Summary of AWS CloudFormation StackSets Training

• Introduction to StackSets
  • StackSets is a feature that allows deployment of CloudFormation stacks across multiple AWS accounts and regions in a single operation.
  • Stack instances can be deployed to various regions and accounts.

• Administration and Target Accounts
  • An administrator account creates StackSets.
  • Target accounts are used for creating, updating, and deleting stack instances derived from StackSets.
  • StackSets updates in the administrator account propagate to all target accounts across regions.
  • Target accounts and administrative accounts can be defined within an AWS Organization.
• Permission Model
  • IAM roles with trust relationships are set up in both administrator and target accounts.
  • The administrator account has an AWS CloudFormation StackSet administration role that trusts the AWS CloudFormation StackSet execution roles in target accounts.
  • Roles must be manually created if not using AWS Organizations (self-managed permissions).
  • With service-managed permissions (using AWS Organizations), IAM roles are automatically created.

• Service-Managed Permissions with AWS Organizations
  • Trusted access must be enabled within AWS Organizations.
  • New accounts automatically receive deployments if set up.
  • Management or delegated administrator accounts deploy to target accounts without manual IAM role setup.

• Automatic Deployment to New Accounts
  • StackSets can be configured to automatically deploy stack instances to new accounts within the organization.
  • This ensures consistent deployment across all accounts upon their creation.
• Delegated Administration
  • StackSet administration can be delegated to specific member accounts for better security and governance.
  • Trusted access must be enabled for the delegated administrator to deploy to Organization-managed accounts.
• Example Scenario
  • A delegated administrator account deploys StackSets to manage stack instances in all target member accounts across different Organizational Units (OUs), such as Prod OU and Dev OU.
  • New accounts in an OU automatically receive stack instances.
• Advantages of Using StackSets with AWS Organization
  • Streamlined management and deployment of stacks across an entire organization.
  • Automatic and consistent policy enforcement and resource provisioning for new accounts.
  • Simplified permissions management with service-managed permissions.

Conclusion

• StackSets with AWS Organization provides a powerful tool for managing resources consistently across multiple accounts and regions.
• The integration with AWS Organizations simplifies the permissions model and automates the deployment process, especially for new accounts.

you can use AWS CloudFormation StackSets to create resources and modify IAM roles across all accounts within an AWS Organization. CloudFormation StackSets extend the functionality of CloudFormation to enable you to deploy CloudFormation stacks across multiple AWS accounts and regions with a single operation.