Stax Access

Learn how access to Stax is managed.

Article Tags
On This Page
Managing Stax Console AccessManaging Stax API AccessManaging Stax Cost & Compliance Module AccessAuditingWeb Application Firewall (WAF)See also

Access within Stax is governed by the Stax Identity Broker. This is hosted in your Security account, and as such, it is recommended that only a select group of users have access to this account.

Stax deploys AWS IAM resources, including IAM Roles and Identity Providers, into all of your accounts in order to manage your Stax access. These are utilized by the Stax Identity Broker to enable you to SSO into your accounts and allow Stax automation services to create and update Stax resources. They also allow Stax Engineers access to your account, however, accounts will only be accessed upon receipt of your written approval.

If you have an external identity provider, such as Okta, Ping or Azure AD, Stax allows you to integrate your identity provider with the Stax Identity Broker so that you can federate your own user base into Stax.

There are two methods for accessing Stax resources - the Stax Console and the Stax API. Further information about managing access is provided below.

Managing Stax Console Access

Managing Stax Console access is done through the Users section in the customer menu. All users of your Stax instance are listed on the Users page and can be created and deactivated as required.

Three roles exist for governing Stax Console access:

  • Admin: Provides unrestricted access to Stax
  • User: Provides restricted access, particularly in regard to user management
  • Read Only: Provides read access only for Stax

See Stax Permissions for more detail on these roles.

Federated Users

Federated users are users that have been granted access to Stax by your external Identity Provider. These users will show up in the Users list, however, their details cannot be edited. These must be edited in your Identity Provider. Stax only allows the below actions to be made against a Federated user:

  • Deactivate user
    • Available via the Console
    • Available via the API (PUT /20190206/idam/user/{user_id})
  • Delete user
    • Available via the API (DELETE /20190206/users/{user_id})

Managing Stax API Access

Stax provides two types of credentials for authenticating to the Stax API - Stax API Tokens and Session Credentials. The credentials serve different purposes and your use case will dictate which type of credentials you will use.

As per the roles provided for Stax Console access, three roles exist for both sets of credentials:

  • Admin: Provides unrestricted access to Stax
  • User: Provides restricted access, particularly in regard to user management
  • Read Only: Provides read only access for Stax

Further information about authenticating to the Stax API, see the documentation.

Managing Stax Cost & Compliance Module Access

If you're subscribed only to the Stax Cost & Compliance module, you have access to two levels of user permissions: Admin and User.

  • User
    • Provides access to cost and compliance components
  • Admin
    • All access of Standard, plus;
    • View and edit cost allocation settings
    • Create, view, and edit Views
    • Create, view, and edit Rules
    • Add and remove Rule Bundles

You can manage membership of these roles either on the User Admin page, or using Single Sign-On.


Stax audits every single login action that occurs within your Stax Instance. This includes successful logins, incorrect passwords and user detail updates.

Web Application Firewall (WAF)

The Stax Identity Service is protected by AWS WAF, which is a security control that helps ensure that your access to Stax remains secure, reliable and highly available. Logs from the WAF protecting your Identity Service are sent to an S3 bucket in your Security account labelled stax-idam-waflogs-<security_account_aws_account_id>.

See also