Prerequisites for stack set operations - Amazon CloudFormation
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Prerequisites for stack set operations

Because stack sets perform stack operations across multiple accounts, before you can create your first stack set you need the necessary permissions defined in your Amazon accounts.

To set up the required permissions for creating a stack set with self-managed permissions, see Performing stack set operations involving regions that are disabled by default and Grant self-managed permissions.

To set up the required permissions for creating a stack set with service-managed permissions, see Performing stack set operations involving regions that are disabled by default and Activate trusted access with Amazon Organizations.

Note

Activating trusted access with Amazon Organizations for Amazon CloudFormation StackSets isn't currently supported in the China Beijing and Ningxia Regions.

Performing stack set operations involving regions that are disabled by default

Amazon Web Services Regions introduced after March 20, 2019, such as Asia Pacific (Hong Kong), are disabled by default. You must enable these Regions for your account(s) before you can use them. Because of this, consider the following before performing stack set operations involving accounts in Regions that are disabled by default:

  • To create a stack set from a stack set's administrator account (if using self-managed permissions) or organization's management account (if using service-managed permissions) in a Region that is disabled by default, you must first enable that Region for the administrator or management account.

  • For Amazon CloudFormation to successfully create or update a stack instance:

    • The target account must reside in a Region that's currently enabled for that target account.

    • The stack set's administrator account or organization's management account must have the same Region enabled as the target account.
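The Region rules listed above can be checked before a stack set operation is started. The following is an added example, not code from the Amazon documentation: it assumes you have saved the JSON output of `aws ec2 describe-regions --all-regions` from the administrator (or management) account and from each target account. The account IDs and sample data are constructed, and the function names are hypothetical.

```python
import json

# OptInStatus values in `describe-regions` output that mean the Region is usable
ENABLED = {"opt-in-not-required", "opted-in"}

def enabled_regions(describe_regions_json):
    """Return the set of Region names an account can currently use."""
    doc = json.loads(describe_regions_json)
    return {r["RegionName"] for r in doc["Regions"] if r.get("OptInStatus") in ENABLED}

def preflight(admin_json, targets_json, wanted_regions):
    """Split (account, Region) pairs into deployable ones and blockers.

    admin_json   -- describe-regions output of the administrator/management account
    targets_json -- {account_id: describe-regions output} for each target account
    """
    admin = enabled_regions(admin_json)
    ok, blocked = [], []
    for account in sorted(targets_json):
        target = enabled_regions(targets_json[account])
        for region in wanted_regions:
            reasons = []
            if region not in admin:
                reasons.append("disabled in administrator account")
            if region not in target:
                reasons.append("disabled in target account")
            if reasons:
                blocked.append((account, region, reasons))
            else:
                ok.append((account, region))
    return ok, blocked

def sample(statuses):
    # Constructed sample shaped like describe-regions output
    return json.dumps({"Regions": [{"RegionName": n, "OptInStatus": s}
                                   for n, s in statuses.items()]})

# ap-east-1 is Asia Pacific (Hong Kong), a Region that is disabled by default
ADMIN = sample({"us-east-1": "opt-in-not-required", "ap-east-1": "opted-in"})
TARGETS = {
    "111111111111": sample({"us-east-1": "opt-in-not-required", "ap-east-1": "opted-in"}),
    "222222222222": sample({"us-east-1": "opt-in-not-required", "ap-east-1": "not-opted-in"}),
}

if __name__ == "__main__":
    ok, blocked = preflight(ADMIN, TARGETS, ["us-east-1", "ap-east-1"])
    for account, region in ok:
        print(f"OK       {account} {region}")
    for account, region, reasons in blocked:
        print(f"BLOCKED  {account} {region}: {'; '.join(reasons)}")
```
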

Important

Be aware that during stack set operations, administrator and target accounts exchange metadata regarding the accounts themselves, in addition to the stack set and stack set instances involved.

In addition, if you deactivate a Region that contains an account in which stack set instances reside, you are responsible for deleting any such instances or resources, if desired. Be aware also that metadata regarding the target account in the disabled Region will be retained in the administrator account.

For more information about enabling and disabling Regions, see Managing Amazon Regions in the Amazon General Reference.