With self-managed permissions, you can deploy stacks to specific AWS accounts in specific Regions. To do this, you must first create the necessary IAM roles to establish a trusted relationship between the account you're administering the stack set from and the account you're deploying stacks to. For more information, see Grant self-managed permissions.
Note: Before you complete one of the following procedures, verify that the IAM roles AWSCloudFormationStackSetExecutionRole and AWSCloudFormationStackSetAdministrationRole exist in your administrator account. To launch stacks in accounts other than your administrator account, verify that the IAM role AWSCloudFormationStackSetExecutionRole exists in the target accounts. For more information, see Give all users of the administrator account permissions to manage stacks in all target accounts.
The template referenced in this topic enables AWS Config in a target account within the US West (Oregon) Region (us-west-2) and the US East (N. Virginia) Region (us-east-1). The Enable AWS Config template is located in the following S3 bucket: https://s3.amazonaws.com/cloudformation-stackset-sample-templates-us-east-1/EnableAWSConfig.yml
Create a stack set with self-managed permissions (console)
1. Sign in to the AWS Management Console and open the AWS CloudFormation console at https://console.aws.amazon.com/cloudformation.
2. On the navigation bar at the top of the screen, choose the AWS Region that you want to manage the stack set from.
3. From the navigation pane, choose StackSets.
4. From the top of the StackSets page, choose Create StackSet.
5. Skip Permissions to use the IAM roles named AWSCloudFormationStackSetExecutionRole and AWSCloudFormationStackSetAdministrationRole that you created previously.
6. Under Prerequisite - Prepare template, choose Use a sample template.
7. Under Select a sample template, from the drop-down menu choose the Enable AWS Config template. Then, choose Next.
8. On the Specify StackSet details page, for StackSet name, provide a name for the stack set. Stack set names must begin with an alphabetical character and contain only letters, numbers, and hyphens. In this walkthrough, use the name my-awsconfig-stackset.
9. For StackSet description, provide a description for the stack set.
10. Under Parameters, do the following:
    - Configure the Recorder Configuration parameters that are used by AWS Config. For more information about these parameters, see Manual setup for AWS Config in the AWS Config Developer Guide.
      - For Support all resource types, keep the default value, true, to record all supported resource types.
      - For Include global resource types, keep the default value, false, to exclude global resources like IAM roles.
      - Leave List of resource types if not all supported set to <All>. Only add specific resource types if you selected false for Support all resource types.
      - For The region containing the Config service-linked role resource, replace <DeployToAnyRegion> with us-west-2. This means that the service-linked role named AWSServiceRoleForConfig will only be created if a stack is deployed to the US West (Oregon) Region. You'll choose the deployment Regions later in this procedure.
      - For Configuration recorder recording frequency, choose between CONTINUOUS or DAILY recording.
    - (Optional) Under Delivery Channel Configuration, configure the delivery channel for updates and notifications. For more information about the delivery channel in AWS Config, see Managing the delivery channel in the AWS Config Developer Guide.
    - (Optional) Under Delivery Notifications, configure Amazon Simple Notification Service (SNS) notifications.
11. Choose Next to continue.
12. On the Configure StackSet options page, add a tag by specifying a key and value pair. In this walkthrough, we create a tag called Stage, with a value of Test. Tags that you apply to StackSets are applied to all resources that are created by your stacks. For more information about how tags are used in AWS, see Organizing and tracking costs using AWS cost allocation tags in the AWS Billing and Cost Management User Guide.
13. For Execution configuration, choose Active so that StackSets performs non-conflicting operations concurrently and queues conflicting operations. After conflicting operations finish, StackSets starts queued operations in request order.

    Note: When operations are running or queued, StackSets queues all incoming operations even if they're non-conflicting. You can't change execution settings during this time.
14. If your template contains IAM resources, for Capabilities, choose I acknowledge that this template may create IAM resources to specify that you want to use IAM resources in the template. For more information, see Acknowledging IAM resources in CloudFormation templates.
15. Choose Next.
16. On the Set deployment options page, for Add stacks to stack set, choose Deploy new stacks.
17. For Accounts, choose Deploy stacks in accounts. Paste your target AWS account numbers in the text box, separating multiple numbers with commas.
18. For Specify regions, choose US East (N. Virginia) Region. Repeat for the US West (Oregon) Region. Select the up arrow next to US West (Oregon) Region to move it to the first entry in the list. The order of the Regions under Specify regions determines their deployment order.

    By default, CloudFormation deploys stacks in the specified accounts within the first Region, then moves on to the next, and so on, as long as a Region's deployment failures do not exceed the specified failure tolerance.
19. For Deployment options:
    - For Maximum concurrent accounts, keep the defaults of Number and 1. This means that CloudFormation deploys your stack in only one account at a time.
    - For Failure tolerance, keep the defaults of Number and 0. This means that a maximum of one stack deployment can fail in one of your specified Regions before CloudFormation stops deployment in the current Region and cancels deployment in the remaining Regions.
    - For Region concurrency, choose Sequential (default) or Parallel to determine the StackSets deployment order for the specified Regions.
    - For Concurrency mode, update the Concurrency mode as needed, or skip to the next step.
20. Choose Next.
21. On the Review page, review your choices. To make changes, choose Edit on the related section.
22. When you are ready to create your stack set, choose Submit.

    CloudFormation starts creating your stack set. View the progress and status of the creation of the stacks in your stack set on the stack set details page that opens when you choose Submit.
Create a stack set with self-managed permissions (AWS CLI)
When you create StackSets by using AWS CLI commands, you run two separate commands: create-stack-set to upload your template and create the stack set container, and create-stack-instances to create the stacks within your stack set.
1. Start by running the following create-stack-set command to upload the sample template that enables AWS Config. For the --template-url option, provide the URL of the Amazon S3 bucket where your template is located. In this example, we use my-awsconfig-stackset as the value of the --stack-set-name option. The --parameters option is included to work with the EnableAWSConfig.yml template we include. If you use your own template, adjust the command to your needs.

   ```bash
   aws cloudformation create-stack-set \
     --stack-set-name my-awsconfig-stackset \
     --template-url https://s3.amazonaws.com/cloudformation-stackset-sample-templates-us-east-1/EnableAWSConfig.yml \
     --parameters ParameterKey=ServiceLinkedRoleRegion,ParameterValue="us-west-2" ParameterKey=RecordingFrequency,ParameterValue="DAILY"
   ```

2. After your create-stack-set command is finished, run the list-stack-sets command to see that your stack set has been created. You should see your new stack set in the results.

   ```bash
   aws cloudformation list-stack-sets
   ```

3. Use the create-stack-instances command to add stacks to your stack set. In this walkthrough, we use us-west-2 and us-east-1 as the values of the --regions option. Set concurrent account processing and other deployment preferences using the --operation-preferences option. This example uses count-based settings. Note that MaxConcurrentCount must not exceed FailureToleranceCount + 1. For percentage-based settings, use FailureTolerancePercentage or MaxConcurrentPercentage instead.

   ```bash
   aws cloudformation create-stack-instances \
     --stack-set-name my-awsconfig-stackset \
     --accounts account_ID_1 account_ID_2 \
     --regions us-west-2 us-east-1 \
     --operation-preferences MaxConcurrentCount=1,FailureToleranceCount=0
   ```

   For more information, see CreateStackInstances in the AWS CloudFormation API Reference.

4. Using the operation-id that was returned as part of the create-stack-instances output, use the following describe-stack-set-operation command to verify that your stacks were created successfully.

   ```bash
   aws cloudformation describe-stack-set-operation \
     --stack-set-name my-awsconfig-stackset \
     --operation-id operation_ID
   ```
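The CLI steps above, wrapped into a script as an added example (this is not code from the AWS documentation): it checks the count-based operation preferences (MaxConcurrentCount must not exceed FailureToleranceCount + 1) and the account ID format before calling create-stack-instances, prints the command for review by default, and when RUN_STACKSET_DEPLOY=1 is set it runs the command and polls describe-stack-set-operation until the operation reaches a terminal status, listing the failed stack instances if it does not succeed. The stack set name and Regions are the walkthrough's; the account IDs are constructed placeholders, and the function names and the RUN_STACKSET_DEPLOY switch are assumptions of this example.

```shell
#!/bin/sh
# Added example; not part of the AWS documentation. Wraps the create-stack-instances and
# describe-stack-set-operation steps above with pre-flight checks and a status poll.
set -eu

STACK_SET_NAME="my-awsconfig-stackset"
TARGET_REGIONS="us-west-2 us-east-1"        # deployment order: Oregon first, as in the walkthrough
TARGET_ACCOUNTS="111111111111 222222222222" # constructed placeholder account IDs, not real accounts

# Count-based preferences must satisfy MaxConcurrentCount <= FailureToleranceCount + 1
# (and MaxConcurrentCount >= 1); reject non-numeric input before it reaches the API.
validate_operation_prefs() {
  max_concurrent="$1"; failure_tolerance="$2"
  [ -n "$max_concurrent" ] && [ -n "$failure_tolerance" ] || return 1
  case "$max_concurrent$failure_tolerance" in *[!0-9]*) return 1 ;; esac
  [ "$max_concurrent" -ge 1 ] || return 1
  [ "$max_concurrent" -le $((failure_tolerance + 1)) ]
}

# AWS account IDs are exactly 12 digits; catch a typo before a whole operation is rejected.
validate_account_id() {
  case "$1" in
    [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

# Validate inputs, then either print the command for review (default) or run it and
# return the OperationId. Usage: create_stack_instances MAX_CONCURRENT FAILURE_TOLERANCE [run]
create_stack_instances() {
  max_concurrent="$1"; failure_tolerance="$2"; mode="${3:-dry-run}"
  validate_operation_prefs "$max_concurrent" "$failure_tolerance" || {
    echo "invalid operation preferences: MaxConcurrentCount=$max_concurrent FailureToleranceCount=$failure_tolerance" >&2
    return 1
  }
  for acct in $TARGET_ACCOUNTS; do
    validate_account_id "$acct" || { echo "invalid account ID: $acct" >&2; return 1; }
  done
  # Build the argument list positionally so nothing is passed through eval.
  set -- aws cloudformation create-stack-instances \
    --stack-set-name "$STACK_SET_NAME" \
    --accounts $TARGET_ACCOUNTS \
    --regions $TARGET_REGIONS \
    --operation-preferences "MaxConcurrentCount=$max_concurrent,FailureToleranceCount=$failure_tolerance" \
    --query OperationId --output text
  if [ "$mode" = "dry-run" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Poll until the operation is SUCCEEDED, FAILED or STOPPED. --query keeps the status
# parsing inside the CLI, so no JSON tooling is needed. On failure, list the stack
# instances that failed together with the StatusReason reported for each.
wait_for_operation() {
  operation_id="$1"
  while :; do
    status=$(aws cloudformation describe-stack-set-operation \
      --stack-set-name "$STACK_SET_NAME" --operation-id "$operation_id" \
      --query 'StackSetOperation.Status' --output text)
    case "$status" in
      SUCCEEDED)
        echo "operation $operation_id succeeded"; return 0 ;;
      FAILED|STOPPED)
        echo "operation $operation_id ended with status $status" >&2
        aws cloudformation list-stack-set-operation-results \
          --stack-set-name "$STACK_SET_NAME" --operation-id "$operation_id" \
          --query 'Summaries[?Status==`FAILED`].[Account,Region,StatusReason]' --output table
        return 1 ;;
      *)
        sleep 15 ;;   # RUNNING, QUEUED or STOPPING: keep waiting
    esac
  done
}

# Dry run by default so the command can be reviewed. Set RUN_STACKSET_DEPLOY=1 to
# execute it with the administrator account's credentials and wait for the result.
create_stack_instances 1 0
if [ "${RUN_STACKSET_DEPLOY:-0}" = "1" ]; then
  operation_id=$(create_stack_instances 1 0 run)
  wait_for_operation "$operation_id"
fi
```

Keeping the defaults of MaxConcurrentCount=1 and FailureToleranceCount=0 means the first failed stack stops the operation, which is what the console walkthrough chooses; raising MaxConcurrentCount without raising FailureToleranceCount by at least as much is rejected by the validation before any API call is made.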