Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.
2.2.1.5. Applying CloudFormation StackSets Across Multiple Accounts and AWS Regions
StackSets deploy a single CloudFormation template to multiple AWS accounts and regions simultaneously — enforcing organizational standards at scale.
How StackSets work:
- Administrator account creates a StackSet with a template
- StackSet creates stack instances in target accounts/regions
- Each stack instance is a normal CloudFormation stack in the target account
- Updates to the StackSet propagate to all stack instances
Deployment options:
- Self-managed permissions: Create IAM roles manually in each account. More control, more setup.
- Service-managed permissions: Uses AWS Organizations. Supports automatic deployment to new accounts added to an OU.
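```bash
# Create the StackSet for a security baseline using service-managed permissions.
# Auto-deployment is on, so accounts later added to a targeted OU get the stack.
# This call only creates the StackSet; target OUs and regions are set when
# stack instances are created with create-stack-instances.
aws cloudformation create-stack-set \
  --stack-set-name SecurityBaseline \
  --template-url https://s3.amazonaws.com/templates/security.yml \
  --permission-model SERVICE_MANAGED \
  --auto-deployment Enabled=true,RetainStacksOnAccountRemoval=false
```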
Operational controls:
- MaxConcurrentPercentage: Percentage of accounts updated simultaneously (e.g., 25%)
- FailureTolerancePercentage: How many accounts can fail before the operation stops
- RegionConcurrencyType: SEQUENTIAL (one region at a time) or PARALLEL
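The operational controls above, worked through as an added example (not from the original page): the helpers turn the percentage settings into per-region account counts, and `deploy_baseline` passes them to `create-stack-instances` for an OU. The OU ID, regions and account counts are placeholders; the rounding rules and the concurrency cap reflect CloudFormation's documented behaviour under its default `STRICT_FAILURE_TOLERANCE` mode, which the page itself does not cover.

```bash
#!/usr/bin/env bash
# Added example, not from the original page. STACK_SET is the name used in the
# page's command; OU_ID and REGIONS are constructed placeholders.
STACK_SET="SecurityBaseline"
OU_ID="ou-EXAMPLE-PLACEHOLDER"      # placeholder: replace with the Security OU ID
REGIONS="us-east-1 eu-west-1"       # assumed target regions

# Accounts updated at once per region. Percentages round down, minimum 1.
max_concurrent() {                  # $1 = accounts in the OU, $2 = MaxConcurrentPercentage
  local n=$(( $1 * $2 / 100 ))
  if [ "$n" -lt 1 ]; then n=1; fi
  echo "$n"
}

# Failures tolerated per region before the operation stops (rounds down).
failure_tolerance() {               # $1 = accounts, $2 = FailureTolerancePercentage
  echo $(( $1 * $2 / 100 ))
}

# Starting concurrency under the default STRICT_FAILURE_TOLERANCE mode:
# the lower of max_concurrent and failure_tolerance + 1.
initial_concurrency() {             # $1 = accounts, $2 = max %, $3 = tolerance %
  local m t
  m=$(max_concurrent "$1" "$2")
  t=$(( $(failure_tolerance "$1" "$3") + 1 ))
  if [ "$t" -lt "$m" ]; then echo "$t"; else echo "$m"; fi
}

# Validate the values and emit the --operation-preferences shorthand.
operation_preferences() {           # $1 = max %, $2 = tolerance %, $3 = region mode
  case "$3" in SEQUENTIAL|PARALLEL) ;; *) return 1 ;; esac
  if [ "$1" -lt 1 ] || [ "$1" -gt 100 ] || [ "$2" -lt 0 ] || [ "$2" -gt 100 ]; then return 1; fi
  echo "RegionConcurrencyType=$3,MaxConcurrentPercentage=$1,FailureTolerancePercentage=$2"
}

# Create the stack instances in the OU; call this function to start the rollout.
deploy_baseline() {                 # $1 = max %, $2 = tolerance %, $3 = region mode
  local prefs
  prefs=$(operation_preferences "$1" "$2" "$3") || return 1
  # REGIONS is intentionally left unquoted so each region is a separate argument.
  aws cloudformation create-stack-instances \
    --stack-set-name "$STACK_SET" \
    --deployment-targets "OrganizationalUnitIds=$OU_ID" \
    --regions $REGIONS \
    --operation-preferences "$prefs"
}
```

With 40 accounts, 25% concurrency and 10% tolerance, the rollout starts at 5 accounts at a time rather than 10; with 0% tolerance it runs one account at a time.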
Exam Trap: StackSets with service-managed permissions require EnableAllFeatures in Organizations — not just consolidated billing. Also, the management account itself is not automatically included as a target — you must explicitly add it.

Written by Alvin Varughese • Founder • 15 professional certifications