AWS CloudFormation StackSets

Overview

  • StackSets extend CloudFormation by enabling you to deploy the same stack across multiple AWS accounts and regions from a single template.
  • Ideal for organizations using AWS Organizations or multi-account strategies.
  • Supports centralized management of infrastructure at scale.

How It Works

  • You create a StackSet in a management account.
  • The StackSet contains:
    • A CloudFormation template.
    • Deployment targets (accounts and regions).
    • Operation preferences (parallelism, failure tolerance).
  • CloudFormation automatically creates, updates, or deletes stacks in each target account and region.

Key Features

  • Multi-Account, Multi-Region deployments from a single operation.
  • Automatic account targeting when integrated with AWS Organizations (new accounts get the stack automatically).
  • Centralized auditing and control — changes are applied consistently everywhere.
  • Parallel execution to speed up large-scale deployments.

Common Use Cases

  • Governance & Compliance:
    • Deploy the same IAM roles, logging configurations, or security guardrails to all accounts.
  • Networking:
    • Distribute VPCs, subnets, or Route 53 configurations across accounts and regions.
  • Service Enablement:
    • Automatically deploy CloudTrail, Config rules, or GuardDuty across the organization.

Permissions

  • The administrator account (where the StackSet is created) needs permissions to manage CloudFormation and the target resources.
  • Target accounts must trust the administrator account (via AWSCloudFormationStackSetAdministrationRole in the administrator account, which assumes AWSCloudFormationStackSetExecutionRole in each target account).

Operation Modes

  1. Self-Managed Permissions:
      • Manually create execution roles in each target account.
  2. Service-Managed Permissions (recommended with AWS Organizations):
      • AWS automatically creates and manages execution roles in all member accounts.
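With self-managed permissions the execution role's trust policy is the control that decides who can deploy into a target account, so it is worth auditing that it trusts only the administration role in the administrator account. The following is an added example, not code from the page or from AWS; the account id and the three sample trust policies are constructed.

```python
import json

# Constructed placeholder account id for the administrator account.
ADMIN_ACCOUNT_ID = "111111111111"
ADMIN_ROLE_ARN = (f"arn:aws:iam::{ADMIN_ACCOUNT_ID}"
                  ":role/AWSCloudFormationStackSetAdministrationRole")

def _as_list(value):
    """Normalise a policy element that may be a string, a list, or absent."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _principals(principal):
    """Flatten the Principal element ("*", {"AWS": "..."} or {"AWS": [...]})."""
    if isinstance(principal, dict):
        return [p for key in principal for p in _as_list(principal[key])]
    return _as_list(principal)

def audit_execution_trust_policy(trust_policy, admin_role_arn=ADMIN_ROLE_ARN):
    """Return findings for an execution role's trust policy; an empty list means
    the role can be assumed only by the expected administration role."""
    findings = []
    statements = _as_list(trust_policy.get("Statement"))
    assume = [s for s in statements
              if s.get("Effect") == "Allow"
              and any(a in ("sts:AssumeRole", "sts:*") for a in _as_list(s.get("Action")))]
    if not assume:
        findings.append("no Allow statement for sts:AssumeRole")
    for stmt in assume:
        for p in _principals(stmt.get("Principal")):
            if p == "*":
                findings.append("wildcard principal: any AWS identity may assume the role")
            elif p.endswith(":root"):
                # Trusting the account root lets every principal in that account deploy.
                findings.append(f"trusts every principal in account {p.split(':')[4]}; "
                                f"narrow to {admin_role_arn}")
            elif p != admin_role_arn:
                findings.append(f"unexpected principal {p}")
    return findings

# Constructed sample trust policies: the expected one, an over-broad account-root
# trust, and a wildcard trust.
EXPECTED = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
            "Principal": {"AWS": ADMIN_ROLE_ARN}, "Action": "sts:AssumeRole"}]}
ACCOUNT_ROOT = json.loads(json.dumps(EXPECTED))
ACCOUNT_ROOT["Statement"][0]["Principal"] = {"AWS": f"arn:aws:iam::{ADMIN_ACCOUNT_ID}:root"}
WILDCARD = {"Version": "2012-10-17", "Statement": {"Effect": "Allow", "Principal": "*",
            "Action": ["sts:AssumeRole"]}}

if __name__ == "__main__":
    for name, doc in [("expected", EXPECTED), ("account-root", ACCOUNT_ROOT), ("wildcard", WILDCARD)]:
        print(name, audit_execution_trust_policy(doc) or ["ok"])
```

The same check can be run against the trust policy returned by `aws iam get-role` for the execution role in each target account.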

StackSet Management Operations

  • Create StackSet → define template, parameters, targets, and preferences.
  • Update StackSet → changes are propagated to all stacks.
  • Delete StackSet → removes stacks from all accounts/regions.
  • Drift Detection → check if any target stacks differ from the template.