Leveraging the Power of AWS CloudFormation StackSets
CloudFormation StackSets deploy resources across multiple AWS accounts and regions from a central management account. Use service-managed permissions with AWS Organizations to automatically deploy to current AND future accounts. Great for deploying IAM roles, security baselines, and compliance configurations organization-wide.
Introduction
Whether you're a startup or a large corporation, managing infrastructure at scale across multiple AWS accounts and regions can become a complex task. Enter AWS CloudFormation StackSets - a solution designed to ease this complexity. This post covers how to create a StackSet that deploys an AWS role across your entire AWS Organization, including future accounts automatically.
One of the quieter benefits of StackSets is that, with automatic deployment enabled, the service configures not only existing accounts but also any account later created in, or moved into, a targeted OU, with no further input from you.
Benefits
Centralized Multi-Account, Multi-Region Deployment
StackSets offers a seamless way to deploy CloudFormation stacks across different accounts and regions from a central account. Maintain centralized control while deploying resources in decentralized accounts.
Consistent and Repeatable Deployments
StackSets ensures the same resources are deployed consistently across all selected accounts and regions, reducing errors and ensuring environments are mirror images.
Simplified Governance and Compliance
StackSets deployed with service-managed permissions use AWS Organizations to push the same configuration (IAM roles, logging settings, AWS Config rules) to every account in a targeted OU. Service Control Policies (SCPs) are a separate Organizations feature that complements this: the StackSet creates the baseline, and an SCP can deny member accounts the ability to modify or delete it, so the two together give you both the configuration and a guardrail around it.
Built-in Rollback Mechanisms
Each stack instance is an ordinary CloudFormation stack, so a failed deployment in a target account rolls that account's stack back to its previous state. The StackSet operation itself stops once failures exceed the failure tolerance you configure; it does not undo stacks that already succeeded in other accounts, so keep the failure tolerance low and review the Operations tab before retrying.
Granular Control
Target specific Organizational Units (OUs), accounts, and regions - resources are deployed only where needed.
How-To: Deploy Cross-Account Role
Goal
Create a StackSet that deploys an IAM role to all AWS accounts in your Organization. This role can be assumed from your management account for centralized administration.
The example uses AdministratorAccess policy for demonstration. In production, follow the principle of least privilege and use a custom policy with only the permissions needed.
CloudFormation Template
Create a YAML file with the following content:
AWSTemplateFormatVersion: '2010-09-09'
Description: Cross-Account Role with AdministratorAccess policy
Resources:
  CrossAccountRole:
    Type: 'AWS::IAM::Role'
    Properties:
      # Fixed name so the role ARN is predictable in every member account
      RoleName: 'CrossAccountAdminRole'
      # Trust policy: who may call sts:AssumeRole on this role
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS:
                # Replace with your management account ID
                - 'arn:aws:iam::123456789012:root'
            Action: 'sts:AssumeRole'
      # Demonstration only: replace with a least-privilege policy in production
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/AdministratorAccess'
Replace 123456789012 with your management account ID, and update RoleName and ManagedPolicyArns to match your business requirements. Note that the :root principal trusts every IAM user or role in the management account that is itself allowed to call sts:AssumeRole; for production, trust a specific role ARN instead. Because RoleName is fixed rather than generated, CloudFormation will ask you to acknowledge the CAPABILITY_NAMED_IAM capability when you deploy.
Steps
- Log into your management/payer account (or an account registered as a delegated administrator for StackSets)
- Navigate to CloudFormation console > StackSets
- Click Create StackSet
- Choose a template
  - Permissions: Service-managed permissions
  - Prepare template: Template is ready
  - Upload the YAML file created above
- Specify StackSet details
  - Enter a name and description
- Configure StackSet options
  - Add tags as needed
  - Execution configuration: Inactive
- Set deployment options
  - Deploy to organization OR specific OUs
  - Automatic deployment: Activated
  - Account removal behavior: Delete stacks
  - Select target region(s)
- Review, check the box acknowledging that the template creates IAM resources with custom names (CAPABILITY_NAMED_IAM), then Submit
- Monitor progress in the Stack instances and Operations tabs
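The same procedure as a script, for teams that would rather run it from a pipeline than click through the console. This is an added example written for this post, not code from the original author or from AWS: it builds the JSON equivalent of the template above, creates a SERVICE_MANAGED StackSet with automatic deployment and the "Delete stacks" removal behaviour, targets an OU, waits for the operation, and finally proves the role is assumable from a member account. The stack set name, the OU id r-abcd and the account ids 123456789012 / 210987654321 are placeholders; boto3 is only imported when the script actually talks to AWS.

```python
"""Deploy a cross-account admin role to an Organization with a service-managed StackSet.

Added example for this post (not the author's code). Placeholders: stack set name,
OU id "r-abcd", management account 123456789012, member account 210987654321.
"""
import json
import re
import time

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
# Service principal that AWS Organizations must trust for service-managed StackSets
STACKSETS_SERVICE_PRINCIPAL = "member.org.stacksets.cloudformation.amazonaws.com"


def is_account_id(value):
    """True for a well-formed 12-digit AWS account id."""
    return bool(ACCOUNT_ID_RE.match(value))


def build_role_template(management_account_id, role_name="CrossAccountAdminRole",
                        managed_policy_arns=("arn:aws:iam::aws:policy/AdministratorAccess",)):
    """JSON form of the post's YAML template; the trust policy is the security-relevant part."""
    if not is_account_id(management_account_id):
        raise ValueError(f"not a 12-digit AWS account id: {management_account_id!r}")
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Description": f"Cross-account role {role_name} assumable from {management_account_id}",
        "Resources": {
            "CrossAccountRole": {
                "Type": "AWS::IAM::Role",
                "Properties": {
                    "RoleName": role_name,
                    "AssumeRolePolicyDocument": {
                        "Version": "2012-10-17",
                        "Statement": [{
                            "Effect": "Allow",
                            # :root trusts every principal in the management account that may
                            # call sts:AssumeRole; narrow this to a specific role in production
                            "Principal": {"AWS": [f"arn:aws:iam::{management_account_id}:root"]},
                            "Action": "sts:AssumeRole",
                        }],
                    },
                    "ManagedPolicyArns": list(managed_policy_arns),
                },
            }
        },
    }


def stack_set_request(stack_set_name, template, description="Cross-account admin role"):
    """Arguments for cloudformation.create_stack_set, mirroring the console choices."""
    return {
        "StackSetName": stack_set_name,
        "Description": description,
        "TemplateBody": json.dumps(template),
        # RoleName is hard-coded, so CloudFormation demands the NAMED_IAM capability
        # (the acknowledgement checkbox in the console)
        "Capabilities": ["CAPABILITY_NAMED_IAM"],
        "PermissionModel": "SERVICE_MANAGED",            # Organizations-managed execution roles
        "AutoDeployment": {"Enabled": True,              # future accounts in the OU get the stack
                           "RetainStacksOnAccountRemoval": False},  # console: "Delete stacks"
        "ManagedExecution": {"Active": False},           # console: "Execution configuration: Inactive"
        "CallAs": "SELF",                                # DELEGATED_ADMIN when run from a delegated admin
    }


def stack_instances_request(stack_set_name, ou_ids, regions, failure_tolerance=0):
    """Arguments for cloudformation.create_stack_instances, targeting OUs rather than account lists."""
    return {
        "StackSetName": stack_set_name,
        "DeploymentTargets": {"OrganizationalUnitIds": list(ou_ids)},
        "Regions": list(regions),
        # Stop at the first failing account; already-succeeded stacks are not rolled back
        "OperationPreferences": {"FailureToleranceCount": failure_tolerance, "MaxConcurrentCount": 10},
        "CallAs": "SELF",
    }


def wait_for_operation(cfn, stack_set_name, operation_id, poll_seconds=15):
    """Poll describe_stack_set_operation until it reaches a terminal status."""
    while True:
        op = cfn.describe_stack_set_operation(
            StackSetName=stack_set_name, OperationId=operation_id)["StackSetOperation"]
        if op["Status"] not in ("RUNNING", "QUEUED", "STOPPING"):
            return op["Status"]          # SUCCEEDED, FAILED or STOPPED
        time.sleep(poll_seconds)


def deploy(cfn, orgs, management_account_id, ou_ids, regions, stack_set_name="cross-account-admin-role"):
    """Run the whole procedure; cfn and orgs are boto3 clients in the management account."""
    enabled = {s["ServicePrincipal"] for s in
               orgs.list_aws_service_access_for_organization()["EnabledServicePrincipals"]}
    if STACKSETS_SERVICE_PRINCIPAL not in enabled:   # trusted access is the usual "permission error"
        orgs.enable_aws_service_access(ServicePrincipal=STACKSETS_SERVICE_PRINCIPAL)
    cfn.create_stack_set(**stack_set_request(stack_set_name, build_role_template(management_account_id)))
    op = cfn.create_stack_instances(**stack_instances_request(stack_set_name, ou_ids, regions))
    return wait_for_operation(cfn, stack_set_name, op["OperationId"])


def member_role_arn(member_account_id, role_name="CrossAccountAdminRole"):
    """ARN of the deployed role in a member account, as seen from the management account."""
    return f"arn:aws:iam::{member_account_id}:role/{role_name}"


if __name__ == "__main__":
    import boto3  # only needed when actually talking to AWS
    status = deploy(boto3.client("cloudformation"), boto3.client("organizations"),
                    management_account_id="123456789012", ou_ids=["r-abcd"], regions=["us-east-1"])
    print("stack set operation:", status)
    # End-to-end check: the role must be assumable from here, or the trust policy is wrong
    creds = boto3.client("sts").assume_role(RoleArn=member_role_arn("210987654321"),
                                            RoleSessionName="stackset-check")["Credentials"]
    print("assumed role, credentials expire at", creds["Expiration"])
```

Run it with credentials for the management account (or a delegated administrator, in which case change CallAs to DELEGATED_ADMIN). The trusted-access check and the final assume_role call correspond to the first and fifth troubleshooting items below: if the role cannot be assumed, the principal in the trust policy does not match the account you are calling from.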
Troubleshooting
- StackSet creation fails with a permission error - With service-managed permissions, trusted access between AWS Organizations and CloudFormation StackSets must be enabled (Organizations console > Services > CloudFormation StackSets, or: aws organizations enable-aws-service-access --service-principal member.org.stacksets.cloudformation.amazonaws.com), and the operation must be run from the management account or a registered delegated administrator. AWSCloudFormationStackSetAdministrationRole and AWSCloudFormationStackSetExecutionRole are only required for self-managed permissions.
- Stack instance stuck in OUTDATED - OUTDATED means the instance does not match the StackSet's current template. Check the Operations tab and the instance's status reason for details. Common causes are an IAM quota being exceeded or a resource with the same name (for example, an existing CrossAccountAdminRole) already present in the member account.
- Role not appearing in member accounts - Verify the StackSet operation completed successfully. Check CloudFormation in the member account for stack errors.
- Automatic deployment not working for new accounts - Ensure "Automatic deployment" is set to Activated. New accounts must be in a targeted OU.
- Cannot assume the created role - Verify the Principal in the trust policy matches your management account ID exactly.
- Region not available error - Some regions may not be enabled in all accounts. Enable the region in member accounts or exclude it from deployment.
Conclusion
AWS CloudFormation StackSets fills a critical need for businesses operating in a multi-account, multi-region AWS environment. By providing centralized management, consistency, governance, and reducing both operational overheads and errors, StackSets proves itself as an indispensable tool for cloud practitioners managing AWS at scale.