A company is using AWS Organizations with multiple accounts. The central IT team wants to deploy a set of common VPCs in each account using AWS CloudFormation StackSets. The StackSets must be managed from the management account. Which THREE permissions are required for the StackSets to successfully deploy stacks into member accounts?
Trap 1: The management account must have an AWS Organizations SCP that…
SCPs are not required for StackSets; the permissions that matter are the IAM roles CloudFormation assumes. An SCP only matters as a possible blocker: if the member account's OU has an SCP that denies cloudformation:* or the ec2:* actions the template needs, the stack instance fails regardless of the roles, but no SCP is ever needed to grant access.
Trap 2: Each member account must have a self-managed IAM role named…
Self-managed roles are not required; with service-managed permissions (trusted access for StackSets enabled in AWS Organizations) CloudFormation creates the roles it needs in the member accounts automatically.
- A
The management account must have an IAM role (StackSetsAdminRole; AWS's default name for it is AWSCloudFormationStackSetAdministrationRole) with permissions to create stack instances in member accounts.
This is the administration role: its trust policy lets cloudformation.amazonaws.com assume it, and its permissions policy lets it call sts:AssumeRole on the execution role in every member account.
- B
The management account must have an AWS Organizations SCP that allows CloudFormation StackSets operations.
Why wrong: SCPs are not required for StackSets; the necessary permissions are handled by IAM.
- C
The execution role in member accounts must have permissions to create the resources defined in the CloudFormation template (e.g., VPC, subnets).
The execution role is the identity that actually creates the resources, so it needs every action the template uses (here ec2:CreateVpc, ec2:CreateSubnet and related actions) plus CloudFormation itself; a missing action fails the stack instance in that account with an access-denied error in the stack events.
- D
Each member account must have a self-managed IAM role named 'AWSCloudFormationStackSetExecutionRole' with a trust policy allowing the management account to assume it.
Why wrong: Self-managed roles are not required; StackSets can use service-managed permissions, under which CloudFormation creates the roles it needs in member accounts automatically. Note that options A and E describe the self-managed model; if that model is chosen, the execution role in each member account is exactly the one this option names.
- E
The management account must have permission to assume the execution role in member accounts (via IAM trust policy).
The execution role's trust policy must name the administration role (or the management account) as a principal; without that trust, sts:AssumeRole from the management account fails and no stack instance is ever created in that member account.
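The three correct options (A, C and E) describe one chain of IAM trust and permissions. The following is an added example, not code from the original question or from AWS: it writes out the self-managed StackSets policy documents using AWS's default role names and runs a small local linter over them that checks the chain links up. The account IDs are constructed, and the checker is a simplification (no conditions, no NotAction, no resource-based policies) meant to catch the usual misconfigurations, not to reproduce IAM's full evaluation.

```python
from fnmatch import fnmatchcase

MGMT_ACCOUNT = "111111111111"    # constructed example account IDs
MEMBER_ACCOUNT = "222222222222"
ADMIN_ROLE = "AWSCloudFormationStackSetAdministrationRole"  # AWS default names
EXEC_ROLE = "AWSCloudFormationStackSetExecutionRole"

# Management account: the CloudFormation service may assume the admin role.
ADMIN_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"Service": "cloudformation.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
}
# Management account (option A): the admin role may assume the execution role anywhere.
ADMIN_PERMS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                   "Resource": f"arn:aws:iam::*:role/{EXEC_ROLE}"}],
}
# Member account (option E): the execution role trusts the management account's admin role.
EXEC_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"AWS": f"arn:aws:iam::{MGMT_ACCOUNT}:role/{ADMIN_ROLE}"},
                   "Action": "sts:AssumeRole"}],
}
# Member account (option C): what the VPC template needs, plus CloudFormation itself.
EXEC_PERMS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["cloudformation:*", "ec2:*"],
                   "Resource": "*"}],
}
# Constructed misconfiguration: the trust policy names the wrong account.
BROKEN_EXEC_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::333333333333:root"},
                   "Action": "sts:AssumeRole"}],
}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _match(pattern, value):
    # IAM matches '*' and '?' wildcards; actions are case-insensitive, so compare lowercased.
    return fnmatchcase(value.lower(), pattern.lower())


def allows(policy, action, resource="*"):
    """Explicit Deny wins; otherwise any matching Allow grants. Conditions are ignored."""
    decision = False
    for st in _as_list(policy["Statement"]):
        act_ok = any(_match(a, action) for a in _as_list(st.get("Action", [])))
        res_ok = any(_match(r, resource) for r in _as_list(st.get("Resource", "*")))
        if act_ok and res_ok:
            if st["Effect"] == "Deny":
                return False
            decision = True
    return decision


def trusts(trust_policy, principal_type, principal, action="sts:AssumeRole"):
    """True if the trust policy lets `principal` (a role ARN or service name) call `action`.
    An account root principal ("arn:aws:iam::ACCOUNT:root") covers every role in that account."""
    for st in _as_list(trust_policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        if not any(_match(a, action) for a in _as_list(st.get("Action", []))):
            continue
        for p in _as_list(st.get("Principal", {}).get(principal_type, [])):
            if p.endswith(":root") and principal.startswith(p[: -len("root")]):
                return True
            if _match(p, principal):
                return True
    return False


def check_chain(admin_trust, admin_perms, exec_trust, exec_perms,
                mgmt=MGMT_ACCOUNT, member=MEMBER_ACCOUNT,
                admin_role=ADMIN_ROLE, exec_role=EXEC_ROLE,
                required=("cloudformation:CreateStack", "ec2:CreateVpc", "ec2:CreateSubnet")):
    """Return the list of broken links in the StackSets permission chain; empty means OK."""
    problems = []
    admin_arn = f"arn:aws:iam::{mgmt}:role/{admin_role}"
    exec_arn = f"arn:aws:iam::{member}:role/{exec_role}"
    if not trusts(admin_trust, "Service", "cloudformation.amazonaws.com"):
        problems.append("admin role: cloudformation.amazonaws.com cannot assume it")
    if not allows(admin_perms, "sts:AssumeRole", exec_arn):          # option A
        problems.append(f"admin role: no sts:AssumeRole on {exec_arn}")
    if not trusts(exec_trust, "AWS", admin_arn):                      # option E
        problems.append(f"execution role: trust policy does not trust {admin_arn}")
    for action in required:                                           # option C
        if not allows(exec_perms, action):
            problems.append(f"execution role: missing {action}")
    return problems


if __name__ == "__main__":
    print("good chain:", check_chain(ADMIN_TRUST, ADMIN_PERMS, EXEC_TRUST, EXEC_PERMS))
    print("broken trust:", check_chain(ADMIN_TRUST, ADMIN_PERMS, BROKEN_EXEC_TRUST, EXEC_PERMS))
```

Run it against policies exported with `aws iam get-role` and `aws iam get-role-policy` from the two accounts to see which of the three links is missing before retrying a failed stack instance; the broken example reproduces the most common failure, a trust policy that names the wrong account, which surfaces in AWS only as an AssumeRole access-denied error on the stack instance.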