Activate trusted access for stack sets with Organizations - Amazon CloudFormation
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

This topic provides instructions on how to activate trusted access with Amazon Organizations, which is required by StackSets to deploy across accounts and Amazon Web Services Regions using service-managed permissions. To use self-managed permissions, see Grant self-managed permissions instead.

Before you create a stack set with service-managed permissions, you must first complete the following tasks:

  • Enable all features in Amazon Organizations. With only consolidated billing features enabled, you cannot create a stack set with service-managed permissions.

  • Activate trusted access with Amazon Organizations. After trusted access is activated, StackSets creates the necessary IAM roles in the organization's management account and target (member) accounts when you create stack sets with service-managed permissions.

    Note

    The IAM service-linked role created in the management account has the suffix CloudFormationStackSetsOrgAdmin. You can modify or delete this role only if trusted access with Amazon Organizations is deactivated. The IAM service-linked role created in each target account has the suffix CloudFormationStackSetsOrgMember. You can modify or delete this role only if trusted access with Amazon Organizations is deactivated, or if the account is removed from the target organization or organizational unit (OU).

Only an account administrator in the management account has permissions to activate trusted access. An administrator user is an IAM user with full permissions to your Amazon account. For more information, see IAM best practices and Creating your first IAM admin user and group in the IAM User Guide.

With trusted access activated, the management account and delegated administrator accounts can create and manage service-managed stack sets for their organization.

Note

Activating trusted access with Amazon Organizations for Amazon CloudFormation StackSets isn't currently supported in the China Beijing and Ningxia Regions.

To activate trusted access in the Create StackSet wizard

See Create a stack set with service-managed permissions.

To activate trusted access using the Amazon CloudFormation console

  1. Sign in to Amazon as an administrator of the management account and open the Amazon CloudFormation console at https://console.amazonaws.cn/.

  2. From the navigation pane, choose StackSets. If trusted access is deactivated, a banner displays that prompts you to activate trusted access.

    Activate trusted access banner.

  3. Choose Activate trusted access.

    Trusted access is successfully activated when the following banner displays.

    Trusted access is successfully activated banner.

    Note

    Activate Organizations Access is the same as Enable Organizations Access, and Deactivate Organizations Access is the same as Disable Organizations Access. These terms have been updated based on marketing guidelines.

To activate trusted access in the Trusted access for Amazon services page of the Amazon Organizations console

See Amazon CloudFormation StackSets and Amazon Organizations in the Amazon Organizations User Guide.

To deactivate trusted access

See Amazon CloudFormation StackSets and Amazon Organizations in the Amazon Organizations User Guide.

Before you can deactivate trusted access with Amazon Organizations, you must deregister all delegated administrators. For more information, see Register a delegated administrator.
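The two prerequisites listed at the top of this page (all features enabled in Organizations, trusted access activated) and the deactivation constraint above (no delegated administrators still registered) can be checked from the management account with the Organizations and CloudFormation APIs. The following is an added example, not code from the Amazon documentation; the service principal names and response shapes are assumed to match the standard partition, and the sample responses are constructed for offline use.

```python
"""Preflight check for service-managed StackSets (added example, not AWS code)."""
from __future__ import annotations

# Assumed principals (standard-partition values; confirm them for your partition).
STACKSETS_PRINCIPAL = "stacksets.cloudformation.amazonaws.com"
DELEGATED_ADMIN_PRINCIPAL = "member.org.stacksets.cloudformation.amazonaws.com"

# Constructed sample API responses, shaped like DescribeOrganization,
# DescribeOrganizationsAccess and ListDelegatedAdministrators output.
SAMPLE_ORG_ALL = {"Organization": {"Id": "o-example", "FeatureSet": "ALL"}}
SAMPLE_ORG_BILLING = {"Organization": {"Id": "o-example", "FeatureSet": "CONSOLIDATED_BILLING"}}
SAMPLE_ACCESS_ENABLED = {"Status": "ENABLED"}
SAMPLE_ACCESS_DISABLED = {"Status": "DISABLED"}
SAMPLE_ADMINS = {"DelegatedAdministrators": [{"Id": "111111111111", "Status": "ACTIVE"}]}


def all_features_enabled(describe_org: dict) -> bool:
    """Only FeatureSet ALL allows service-managed permissions; consolidated billing does not."""
    return describe_org.get("Organization", {}).get("FeatureSet") == "ALL"


def trusted_access_active(describe_access: dict) -> bool:
    """DescribeOrganizationsAccess reports ENABLED once trusted access is activated."""
    return describe_access.get("Status") == "ENABLED"


def stackset_readiness(describe_org: dict, describe_access: dict) -> list[str]:
    """Return the unmet prerequisites for a service-managed stack set (empty means ready)."""
    problems = []
    if not all_features_enabled(describe_org):
        problems.append("enable all features in Organizations")
    if not trusted_access_active(describe_access):
        problems.append("activate trusted access for StackSets")
    return problems


def can_deactivate(list_delegated_admins: dict) -> bool:
    """Deactivation is blocked while any delegated administrator remains registered."""
    return not list_delegated_admins.get("DelegatedAdministrators")


def main() -> None:
    import boto3  # imported lazily so the pure checks above run without credentials
    org, cfn = boto3.client("organizations"), boto3.client("cloudformation")
    problems = stackset_readiness(org.describe_organization(),
                                  cfn.describe_organizations_access(CallAs="SELF"))
    admins = org.list_delegated_administrators(ServicePrincipal=DELEGATED_ADMIN_PRINCIPAL)
    print("ready" if not problems else "not ready: " + "; ".join(problems))
    print("safe to deactivate" if can_deactivate(admins) else "deregister delegated administrators first")


if __name__ == "__main__":
    main()
```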

For more information about managing trusted access with APIs, see: