AWS Cloud Operations Blog
CloudFormation StackSets delegated administration
If you are using AWS CloudFormation StackSets, you have to manage your stack sets from the AWS Organizations management account. According to best practice, the management account should be used only for tasks that require it. Until today, you had to use the management account to manage your AWS CloudFormation stack sets. To help limit the use of the management account, the CloudFormation team is excited to announce that you can now delegate StackSets administration to member accounts in your organization created in AWS Organizations.
When you delegate StackSets administration to a member account in the organization, that account can manage and deploy stack sets for the entire organization or organizational unit (OU).
In this blog post, I will describe the process of delegating StackSets administration to an account in your organization. We will configure a member account in our organization to administer StackSets for the organization.
Prerequisites
To use the delegated administration feature, you need credentials for the management account for your organization (created in AWS Organizations) and the member account you are delegating administration to.
Follow the steps in the AWS CloudFormation User Guide to enable trusted access with AWS Organizations.
Delegate to an account
In your organization management account, browse to the CloudFormation StackSets page. You should see the following details:
Figure 1: Delegated administrators
To register a delegated administrator, enter the account ID that you want to delegate to. This account must be in your organization. Currently, you can delegate administration to up to five member accounts. In Figure 2, you’ll see that the account you are delegating to can administer StackSets for the entire organization or for a specific OU.
Figure 2: Register delegated administrator
Now when you sign in to the member account that you delegated to, you should see a section for service-managed StackSets, which are stack sets that use the service-managed permission model to deploy to an entire organization or OU. You can manage StackSets from this view as you would from the management account. Because you can see all other service-managed StackSets inside the entire organization, you can easily move from the management account to a member account.
Figure 3: Service-managed StackSets
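The same steps done from the AWS CLI instead of the console, as an added example that is not code from the post: enable trusted access, check the five-delegate cap, and register the member account. The service principals and `aws organizations` commands are those of AWS Organizations; the account ID is a placeholder and `DRY_RUN` is a helper variable assumed here.

```shell
#!/bin/sh
# Added example (not from the post): delegate StackSets administration with the
# AWS CLI. Run with management-account credentials. DRY_RUN=1 prints the AWS
# commands instead of executing them (helper variable assumed here).

# Service principals used by AWS Organizations for CloudFormation StackSets.
STACKSETS_TRUSTED_ACCESS="stacksets.cloudformation.amazonaws.com"
STACKSETS_DELEGATED_ADMIN="member.org.stacksets.cloudformation.amazonaws.com"
MAX_DELEGATES=5   # cap stated in the post

# Echo the command under DRY_RUN, otherwise execute it.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then echo "+ $*"; else "$@"; fi
}

# AWS account IDs are exactly 12 digits; refuse anything else before the API call.
valid_account_id() {
  case "$1" in
    [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

# True when registering one more delegate stays within the limit.
under_delegate_limit() {
  [ "$1" -lt "$MAX_DELEGATES" ]
}

# Number of accounts already delegated for StackSets.
current_delegate_count() {
  aws organizations list-delegated-administrators \
    --service-principal "$STACKSETS_DELEGATED_ADMIN" \
    --query 'length(DelegatedAdministrators)' --output text
}

# Step 1: enable trusted access; step 2: register the member account.
register_stacksets_delegate() {
  account_id="$1"
  valid_account_id "$account_id" || { echo "invalid account ID: $account_id" >&2; return 1; }
  if [ "${DRY_RUN:-0}" != "1" ]; then
    count=$(current_delegate_count)
    under_delegate_limit "$count" || { echo "$count delegates already registered (limit $MAX_DELEGATES)" >&2; return 1; }
  fi
  run aws organizations enable-aws-service-access \
    --service-principal "$STACKSETS_TRUSTED_ACCESS"
  run aws organizations register-delegated-administrator \
    --service-principal "$STACKSETS_DELEGATED_ADMIN" --account-id "$account_id"
}

# Usage (placeholder account ID): register_stacksets_delegate 123456789012
```

After registering, `aws organizations list-delegated-administrators --service-principal member.org.stacksets.cloudformation.amazonaws.com` from the management account shows which accounts now hold StackSets administration, which is the list worth reviewing periodically.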
Conclusion
StackSets delegated administration makes it possible for you to transition StackSets management to a member account inside your organization. This allows you to follow the best practice of granting least privilege, which limits the exposure of your AWS Organizations management account. For more information about the delegated administration feature, see the AWS CloudFormation User Guide.