How to onboard any number of AWS member accounts with CloudFormation StackSet

CloudYali Team
February 10, 2024
5 min read

loudYali provides a secure and seamless connection to customer AWS accounts, for getting cloud resource and cost information. Our onboarding process utilizes the power of CloudFormation stack, ensuring a streamlined and secure experience for our users. Leveraging multiple AWS accounts is a recommended practice by AWS for several reasons, such as minimizing potential impact (blast radius) and easy cost attribution, etc. Many medium to large companies adopt a per-team or per-product AWS account approach, resulting in numerous accounts. To effectively manage these accounts, AWS Organizations is an excellent solution. It enables companies to establish multiple organizations with a large number of member accounts.

At CloudYali, we prioritize efficiency and understand the need for swift onboarding. Our account onboarding process typically takes no more than 3 minutes, utilizing the CloudFormation-based workflow. Within just 10 minutes, users gain access to crucial resource, security compliance, and cost information, all conveniently available through the CloudYali console. As soon as resource information is accessible, CloudYali initiates various security compliance checks, including AWS Foundational Security Best Practices and CIS AWS Foundations Benchmark v1.5.0 and v2.0.0. Additionally, our platform generates a comprehensive cost savings report, identifying any unused AWS resources.

We recognize that many of our customers manage hundreds of AWS accounts under their organizations. Onboarding each member account individually can be time-consuming and cumbersome. To address this challenge, based on valuable feedback, we have introduced a new CloudFormation StackSet-based onboarding workflow for member accounts. This workflow simplifies the process with a single-click onboarding, mirroring our existing single account onboarding functionality. Moreover, this approach offers the advantage of automatically onboarding any new member account added to the organization, eliminating the need for manual intervention. This ensures seamless connectivity between the new member AWS account and CloudYali.

Utilizing CloudFormation StackSet, CloudYali can efficiently execute the same CloudFormation Stack across all member AWS accounts. The process requires the Organization root ID and access to the organization root AWS account to create stack sets. By leveraging this capability, CloudYali ensures a consistent and streamlined onboarding experience for all member accounts.

get AWS Organization root id
AWS Organization root id

After obtaining the AWS Organization root ID, the CloudYali onboarding workflow can be initiated. CloudYali generates two AWS CLI commands that need to be executed in the organization root account. These commands are crucial for creating the CloudFormation StackSet with the necessary parameters, including a unique external ID and StackSet-specific configuration parameters.

CloudYali organization onboarding
CloudYali Organization Onboarding

One of the essential configuration parameters is auto-deployment Enabled=true, which ensures that any newly added member account is automatically onboarded. Another important parameter is RetainStacksOnAccountRemoval=true, which guarantees that the stack removes any created resources if the account is removed from the Organization.

CloudFormation Stackset CLI Commands
StackSet CLI Commands

The first command is responsible for creating the StackSet with the provided parameters and prepares it for execution in member accounts. The second command initiates the execution of the Stacks for the StackSet, targeting the specified deployment-targets. By default, CloudYali employs the organization root ID to deploy the StackSet to all member accounts. However, if necessary, this can be modified to target specific AWS accounts.

CloudFormation StackSet CLI execution
StackSet CLI Execution

Upon executing the second command, an operation ID is generated, enabling users to track the stack creation process. Once an AWS account is successfully onboarded, users gain complete visibility into cloud resource inventory, cost, and security compliance across all member accounts and regions. It is important to note that the organization root account needs to be onboarded separately, as per the design of AWS StackSet.

CloudYali Dashboard
CloudYali Onboarding Success

Overall, the utilization of StackSet allows for automated onboarding of any number of member accounts, while also providing an exceptional user experience. By leveraging this technology, CloudYali ensures efficient and seamless account management for our valued users.

CloudYali Team

Stay Informed

Get the latest updates, news, and exclusive offers delivered to your inbox.

By clicking Sign Up, you agree to our Terms and Conditions.
Thank you! Your submission has been received!
Oops! Something went wrong. Please try again.

Discover Our Featured Blogs

Stay up to date with our informative blog posts.


[Part 1] The Least Privilege Principle and IAM in AWS

The principle of least privilege (PoLP) is easier to understand until you put it into practice. In this series, we will discuss PoLP, how to set up accounts and guardrails, what tools to use, what process to follow, what technical and managerial challenges you may encounter, how to tackle them, and so on.
Nishant Thorat
April 16, 2024
5 min read
User Access Management

Streamlining AWS Access for Growing Startups

As your startup scales on AWS, managing access control becomes crucial. This blog post provides a roadmap for securing your cloud environment. You'll learn about the limitations of basic IAM users, the benefits of centralized identity management, and the capabilities of AWS IAM Identity Center with Just-In-Time access. By the end, you'll have a clear strategy to secure your AWS environment while maintaining agility.
Nishant Thorat
April 15, 2024
5 min read
AWS Cloud

Understanding Instance MetaData Service (IMDS)

Instance metadata service (IMDS) provides sensitive information. Understand IMDSv1 weakness and how IMDSv2 improves security. Identify IMDSv1 enabled instances across your cloud.
Nishant Thorat
February 11, 2024
5 min read