

# Activate trusted access for StackSets with AWS Organizations

This topic provides instructions on how to activate trusted access with AWS Organizations, which is required by StackSets to deploy across accounts and AWS Regions using *service-managed* permissions. To use *self-managed* permissions, see [Grant self-managed permissions](stacksets-prereqs-self-managed.md) instead.

Before you create a StackSet with service-managed permissions, you must first complete the following tasks:
+ [Enable all features](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_org_support-all-features.html) in AWS Organizations. With only consolidated billing features enabled, you can't create a StackSet with service-managed permissions.
+ Activate trusted access with AWS Organizations. This action allows CloudFormation to create a service-linked role in the management account. After trusted access is activated, when you create a StackSet with service-managed permissions, CloudFormation creates both the necessary service-linked role and a service role named `stacksets-exec-*` in the target (member) accounts.

  With trusted access activated, the management account and delegated administrator accounts can create and manage service-managed StackSets for their organization.

To activate trusted access, you must be an administrator user in the management account. An *administrator user* is a user with full permissions to your AWS account. For more information, see [Create an administrator user](https://docs.aws.amazon.com/accounts/latest/reference/getting-started-step4.html) in the *AWS Account Management Reference Guide*. For recommendations on protecting the management account, see [Best practices for the management account](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_best-practices_mgmt-acct.html) in the *AWS Organizations User Guide*.

**To activate trusted access**

1. Sign in to AWS as an administrator of the management account and open the CloudFormation console at [https://console.aws.amazon.com/cloudformation](https://console.aws.amazon.com/cloudformation).

1. From the navigation pane, choose **StackSets**. If trusted access is deactivated, a banner is displayed that prompts you to activate it.  
![Activate trusted access banner.](http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/images/console-stacksets-enable-trusted-access-from-stacksets-list-new.png)

1. Choose **Activate trusted access**.

   Trusted access is successfully activated when the following banner is displayed.  
![Trusted access is successfully activated banner.](http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/images/console-stackset-trusted-access-enabled-banner-new.png)
**Note**  
Activate Organizations Access is the same as Enable Organizations Access, and Deactivate Organizations Access is the same as Disable Organizations Access. These terms have been updated based on marketing guidelines. 

**To deactivate trusted access**  
See [CloudFormation StackSets and AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/services-that-can-integrate-cloudformation.html) in the *AWS Organizations User Guide*.

Before you can deactivate trusted access with AWS Organizations, you must deregister all delegated administrators. For more information, see [Register a delegated administrator](stacksets-orgs-delegated-admin.md).

**Note**  
For information about using API operations instead of the console to activate or deactivate trusted access, see:  
[https://docs.aws.amazon.com/AWSCloudFormation/latest/APIReference/API_ActivateOrganizationsAccess.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/APIReference/API_ActivateOrganizationsAccess.html)
[https://docs.aws.amazon.com/AWSCloudFormation/latest/APIReference/API_DeactivateOrganizationsAccess.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/APIReference/API_DeactivateOrganizationsAccess.html)
[https://docs.aws.amazon.com/AWSCloudFormation/latest/APIReference/API_DescribeOrganizationsAccess.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/APIReference/API_DescribeOrganizationsAccess.html)
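The following script is an added example, not code from this guide, that performs the activation and deactivation steps above from the AWS CLI together with the checks a practitioner wants in front of them: it refuses to activate unless the organization reports `FeatureSet` `ALL`, verifies the `Status` returned by `describe-organizations-access` after each change, and refuses to deactivate while any account is still registered as a StackSets delegated administrator (the prerequisite noted under **To deactivate trusted access**). It assumes the AWS CLI `cloudformation activate-organizations-access`, `deactivate-organizations-access` and `describe-organizations-access` subcommands that wrap the API operations linked above, the `organizations` subcommands used later on this page, and credentials for an administrator in the management account. The `AWS_CLI` variable and the function names are this example's own, added so the logic can be exercised against a fake command.

```shell
#!/usr/bin/env bash
# Preflight, activation and safe deactivation of StackSets trusted access
# with AWS Organizations. Run with management-account administrator credentials.
# AWS_CLI is overridable (example's own knob) so the functions can be driven
# by a fake command in tests; it defaults to the real CLI.
set -eu

AWS_CLI="${AWS_CLI:-aws}"
# Service principal used when registering StackSets delegated administrators.
STACKSETS_DELEGATED_ADMIN_PRINCIPAL="member.org.stacksets.cloudformation.amazonaws.com"

# Prints the organization's feature set (ALL or CONSOLIDATED_BILLING).
org_feature_set() {
  "$AWS_CLI" organizations describe-organization \
    --query 'Organization.FeatureSet' --output text
}

# Prints the Status field of DescribeOrganizationsAccess (ENABLED when active).
stacksets_org_access_status() {
  "$AWS_CLI" cloudformation describe-organizations-access \
    --query 'Status' --output text
}

# Prints the account IDs registered as StackSets delegated administrators,
# one per line; prints nothing when none are registered.
stacksets_delegated_admins() {
  "$AWS_CLI" organizations list-delegated-administrators \
    --service-principal "$STACKSETS_DELEGATED_ADMIN_PRINCIPAL" \
    --query 'DelegatedAdministrators[].Id' --output text \
    | tr -s '[:space:]' '\n' | sed '/^$/d'
}

# Activates trusted access. Refuses when the organization does not have all
# features enabled, since service-managed StackSets require FeatureSet ALL.
# Returns 0 only if the status reads ENABLED afterwards.
activate_stacksets_access() {
  local features status
  features="$(org_feature_set)"
  if [ "$features" != "ALL" ]; then
    echo "refusing: organization FeatureSet is '$features'; enable all features first" >&2
    return 1
  fi
  status="$(stacksets_org_access_status)"
  if [ "$status" = "ENABLED" ]; then
    echo "trusted access already enabled"
    return 0
  fi
  "$AWS_CLI" cloudformation activate-organizations-access
  status="$(stacksets_org_access_status)"
  [ "$status" = "ENABLED" ]
}

# Deactivates trusted access only after confirming that no delegated
# administrators remain, which must be deregistered first.
# Returns 0 only if the status reads DISABLED afterwards.
deactivate_stacksets_access() {
  local remaining
  remaining="$(stacksets_delegated_admins)"
  if [ -n "$remaining" ]; then
    echo "refusing: deregister these delegated administrators first:" >&2
    echo "$remaining" >&2
    return 1
  fi
  "$AWS_CLI" cloudformation deactivate-organizations-access
  [ "$(stacksets_org_access_status)" = "DISABLED" ]
}

# Optional command-line dispatch; with no argument the file only defines functions.
case "${1:-}" in
  status)
    echo "FeatureSet:       $(org_feature_set)"
    echo "Trusted access:   $(stacksets_org_access_status)"
    echo "Delegated admins: $(stacksets_delegated_admins | tr '\n' ' ')"
    ;;
  activate)   activate_stacksets_access ;;
  deactivate) deactivate_stacksets_access ;;
  "") ;;
  *) echo "usage: $0 {status|activate|deactivate}" >&2; exit 2 ;;
esac
```

Run `./stacksets-access.sh status` first to see the current state, then `activate` or `deactivate`. The deactivation guard matters because `DeactivateOrganizationsAccess` is rejected while delegated administrators are registered, and the verification step after each change confirms that the management account's service-linked role state actually moved rather than assuming the call succeeded.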

## Service-linked roles


The management account uses the **AWSServiceRoleForCloudFormationStackSetsOrgAdmin** service-linked role. You can modify or delete this role only if trusted access with AWS Organizations is deactivated.

Each target account uses an **AWSServiceRoleForCloudFormationStackSetsOrgMember** service-linked role. You can modify or delete this role only if trusted access with AWS Organizations is deactivated, or if the account is removed from the target organization or organizational unit (OU).

For more information, see [CloudFormation StackSets and AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/services-that-can-integrate-cloudformation.html) in the *AWS Organizations User Guide*.

# Register a delegated administrator member account

In addition to your organization's management account, member accounts with delegated administrator permissions can create and manage StackSets with service-managed permissions for the organization. StackSets with service-managed permissions are created in the management account, including StackSets created by delegated administrators. To be registered as a delegated administrator for your organization, your member account must be in the organization. For more information about joining an organization, see [Inviting an AWS account to join your organization](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_invites.html).

Your organization can have up to five registered delegated administrators at one time. Delegated administrators can choose to deploy to all accounts in your organization or specific OUs. Trusted access with AWS Organizations must be activated before delegated administrators can deploy to accounts managed by Organizations. For more information, see [Activate trusted access for StackSets with AWS Organizations](stacksets-orgs-activate-trusted-access.md).

**Important**  
Please be aware of the following:  
Delegated administrators have full permissions to deploy to accounts in your organization. The management account can't limit delegated administrator permissions to deploy to specific OUs or to perform specific StackSet operations.
Make sure your delegated administrators have `organizations:ListDelegatedAdministrators` permissions to avoid any potential errors.

You can register delegated administrators for your organization in the following Regions: US East (Ohio), US East (N. Virginia), US West (N. California), US West (Oregon), Asia Pacific (Mumbai), Asia Pacific (Seoul), Asia Pacific (Singapore), Asia Pacific (Sydney), Asia Pacific (Tokyo), Canada (Central), Europe (Frankfurt), Europe (Ireland), Europe (London), Europe (Paris), Europe (Stockholm), Israel (Tel Aviv), South America (São Paulo), AWS GovCloud (US-East), and AWS GovCloud (US-West).

You can register and deregister delegated administrators using the [CloudFormation console](https://console.aws.amazon.com/cloudformation/), [AWS CLI](https://aws.amazon.com/cli/), or [AWS SDKs](https://aws.amazon.com/developer/tools/).

## To register a delegated administrator (console)


1. Sign in to AWS as an administrator of the management account and open the CloudFormation console at [https://console.aws.amazon.com/cloudformation/](https://console.aws.amazon.com/cloudformation/).

1. From the navigation pane, choose **StackSets**.

1. Under **Delegated administrators**, choose **Register delegated administrator**.

1. In the **Register delegated administrator** dialog box, choose **Register delegated administrator**.

   The success message indicates that the member account has successfully been registered as a delegated administrator.

## To deregister a delegated administrator (console)


1. Sign in to AWS as an administrator of the management account and open the CloudFormation console at [https://console.aws.amazon.com/cloudformation/](https://console.aws.amazon.com/cloudformation/).

1. From the navigation pane, choose **StackSets**.

1. Under **Delegated administrators**, select the account that you want to deregister, and then choose **Deregister**.

   The success message indicates that the member account has successfully been deregistered as a delegated administrator.

   You can register this account again at any time.

## To register a delegated administrator (AWS CLI)


1. Open the AWS CLI.

1. Run the `register-delegated-administrator` command.

   ```
   $ aws organizations register-delegated-administrator \
     --service-principal=member.org.stacksets.cloudformation.amazonaws.com \
     --account-id="memberAccountId"
   ```

1. Run the `list-delegated-administrators` command to verify that the specified member account is successfully registered as a delegated administrator.

   ```
   $ aws organizations list-delegated-administrators \
     --service-principal=member.org.stacksets.cloudformation.amazonaws.com
   ```

## To deregister a delegated administrator (AWS CLI)


1. Open the AWS CLI.

1. Run the `deregister-delegated-administrator` command.

   ```
   $ aws organizations deregister-delegated-administrator \
     --service-principal=member.org.stacksets.cloudformation.amazonaws.com \
     --account-id="memberAccountId"
   ```

1. Run the `list-delegated-administrators` command to verify that the specified member account is successfully deregistered as a delegated administrator.

   ```
   $ aws organizations list-delegated-administrators \
     --service-principal=member.org.stacksets.cloudformation.amazonaws.com
   ```

   You can register this account again at any time.