# Amazon CloudFormation StackSets and Amazon Organizations
<a name="services-that-can-integrate-cloudformation"></a>

Amazon CloudFormation StackSets enables you to create, update, or delete stacks across multiple Amazon Web Services accounts and Amazon Web Services Regions with a single operation. StackSets integration with Amazon Organizations enables you to create stack sets with service-managed permissions, using a service-linked role that has the relevant permission in each member account. This lets you deploy stack instances to member accounts in your organization. You don't have to create the necessary Amazon Identity and Access Management roles; StackSets creates the IAM role in each member account on your behalf.

You can also choose to enable automatic deployments to accounts that are added to your organization in the future. With auto deployment enabled, roles and deployment of associated stack set instances are automatically added to all accounts added in the future to that OU.

With trusted access between StackSets and Organizations enabled, the management account has permissions to create and manage stack sets for your organization. The management account can register up to five member accounts as delegated administrators. With trusted access enabled, delegated administrators also have permissions to create and manage stack sets for your organization. Stack sets with service-managed permissions are created in the management account, including stack sets that are created by delegated administrators.

**Important**  
Delegated administrators have full permissions to deploy to accounts in your organization. The management account cannot limit delegated administrator permissions to deploy to specific OUs or to perform specific stack set operations.

 For more information about integrating StackSets with Organizations, see [Working with Amazon CloudFormation StackSets](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/what-is-cfnstacksets.html) in the *Amazon CloudFormation User Guide*.

Use the following information to help you integrate Amazon CloudFormation StackSets with Amazon Organizations.



## Service-linked roles created when you enable integration
<a name="integrate-enable-slr-cloudformation"></a>

The following [service-linked role](https://docs.amazonaws.cn/IAM/latest/UserGuide/using-service-linked-roles.html) is automatically created in your organization's management account when you enable trusted access. This role allows Amazon CloudFormation Stacksets to perform supported operations within your organization's accounts in your organization.

You can delete or modify this role only if you disable trusted access between Amazon CloudFormation Stacksets and Organizations, or if you remove the member account from the organization.
+ Management account: `AWSServiceRoleForCloudFormationStackSetsOrgAdmin`

To create the service-linked role `AWSServiceRoleForCloudFormationStackSetsOrgMember` for the member accounts in your organization, you need to create a stack set in the management account first. This creates a stack set instance, which then creates the role in the member accounts.
+ Member accounts: `AWSServiceRoleForCloudFormationStackSetsOrgMember`

For more details about creating stack sets, see [Working with Amazon CloudFormation StackSets](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/what-is-cfnstacksets.html) in the *Amazon CloudFormation User Guide*.

## Service principals used by the service-linked roles
<a name="integrate-enable-svcprin-cloudformation"></a>

The service-linked role in the previous section can be assumed only by the service principals authorized by the trust relationships defined for the role. The service-linked roles used by Amazon CloudFormation Stacksets grant access to the following service principals:
+ Management account: `stacksets.cloudformation.amazonaws.com`

  You can modify or delete this role only if you disabled trusted access between StackSets and Organizations.
+ Member accounts: `member.org.stacksets.cloudformation.amazonaws.com`

  You can modify or delete this role from an account only if you first disable trusted access between StackSets and Organizations, or if you first remove the account from the target organization or organizational unit (OU).

## Enabling trusted access with Amazon CloudFormation Stacksets
<a name="integrate-enable-ta-cloudformation"></a>

For information about the permissions needed to enable trusted access, see [Permissions required to enable trusted access](orgs_integrate_services.md#orgs_trusted_access_perms).

Only an administrator in the Organizations management account has permissions to enable trusted access with another Amazon service. You can enable trusted access using either the Amazon CloudFormation console or the Organizations console.

You can only enable trusted access using Amazon CloudFormation StackSets.

To enable trusted access using the Amazon CloudFormation Stacksets console, see [Enable Trusted Access with Amazon Organizations](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/stacksets-orgs-enable-trusted-access.html) in the Amazon CloudFormation User Guide.

## Disabling trusted access with Amazon CloudFormation Stacksets
<a name="integrate-disable-ta-cloudformation"></a>

For information about the permissions needed to disable trusted access, see [Permissions required to disable trusted access](orgs_integrate_services.md#orgs_trusted_access_disable_perms).

Only an administrator in an Organizations management account has permissions to disable trusted access with another Amazon service. You can disable trusted access only by using the Organizations console. If you disable trusted access with Organizations while you are using StackSets, all previously created stack instances are retained. However, stack sets deployed using the service-linked role's permissions can no longer perform deployments to accounts managed by Organizations. 

You can disable trusted access using either the Amazon CloudFormation console or the Organizations console.

**Important**  
If you disable trusted access programmatically (e.g with Amazon CLI or with an API), be aware that this will remove the permission. It is better to disable trusted access with the Amazon CloudFormation console. 

You can disable trusted access by using either the Amazon Organizations console, by running an Organizations Amazon CLI command, or by calling an Organizations API operation in one of the Amazon SDKs.

------
#### [ Amazon Web Services Management Console ]

**To disable trusted service access using the Organizations console**

1. Sign in to the [Amazon Organizations console](https://console.amazonaws.cn/organizations/v2). You must sign in as an IAM user, assume an IAM role, or sign in as the root user ([not recommended](https://docs.amazonaws.cn/IAM/latest/UserGuide/best-practices.html#lock-away-credentials)) in the organization’s management account.

1. In the navigation pane, choose **Services**.

1. Choose **Amazon CloudFormation StackSets** in the list of services.

1. Choose **Disable trusted access**.

1. In the **Disable trusted access for Amazon CloudFormation StackSets** dialog box, type **disable** to confirm, and then choose **Disable trusted access**.

1. If you are the administrator of only Amazon Organizations, tell the administrator of Amazon CloudFormation StackSets that they can now disable that service from working with Amazon Organizations using the service console or tools .

------
#### [ Amazon CLI, Amazon API ]

**To disable trusted service access using the Organizations CLI/SDK**  
You can use the following Amazon CLI commands or API operations to disable trusted service access:
+ Amazon CLI: [disable-aws-service-access](https://docs.amazonaws.cn/cli/latest/reference/organizations/disable-aws-service-access.html)

  Run the following command to disable Amazon CloudFormation StackSets as a trusted service with Organizations.

  ```
  $ aws organizations disable-aws-service-access \
      --service-principal stacksets.cloudformation.amazonaws.com
  ```

  This command produces no output when successful.
+ Amazon API: [DisableAWSServiceAccess](https://docs.amazonaws.cn/organizations/latest/APIReference/API_DisableAWSServiceAccess.html)

------

## Enabling a delegated administrator account for Amazon CloudFormation Stacksets
<a name="integrate-enable-da-cloudformation"></a>

When you designate a member account as a delegated administrator for the organization, users and roles from that account can perform administrative actions for Amazon CloudFormation Stacksets that otherwise can be performed only by users or roles in the organization's management account. This helps you to separate management of the organization from management of Amazon CloudFormation Stacksets.

For instructions on how to designate a member account as a delegated administrator of Amazon CloudFormation Stacksets in the organization, see [Register a delegated administrator](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/stacksets-orgs-delegated-admin.html) in the *Amazon CloudFormation User Guide*.