A company is using AWS Organizations to manage multiple AWS accounts. For security purposes, the company requires the creation of an Amazon Simple Notification Service (Amazon SNS) topic that enables integration with a third-party alerting system in all the Organizations member accounts. A solutions architect used an AWS CloudFormation template to create the SNS topic and stack sets to automate the deployment of CloudFormation stacks. Trusted access has been enabled in Organizations. What should the solutions architect do to deploy the CloudFormation StackSets in all AWS accounts?

A. Create a stack set in the Organizations member accounts. Use service-managed permissions. Set deployment options to deploy to an organization. Use CloudFormation StackSets drift detection. B. Create stacks in the Organizations member accounts. Use self-service permissions. Set deployment options to deploy to an organization. Enable the CloudFormation StackSets automatic deployment. C. Create a stack set in the Organizations management account. Use service-managed permissions. Set deployment options to deploy to the organization. Enable CloudFormation StackSets automatic deployment. D. Create stacks in the Organizations management account. Use service-managed permissions. Set deployment options to deploy to the organization. Enable CloudFormation StackSets drift detection.

생각들

stack 은 익숙한데 stack set은 익숙하지 않아서 틀렸다 ㅜ

조직 내에 있는 계정에 한번에 리소스 배포하고 싶은 상황이 있을 수 있는데, 그런 경우에 알아두면 좋을 만한 내용이다.

풀이 및 공부

stack vs stack set

• stack : A stack is a collection of AWS resources that you can manage as a single unit. In other words, you can create, update, or delete a collection of resources by creating, updating, or deleting stacks.
• stack set : A stack set lets you create stacks in AWS accounts across regions by using a single CloudFormation template. A stack set’s CloudFormation template defines all the resources in each stack

Service-managed permissions vs Self-service permissions

• Service-managed permissions : StackSets automatically configures the permissions required to deploy to target accounts managed by AWS Organizations. With this option, you can enable automatic deployment to accounts in your organization.
• Self-service permissions : You create the IAM roles required to deploy to target accounts. If you don’t choose a role, CloudFormation uses permissions based on your user credentials.

deploy하면

multi accounts, multi region에 배포할 수 있다.

참고

• https://www.youtube.com/watch?v=KVDt4559cTs