Policies

Learn about Stax Policies

On This Page
Why Use Stax PoliciesLimitationsConsiderationsExamplesFurther InformationSee also

Stax Policies are AWS Service Control Policies that can be attached to a Stax Organization or an Account Type. Stax allows you to create and attach Policies to your Organization and Account Types.

Stax attaches a default Policy to your Organization in order to protect Stax resources and maintain the integrity of the platform. This policy cannot be removed. In addition, Stax provides a number of predefined Policies that you can attach to your Organization or Account Types.

Policies Overview

Why Use Stax Policies

Stax Policies allow you to utilize the AWS Organization Service Control Policy system to limit the maximum available permissions for accounts within your Stax Organization.

Policies attached at the Organization level will apply Policy permissions to all of your Stax AWS accounts.

Policies attached at the Account Type level will apply Policy permissions to all Stax AWS accounts within that specific Account Type.

Limitations

  • You can attach up to three policies to your Stax Organization
  • You can attach up to four policies to an Account Type

If you need to attach more policies to an Organization or Account Type, you should consider combining multiple policies where appropriate.

Considerations

While Stax Policies utilizes AWS's Service Control Policies framework, Stax introduces some guardrails to help ensure ensure the application of your policies align with best practice. One of these is to take a "100% Deny" approach to writing Policies. What this means, in practise, is that you can only use the Deny Effect when crafting your Policies. Any use of the Allow Effect will cause the Policy to fail to deploy.

Examples

Below are example Policies which can be adapted and deployed into Stax. Remember to validate the policies to ensure they meet your individual requirements before applying them to your organization.

Restrict AWS services a region

Using this policy, you can restrict AWS services to the ap-southeast-2 (Sydney) region.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyAllOutsideAU",
            "Effect": "Deny",
            "NotAction": [
                "a4b:*",
                "artifact:*",
                "aws-portal:*",
                "budgets:*",
                "ce:*",
                "chime:*",
                "cloudfront:*",
                "cur:*",
                "datapipeline:GetAccountLimits",
                "directconnect:",
                "globalaccelerator:*",
                "health:*",
                "iam:*",
                "importexport:*",
                "mobileanalytics:*",
                "organizations:*",
                "resource-groups:*",
                "route53:*",
                "route53domains:*",
                "s3:GetBucketLocation",
                "s3:ListAllMyBuckets",
                "shield:*",
                "sts:*",
                "support:*",
                "tag:*",
                "trustedadvisor:*",
                "waf:*",
                "wellarchitected:*"
            ],
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {
                    "aws:RequestedRegion": [
                        "ap-southeast-2",
                        "us-east-1"
                    ]
                }
            }
        }
    ]
}

Enforce encryption for all S3 buckets

Using this policy, you can prevent users from creating S3 buckets that are not encrypted.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyIncorrectEncryptionHeader",
            "Effect": "Deny",
            "Action": "s3:PutObject",
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {
                    "s3:x-amz-server-side-encryption": "AES256"
                }
            }
        },
        {
            "Sid": "DenyUnEncryptedObjectUploads",
            "Effect": "Deny",
            "Action": "s3:PutObject",
            "Resource": "*",
            "Condition": {
                "Null": {
                    "s3:x-amz-server-side-encryption": true
                }
            }
        }
    ]
}

Further Information

You should familiarize yourself with Service Control Policies before beginning to write and apply your own. Test Policies against an Account Type with a limited scope before applying them broadly to your production Account Types or to your entire Organization. The incorrect application of a Service Control Policy could directly impact multiple AWS accounts and Stax Users.

See also