Stax allows you to create and manage your AWS Application Accounts from within a single console. Learn more about the best practices.
You'll need to be familiar with a few terms. Some you may be aware of, some may be brand new to you.
- AWS Application Accounts (accounts) are your normal AWS accounts that hold the AWS resources you've provisioned
- Stax Tenancy is your unique Stax Console view you log into. It gives you the ability to provision AWS Application Accounts, as well as to deploy workloads and review your cost and compliance considerations
- Account Types are account groupings within the Stax platform. Account Types have zero or more AWS Application Accounts associated with them and are used as security and Stax Policy boundaries
- Policies are a Stax concept that allows you to apply controls to AWS Application Accounts associated with a particular Stax Account Type. Policies map very closely to AWS Service Control Policies in both syntax and functionality
AWS Application Accounts (accounts) are used to house applications, Workloads and resources. When your Stax Tenancy is created, you'll have two "default" accounts: Security and Logging. These accounts are used to provide security controls, threat detection, audit controls and log retention.
You can create new accounts at the click of a button. All accounts created via Stax include a default security hardening configuration, which helps you to achieve compliance with the CIS AWS Foundations Benchmark.
Accounts are centrally managed within Stax. The Stax Console and API provide a detailed overview of account information. Stax also provides Single Sign-On (SSO) access to the AWS Console/CLI using your Stax credentials.
Account Creation Process
Account creation can be performed via the Stax Console, or via the Stax API.
Note: Every AWS Application Account you create increases costs, due to its auditing and security requirements. While the cost is minimal on a per-account basis, be mindful of the number of accounts created.
Step One: Creation
Basic information is required before an account can be created:
- Account Name: refers to the display name of the account within Stax and
  - This can be changed at a later stage
  - The name chosen here is also used within AWS as the account alias
- Account Type: refers to the Stax Account Type this account will be a
  - This will immediately apply all Stax Policies already applied to the selected Account Type
  - Note: You will need to set specific Stax User Group permissions for AWS role-based access after creation; this is not retrospectively applied
- Tags: are tags within the Stax platform associated with this account. These tags are not propagated into AWS
  - Tags are visually represented in the Stax Console
  - Tags are represented in API responses for account information
Step Two: Account Assurance
As with any new AWS account, hardening must take place upon creation. Stax refers to this process as Account Assurance. This process takes a few minutes as Stax processes the new account and performs the required hardening steps. You can see this process occurring by reviewing Account setup details in Stax.
- Log into the Stax Console and choose Accounts, then All accounts from the left-hand navigation
- In the Accounts list, click the three vertical dots ( ⋮ ) to the right of the account being created. From the dropdown, choose View details. The Account details drawer will open from the right.
- At the top of the Account details drawer, click the three vertical dots ( ⋮ ) and under the View Associated heading, choose Account setup details. The Account setup details pane will display.
- Review each stage of the Account setup details pane and note the status of each stage. Once all stages are marked as Completed, the account will be considered active
Once the account status changes to Active, the hardening procedure is complete. Typically the entire hardening process takes no longer than 15 minutes.
Stax Account Types are groupings of AWS Application Accounts within Stax. Account types allow for:
- Grouping/categorizing of AWS Application Accounts
- Linking of Stax Policies to account types, which in turn applies the policy to all accounts that are a member of that Account Type
- Attaching of Stax User Groups to Account Types for the assignment of AWS Console/API permissions
To access Account Types, log into the Stax Console and choose Accounts, then Account Types from the left-hand navigation.