Linking your AWS accounts to Stax Cost & Compliance

Securely link with IAM to see your AWS metadata in Stax

Article Tags
On This Page
Before You BeginLink your AWS accounts to Stax Cost & ComplianceTroubleshootingSee also

The Stax Cost & Compliance module accesses your AWS data securely using an AWS IAM role. This role is read-only, and does not provide access to customer data.

The role is created when you deploy a CloudFormation template we provide.

This guidance assumes you're subscribed to only the Stax Cost & Compliance module. If you're a Stax Platform customer, Stax takes care of this for you.

Before You Begin

  • Estimated time to complete: 5 minutes
  • You'll need access to deploy CloudFormation templates into your AWS accounts
  1. To start, click the "Let's get started" button shown here:

  1. Click through "Yes, I have access" to proceed:

  1. AWS stores your billing information in an S3 bucket which you choose. Put the name of that S3 bucket in this page:

  1. Click "Open AWS Console" to go to AWS and run CloudFormation:

  1. Once in AWS, there are a couple of steps:
  • Log in to the AWS account that has your billing. (If you're in a Consolidated Billing Family then this is the root account.)

  • This takes you to CloudFormation. Scroll down the page and check the box next to "I acknowledge that AWS CloudFormation might create IAM resources."

  • Click the Create button.

  1. Close the tab and return to the Stax window. You’ll see we’re listening for your IAM role to be created. Once this happens, your accounts are linked!

We pull a lot of data from AWS. For an average sized account, there will be tens of gigabytes ingested at this point. It takes some time for us to process all of this, usually between 2 to 48 hours. We'll let you know by email when it's all done.

Troubleshooting

What if I Have More Than One Account?

Stax works seamlessly with as many accounts as you want.

How Do I Know the IAM Role Is Secure?

Stax uses AWS best practices for enabling third-party access to accounts, as described on the AWS website.

What Does the IAM Role Allow Stax To Do?

We intend for the IAM role to give us read-only access to the metadata about how you use AWS. There is no access at all to your company or customer data.

If you want to review the security content of the IAM roles themselves, they're given here:

What If I Change My Mind About Using Stax?

This is entirely within your control. Just delete the CloudFormation stack which contains the IAM role. This removes Stax's access to your account.

I Have No Access to Run CloudFormation

Click the Invite Colleagues button to send a quick invite to someone who has the right access.

Not a Technical Person?

You might still be able to go through the process, it's not complicated. If you're not comfortable doing so, click Invite Colleagues to invite the person who usually does your technical work.

See also