/CLI for these accounts through Stax if you wish to natively utilize the AWS services.
About Stax-Managed AWS Accounts
All AWS Accounts created via Stax are hardened with security configurations that help you to achieve compliance with the CIS AWS Foundations Benchmark. This hardening is applied via the Account Assurance process. You are provided with two AWS Accounts upon activation of your Stax Customer — a Security Account and a Logging Account. These accounts are referred to as the Foundation Accounts and are used for security controls, threat detection, audit controls, and log retention.
The Security and Logging Accounts are each allocated to their own individual Foundation Account Types — the foundation-security Account Type and the foundation-logging Account Type, respectively. Both are protected by a mandatory Policy called the foundation Policy. This Policy protects resources within the Foundation accounts that provide your critical Stax services.
Foundation Stax AWS Accounts
Below is an overview of the Foundation Accounts that are provided as part of your Stax instance.
The Stax Logging Account holds log records for Stax and AWS activity that occurs in your Stax environment and Stax AWS Accounts. As part of Account Assurance, Stax enables AWS Config, AWS CloudTrail, and AWS Systems Manager Agent logging on each of your Stax-managed AWS accounts. The logs generated by these services are sent to individual S3 buckets in your Logging account. Furthermore, if you have enabled VPC flow logs for VPCs created by Stax Networks, these logs will also be sent to your Logging account. Only users within your Stax instance can be granted access to these logs.
The main purpose of the Logging Account is to store logging records of activity occurring in all of your Stax managed AWS Accounts, and to retain audit information pertaining to the Stax user management service provided when you are first set up.
We recommend you also utilize this account for similar purposes for any of your workloads, so that the central Logging Account becomes the source of truth for all audit and log information that, if desired, would only be available to a select few users.
The Security account is used to manage security-related controls and services. As part of Account Assurance, Stax hardens all the accounts you create with security controls. Amazon GuardDuty is one of these controls and the Security account functions as your Amazon GuardDuty master.
The Security account also hosts the Stax Identity Broker. This service is responsible for managing all access to the Stax console and Stax API, as well as single sign-on (SSO) into your Stax accounts.
The main purpose of the Security Account is to keep security controls centralized. It is recommended that you utilize this account for similar purposes with any of your security-related workloads. All security-related controls should reside in a central Security Account.
Account Compliance Score
Within the Stax Console, customers can view each account's compliance score. Representing the risk and compliance posture of each account, the score is evaluated against the Stax Foundation Compliance Rule Bundle which is based on the CIS AWS Foundations Benchmark, the AWS Well-Architected Framework and Stax security and best practice guidelines.
An External Account is any AWS Account that has been discovered by Stax as part of onboarding an AWS Organization with existing application accounts. These accounts have not been created within Stax using the Create Account feature but can be optionally onboarded and managed alongside your other accounts in Stax. External Accounts can be identified by their origin.
An account can have an origin of Stax or External.
- Accounts with an origin of Stax were created within Stax.
- Accounts with an origin of External were not created in Stax but have been discovered or onboarded into Stax. Regardless of their status, External Accounts can always be identified by their origin value.
The status of an account in Stax represents its lifecycle or stage. Valid account statuses include:
INITIALIZING: An account has been created within Stax and Account Assurance is in progress.
DISCOVERED: An External Account has been linked to your Stax Organization and is visible in the Stax Console.
- Discovered Accounts have the following attributes:
- The account has an IAM role called stax-provisioning, allowing Stax to access the account
- The account is ready to be onboarded into Stax
- The account has not been run through Account Assurance
- The account's compliance score is available
- Discovered Accounts have the following attributes:
ERROR: Issues have occurred during discovery or onboarding of the External Account. A detailed message will be shown.
ONBOARDING: The External Account is being run through Account Assurance and applying security controls.
ACTIVE: Account Assurance has successfully completed and the account is ready for use.
- Both Stax and External Accounts are active after Account Assurance has been run against the account.
SUSPENDED: Stax have marked the account as suspended, preventing users from logging into the account.
MAINTENANCE: The account is undergoing maintenance and is unavailable.
CLOSED: The account has been closed in AWS.
Stax AWS Account Features
Stax allows you to:
- Create an account
- Apply a name to an account (this also operates as an AWS Account Alias value)
- Tag an account
- Mark accounts as favorites
- Filter accounts by status
- Sort accounts by column
- Group accounts using Stax Account Types
- Apply policies to an Account Type using Stax Policies
- Discover and onboard External Accounts to Stax