CloudFormation StackSets let you deploy your stacks to multiple AWS accounts and regions simultaneously, but the real magic is how it manages drift and updates across that entire fleet.

Let’s see a StackSet in action. Imagine you have a standard VPC configuration you want to roll out to your development, staging, and production accounts, and you want it in us-east-1, us-west-2, and eu-central-1.

Here’s a simplified vpc.yaml CloudFormation template:

AWSTemplateFormatVersion: '2010-09-09'
Description: A basic VPC for shared services

Resources:
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/16
      Tags:
        - Key: Name
          Value: SharedVPC

  InternetGateway:
    Type: AWS::EC2::InternetGateway
    Properties:
      Tags:
        - Key: Name
          Value: SharedIGW

  VPCGatewayAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId: !Ref VPC
      InternetGatewayId: !Ref InternetGateway

  PublicSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      CidrBlock: 10.0.1.0/24
      MapPublicIpOnLaunch: true
      Tags:
        - Key: Name
          Value: SharedPublicSubnet-01

  RouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: SharedPublicRouteTable

  Route:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref RouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref InternetGateway

  SubnetRouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PublicSubnet
      RouteTableId: !Ref RouteTable

Now, to deploy this across accounts and regions using a StackSet:

  1. Create the StackSet: You can do this via the AWS Management Console or the AWS CLI. Using the CLI, with self-managed permissions:

    aws cloudformation create-stack-set \
        --stack-set-name "SharedVPCConfig" \
        --template-body "file://vpc.yaml" \
        --permission-model SELF_MANAGED \
        --administration-role-arn "arn:aws:iam::111122223333:role/AWSCloudFormationStackSetAdministrationRole" \
        --execution-role-name "AWSCloudFormationStackSetExecutionRole"
    
    • --stack-set-name: A unique name for your StackSet within the administration account and region.
    • --template-body: The path to your CloudFormation template.
    • --administration-role-arn and --execution-role-name: These are crucial. The administration role lives in the account you run the command from (111122223333 here) and trusts cloudformation.amazonaws.com; the only permission it needs is sts:AssumeRole into the execution role. The execution role must exist under the same name in every target account, trust the administration account, and hold the permissions needed to create the resources in your template. Whatever that role is allowed to do, any StackSet run from the administration account can do in every target, so keep its policy tight. The role names shown are the CloudFormation defaults, not a requirement.
    • Auto-deployment: --auto-deployment is only accepted when the StackSet is created with --permission-model SERVICE_MANAGED, which requires trusted access between CloudFormation and AWS Organizations and targets organizational units instead of account lists. In that model, --auto-deployment Enabled=true,RetainStacksOnAccountRemoval=false means that an account joining a targeted OU gets the stack deployed automatically and that the stack is deleted again when the account leaves the OU or the organization.
  2. Specify Target Accounts and Regions: After creating the StackSet, you tell it where to deploy.

    aws cloudformation create-stack-instances \
        --stack-set-name "SharedVPCConfig" \
        --accounts 111122223333 444455556666 777788889999 \
        --regions us-east-1 us-west-2 eu-central-1 \
        --operation-preferences "FailureTolerancePercentage=1,MaxConcurrentCount=5"
    
    • --accounts: The AWS account IDs to deploy to (space-separated; a JSON array also works). Each one must already contain the execution role.
    • --regions: The regions to deploy to. By default regions are processed one at a time, in the order given, with the accounts fanned out inside each region.
    • --operation-preferences: Controls how the rollout proceeds, and the values here do less than they appear to. FailureTolerancePercentage is converted to a per-region account count by rounding down, so 1% of three accounts is 0: a single failed stack stops the rollout in that region, and the remaining regions are not attempted. MaxConcurrentCount=5 asks for five accounts at a time, but in the default STRICT_FAILURE_TOLERANCE concurrency mode CloudFormation caps the concurrency at the failure tolerance plus one, so this deployment actually runs one account at a time. For a small fleet, state the tolerance as FailureToleranceCount, and set ConcurrencyMode=SOFT_FAILURE_TOLERANCE if you want the requested concurrency regardless of failures.
    
    The command returns an OperationId immediately; the deployment runs asynchronously, and you follow it with describe-stack-set-operation and list-stack-instances.

How it works internally:

When you create a StackSet, CloudFormation stores the template and parameters in the administration account; nothing is deployed yet. When you create stack instances, CloudFormation assumes the administration role in that account and, from there, assumes the execution role in each target account, then uses the execution role to create an ordinary CloudFormation stack in each target account and region. The execution role is not a service-linked role: it is a plain IAM role that you create (or, with service-managed permissions, that CloudFormation creates for you through AWS Organizations), and its permissions are the hard limit on what any StackSet can do in that account.
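The two roles described above, as an added example that is not part of the original page or of AWS's own sample templates. The script emits the trust and permission policies as shell functions (so they can be reviewed, or checked, without touching AWS) and only calls the CLI when invoked with "admin" or "target". Assumptions: 111122223333 is the administration account, the role names are the CloudFormation defaults, and the EC2 action list is the author's reading of what vpc.yaml needs.

```shell
#!/bin/sh
# Added example, not code from the original page: the administration and
# execution roles a self-managed StackSet depends on, as policy documents.
# Assumes admin account 111122223333 and the default role names.
set -eu

ADMIN_ACCOUNT="${ADMIN_ACCOUNT:-111122223333}"
ADMIN_ROLE="AWSCloudFormationStackSetAdministrationRole"
EXEC_ROLE="AWSCloudFormationStackSetExecutionRole"

# Administration role: lives in the admin account and is assumed by the
# CloudFormation service itself, so the trust is the service principal.
admin_trust_policy() {
  cat <<EOF
{"Version":"2012-10-17","Statement":[{"Effect":"Allow",
 "Principal":{"Service":"cloudformation.amazonaws.com"},
 "Action":"sts:AssumeRole"}]}
EOF
}

# The only thing the administration role may do is hop into the execution
# role; pinning the role name keeps it from assuming anything else.
admin_permissions_policy() {
  cat <<EOF
{"Version":"2012-10-17","Statement":[{"Effect":"Allow",
 "Action":"sts:AssumeRole",
 "Resource":"arn:aws:iam::*:role/${EXEC_ROLE}"}]}
EOF
}

# Execution role: lives in every target account. Trusting only the admin
# role, rather than the whole admin account, narrows who can use it. IAM
# requires the admin role to exist before this policy is accepted.
exec_trust_policy() {
  cat <<EOF
{"Version":"2012-10-17","Statement":[{"Effect":"Allow",
 "Principal":{"AWS":"arn:aws:iam::${ADMIN_ACCOUNT}:role/${ADMIN_ROLE}"},
 "Action":"sts:AssumeRole"}]}
EOF
}

# Least privilege for the execution role: CloudFormation stack operations
# plus the EC2 actions the VPC template needs (assumed list; widen it when
# the template grows). Granting AdministratorAccess here would make anyone
# who can run a StackSet from the admin account an admin in every target.
exec_permissions_policy() {
  cat <<EOF
{"Version":"2012-10-17","Statement":[
 {"Effect":"Allow","Action":"cloudformation:*","Resource":"*"},
 {"Effect":"Allow","Action":[
   "ec2:CreateVpc","ec2:DeleteVpc","ec2:DescribeVpcs","ec2:ModifyVpcAttribute",
   "ec2:CreateInternetGateway","ec2:DeleteInternetGateway","ec2:DescribeInternetGateways",
   "ec2:AttachInternetGateway","ec2:DetachInternetGateway",
   "ec2:CreateSubnet","ec2:DeleteSubnet","ec2:DescribeSubnets","ec2:ModifySubnetAttribute",
   "ec2:CreateRouteTable","ec2:DeleteRouteTable","ec2:DescribeRouteTables",
   "ec2:CreateRoute","ec2:DeleteRoute","ec2:AssociateRouteTable","ec2:DisassociateRouteTable",
   "ec2:CreateTags","ec2:DeleteTags"],"Resource":"*"}]}
EOF
}

# Does a generated policy name the principal we expect? Exit 0/1 so the
# check can run without an AWS call.
policy_trusts() {   # $1 = policy JSON, $2 = principal string that must appear
  case "$1" in *"$2"*) return 0 ;; *) return 1 ;; esac
}

create_admin_role() {   # run with credentials for the admin account
  aws iam create-role --role-name "$ADMIN_ROLE" \
    --assume-role-policy-document "$(admin_trust_policy)"
  aws iam put-role-policy --role-name "$ADMIN_ROLE" \
    --policy-name AssumeExecutionRole \
    --policy-document "$(admin_permissions_policy)"
}

create_exec_role() {    # run once per target account, with its credentials
  aws iam create-role --role-name "$EXEC_ROLE" \
    --assume-role-policy-document "$(exec_trust_policy)"
  aws iam put-role-policy --role-name "$EXEC_ROLE" \
    --policy-name StackSetVpcDeploy \
    --policy-document "$(exec_permissions_policy)"
}

case "${1:-}" in
  admin)  create_admin_role ;;
  target) create_exec_role ;;
  *) echo "# review mode: policies that 'admin' / 'target' would apply"
     admin_trust_policy; admin_permissions_policy
     exec_trust_policy;  exec_permissions_policy ;;
esac
```

Run it with no arguments to review the four documents, then `admin` once in the administration account and `target` once per target account (the execution role must be created after the administration role, since its trust policy names that role).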

The "fleet management" aspect comes in with updates and drift detection. If you update the vpc.yaml template and then run aws cloudformation update-stack-set --stack-set-name "SharedVPCConfig" --template-body "file://vpc.yaml", CloudFormation orchestrates the update across every stack instance (or only the accounts and regions you pass with --accounts and --regions) as one asynchronous operation, governed by the same operation preferences as the initial rollout. An instance whose update fails is marked OUTDATED; the other instances are not rolled back.
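The two-step rollout above and the update just described, driven from one script, as an added example that is not part of the original page. It first prints what the operation preferences really mean for this fleet (the rounding and concurrency cap), then launches the operation, polls it to completion and lists every instance that did not end up CURRENT. Assumptions: self-managed permissions with the default role names, administration account 111122223333, and the account and region lists from the article; the AWS CLI is only invoked when the script is run with "create" or "update".

```shell
#!/bin/sh
# Added example, not code from the original page: create or update the
# SharedVPCConfig stack set, wait for the operation, report failures.
# Assumes admin account 111122223333 and the default StackSet role names.
set -eu

STACK_SET="SharedVPCConfig"
TEMPLATE="file://vpc.yaml"
ADMIN_ACCOUNT="111122223333"
ACCOUNTS="111122223333 444455556666 777788889999"
REGIONS="us-east-1 us-west-2 eu-central-1"
TOLERANCE_PCT=1
MAX_CONCURRENT=5

# CloudFormation rounds FailureTolerancePercentage down to whole accounts
# (per region), so a small percentage over a small fleet tolerates nothing.
effective_tolerance() {   # $1 = percentage, $2 = accounts per region
  echo $(( $1 * $2 / 100 ))
}

# In the default STRICT_FAILURE_TOLERANCE mode the real concurrency is the
# smaller of MaxConcurrentCount and the failure tolerance plus one.
effective_concurrency() { # $1 = MaxConcurrentCount, $2 = effective tolerance
  if [ "$1" -lt $(( $2 + 1 )) ]; then echo "$1"; else echo $(( $2 + 1 )); fi
}

count_words() { set -- $1; echo $#; }

# Stack set operations are asynchronous: the CLI returns an OperationId and
# you poll until one of the terminal statuses is reached.
is_terminal_status() {
  case "$1" in SUCCEEDED|FAILED|STOPPED) return 0 ;; *) return 1 ;; esac
}

wait_for_operation() {    # $1 = operation id; prints the final status
  while :; do
    status=$(aws cloudformation describe-stack-set-operation \
      --stack-set-name "$STACK_SET" --operation-id "$1" \
      --query 'StackSetOperation.Status' --output text)
    is_terminal_status "$status" && { echo "$status"; return 0; }
    sleep 15
  done
}

# Anything that is not CURRENT (OUTDATED after a failed or partial operation,
# INOPERABLE after a failed delete) needs a human to look at it.
report_unhealthy_instances() {
  aws cloudformation list-stack-instances --stack-set-name "$STACK_SET" \
    --query 'Summaries[?Status!=`CURRENT`].[Account,Region,Status,StatusReason]' \
    --output text
}

show_preferences() {
  n=$(count_words "$ACCOUNTS")
  tol=$(effective_tolerance "$TOLERANCE_PCT" "$n")
  conc=$(effective_concurrency "$MAX_CONCURRENT" "$tol")
  echo "per-region failure tolerance: $tol account(s); concurrency: $conc"
}

create() {
  aws cloudformation create-stack-set --stack-set-name "$STACK_SET" \
    --template-body "$TEMPLATE" --permission-model SELF_MANAGED \
    --administration-role-arn "arn:aws:iam::${ADMIN_ACCOUNT}:role/AWSCloudFormationStackSetAdministrationRole" \
    --execution-role-name AWSCloudFormationStackSetExecutionRole
  op=$(aws cloudformation create-stack-instances --stack-set-name "$STACK_SET" \
    --accounts $ACCOUNTS --regions $REGIONS \
    --operation-preferences "FailureTolerancePercentage=${TOLERANCE_PCT},MaxConcurrentCount=${MAX_CONCURRENT}" \
    --query OperationId --output text)
  echo "operation $op finished: $(wait_for_operation "$op")"
  report_unhealthy_instances
}

# A template change is a single call; the same wait-and-report loop applies.
update() {
  op=$(aws cloudformation update-stack-set --stack-set-name "$STACK_SET" \
    --template-body "$TEMPLATE" --query OperationId --output text)
  echo "operation $op finished: $(wait_for_operation "$op")"
  report_unhealthy_instances
}

case "${1:-}" in
  create) show_preferences; create ;;
  update) show_preferences; update ;;
  *)      show_preferences ;;
esac
```

With the article's values the preference check prints a tolerance of 0 accounts and a concurrency of 1, which is the rollout you actually get despite asking for five at a time; change TOLERANCE_PCT and MAX_CONCURRENT, or add ConcurrencyMode=SOFT_FAILURE_TOLERANCE to the preferences string, once you have decided how much blast radius per region is acceptable.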

Crucially, StackSets also provide drift detection. Running aws cloudformation detect-stack-set-drift --stack-set-name "SharedVPCConfig" starts an operation that runs drift detection on every stack instance and records, per instance, whether the live resources still match the template (for example, someone added a route or changed the subnet's MapPublicIpOnLaunch setting in one of the target accounts). Detection only reports: CloudFormation does not revert the change for you. Remediation is manual: undo the out-of-band change in the target account, or change the template so that the drifted properties are set explicitly and run update-stack-set to reassert them.
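A fleet-wide drift report built from the commands above, as an added example that is not part of the original page. It starts detection, waits for the operation, lists the instances whose DriftStatus is DRIFTED and then pulls resource-level detail for each one. The count of out-of-sync resources is computed by a pure text function, exercised here on a constructed listing (not real AWS output), so the summary logic can be checked offline; the per-account CLI profile naming is an assumption.

```shell
#!/bin/sh
# Added example, not code from the original page: run drift detection on the
# SharedVPCConfig stack set and report drifted instances and resources.
# Detection only reports; nothing here reverts changes.
set -eu

STACK_SET="SharedVPCConfig"

# Reduce a "describe-stack-resource-drifts --output text" listing of
# "LogicalResourceId ResourceType StackResourceDriftStatus" lines to the
# number of resources that are not IN_SYNC (MODIFIED, DELETED, NOT_CHECKED).
count_drifted_resources() {   # stdin = listing; stdout = count
  awk 'NF >= 3 && $3 != "IN_SYNC" { n++ } END { print n + 0 }'
}

# Constructed sample of that listing for one drifted stack (not captured
# from AWS): a subnet whose flag was flipped and a route table deleted by hand.
SAMPLE_DRIFTS=$(printf 'VPC\tAWS::EC2::VPC\tIN_SYNC\n%s\n%s\n%s\n' \
  'PublicSubnet	AWS::EC2::Subnet	MODIFIED' \
  'RouteTable	AWS::EC2::RouteTable	DELETED' \
  'Route	AWS::EC2::Route	IN_SYNC')

detect() {
  op=$(aws cloudformation detect-stack-set-drift --stack-set-name "$STACK_SET" \
    --query OperationId --output text)
  # Poll until the detection operation leaves RUNNING/QUEUED/STOPPING.
  while status=$(aws cloudformation describe-stack-set-operation \
          --stack-set-name "$STACK_SET" --operation-id "$op" \
          --query 'StackSetOperation.Status' --output text) &&
        case "$status" in SUCCEEDED|FAILED|STOPPED) false ;; *) true ;; esac
  do
    sleep 15
  done
  echo "drift detection $op: $status"

  # One line per drifted stack instance: account, region, stack id.
  aws cloudformation list-stack-instances --stack-set-name "$STACK_SET" \
    --query 'Summaries[?DriftStatus==`DRIFTED`].[Account,Region,StackId]' \
    --output text |
  while read -r account region stack_id; do
    # Resource-level detail lives in the target account's stack, so this call
    # runs there (assumes a local CLI profile named after the account id).
    drifts=$(aws cloudformation describe-stack-resource-drifts \
      --stack-name "$stack_id" --region "$region" --profile "$account" \
      --query 'StackResourceDrifts[].[LogicalResourceId,ResourceType,StackResourceDriftStatus]' \
      --output text)
    echo "== $account/$region: $(printf '%s\n' "$drifts" | count_drifted_resources) resource(s) out of sync"
    printf '%s\n' "$drifts"
  done
}

if [ "${1:-}" = "detect" ]; then
  detect
else
  echo "sample listing has $(printf '%s\n' "$SAMPLE_DRIFTS" | count_drifted_resources) drifted resource(s)"
fi
```

Run with "detect" against a real stack set; with no argument it only evaluates the constructed sample, which reports two drifted resources. Treat a DELETED route table or a MODIFIED public-IP flag as a finding to investigate in CloudTrail, not just as configuration to put back.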

The real power here is the ability to maintain a consistent baseline across a large number of accounts and regions without manual intervention. Think of it as a declarative, automated way to enforce your organization’s infrastructure standards.

One aspect of StackSets that surprises people is how little they do on your behalf when an account or region is unavailable. There is no automatic pause-and-retry: an instance whose stack operation fails (a regional outage, a throttled API, a missing execution role) is left OUTDATED with a StatusReason, it counts against the failure tolerance for that region, and once the tolerance is exceeded the operation stops in that region and does not attempt the remaining regions. Finishing the rollout is your job: fix the cause, then re-run update-stack-set scoped with --accounts and --regions to the instances that failed.

The next step is often to move to service-managed permissions and target AWS Organizations OUs (Organizational Units), which gives you more granular control over which accounts receive which StackSets and enables the auto-deployment behaviour for accounts that join an OU later.
