CloudFormation StackSets for Multi-Account
Complete the full lesson to earn 25 points
Work through each section, then tap “Mark as Complete” on the last one.
✦ Skip the page breaks and see fewer ads — read each lesson on a single page with Pro
Infrastructure as Code Fundamentals: CloudFormation StackSets
Introduction: Managing Infrastructure at Scale
In the early days of cloud computing, managing infrastructure often meant manually clicking through consoles or running local scripts for every individual environment. As organizations grow, they rarely stay within the confines of a single AWS account. Instead, they adopt a multi-account strategy—using separate accounts for development, testing, staging, and production—to enforce security boundaries, manage billing, and isolate workloads. While this provides excellent security and organization, it introduces a significant operational challenge: how do you ensure that your network configurations, identity policies, and monitoring agents are consistent across dozens or hundreds of accounts?
This is where AWS CloudFormation StackSets come into play. A StackSet is an extension of standard CloudFormation functionality that allows you to create, update, or delete stacks across multiple accounts and AWS regions with a single operation. Instead of manually deploying a template to each account individually, you define your infrastructure once and use the StackSet service to orchestrate the rollout across your entire organization. Understanding StackSets is essential for any platform engineer or cloud architect who needs to maintain configuration drift control and operational consistency in a modern, multi-account AWS environment.
Understanding the Core Components of StackSets
To master StackSets, you must first understand the relationship between the various entities involved. Unlike a standard CloudFormation stack, which lives within a single account and region, a StackSet is a container that manages the lifecycle of multiple stacks.
The Administrator Account
The administrator account is where you create and manage your StackSets. This is the account from which you initiate deployments. When you perform an operation—such as creating a new stack or updating an existing one—the request originates here. You typically designate your central management account (often the "Shared Services" or "Management" account in an AWS Organization) as the administrator.
The Target Accounts
Target accounts are the individual AWS accounts where the resources defined in your template will actually be deployed. These accounts can be members of an AWS Organization, or they can be individual accounts that you have explicitly authorized. When you deploy a StackSet, the administrator account assumes an IAM role in the target account to perform the necessary API calls to create the resources.
The Stack Instances
A stack instance is the link between a StackSet and a specific account/region combination. If you have a StackSet that deploys a resource to three accounts across two regions, you will have six stack instances. Each stack instance represents a discrete deployment of your template. By managing these instances, you can perform phased rollouts, targeting only a subset of accounts before pushing changes to the rest of your fleet.
Callout: Stack vs. StackSet A standard CloudFormation stack is a collection of resources managed as a single unit within one account and region. A StackSet is a higher-level orchestration tool that manages multiple stacks across multiple accounts and regions. While a stack is the "what" (the infrastructure), a StackSet is the "how" (the distribution mechanism for that infrastructure across your organization).
Prerequisites for Multi-Account Deployment
Before you can successfully use StackSets, you must configure the necessary IAM permissions. AWS provides two primary models for this: the Service-Managed model and the Self-Managed model.
Service-Managed Permissions
This is the recommended approach if you are using AWS Organizations. When you enable trusted access for CloudFormation in your AWS Organization, AWS automatically creates the necessary service-linked roles. This removes the burden of manually creating and managing IAM roles in every single account. This model is much easier to maintain as it automatically handles new accounts added to your organization.
Self-Managed Permissions
In the self-managed model, you are responsible for the trust relationship. You must create an IAM role in every target account that trusts the administrator account. This role must have permissions to create the resources defined in your templates. This approach is useful if you are not using AWS Organizations or if you have highly specific security requirements that prevent you from using the service-managed model.
Warning: IAM Roles If you choose the self-managed model, ensure that the execution role in your target accounts follows the principle of least privilege. Granting administrative access to the role used by the StackSet creates a significant security risk if the administrator account is compromised.
Step-by-Step: Deploying a Service-Managed StackSet
Let’s walk through the process of deploying a simple resource—an Amazon SNS topic—across multiple accounts in an organization. This example assumes you have already enabled AWS Organizations and trusted access for CloudFormation.
Step 1: Create the Template
First, write a standard CloudFormation template. Since this template will be deployed in many accounts, keep it generic.
AWSTemplateFormatVersion: '2010-09-09'
Description: 'A simple SNS topic for organizational alerts'
Resources:
AlertTopic:
Type: 'AWS::SNS::Topic'
Properties:
TopicName: 'OrganizationAlertTopic'
Step 2: Create the StackSet
Navigate to the CloudFormation console in your administrator account. Select "StackSets" from the left-hand menu and click "Create StackSet."
- Choose Template: Upload the YAML file created above.
- Specify Details: Give your StackSet a descriptive name and define any input parameters.
- Configure StackSet Options: Choose "Service-managed permissions." This is where you tell CloudFormation to use the organizational structure.
- Set Deployment Targets: Here, you can choose to deploy to the entire organization, specific organizational units (OUs), or specific accounts.
- Specify Regions: Select the AWS regions where you want the SNS topic to exist.
Step 3: Deployment Options
One of the most powerful features of StackSets is the ability to configure deployment behavior. You can set the "Maximum concurrent accounts" and "Failure tolerance."
- Failure Tolerance: This determines how many account/region deployments can fail before the entire operation stops. Setting this to 0 means the deployment will halt if even one instance fails.
- Maximum Concurrent Accounts: This limits how many deployments happen at once. If you are deploying to 50 accounts, setting this to 5 ensures you don't hit API rate limits or overwhelm the accounts.
Advanced Strategies: Managing Configuration Drift
One of the biggest risks in a multi-account environment is "drift," where someone manually changes a setting in one account, causing it to deviate from your infrastructure-as-code baseline. CloudFormation StackSets includes features to help you detect and manage this.
Drift Detection
You can run a "Detect Drift" operation on a StackSet. This compares the current state of the actual resources in all target accounts against the template you defined. If a resource has been modified, deleted, or if a new resource has been added manually, the StackSet will flag it.
Remediation
Once drift is detected, you have two primary ways to fix it:
- Manual Correction: You can manually revert the changes in the target account to match the template.
- Template Update: If the manual change was actually a desired improvement, you can update your StackSet template to reflect the new state. Once you deploy the update, the StackSet will bring all account resources back into compliance.
Note: Drift Detection Limitations Drift detection is powerful, but it does not automatically fix resources. It only alerts you to the discrepancy. You must still initiate the remediation process, either by updating your template or manually correcting the resource configuration.
Comparing Deployment Models: Service-Managed vs. Self-Managed
When planning your infrastructure strategy, choosing between these two models is a critical decision.
| Feature | Service-Managed | Self-Managed |
|---|---|---|
| AWS Organizations | Required | Not required |
| IAM Role Setup | Automated (Service-linked) | Manual (Custom roles) |
| New Account Handling | Automatic deployment | Manual deployment required |
| Complexity | Low | High |
| Flexibility | Standardized | Highly customizable |
If you are using AWS Organizations, the Service-Managed model is almost always the better choice. It drastically reduces the operational overhead of managing IAM roles across dozens of accounts.
Best Practices for StackSet Success
Operating at scale requires discipline. When using StackSets, follow these best practices to maintain a clean and manageable environment.
Use Parameters and Mappings
Never hardcode values that might change between accounts. Instead, use CloudFormation Parameters to pass in account-specific configuration. For example, if you are deploying a monitoring agent, use a parameter for the "Environment" tag so that your logs clearly show whether the data is coming from "Prod" or "Dev."
Regional Staging
Never deploy to all regions at once. Even if you think a template is perfect, start by deploying to a single region (e.g., us-east-1) in a single test account. Once you verify that the resources are created correctly and the functionality is as expected, expand your deployment to include your other target regions.
Version Control Your Templates
Your StackSet templates should reside in a version control system like Git. Treat your infrastructure code exactly like application code. Use pull requests to review changes to your templates. When you update a StackSet, you should have a clear audit trail showing who changed the template and why.
Monitor Deployment Status
CloudFormation provides a detailed "Operations" tab within the StackSet view. Monitor this during your deployments. If you see a high number of failures, pause the deployment and investigate the logs. Often, failures are due to existing resource naming conflicts or missing permissions in specific sub-accounts.
Common Pitfalls and How to Avoid Them
Even experienced engineers run into issues with StackSets. Being aware of these pitfalls can save you hours of debugging.
Naming Conflicts
If your template creates a resource with a hardcoded name (e.g., an S3 bucket named my-company-logs), the deployment will fail after the first account. CloudFormation attempts to create that bucket in every target account, but S3 bucket names must be globally unique. Always use dynamic naming or allow CloudFormation to generate unique names for you.
IAM Permissions Gaps
When using the self-managed model, it is common to forget to update the IAM role in a new account. If you add a new account to your organization but haven't deployed the necessary CloudFormation execution role, your StackSet will fail to deploy to that specific account. Always include the role creation as part of your "account vending" process (the process of creating and setting up a new account).
Service Quotas
AWS has limits on how many stacks you can have in an account and how many StackSets you can create. While these limits are generally high, they can become a factor in very large organizations. Check your service quotas periodically to ensure you are not approaching these limits.
Tip: The "StackSet-Local" Pattern If you have a resource that needs to be unique per account (like an IAM role) but also some resources that are global, consider splitting your templates. Use one StackSet for global or cross-account resources and another for account-specific resources. This modularity makes debugging much easier.
Advanced Scenario: Orchestrating Cross-Account Networking
One of the most complex tasks in a multi-account environment is managing a Virtual Private Cloud (VPC) network. Imagine you need to ensure that every VPC across your organization has a specific set of security groups or a VPC endpoint for private communication with S3.
Instead of manually configuring these in every VPC, you can use a StackSet. By defining the VPC endpoints in a template and deploying it via a StackSet to all accounts, you ensure that every developer has the same private connectivity to AWS services. If you need to update the endpoint policy, you simply update the StackSet template. CloudFormation will update the resource in every account simultaneously, ensuring that your security posture is consistent across the entire organization.
Integrating StackSets into CI/CD Pipelines
To truly "automate" your infrastructure, you should move away from the console and trigger your StackSet operations from a CI/CD pipeline. You can use the AWS CLI or SDKs to initiate StackSet updates.
Example: Updating a StackSet via CLI
You can update your StackSet using the following command:
aws cloudformation update-stack-set \
--stack-set-name MyOrganizationStackSet \
--template-body file://template.yaml \
--deployment-targets OrganizationalUnitIds='["ou-12345678"]' \
--regions '["us-east-1", "us-west-2"]'
By putting this command inside a GitHub Action or a GitLab CI runner, you ensure that every change to your infrastructure is automatically tested and deployed. This approach removes human error from the deployment process and provides a clear, automated audit trail for every infrastructure change.
Handling Deletions Carefully
Deleting a StackSet is a destructive operation. When you delete a StackSet, you have the option to delete all the associated stacks in the target accounts. If you choose this, the resources created by those stacks will be destroyed.
Always verify your selection before clicking "Delete." If you want to stop managing a specific account but keep the resources, you should remove the account from the StackSet's target list rather than deleting the StackSet itself. This "removes the stack instance" but leaves the resources intact in the target account.
Summary: The Power of Consistency
CloudFormation StackSets represent a shift in how we think about infrastructure. Instead of treating each account as a silo, we treat our entire organization as a single, manageable fleet. By defining your infrastructure in code and using StackSets to push those definitions across your accounts, you gain several key advantages:
- Operational Consistency: Every account has the same security policies, monitoring tools, and network configurations, reducing the "snowflake" account problem where every environment is unique and hard to debug.
- Scalability: Whether you have five accounts or five hundred, the effort required to manage your infrastructure remains relatively constant. You define the change once, and the service handles the distribution.
- Security Compliance: You can ensure that security guardrails, such as CloudTrail logging or IAM role boundaries, are applied uniformly across the entire organization, closing potential gaps that might appear if configuration were done manually.
- Faster Time-to-Market: By automating the deployment of foundational infrastructure, developers can focus on building applications rather than configuring the environment.
- Reduced Human Error: Removing manual clicks from the deployment process eliminates the risk of typos or missed steps that often lead to configuration issues.
- Centralized Governance: You maintain full visibility into the state of your infrastructure from a single management account, making it easier to audit and report on your environment.
- Drift Awareness: With built-in drift detection, you gain the ability to identify when your real-world infrastructure deviates from your intended design, allowing for proactive remediation.
Final Thoughts
Mastering CloudFormation StackSets is a journey toward operational maturity. Start small—perhaps with a simple resource like an SNS topic or an IAM role—and observe how the orchestration behaves. As you become more comfortable, expand the scope to more complex infrastructure like VPCs and security groups. Remember that the goal is not just to automate, but to create a system that is predictable, secure, and easy to manage as your organization continues to grow.
By adhering to the principles of Infrastructure as Code, keeping your templates modular, and integrating your deployments into CI/CD pipelines, you will transform your infrastructure from a collection of manual tasks into a robust, automated platform that supports the speed and scale of modern cloud development.
FAQ: Common Questions About StackSets
Q: Can I use StackSets without AWS Organizations? A: Yes, you can use the "Self-Managed" permissions model. However, you must manually manage the trust relationship and IAM roles in every target account.
Q: What happens if a StackSet deployment fails in one account? A: You can define the "Failure Tolerance" in the StackSet options. If the number of failures exceeds your threshold, the operation will stop. You can then investigate the failure, fix the issue in the specific account, and retry the operation.
Q: Can I update a StackSet without affecting all accounts? A: Yes. You can target specific organizational units (OUs) or accounts when you perform an update. This allows you to perform "canary" deployments where you update a few accounts first to ensure the template is valid before rolling it out to the rest of the organization.
Q: Is there a cost associated with using StackSets? A: There is no additional cost for the StackSet service itself. You only pay for the underlying resources created by the stacks (e.g., EC2 instances, S3 buckets, etc.) and any standard CloudFormation usage.
Q: How do I handle resources that already exist in an account? A: If you are trying to "import" existing resources into a StackSet, you can use the "Import resources into stack" feature. This allows you to bring manually created resources under the management of a CloudFormation stack, which can then be part of a StackSet deployment.
Enjoying the courses?
Everything stays free. Pro shows fewer ads, doubles your daily points limit so you progress twice as fast, and lets you read each lesson on one page.
- ✓ Fewer advertisements
- ✓ 2× daily points limit
- ✓ Distraction-free lessons