Learn how access to AWS is managed using Stax
Using Groups within Stax allows you to manage a user's AWS access. It allows you to allocate members to a Group and assign AWS account roles to this Group on a per Stax Account Type basis. Groups has no governance over Stax based permissions, only AWS role based permissions which are determined by the policy attached to each role.
Within a Group, a list of all the Account Types within your Organization is displayed. For each Account Type, an AWS role can be assigned. In doing so, the Group inherits the assigned role's permissions for all the Accounts within the selected Account Type. A Group can inherit roles from multiple Account Types.
Three roles exist for governing AWS access:
- The AdministratorAccess managed policy is used
- The role name in AWS is staxid-admin-role
- It provides unrestricted access to AWS
- The SystemAdministrator managed policy is used
- The role name in AWS is staxid-developer-role
- It provides restricted access, particularly in regard to user management
- Read Only
- The ReadOnlyAccess managed policy is used
- The role name in AWS is staxid-readonly-role
- It provides read access for AWS only
See AWS Permissions for more detail on these roles.
Stax records and logs all AWS Identity and Access Management (IAM) events within your AWS accounts, to ensure a complete audit trail exists for user access.