Learn about Stax Policies
Stax Policies are AWS Service Control Policies that can be attached to a Stax Organization or an Account Type. Stax allows you to create and attach Policies to your Organization and Account Types.
Stax attaches a default Policy to your Organization in order to protect Stax resources and maintain the integrity of the platform. This policy cannot be removed. In addition, Stax provides a number of Stax-defined Policies that you can attach to your Organization or Account Types. It is important to note that only three policies can be attached to an Organization and only four policies can be attached to an Account Type.
Why Use Stax Policies?
Stax Policies allow you to utilize the AWS Organization Service Control Policy system, despite the fact that you do not have direct visibility or access to AWS Organizations.
Policies attached at the Stax Organization level will apply Policy permissions to all your Stax AWS Accounts.
Policies attached at the Account Type level will apply Policy permissions to all Stax AWS Accounts within that Account Type.
While Stax Policies utilizes AWS's Service Control Policies framework, Stax introduces some guardrails to help ensure ensure the application of your policies align with best practice. One of these is to take a "100% Deny" approach to writing Policies. What this means, in practise, is that you can only use the Deny Effect when crafting your Policies. Any use of the Allow Effect will cause the Policy to fail to deploy.
We highly recommend you familiarize yourself with Service Control Policies before beginning to write and apply your own. The incorrect application of a Service Control Policy could directly impact multiple AWS accounts and Stax Users.