Service-linked roles Service principals Enable trusted access Disable trusted access

AWS CloudFormation StackSets and AWS Organizations

AWS CloudFormation StackSets enables you to create, update, or delete stacks across multiple accounts and Regions with a single operation.

For more information about StackSets, see Working with AWS CloudFormation StackSets in the AWS CloudFormation User Guide.

Use the following information to help you to help you integrate AWS CloudFormation StackSets with AWS Organizations.

Topics

Service-linked roles created when you enable integration
Service principals used by the service-linked roles
Enabling trusted access with AWS CloudFormation Stacksets
Disabling trusted access with AWS CloudFormation Stacksets

Service-linked roles created when you enable integration

The following service-linked roles are automatically created in your organization's accounts when you enable trusted access. These roles allow AWS CloudFormation Stacksets to perform supported operations within the accounts in your organization.

You can delete or modify these roles only if you disable trusted access between AWS CloudFormation Stacksets and Organizations or if the account is removed from the organization or target organizational unit.

Management account: CloudFormationStackSetsOrgAdmin
Member accounts: CloudFormationStackSetsOrgMember

Service principals used by the service-linked roles

The service-linked roles in the previous section can be assumed only by the service principals authorized by the trust relationships defined for the role. The service-linked roles used by AWS CloudFormation Stacksets grant access to the following service principals:

Management account: stacksets.cloudformation.amazonaws.com
Member accounts: member.org.stacksets.cloudformation.amazonaws.com

Enabling trusted access with AWS CloudFormation Stacksets

For information about the permissions needed to enable trusted access, see Permissions required to enable trusted access.

You can enable trusted access using either the AWS CloudFormation StackSets console or the AWS Organizations console.

Important

We strongly recommend that you enable trusted access by using the AWS CloudFormation Stacksets console. This enables AWS CloudFormation Stacksets to perform required setup tasks.

To enable trusted access using the AWS CloudFormation Stacksets console

See Enable Trusted Access with AWS Organizations in the AWS CloudFormation User Guide.

On the Organizations side, you can enable trusted access by using the AWS Organizations console.

AWS Management Console

To enable trusted service access using the Organizations console

Sign in to the AWS Organizations console at https://console.aws.amazon.com/organizations/. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization's management account.
In the upper-right corner, choose Settings.
In the Trusted access for AWS services section, find the row for AWS CloudFormation StackSets and then choose Enable access.
If you are the administrator of only AWS Organizations, tell the administrator of AWS CloudFormation StackSets that they can now enable that service to work with AWS Organizations.

Disabling trusted access with AWS CloudFormation Stacksets

For information about the permissions needed to disable trusted access, see Permissions required to disable trusted access.

You can disable trusted access using the AWS Organizations console. If you disable trusted access with AWS Organizations while you are using AWS CloudFormation StackSets, all previously created stack instances are retained. However, stack sets deployed using the service-linked role's permissions can no longer perform deployments to accounts managed by AWS Organizations.

On the Organizations side, you can disable trusted access by using either the AWS Organizations console, by running a AWS CLI command, or by calling an API operation in one of the AWS SDKs.

AWS Management Console

To disable trusted service access using the Organizations console

Sign in to the AWS Organizations console at https://console.aws.amazon.com/organizations/. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization's management account.
In the upper-right corner, choose Settings.
If you are the administrator of only AWS Organizations and not AWS CloudFormation StackSets, wait until the administrator of AWS CloudFormation StackSets tells you that they disabled integration with that service's console or tools, and that any resources have been cleaned up.
In the Trusted access for AWS services section, find the entry for AWS CloudFormation StackSets, and then choose Disable access.

AWS CLI, AWS API

To disable trusted service access using an Organizations AWS CLI command or API

You can use the following AWS CLI commands or API operations to disable trusted service access:

AWS CLI: aws organizations disable-aws-service-access

You can run the following commands to disable AWS CloudFormation StackSets as a trusted service with Organizations.
```
$ aws organizations disable-aws-service-access \
    --service-principle stacksets.cloudformation.amazonaws.com
$ aws organizations disable-aws-service-access \
    --service-principle member.org.stacksets.cloudformation.amazonaws.com
```
These commands produce no output when successful.
AWS API: DisableAWSServiceAccess

Warning Javascript is disabled or is unavailable in your browser.

To use the AWS Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

AWS Backup

AWS CloudTrail