AWS CloudFormation StackSets and AWS Organizations
AWS CloudFormation StackSets enables you to create, update, or delete stacks across multiple accounts and Regions with a single operation.
For more information about StackSets, see Working with AWS CloudFormation StackSets in the AWS CloudFormation User Guide.
Use the following information to help you to help you integrate AWS CloudFormation StackSets with AWS Organizations.
Topics
Service-linked roles created when you enable integration
The following service-linked roles are automatically created in your organization's accounts when you enable trusted access. These roles allow AWS CloudFormation Stacksets to perform supported operations within the accounts in your organization.
You can delete or modify these roles only if you disable trusted access between AWS CloudFormation Stacksets and Organizations or if the account is removed from the organization or target organizational unit.
-
Management account:
CloudFormationStackSetsOrgAdmin
-
Member accounts:
CloudFormationStackSetsOrgMember
Service principals used by the service-linked roles
The service-linked roles in the previous section can be assumed only by the service principals authorized by the trust relationships defined for the role. The service-linked roles used by AWS CloudFormation Stacksets grant access to the following service principals:
-
Management account:
stacksets.cloudformation.amazonaws.com
-
Member accounts:
member.org.stacksets.cloudformation.amazonaws.com
Enabling trusted access with AWS CloudFormation Stacksets
For information about the permissions needed to enable trusted access, see Permissions required to enable trusted access.
You can enable trusted access using either the AWS CloudFormation StackSets console or the AWS Organizations console.
We strongly recommend that you enable trusted access by using the AWS CloudFormation Stacksets console. This enables AWS CloudFormation Stacksets to perform required setup tasks.
To enable trusted access using the AWS CloudFormation Stacksets console
See Enable Trusted Access with AWS Organizations in the AWS CloudFormation User Guide.
On the Organizations side, you can enable trusted access by using the AWS Organizations console.
Disabling trusted access with AWS CloudFormation Stacksets
For information about the permissions needed to disable trusted access, see Permissions required to disable trusted access.
You can disable trusted access using the AWS Organizations console. If you disable trusted access with AWS Organizations while you are using AWS CloudFormation StackSets, all previously created stack instances are retained. However, stack sets deployed using the service-linked role's permissions can no longer perform deployments to accounts managed by AWS Organizations.
On the Organizations side, you can disable trusted access by using either the AWS Organizations console, by running a AWS CLI command, or by calling an API operation in one of the AWS SDKs.