This chapter covers AWS CloudFormation StackSets, a feature for deploying and managing infrastructure across multiple AWS accounts and regions from a single template. For the DVA-C02 exam, StackSets appear in questions about multi-account deployments, governance, and automation—typically 5-10% of the Deployment domain. You must understand how StackSets work, their permissions model, and common exam scenarios like updating stacks or handling failures.
Jump to a section
Imagine you are a regional manager for a chain of 50 coffee shops, each with its own local manager. You need to ensure every shop has the exact same espresso machine, signage, and safety equipment. Instead of visiting each shop individually, you create a master blueprint (the CloudFormation template) and hand it to a central deployment team. The team makes copies of the blueprint and sends one to each shop manager. Each manager then builds exactly what the blueprint specifies, using their own local inventory (the target account's resources). If you later update the blueprint to add a new pastry display, the central team distributes the updated blueprint to all shops. However, some shops may have local restrictions (e.g., health code variations) that prevent the update; the central team reports which shops succeeded and which failed. Crucially, the central team does not manage the shops' daily operations—they only handle the initial setup and updates based on your blueprint. This mirrors how AWS CloudFormation StackSets work: a StackSet is a collection of stacks deployed across multiple accounts and regions from a single template. The administrator account (the regional manager) creates the StackSet, and the service deploys stack instances (the individual stacks) into target accounts. Updates flow from the StackSet to all stack instances, and the service reports success/failure per account/region. StackSets do not manage ongoing resources inside the stacks—they only ensure the stacks themselves are created, updated, and deleted according to the template. This centralized management saves time and ensures consistency across a multi-account environment.
What are CloudFormation StackSets?
AWS CloudFormation StackSets extend the capabilities of CloudFormation stacks by allowing you to deploy a single template across multiple accounts and regions in a single operation. A StackSet is a container that holds a template and a set of parameters. From that container, the service creates stack instances—individual stacks—in specified target accounts and regions. The StackSet ensures that all stack instances are consistent with the template. When you update the StackSet, the service automatically updates all stack instances. This eliminates the need to manually run CloudFormation in each account or region or to use custom automation scripts.
Why StackSets Exist
In a multi-account AWS environment (e.g., using AWS Organizations), you often need to deploy baseline infrastructure—like AWS Config rules, VPCs, or IAM roles—across all accounts. Doing this manually is error-prone and time-consuming. StackSets provide a native, auditable, and scalable solution. They integrate with AWS Organizations to automatically deploy to accounts as they are added or removed. The exam tests your understanding of this use case: governance and compliance deployments at scale.
How StackSets Work Internally
A StackSet operates through the following mechanism:
Administrator Account: You create the StackSet in a single AWS account, known as the administrator account. This account owns the StackSet and is responsible for initiating operations.
Target Accounts: You specify one or more target accounts where stack instances will be deployed. These accounts must have the necessary permissions to allow the administrator account to create stacks on their behalf.
Regions: You specify one or more AWS regions per target account. A stack instance is created for each combination of target account and region.
Stack Instances: Each stack instance is a CloudFormation stack in a specific target account and region. It is linked to the StackSet. If you delete a stack instance, the underlying stack and its resources are deleted (by default).
Permissions: The administrator account uses a service-linked role or an IAM role to assume a role in the target account. This cross-account role must have permissions to create, update, and delete stacks. You can either use AWS Organizations trusted access (which simplifies permissions) or manually create IAM roles.
Operations: Operations on a StackSet (create, update, delete) are performed asynchronously. Each operation has an operation ID. You can monitor the status of individual stack instances via the AWS Management Console, CLI, or API.
Key Components, Values, Defaults, and Timers
- Administrator Account: The account that owns the StackSet. Cannot be a target account unless you explicitly include it.
- Target Accounts: Account IDs where stacks are deployed. You can use AWS Organizations to automatically include all current and future accounts.
- Regions: A list of region names (e.g., us-east-1, eu-west-1). Stack instances are created in each region for each target account.
- StackSet Name: Must be unique in the administrator account. Can contain alphanumeric characters and hyphens.
- Template: A CloudFormation template (JSON or YAML) stored locally, in an S3 bucket, or as an Amazon S3 URL.
- Parameters: Template parameters specific to the StackSet. You can override parameters per target account or region using parameter overrides.
- Execution Role Name: The name of the IAM role in the target account that the administrator account assumes. Default is AWSCloudFormationStackSetExecutionRole.
- Administration Role Name: The IAM role in the administrator account that grants permissions to assume the execution role. Default is AWSCloudFormationStackSetAdministrationRole.
- Operation Preferences:
- Failure Tolerance: The number of stack instance failures (absolute or percentage) that can occur before the operation stops. Default: 0.
- Max Concurrent Accounts: The maximum number of target accounts in which the operation is performed simultaneously. Default: 1.
- Region Concurrency: Can be SEQUENTIAL or PARALLEL. Default: SEQUENTIAL.
- Retain Stacks: When deleting a stack instance, you can choose to retain the stack and its resources. Default: delete.
- Stack Instance Status: CURRENT, OUTDATED, INOPERABLE, FAILED, DELETED, SUSPENDED.
- StackSet Status: ACTIVE, DELETED.
Configuration and Verification Commands
To create a StackSet using the AWS CLI:
aws cloudformation create-stack-set \
--stack-set-name my-stackset \
--template-body file://template.yaml \
--parameters ParameterKey=KeyPair,ParameterValue=my-key \
--capabilities CAPABILITY_NAMED_IAM \
--administration-role-arn arn:aws:iam::111111111111:role/AWSCloudFormationStackSetAdministrationRole \
--execution-role-name AWSCloudFormationStackSetExecutionRoleTo create stack instances:
aws cloudformation create-stack-instances \
--stack-set-name my-stackset \
--accounts 222222222222 333333333333 \
--regions us-east-1 eu-west-1To update a StackSet:
aws cloudformation update-stack-set \
--stack-set-name my-stackset \
--template-body file://new-template.yaml \
--parameters ParameterKey=KeyPair,UsePreviousValue=trueTo list stack instances:
aws cloudformation list-stack-instances \
--stack-set-name my-stacksetTo describe a stack instance:
aws cloudformation describe-stack-instance \
--stack-set-name my-stackset \
--stack-instance-account 222222222222 \
--stack-instance-region us-east-1Interaction with Related Technologies
AWS Organizations: StackSets can be integrated with Organizations to automatically deploy to all accounts in an organizational unit (OU) or the entire organization. When new accounts are added, StackSets can automatically deploy stack instances to them if you enable trusted access and set automatic deployment.
AWS Config: StackSets are commonly used to deploy AWS Config rules across accounts for compliance.
AWS Service Catalog: StackSets can deploy Service Catalog portfolios and products across accounts.
AWS CloudFormation Guard: You can use Guard policies to validate templates before deploying via StackSets.
AWS CloudTrail: All StackSet operations are logged in CloudTrail for auditing.
Exam-Relevant Details
StackSets support both self-managed permissions and service-managed permissions (via AWS Organizations). Service-managed is preferred for large-scale deployments.
When using service-managed permissions, you do not need to manually create IAM roles; the service creates and manages them automatically.
StackSets can deploy stack instances to up to 500 accounts per operation (soft limit, can be increased).
The maximum number of stack instances per StackSet is 2000.
StackSets support nested stacks, but the nested stacks are deployed within the same account and region as the parent stack instance.
You cannot use Fn::ImportValue across accounts within a StackSet; each stack instance is independent.
StackSets do not support Transform macros that require account-specific resources (e.g., AWS::Include).
If a stack instance fails to create, the StackSet operation continues based on failure tolerance. You can troubleshoot by looking at the individual stack events in the target account.
Deleting a StackSet does not automatically delete stack instances; you must delete them first or choose to retain.
StackSets support drift detection on individual stack instances, but not on the StackSet as a whole.
Common Pitfalls
Permissions: The most common issue is incorrect IAM roles. Ensure the administration role has sts:AssumeRole permission to the execution role in target accounts.
Service Limits: Exceeding the stack instance limit causes failures.
Template Size: The template size limit for StackSets is 51,200 bytes (same as for stacks). Use S3 for larger templates.
Parameter Overrides: Overriding parameters per account/region can be tricky; ensure you specify the correct account and region.
Stack Drift: Stack instances can drift from the StackSet template if someone manually modifies the stack resources. StackSets do not automatically correct drift; you must update the StackSet to realign.
Step-by-Step: Deploying a StackSet with Service-Managed Permissions
Enable Trusted Access: In the administrator account, enable trusted access for CloudFormation StackSets in AWS Organizations.
Create StackSet: Use the CLI or console to create a StackSet with service-managed permissions. Specify the template, parameters, and target OUs or accounts.
Deploy Stack Instances: The StackSet automatically deploys stack instances to all specified accounts and regions.
Monitor Deployments: Check the StackSet console or CLI for operation status. Investigate any failed stack instances.
Update StackSet: Modify the template or parameters and call update-stack-set. The service updates all stack instances.
Handle Failures: If an update fails, the StackSet marks the instance as OUTDATED. You can retry the operation on that instance.
Delete StackSet: First delete all stack instances (or retain them), then delete the StackSet.
Create StackSet with template
The administrator account initiates the creation of a StackSet. The template is uploaded or referenced via S3. Parameters are defined at the StackSet level. The service validates the template and creates the StackSet resource in the administrator account. At this point, no stack instances exist. The StackSet is in ACTIVE status. The IAM roles (administration and execution) must be in place. For service-managed permissions, the service creates these roles automatically.
Add stack instances to target accounts
The administrator specifies target accounts and regions. For each account-region pair, the service attempts to create a stack instance. It first assumes the execution role in the target account using the administration role. Then it creates a CloudFormation stack in that account and region using the template and parameters. The stack instance is linked to the StackSet. The service reports status per instance: CURRENT if successful, FAILED if not.
Monitor operation progress
The create-stack-instances operation returns an operation ID. You can describe the operation to see overall status and per-instance details. Use list-stack-instances to see all instances. Each instance has a status (e.g., CURRENT, OUTDATED). The operation respects failure tolerance and max concurrency settings. If failure tolerance is exceeded, the operation stops and marks remaining instances as not attempted.
Update StackSet template or parameters
When you call update-stack-set, the service compares the new template/parameters with the existing StackSet. It then updates all stack instances that have a status of CURRENT or OUTDATED. The update is performed by calling UpdateStack on each target stack. If a stack instance fails to update, its status changes to OUTDATED. You can later update that specific instance using update-stack-instances.
Delete stack instances and StackSet
To delete a StackSet, you must first delete all stack instances. You can choose to retain the stacks (keep resources) or delete them. Use delete-stack-instances with the retain-stacks flag. After all instances are deleted, call delete-stack-set. The StackSet is then removed. If you try to delete a StackSet that still has instances, the API returns an error.
Enterprise Scenario 1: Baseline Security Governance
A financial services company uses AWS Organizations with over 200 accounts. They need to enforce AWS Config rules for mandatory encryption across all accounts. They create a StackSet with a template that includes AWS Config rules for S3 bucket encryption, EBS volume encryption, and RDS encryption. Using service-managed permissions, they target the root OU so that all current and future accounts automatically get the rules. The StackSet is updated quarterly to add new rules. The team monitors stack instance statuses via CloudWatch Events. A common issue is that some accounts have service control policies (SCPs) that block creation of certain resources, causing stack instance failures. The team must troubleshoot by checking CloudTrail logs in the target accounts.
Enterprise Scenario 2: Multi-Region VPC Deployment
A global e-commerce company needs to deploy a standardized VPC with subnets, NAT gateways, and route tables in three regions (us-east-1, eu-west-1, ap-southeast-1) across 10 accounts. They use a StackSet with a template that takes parameters like VPC CIDR and subnet CIDRs. They create stack instances per account and region. To handle regional differences (e.g., different AMI IDs), they use parameter overrides at the region level. The StackSet ensures all VPCs are identical except for CIDR ranges. A problem arises when a new region is added: they must update the StackSet to include the new region and then create stack instances for all accounts in that region. They use automatic deployment via Organizations to simplify this.
Enterprise Scenario 3: Cross-Account IAM Roles
A consulting firm manages multiple client accounts. They need to deploy a set of IAM roles that allow their engineers to access resources. They create a StackSet with a template that defines IAM roles and policies. They target each client account individually. Since the roles require a trust policy that references the administrator account, they must ensure the execution role has permissions to create IAM roles. They use self-managed permissions and manually create the execution role in each target account. A common misconfiguration is forgetting to update the trust policy in the execution role when the administrator account changes. The StackSet deployment fails with access denied errors.
What DVA-C02 Tests on StackSets
The DVA-C02 exam covers StackSets under Deployment Domain Objective 3.2: 'Deploy and manage infrastructure using AWS CloudFormation.' Specific focus areas:
Understanding the difference between self-managed and service-managed permissions.
Knowing how to integrate StackSets with AWS Organizations for automatic deployment.
Recognizing the IAM roles required (administration role and execution role).
Handling stack instance failures and using operation preferences (failure tolerance, max concurrent accounts).
Scenarios where StackSets are the correct solution vs. other deployment methods (e.g., AWS CodePipeline, Terraform).
Common Wrong Answers and Why
'StackSets can deploy resources across accounts but not across regions.' This is false. StackSets deploy to multiple accounts and multiple regions per account. The exam may present a scenario where you need to deploy to multiple regions; StackSets are a valid choice.
'You must use AWS Organizations to use StackSets.' False. StackSets work without Organizations (self-managed), but Organizations simplifies automatic deployment. The exam may ask which is required; the answer is 'not required.'
'When you update a StackSet, all stack instances are updated immediately in parallel.' False. The update is parallel only if you set max concurrency appropriately. The default is 1 account at a time. The exam may test the default values.
'StackSets automatically roll back failed stack instances.' False. If a stack instance fails, it is marked as FAILED or OUTDATED. You must manually investigate and retry. There is no automatic rollback.
Specific Numbers and Terms
Default failure tolerance: 0.
Default max concurrent accounts: 1.
Maximum stack instances per StackSet: 2000.
Maximum accounts per operation: 500 (soft limit).
StackSet name: unique within the administrator account.
Execution role name: default AWSCloudFormationStackSetExecutionRole.
Administration role name: default AWSCloudFormationStackSetAdministrationRole.
Stack instance statuses: CURRENT, OUTDATED, INOPERABLE, FAILED, DELETED, SUSPENDED.
Edge Cases and Exceptions
StackSet deletion: You must delete all stack instances before deleting the StackSet. If you forget, the API returns an error. The exam may present a scenario where the developer tries to delete the StackSet without deleting instances.
Parameter overrides: You can override parameters per account and per region. If you override a parameter for a specific account, that stack instance uses the override, not the StackSet default. The exam may test that overrides are optional and can be applied at creation or update.
Drift detection: StackSets support drift detection on individual stack instances, but not on the StackSet itself. The exam may ask how to detect drift in a StackSet deployment; the correct answer is to use drift detection on each stack instance.
Service-managed permissions: When using Organizations, the service creates the necessary roles automatically. However, you must enable trusted access in the administrator account. The exam may ask for the prerequisite step.
How to Eliminate Wrong Answers
Always consider the scope: StackSets are for multi-account, multi-region deployments. If the question involves only one account, a regular stack or change set is likely the answer. If the question mentions automatic deployment to new accounts, think StackSets with Organizations. If the question mentions manual account management, think self-managed StackSets. Eliminate answers that suggest using CloudFormation without StackSets for multi-account scenarios, as that would require custom scripting.
StackSets allow you to deploy a single CloudFormation template across multiple accounts and regions.
You must set up IAM roles: an administration role in the administrator account and an execution role in each target account.
Service-managed permissions with AWS Organizations automate role creation and account discovery.
Default failure tolerance is 0; default max concurrent accounts is 1.
Maximum stack instances per StackSet is 2000; maximum accounts per operation is 500 (soft limit).
Stack instances have statuses: CURRENT, OUTDATED, INOPERABLE, FAILED, DELETED, SUSPENDED.
You cannot delete a StackSet until all stack instances are deleted.
StackSets do not support cross-account Fn::ImportValue; each stack instance is independent.
Parameter overrides can be applied per account and per region.
Drift detection is available per stack instance, not on the StackSet as a whole.
These come up on the exam all the time. Here's how to tell them apart.
CloudFormation StackSets
Native CloudFormation feature; no additional setup beyond IAM roles.
Designed specifically for multi-account, multi-region deployments from a single template.
Integrates with AWS Organizations for automatic account discovery.
Supports failure tolerance and concurrency control per operation.
Best for static, infrequently updated infrastructure (e.g., baseline governance rules).
AWS CodePipeline with Cross-Account Deployments
Requires setting up pipelines, stages, and cross-account actions.
More flexible for complex CI/CD workflows with multiple source stages.
Can deploy using CloudFormation, but also supports other deployment tools.
Provides more granular control over deployment order and approvals.
Better for application deployments that change frequently and need testing gates.
Mistake
StackSets can deploy to any AWS account without any setup.
Correct
You must either set up IAM roles manually (self-managed) or enable trusted access with AWS Organizations (service-managed). Without proper permissions, deployment fails.
Mistake
Updating a StackSet automatically updates all stack instances in parallel.
Correct
By default, updates are performed sequentially (one account at a time). You must set max concurrent accounts to a higher value for parallel updates.
Mistake
StackSets support cross-account resource references using Fn::ImportValue.
Correct
Fn::ImportValue works only within the same account. Stack instances in different accounts cannot import values from each other. Use cross-account parameters or Systems Manager Parameter Store.
Mistake
Deleting a StackSet deletes all stack instances and their resources.
Correct
Deleting a StackSet fails if stack instances exist. You must first delete stack instances (with or without retaining resources). The StackSet itself is only a container.
Mistake
StackSets can be used to deploy resources in the administrator account.
Correct
Yes, you can include the administrator account as a target account. However, you must ensure the execution role exists in that account as well.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
Self-managed permissions require you to manually create IAM roles (administration role in the administrator account and execution role in each target account). Service-managed permissions use AWS Organizations to automatically create and manage these roles. Service-managed is simpler and recommended when using Organizations, as it also enables automatic deployment to new accounts.
Yes, you can include the administrator account as a target account. However, you must ensure the execution role exists in that account. For service-managed permissions, the service creates the role automatically in the administrator account as well.
You can update specific stack instances using the update-stack-instances command. This allows you to target particular accounts and regions. Alternatively, you can update the StackSet and then use operation preferences to limit concurrency or failure tolerance.
The stack instance is marked as FAILED. The overall operation continues based on the failure tolerance setting. You can investigate the failure by looking at the stack events in the target account. After fixing the issue, you can retry the operation on that instance using create-stack-instances again (if not created) or update-stack-instances.
Yes, you can use Guard policies to validate templates before deploying them via StackSets. However, Guard policies are applied at the template level, not per stack instance. You must ensure the template passes Guard rules before creating or updating the StackSet.
First, delete all stack instances using delete-stack-instances. You can choose to retain the stacks (keep resources) or delete them. After all instances are deleted, call delete-stack-set. The StackSet is then removed.
The default execution role name is 'AWSCloudFormationStackSetExecutionRole'. The default administration role name is 'AWSCloudFormationStackSetAdministrationRole'. You can customize these names when creating the StackSet.
You've just covered CloudFormation StackSets for Multi-Account — now see how well it sticks with free DVA-C02 practice questions. Full explanations included, no account needed.
Done with this chapter?