Onboard an External Account
Onboarding AWS Accounts created outside of Stax.
Stax allows you to onboard existing AWS accounts that have been discovered from an AWS Organization created outside of Stax. Onboarding external accounts to Stax gives you the ability to manage all of your AWS Accounts centrally within Stax and fully leverage its benefits and features.
Prior to onboarding your accounts, you must complete Organization Onboarding. This will onboard your new or existing AWS Organization to the Stax Platform. Once this is complete, AWS accounts within your AWS Organization will appear in Stax as Discovered Accounts. Discovered Accounts can then be onboarded into Stax via the process further below. To get started with Organization Onboarding, please contact Stax via a Support Case.
As part of Stax Account Onboarding, Account Assurance will be run against your account to help minimize security risks and vulnerabilities and improve the compliance posture of the account. Existing implementations of services such as Amazon GuardDuty, AWS Config and AWS CloudTrail will be reconfigured by Stax in accordance with the CIS AWS Foundation Benchmark and the AWS Well-Architected Framework. So that Stax can reconfigure these services, you first need to make changes to your current configuration for them. Please follow the steps below.
Re-configure AWS Config
You must perform the following tasks in each AWS region for the accounts to be onboarded. The steps below describe performing these tasks using the AWS CLI, but you can also use the AWS API or SDK if preferred.
Use the delete-configuration-recorder command to delete your current configuration recorder:
$ aws configservice --region ap-southeast-2 delete-configuration-recorder --configuration-recorder-name default
Use the delete-delivery-channel command to delete the delivery channel:
$ aws configservice --region ap-southeast-2 delete-delivery-channel --delivery-channel-name default
Re-configure Amazon GuardDuty
Access the AWS CLI, Amazon GuardDuty API or one of the AWS SDKs
Use the delete-members command to delete GuardDuty members:
AWS CLI: $ aws guardduty delete-members --detector-id <value> --account-ids <value>
Use the delete-detector command to delete the GuardDuty detector:
AWS CLI: $ aws guardduty delete-detector --detector-id <value>
For assistance running the above commands, please contact Stax via a Support Case.
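The two clean-up procedures above, combined into one read-only planning script that covers every region you name. This is an added example, not Stax's own tooling: the function names (plan_config, plan_guardduty, plan_all) and the --plan switch are made up here, and it assumes the AWS CLI is configured with credentials for the account being onboarded.

```shell
#!/bin/sh
# Added example: prints, for each region, the delete commands from the steps
# above with real recorder/channel names and detector IDs filled in.
# It only reads from AWS; nothing is deleted until you run the printed lines.

# AWS Config: one delete line per recorder and per delivery channel found.
plan_config() (
  region=$1
  for name in $(aws configservice describe-configuration-recorders \
      --region "$region" --query 'ConfigurationRecorders[].name' --output text); do
    echo "aws configservice --region $region delete-configuration-recorder --configuration-recorder-name $name"
  done
  for name in $(aws configservice describe-delivery-channels \
      --region "$region" --query 'DeliveryChannels[].name' --output text); do
    echo "aws configservice --region $region delete-delivery-channel --delivery-channel-name $name"
  done
)

# GuardDuty: the steps above delete members before the detector, so print in that order.
plan_guardduty() (
  region=$1
  for det in $(aws guardduty list-detectors --region "$region" \
      --query 'DetectorIds[]' --output text); do
    # Text output is tab-separated; the CLI wants space-separated account IDs.
    members=$(aws guardduty list-members --region "$region" --detector-id "$det" \
      --only-associated false --query 'Members[].AccountId' --output text | tr '\t' ' ')
    if [ -n "$members" ]; then
      echo "aws guardduty --region $region delete-members --detector-id $det --account-ids $members"
    fi
    echo "aws guardduty --region $region delete-detector --detector-id $det"
  done
)

# Build the plan for every region given as an argument.
plan_all() (
  for region in "$@"; do
    plan_config "$region"
    plan_guardduty "$region"
  done
)

# Usage: sh plan.sh --plan ap-southeast-2 us-east-1 > review.txt
if [ "${1:-}" = "--plan" ]; then
  shift
  plan_all "$@"
fi
```

A region that prints nothing has no recorder, delivery channel or detector left to remove.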
Onboard an External Account
The following steps provide an overview on how to onboard a Discovered account in Stax.
Before You Begin
- Complete Organization Onboarding
- Reconfigure the services above
- Ensure you are an Admin of your Stax tenancy. See Stax Permissions for more details.
- If you would like to assign a new Account Type for this account, you will need to create this before you onboard your account (see Managing Account Types).
- Estimated time to complete: 5 minutes
Get Started by Navigating to Your Discovered Account
- Log in to the Stax Console
- Select Accounts from the left-hand navigation. To see all accounts that have been discovered, filter by the status Discovered
- Select the Account you would like to onboard to Stax. The Account details drawer will open
- Click Get Started
Confirm You Would Like to Onboard Your Account
You will be taken through the following stages.
As part of Stax Account Onboarding, Account Assurance will be run against your account. Existing implementations of management products such as Amazon GuardDuty and AWS CloudTrail will be reconfigured by Stax in accordance with the CIS AWS Foundation Benchmark and the AWS Well-Architected Framework.
- Click Continue to proceed
Review your account details.
- Update the Account Name or onboard it into Stax with its original name
- Select an Account Type
- Add tags to your account if you wish
- Click Continue
Ensure you understand what is changing as part of Stax Account Onboarding.
- Once you have read and understood the information provided, select the acknowledgment check box
- Select Submit
Track the Progress of the Onboarding of Your Account
Once you have confirmed, the account’s status will transition to Onboarding and Stax will begin the Account Onboarding process.
- Clicking on an account with a status of Onboarding will open the Account Details Drawer revealing the real-time progress of the onboarding and Account Assurance process.
Once the account has finished Onboarding, its status will be Active and it will be ready to use. You and your team can access it via the Stax Console or AWS Access CLI (if you are utilizing the Stax user management service).
Resolve Discovery & Onboarding Issues
Accounts that have failed Discovery or Onboarding may require action to be taken by either Stax or the account owner. These accounts will be shown in the Stax Console with a status of Error.
To enable fast resolution of Discovery and Onboarding issues, Stax provides the following functionality, which is accessible in the details drawer of accounts in Error:
- Submit a Stax Support Case via the quick link, which will pre-populate the Support Case with the error details.
- Select Retry for an account that has failed discovery to attempt this process again.
- Select Retry for an account that has failed onboarding to attempt this process again.