I was managing a CloudFormation StackSet to deploy security policies across 50 AWS accounts in our organization. Everything worked smoothly for the first few accounts, but then several accounts showed OUTDATED status, and new deployments were failing silently. After investigating, I discovered a mix of IAM role trust issues, opt-in region problems, and service access misconfigurations. In this post, I’ll walk through exactly what causes this and how to fix it.

The Problem

CloudFormation StackSet deployments fail or show incomplete status across accounts and regions. Common scenarios:

Operation OUTDATED for account 123456789012 in region us-east-1
StackSet operation failed with reason: FAILED
Stack instances in OUTDATED or FAILED status for some accounts/regions

Stack instances may show various statuses:

Status      Description
OUTDATED    Stack instance exists but its template differs from the StackSet definition
FAILED      Deployment failed, most likely due to IAM or permissions
INPROGRESS  Deployment is running but taking longer than expected
CURRENT     Stack instance is in sync with the StackSet template
QUEUE       Deployment is queued but hasn't started

Why Does This Happen?

  • Missing execution role in target accounts — The AWSCloudFormationStackSetExecutionRole doesn’t exist in the target account, or the CloudFormation service can’t assume it.
  • Trust relationship misconfigured — The execution role’s trust policy doesn’t allow the admin account to assume it, or the admin account isn’t listed correctly.
  • Service-managed StackSets: AWS Config or CloudFormation access not enabled — Organizations need explicit permission to use service-managed StackSets.
  • Target region is opt-in and not enabled — The target account hasn’t enabled opt-in regions (like eu-south-1, ap-south-2) in their region preferences.
  • Resource quotas exceeded — The target account hit an AWS service limit (EC2, VPC, IAM) preventing resource creation.
  • Permissions insufficient — Even with the execution role, it lacks permissions to create specific resources (e.g., ec2:CreateSecurityGroup).

The Fix

Option 1: Fix Self-Managed StackSet IAM Roles

For self-managed StackSets, both roles must exist and trust the right principals: CloudFormation in the admin account assumes AWSCloudFormationStackSetAdministrationRole, which in turn assumes AWSCloudFormationStackSetExecutionRole in each target account. The commands below attach AdministratorAccess to both roles for simplicity; the administration role itself only needs sts:AssumeRole on the execution role, and the execution role only needs the permissions required to create the resources in your templates, so scope both down once deployments work.

In your admin account, create the administration role:

# Create administration role (run in admin account)
aws iam create-role \
  --role-name AWSCloudFormationStackSetAdministrationRole \
  --assume-role-policy-document '{
    "Version": "2012-10-17",
    "Statement": [{
      "Effect": "Allow",
      "Principal": {"Service": "cloudformation.amazonaws.com"},
      "Action": "sts:AssumeRole"
    }]
  }'

# Attach the required policy
aws iam attach-role-policy \
  --role-name AWSCloudFormationStackSetAdministrationRole \
  --policy-arn arn:aws:iam::aws:policy/AdministratorAccess

In each target account, create the execution role:

# Create execution role (run in target account)
# Replace 111111111111 with your admin account ID
aws iam create-role \
  --role-name AWSCloudFormationStackSetExecutionRole \
  --assume-role-policy-document '{
    "Version": "2012-10-17",
    "Statement": [{
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
      "Action": "sts:AssumeRole"
    }]
  }'

# Attach permissions policy
aws iam attach-role-policy \
  --role-name AWSCloudFormationStackSetExecutionRole \
  --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
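To catch the two trust-policy mistakes above before deploying (an execution role that still names the wrong admin account, or an administration role that CloudFormation cannot assume), here is an added offline checker. It is example code, not part of the original post or of any AWS tooling; it takes the trust policy as a Python dict, for instance the AssumeRolePolicyDocument returned by aws iam get-role, and the sample policy and account IDs 111111111111/222222222222 are constructed.

```python
def _as_list(value):
    """IAM policy elements may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _assume_role_principals(policy, principal_key):
    """Principals (key 'AWS' or 'Service') that an Allow statement grants sts:AssumeRole."""
    principals = []
    for stmt in _as_list(policy.get("Statement")):
        actions = _as_list(stmt.get("Action"))
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            principals.append("*")  # anyone at all may assume the role
        elif isinstance(principal, dict):
            for p in _as_list(principal.get(principal_key)):
                # IAM stores a bare 12-digit account ID as that account's root ARN
                if principal_key == "AWS" and p.isdigit() and len(p) == 12:
                    p = f"arn:aws:iam::{p}:root"
                principals.append(p)
    return principals

def check_execution_role_trust(policy, admin_account_id):
    """Execution role (target account): must trust the admin account root and nothing else."""
    expected = f"arn:aws:iam::{admin_account_id}:root"
    principals = _assume_role_principals(policy, "AWS")
    findings = []
    if expected not in principals:
        findings.append(f"admin account not trusted: expected {expected}")
    for p in principals:
        if p == "*":
            findings.append("wildcard principal: any AWS account could assume this role")
        elif p != expected:
            findings.append(f"unexpected principal trusted: {p}")
    return findings

def check_admin_role_trust(policy):
    """Administration role (admin account): CloudFormation's service principal must assume it."""
    if "cloudformation.amazonaws.com" in _assume_role_principals(policy, "Service"):
        return []
    return ["cloudformation.amazonaws.com cannot assume the administration role"]

# Constructed sample: execution role trust still pointing at the placeholder admin account.
SAMPLE_EXEC_TRUST = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111111111111:root"}, "Action": "sts:AssumeRole"}]}
if __name__ == "__main__":
    for finding in check_execution_role_trust(SAMPLE_EXEC_TRUST, "222222222222"):
        print("execution role:", finding)
```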

Option 2: Enable Service-Managed StackSets in Organizations

For service-managed StackSets, enable AWS CloudFormation service access in your organization:

# Enable trusted access for CloudFormation StackSets (run in org management account)
aws organizations enable-aws-service-access \
  --service-principal stacksets.cloudformation.amazonaws.com

# Register a delegated administrator (optional): lets that member account
# create and manage service-managed StackSets for the organization
aws organizations register-delegated-administrator \
  --account-id 123456789012 \
  --service-principal member.org.stacksets.cloudformation.amazonaws.com

Option 3: Enable Opt-In Regions in Target Accounts

If deploying to opt-in regions, enable them in each target account:

# List the opt-in regions this account has NOT enabled yet
# (opted-in and opt-in-not-required regions are already usable)
aws ec2 describe-regions --all-regions \
  --filters "Name=opt-in-status,Values=not-opted-in" \
  --query "Regions[].RegionName"

# Enable a specific opt-in region (run in target account; takes a few minutes)
aws account enable-region \
  --region-name eu-south-1

# Confirm the region reports ENABLED before deploying stack instances to it
aws account get-region-opt-status \
  --region-name eu-south-1

Option 4: Debug and Verify Stack Operations

Check detailed operation status:

# List all stack instances and their status
aws cloudformation list-stack-instances \
  --stack-set-name my-stackset \
  --query "Summaries[?Status!='CURRENT']" \
  --output table

# Get detailed operation information
aws cloudformation describe-stack-set-operation \
  --stack-set-name my-stackset \
  --operation-id 1234abcd-1234-abcd-1234-abcd1234abcd \
  --query "StackSetOperation.[OperationId,Status,StatusReason]"

How to Run This

  1. For self-managed StackSets: Create the administration role in the admin account and execution role in each target account with proper trust relationships
  2. For service-managed StackSets: Enable CloudFormation service access in Organizations
  3. Verify target account region status: check that opt-in regions are enabled if needed
  4. Create or update the StackSet: aws cloudformation create-stack-set --stack-set-name my-set --template-body file://template.yaml
  5. Deploy instances: aws cloudformation create-stack-instances --stack-set-name my-set --accounts 123456789012 --regions us-east-1
  6. Monitor: aws cloudformation list-stack-instances --stack-set-name my-set

Is This Safe?

Yes. Following AWS best practices for StackSet role configuration ensures secure cross-account deployments. Using service-managed StackSets with Organizations is safer than hand-maintaining roles in every account, because CloudFormation creates and manages the cross-account roles for you through Organizations trusted access.

Key Takeaway

StackSet deployment failures typically stem from missing IAM roles, incorrect trust relationships, or disabled opt-in regions. Ensure the execution role exists in every target account with proper permissions, enable Organizations service access for service-managed StackSets, and verify region status for opt-in regions.


Have questions or ran into a different CloudFormation issue? Connect with me on LinkedIn or X.