Region and permission requirements for stack set operations - AWS CloudFormation

Region and permission requirements for stack set operations

Because stack sets perform stack operations across multiple accounts, before you can create your first stack set you need the necessary permissions defined in your AWS accounts.

To set up the required permissions for creating a stack set with self-managed permissions, see Performing stack set operations involving Regions that are disabled by default and Grant self-managed permissions.

To set up the required permissions for creating a stack set with service-managed permissions, see Performing stack set operations involving Regions that are disabled by default and Activate trusted access for stack sets with Organizations.

Note

Activating trusted access with AWS Organizations for AWS CloudFormation StackSets isn't currently supported in the China Beijing and Ningxia Regions.

Performing stack set operations involving Regions that are disabled by default

AWS Regions introduced after March 20, 2019, such as Asia Pacific (Hong Kong), are disabled by default. You must enable these Regions for each of your accounts before you can use them. Because of this, consider the following before performing stack set operations involving accounts in Regions that are disabled by default:

  • To create a stack set from a stack set's administrator account (if using self-managed permissions) or organization's management account (if using service-managed permissions) in a Region that is disabled by default, you must first enable that Region for the administrator or management account.

  • For AWS CloudFormation to successfully create or update a stack instance:

    • The target account must reside in a Region that's currently enabled for that target account.

    • The stack set's administrator account or organization's management account must have the same Region enabled as the target account.
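The two conditions above (the Region must be enabled for the administrator or management account and for every target account) can be checked before a stack set operation is started. The following shell script is an added example, not part of this AWS documentation page: the status rule is encoded in a pure function that can be run offline, and a separate function shows how the live opt-in status would be read with the AWS CLI's `aws account get-region-opt-status` command (AWS Account Management API), which this page does not mention and whose use here is an assumption about your environment. Status strings follow that API: ENABLED, ENABLED_BY_DEFAULT, ENABLING, DISABLING, DISABLED.

```shell
#!/bin/sh
# Added example (not from the AWS documentation page): pre-flight check that a
# Region is enabled for the stack set administrator/management account AND for
# every target account before a stack set operation is run against it.

# region_usable STATUS -> 0 if a Region with this opt status can host stack instances.
# Only fully enabled Regions count; ENABLING/DISABLING are in-flight and rejected.
region_usable() {
  case "$1" in
    ENABLED|ENABLED_BY_DEFAULT) return 0 ;;
    *) return 1 ;;
  esac
}

# stackset_region_ok ADMIN_STATUS TARGET_STATUS... -> 0 only when the administrator
# (or management) account and every target account have the Region enabled.
stackset_region_ok() {
  admin_status=$1; shift
  if ! region_usable "$admin_status"; then
    echo "administrator/management account: Region not enabled ($admin_status)" >&2
    return 1
  fi
  rc=0
  for target_status in "$@"; do
    if ! region_usable "$target_status"; then
      echo "target account: Region not enabled ($target_status)" >&2
      rc=1
    fi
  done
  return $rc
}

# live_region_status REGION [ACCOUNT_ID] -> prints the opt status via the AWS CLI.
# Assumes credentials for the management (or administrator) account with
# account:GetRegionOptStatus; ACCOUNT_ID queries a member account's status.
live_region_status() {
  if [ -n "$2" ]; then
    aws account get-region-opt-status --region-name "$1" --account-id "$2" \
      --query RegionOptStatus --output text
  else
    aws account get-region-opt-status --region-name "$1" \
      --query RegionOptStatus --output text
  fi
}

# preflight REGION TARGET_ACCOUNT_ID... -> runs the live check; gate your
# create-stack-set / create-stack-instances call on a zero exit status.
preflight() {
  region=$1; shift
  admin=$(live_region_status "$region") || return 1
  targets=""
  for acct in "$@"; do
    status=$(live_region_status "$region" "$acct") || return 1
    targets="$targets $status"
  done
  # shellcheck disable=SC2086  # word-splitting $targets into one argument per account is intended
  stackset_region_ok "$admin" $targets
}
```

Usage: `preflight ap-east-1 111122223333 444455556666` (constructed account IDs) exits non-zero and names each account for which the Region is not enabled, so a deployment pipeline can stop before CloudFormation reports failed stack instances.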

Important

Be aware that during stack set operations, administrator and target accounts exchange metadata regarding the accounts themselves, in addition to the stack set and stack set instances involved.

If you disable a Region that contains an account in which stack set instances reside, you are responsible for deleting those instances or resources if you want them removed. Also be aware that metadata about the target account in the disabled Region is retained in the administrator account.

For more information about enabling and disabling Regions, see Managing AWS Regions in the AWS General Reference.