The latest articles on DEV Community by Erlend Ekern (@erlendekern). https://dev.to/erlendekern https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3583942%2Fea102e26-19a2-4748-a751-5ea4097aa7ab.jpg https://dev.to/erlendekern en Erlend Ekern Mon, 27 Oct 2025 18:02:22 +0000 https://dev.to/aws-builders/coloring-your-aws-accounts-at-scale-5cl6 https://dev.to/aws-builders/coloring-your-aws-accounts-at-scale-5cl6 <p><a href="https://aws.amazon.com/about-aws/whats-new/2025/08/aws-management-console-assigning-color-aws-account/" rel="noopener noreferrer">Back in August AWS announced a new feature</a> that allows you to label your AWS accounts with a color that shows up when you're using the AWS Console. This is a tiny, but very welcome quality of life improvement that gives you a visual indicator of what type of account you're using (e.g., 🟩 for <code>dev</code> and 🟥 for <code>prod</code>) - reducing the chance of production accidents and giving each account a bit more pizzazz.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fknvvmr1m6vtblxsmezs4.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fknvvmr1m6vtblxsmezs4.png" alt="A screenshot showing the color of an account in the AWS Console" width="800" height="102"></a></p> <p>The feature came with API support on launch (yay!), but without CloudFormation and, somewhat surprisingly, any SDK support<sup id="fnref1">1</sup>. So most people will probably end up manually configuring this through the AWS Console anyway (boo!)..</p> <p>But where there's <del>a will</del> <a href="https://docs.aws.amazon.com/awsconsolehelpdocs/latest/gsg/PutAccountColor.html" rel="noopener noreferrer">an endpoint</a> there's a way. In this article I'll use the account coloring feature as a practical example to demonstrate different approaches to programmatic infrastructure provisioning across AWS accounts. Even if you're not interested in account colors, you might pick up a useful thing or two along the way.</p> <p>Let's dive in!</p> <h2> The curl way </h2> <p>curl has for some time supported signing requests using AWS SigV4, so the most lo-fi, programmatic way to set the color for an account is something like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-X</span> PUT <span class="se">\</span> <span class="s2">"https://uxc.us-east-1.api.aws/v1/account-color"</span> <span class="se">\</span> <span class="nt">--aws-sigv4</span> <span class="s2">"aws:amz:us-east-1:uxc"</span> <span class="se">\</span> <span class="nt">--user</span> <span class="s2">"</span><span class="nv">$AWS_ACCESS_KEY_ID</span><span class="s2">:</span><span class="nv">$AWS_SECRET_ACCESS_KEY</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"x-amz-security-token: </span><span class="nv">$AWS_SESSION_TOKEN</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'{"color":"green"}'</span> </code></pre> </div> <p>If you're using AWS Identity Center for managing access to your accounts, you can run the above command like this to spin up a subshell with credentials exposed through the expected environment variables:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="o">(</span> <span class="nb">eval</span> <span class="s2">"</span><span class="si">$(</span>aws <span class="nt">--profile</span> <span class="s2">"&lt;my-profile&gt;"</span> configure export-credentials <span class="nt">--format</span> <span class="s2">"env"</span><span class="si">)</span><span class="s2">"</span> <span class="se">\</span> <span class="o">&amp;&amp;</span> curl <span class="nt">-X</span> PUT ... <span class="p">;</span><span class="o">)</span> </code></pre> </div> <p>This works, but is not very IaC-y. Can we do better?</p> <h2> The CloudFormation way </h2> <p>Enter CloudFormation.</p> <p>Since there's no CloudFormation support yet we'll need to create a Lambda-backed <a href="https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-cloudformation-customresource.html" rel="noopener noreferrer">custom resource</a> to fill in the gap. And since there's no SDK support either, we'll have to perform the request ourselves.</p> <p>Luckily we can leverage a lower-level module in <code>botocore</code> to help sign our request.</p> <p>For our custom resource we'll also be using the <code>ServiceTimeout</code> property <a href="https://aws.amazon.com/about-aws/whats-new/2024/06/aws-cloudformation-dev-test-cycle-timeouts-custom-resources/" rel="noopener noreferrer">introduced in 2024</a> to give us a saner developer experience, especially during development (goodbye 1-hour feedback loops - you won't be missed 🙃).</p> <p>Bringing it all together, we get the following CloudFormation template:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">AWSTemplateFormatVersion</span><span class="pi">:</span> <span class="s2">"</span><span class="s">2010-09-09"</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">Sets the color for an account in the AWS Console</span> <span class="na">Parameters</span><span class="pi">:</span> <span class="na">Color</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">String</span> <span class="na">Default</span><span class="pi">:</span> <span class="s">none</span> <span class="na">AllowedValues</span><span class="pi">:</span> <span class="c1"># From https://docs.aws.amazon.com/awsconsolehelpdocs/latest/gsg/PutAccountColor.html#put-account-color-response-elements</span> <span class="pi">-</span> <span class="s">none</span> <span class="pi">-</span> <span class="s">pink</span> <span class="pi">-</span> <span class="s">purple</span> <span class="pi">-</span> <span class="s">darkBlue</span> <span class="pi">-</span> <span class="s">lightBlue</span> <span class="pi">-</span> <span class="s">teal</span> <span class="pi">-</span> <span class="s">green</span> <span class="pi">-</span> <span class="s">yellow</span> <span class="pi">-</span> <span class="s">orange</span> <span class="pi">-</span> <span class="s">red</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">The color to apply for the account</span> <span class="na">Resources</span><span class="pi">:</span> <span class="na">Role</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::IAM::Role</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">AssumeRolePolicyDocument</span><span class="pi">:</span> <span class="na">Version</span><span class="pi">:</span> <span class="s2">"</span><span class="s">2012-10-17"</span> <span class="na">Statement</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Effect</span><span class="pi">:</span> <span class="s">Allow</span> <span class="na">Principal</span><span class="pi">:</span> <span class="na">Service</span><span class="pi">:</span> <span class="s">lambda.amazonaws.com</span> <span class="na">Action</span><span class="pi">:</span> <span class="s">sts:AssumeRole</span> <span class="na">ManagedPolicyArns</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole</span> <span class="na">Policies</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">PolicyName</span><span class="pi">:</span> <span class="s">AllowPutAccountColor</span> <span class="na">PolicyDocument</span><span class="pi">:</span> <span class="na">Version</span><span class="pi">:</span> <span class="s2">"</span><span class="s">2012-10-17"</span> <span class="na">Statement</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Effect</span><span class="pi">:</span> <span class="s">Allow</span> <span class="na">Action</span><span class="pi">:</span> <span class="s">uxc:PutAccountColor</span> <span class="na">Resource</span><span class="pi">:</span> <span class="s2">"</span><span class="s">*"</span> <span class="na">Function</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::Lambda::Function</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">Runtime</span><span class="pi">:</span> <span class="s">python3.13</span> <span class="na">Handler</span><span class="pi">:</span> <span class="s">index.lambda_handler</span> <span class="na">Role</span><span class="pi">:</span> <span class="kt">!GetAtt</span> <span class="s">Role.Arn</span> <span class="na">Timeout</span><span class="pi">:</span> <span class="m">10</span> <span class="na">Code</span><span class="pi">:</span> <span class="na">ZipFile</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">import json</span> <span class="s">import logging</span> <span class="s">import typing as t</span> <span class="s">import urllib.request</span> <span class="s">from dataclasses import asdict, dataclass, field</span> <span class="s">from botocore.auth import SigV4Auth</span> <span class="s">from botocore.awsrequest import AWSRequest</span> <span class="s">from botocore.session import Session</span> <span class="s">logger = logging.getLogger(__name__)</span> <span class="s">logger.setLevel(logging.INFO)</span> <span class="s">@dataclass</span> <span class="s">class CfnResponse:</span> <span class="s">PhysicalResourceId: str</span> <span class="s">StackId: str</span> <span class="s">RequestId: str</span> <span class="s">LogicalResourceId: str</span> <span class="s">Status: t.Literal["SUCCESS", "FAILED"]</span> <span class="s">Reason: t.Optional[str] = ""</span> <span class="s">Data: t.Optional[t.Dict] = field(default_factory=dict)</span> <span class="s">def send_cfn_response(url: str, cfn_response: CfnResponse):</span> <span class="s">"""Send minimal CloudFormation custom-resource response (pure stdlib)."""</span> <span class="s">payload = json.dumps(asdict(cfn_response)).encode("utf-8")</span> <span class="s">req = urllib.request.Request(</span> <span class="s">url,</span> <span class="s">data=payload,</span> <span class="s">method="PUT",</span> <span class="s">headers={</span> <span class="s">"content-length": str(len(payload)),</span> <span class="s">},</span> <span class="s">)</span> <span class="s">with urllib.request.urlopen(req) as f:</span> <span class="s">f.read()</span> <span class="s">def put_account_color(color: str):</span> <span class="s">"""Update the color of the current account"""</span> <span class="s">service = "uxc"</span> <span class="s"># There's currently only an endpoint for us-east-1</span> <span class="s">region = "us-east-1"</span> <span class="s">url = f"https://{service}.{region}.api.aws/v1/account-color"</span> <span class="s">payload = json.dumps({"color": color}).encode("utf-8")</span> <span class="s"># There's currently no SDK support for this endpoint, so we create and sign the request ourselves</span> <span class="s">credentials = Session().get_credentials().get_frozen_credentials()</span> <span class="s">aws_request = AWSRequest(</span> <span class="s">method="PUT",</span> <span class="s">url=url,</span> <span class="s">data=payload,</span> <span class="s">headers={"Content-Type": "application/json"},</span> <span class="s">)</span> <span class="s">SigV4Auth(credentials, service, region).add_auth(aws_request)</span> <span class="s">req = urllib.request.Request(</span> <span class="s">url=url, method="PUT", headers=dict(aws_request.headers), data=payload</span> <span class="s">)</span> <span class="s">with urllib.request.urlopen(req) as res:</span> <span class="s">status_code = res.status</span> <span class="s">res_body = res.read().decode("utf-8")</span> <span class="s">return status_code, res_body</span> <span class="s">def lambda_handler(event, context):</span> <span class="s">logger.info("Triggered with event: %s", json.dumps(event, indent=2))</span> <span class="s">color = event.get("ResourceProperties", {}).get("Color", "none")</span> <span class="s">cfn_response_url = event["ResponseURL"]</span> <span class="s">cfn_response = CfnResponse(</span> <span class="s">Status="SUCCESS",</span> <span class="s">PhysicalResourceId="AccountColor",</span> <span class="s">StackId=event["StackId"],</span> <span class="s">RequestId=event["RequestId"],</span> <span class="s">LogicalResourceId=event["LogicalResourceId"],</span> <span class="s">)</span> <span class="s">try:</span> <span class="s">if event["RequestType"] in ["Create", "Update"]:</span> <span class="s">status_code, res_body = put_account_color(color)</span> <span class="s">if status_code not in (200, 204):</span> <span class="s">cfn_response.Status = "FAILED"</span> <span class="s">cfn_response.Reason = (</span> <span class="s">f"Request failed with status {status_code}: {res_body}"</span> <span class="s">)</span> <span class="s">send_cfn_response(cfn_response_url, cfn_response)</span> <span class="s">except Exception as e:</span> <span class="s">logger.exception("An unexpected error occurred")</span> <span class="s">cfn_response.Status = "FAILED"</span> <span class="s">cfn_response.Reason = f"See logs for more details '{context.log_group_name}/{context.log_stream_name}':\n{str(e)}"</span> <span class="s">send_cfn_response(</span> <span class="s">cfn_response_url,</span> <span class="s">cfn_response,</span> <span class="s">)</span> <span class="na">LogGroup</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::Logs::LogGroup</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">LogGroupName</span><span class="pi">:</span> <span class="kt">!Sub</span> <span class="s">/aws/lambda/${Function}</span> <span class="na">RetentionInDays</span><span class="pi">:</span> <span class="m">7</span> <span class="na">AccountColor</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">Custom::AccountColor</span> <span class="na">DependsOn</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">LogGroup</span> <span class="na">DeletionPolicy</span><span class="pi">:</span> <span class="s">Retain</span> <span class="na">UpdateReplacePolicy</span><span class="pi">:</span> <span class="s">Retain</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">ServiceTimeout</span><span class="pi">:</span> <span class="m">10</span> <span class="na">ServiceToken</span><span class="pi">:</span> <span class="kt">!GetAtt</span> <span class="s">Function.Arn</span> <span class="na">Color</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">Color</span> </code></pre> </div> <p>Let's store this template in <code>cfn-templates/account-color.yml</code>.</p> <p>Cool. Now we have a template we can easily deploy using the AWS CLI to set the color for an account:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws cloudformation deploy <span class="se">\</span> <span class="nt">--stack-name</span> <span class="s2">"example-cli-account-color"</span> <span class="se">\</span> <span class="nt">--template-file</span> <span class="s2">"cfn-templates/account-color.yml"</span> <span class="se">\</span> <span class="nt">--capabilities</span> <span class="s2">"CAPABILITY_IAM"</span> <span class="se">\</span> <span class="nt">--parameter-overrides</span> <span class="s2">"Color=green"</span> </code></pre> </div> <p>This works well for one account, but what about a handful? And what if we want to use a different color for each account?</p> <h2> The shell-scripted CloudFormation way </h2> <p>Let's bring in the lingua franca of the cloud: Bash.</p> <p>If we have a naming convention for our AWS CLI profiles, we could do something like this to provision our template across accounts:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/usr/bin/env bash</span> <span class="nb">set</span> <span class="nt">-euo</span> pipefail main<span class="o">()</span> <span class="o">{</span> <span class="nb">local </span>color profile <span class="c"># Loop over a set of AWS CLI profiles</span> <span class="k">for </span>profile <span class="k">in</span> <span class="s2">"foo-dev"</span> <span class="s2">"bar-staging"</span> <span class="s2">"baz-prod"</span><span class="p">;</span> <span class="k">do</span> <span class="c"># Determine the color based on the suffix of the profile</span> <span class="k">case</span> <span class="s2">"</span><span class="nv">$profile</span><span class="s2">"</span> <span class="k">in</span> <span class="k">*</span><span class="nt">-dev</span><span class="p">)</span> <span class="nv">color</span><span class="o">=</span><span class="s2">"green"</span> <span class="p">;;</span> <span class="k">*</span><span class="nt">-staging</span><span class="p">)</span> <span class="nv">color</span><span class="o">=</span><span class="s2">"orange"</span> <span class="p">;;</span> <span class="k">*</span><span class="nt">-prod</span><span class="p">)</span> <span class="nv">color</span><span class="o">=</span><span class="s2">"red"</span> <span class="p">;;</span> <span class="k">*</span><span class="p">)</span> <span class="nv">color</span><span class="o">=</span><span class="s2">"none"</span> <span class="p">;;</span> <span class="k">esac</span> aws cloudformation deploy <span class="se">\</span> <span class="nt">--profile</span> <span class="s2">"</span><span class="nv">$profile</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">--stack-name</span> <span class="s2">"example-cli-account-color"</span> <span class="se">\</span> <span class="nt">--template-file</span> <span class="s2">"cfn-templates/account-color.yml"</span> <span class="se">\</span> <span class="nt">--capabilities</span> <span class="s2">"CAPABILITY_IAM"</span> <span class="se">\</span> <span class="nt">--parameter-overrides</span> <span class="s2">"Color=</span><span class="nv">$color</span><span class="s2">"</span> <span class="se">\</span> <span class="k">done</span> <span class="o">}</span> main <span class="s2">"</span><span class="nv">$@</span><span class="s2">"</span> </code></pre> </div> <p>This is decent, but still not ideal. How do we manage permissions to all of these accounts? Where do we run this? How do we handle parallelism and errors?</p> <p>If only there was an AWS-native mechanism for managing infrastructure across accounts at scale..</p> <h2> ✨ The CloudFormation StackSets way ✨ </h2> <p>I've written about <a href="https://blog.ekern.me/2025/02/27/aws-cloudformation-stacksets.html" rel="noopener noreferrer">CloudFormation StackSets</a> before, and I think it's a useful and powerful tool, especially for managing baseline infrastructure across accounts and regions. As I mentioned in that post:</p> <blockquote> <p><em>If you need to deploy across AWS organizations, want to have granular control over which accounts are deployed to, or <strong>you think you’ll need account-specific parameter values in your stacks, you probably want to go with the self-managed model!</strong></em></p> </blockquote> <p>Since colors are more likely to be specific per account, not per Organizational Unit (OU), the self-managed permission model is probably the way to go here because it allows us to set different values of the <code>Color</code> parameter per account <sup id="fnref2">2</sup>.</p> <p>The main drawback of the self-managed permission model is - as the name implies - that <strong>you</strong> need to manage the permissions. This includes setting up an IAM role (the "administration role") in the StackSet administration account, and an IAM role (the "execution role") in each target account that you want StackSets to deploy to.</p> <h3> Getting started </h3> <p>Below is an example of how to provision our CloudFormation template and set the color for an account using CloudFormation StackSets. Here we're using Terraform to manage the stack set itself, but it should be fairly straight-forward to adapt this to your IaC tool of choice.</p> <p>To make it easy to try out yourself, everything is isolated to one AWS account - we use the current account as both the stack set administrator <strong>and</strong> the target account. While you normally wouldn't use StackSets like this (instead you'd just create the CloudFormation stack directly), it demonstrates the important bits and allows you to test in a non-critical account.</p> <p>⚠️ <strong>Note:</strong> We will be attaching the <code>AdministratorAccess</code> managed policy to the execution role in the following examples. While you could attempt to scope this down to only the specific permissions needed, doing so for a service like CloudFormation StackSets can be impractical - overly restrictive permissions can lead to deployment failures and debugging headaches. But at the very least, consider the implications of this before production use.</p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">terraform</span> <span class="p">{</span> <span class="nx">required_providers</span> <span class="p">{</span> <span class="nx">aws</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"hashicorp/aws"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"~&gt; 6"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">required_version</span> <span class="p">=</span> <span class="s2">"&gt;= 1.0"</span> <span class="p">}</span> <span class="k">provider</span> <span class="s2">"aws"</span> <span class="p">{</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"eu-west-1"</span> <span class="p">}</span> <span class="k">data</span> <span class="s2">"aws_caller_identity"</span> <span class="s2">"this"</span> <span class="p">{}</span> <span class="nx">locals</span> <span class="p">{</span> <span class="nx">name_prefix</span> <span class="p">=</span> <span class="s2">"example-tf"</span> <span class="nx">stackset_execution_role_name</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">local</span><span class="p">.</span><span class="nx">name_prefix</span><span class="k">}</span><span class="s2">-cfn-stackset-execution"</span> <span class="nx">current_account_id</span> <span class="p">=</span> <span class="k">data</span><span class="p">.</span><span class="nx">aws_caller_identity</span><span class="p">.</span><span class="nx">this</span><span class="p">.</span><span class="nx">account_id</span> <span class="p">}</span> <span class="c1"># The admin role is used by CloudFormation StackSets to assume execution roles</span> <span class="c1"># in target accounts.</span> <span class="k">resource</span> <span class="s2">"aws_iam_role"</span> <span class="s2">"stackset_admin"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">local</span><span class="p">.</span><span class="nx">name_prefix</span><span class="k">}</span><span class="s2">-cfn-stackset-admin"</span> <span class="nx">assume_role_policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">Action</span> <span class="p">=</span> <span class="s2">"sts:AssumeRole"</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Principal</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Service</span> <span class="p">=</span> <span class="s2">"cloudformation.amazonaws.com"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">]</span> <span class="p">})</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_iam_role_policy"</span> <span class="s2">"assume_to_stackset_admin"</span> <span class="p">{</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">stackset_admin</span><span class="p">.</span><span class="nx">name</span> <span class="nx">policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Action</span> <span class="p">=</span> <span class="s2">"sts:AssumeRole"</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="s2">"arn:aws:iam::*:role/</span><span class="k">${</span><span class="kd">local</span><span class="p">.</span><span class="nx">stackset_execution_role_name</span><span class="k">}</span><span class="s2">"</span> <span class="p">}</span> <span class="p">]</span> <span class="p">})</span> <span class="p">}</span> <span class="c1"># The execution role is used by CloudFormation StackSets to create stack instances</span> <span class="c1"># (i.e. CloudFormation stacks) in target accounts.</span> <span class="k">resource</span> <span class="s2">"aws_iam_role"</span> <span class="s2">"stackset_execution"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="kd">local</span><span class="p">.</span><span class="nx">stackset_execution_role_name</span> <span class="nx">assume_role_policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">Principal</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">AWS</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"arn:aws:iam::</span><span class="k">${</span><span class="kd">local</span><span class="p">.</span><span class="nx">current_account_id</span><span class="k">}</span><span class="s2">:root"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Action</span> <span class="p">=</span> <span class="s2">"sts:AssumeRole"</span> <span class="p">}</span> <span class="p">]</span> <span class="p">})</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_iam_role_policy_attachment"</span> <span class="s2">"stackset_execution"</span> <span class="p">{</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">stackset_execution</span><span class="p">.</span><span class="nx">name</span> <span class="nx">policy_arn</span> <span class="p">=</span> <span class="s2">"arn:aws:iam::aws:policy/AdministratorAccess"</span> <span class="p">}</span> <span class="nx">locals</span> <span class="p">{</span> <span class="nx">accounts</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">id</span> <span class="p">=</span> <span class="kd">local</span><span class="p">.</span><span class="nx">current_account_id</span> <span class="nx">environment</span> <span class="p">=</span> <span class="s2">"development"</span> <span class="p">},</span> <span class="c1"># NOTE: Add more accounts here</span> <span class="p">]</span> <span class="nx">environment_colors</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">development</span> <span class="p">=</span> <span class="s2">"green"</span> <span class="nx">staging</span> <span class="p">=</span> <span class="s2">"orange"</span> <span class="nx">production</span> <span class="p">=</span> <span class="s2">"red"</span> <span class="p">}</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_cloudformation_stack_set"</span> <span class="s2">"account_color"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">local</span><span class="p">.</span><span class="nx">name_prefix</span><span class="k">}</span><span class="s2">-account-color"</span> <span class="nx">permission_model</span> <span class="p">=</span> <span class="s2">"SELF_MANAGED"</span> <span class="nx">administration_role_arn</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">stackset_admin</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">execution_role_name</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">stackset_execution</span><span class="p">.</span><span class="nx">name</span> <span class="nx">template_body</span> <span class="p">=</span> <span class="nx">file</span><span class="p">(</span><span class="s2">"</span><span class="k">${</span><span class="nx">path</span><span class="p">.</span><span class="nx">root</span><span class="k">}</span><span class="s2">/cfn-templates/account-color.yml"</span><span class="p">)</span> <span class="nx">capabilities</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"CAPABILITY_IAM"</span><span class="p">]</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">aws_iam_role_policy</span><span class="p">.</span><span class="nx">assume_to_stackset_admin</span><span class="p">,</span> <span class="nx">aws_iam_role_policy_attachment</span><span class="p">.</span><span class="nx">stackset_execution</span> <span class="p">]</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_cloudformation_stack_set_instance"</span> <span class="s2">"account_color"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">for</span> <span class="nx">account</span> <span class="nx">in</span> <span class="kd">local</span><span class="p">.</span><span class="nx">accounts</span> <span class="err">:</span> <span class="nx">account</span><span class="p">.</span><span class="nx">id</span> <span class="p">=</span><span class="err">&gt;</span> <span class="nx">account</span> <span class="p">}</span> <span class="nx">stack_set_name</span> <span class="p">=</span> <span class="nx">aws_cloudformation_stack_set</span><span class="p">.</span><span class="nx">account_color</span><span class="p">.</span><span class="nx">name</span> <span class="nx">account_id</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">key</span> <span class="nx">stack_set_instance_region</span> <span class="p">=</span> <span class="s2">"eu-west-1"</span> <span class="nx">parameter_overrides</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"Color"</span> <span class="p">=</span> <span class="nx">lookup</span><span class="p">(</span><span class="kd">local</span><span class="p">.</span><span class="nx">environment_colors</span><span class="p">,</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">environment</span><span class="p">,</span> <span class="s2">"none"</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Store this in a file <code>main.tf</code> alongside your <code>cfn-templates</code> directory, authenticate to AWS in an experimental account, and run <code>terraform init</code> and <code>terraform apply</code>.</p> <h3> Scaling up </h3> <p>For provisioning across accounts we can adapt the <a href="https://blog.ekern.me/2025/02/27/aws-cloudformation-stacksets.html#example" rel="noopener noreferrer">example</a> from my previous blog post that shows us how to create a service-managed stack set that auto-deploys an IAM role to all accounts in an organization. We can leverage this pattern to easily and automatically create an execution role in all target accounts.</p> <p>Our final code snippet will create two stack sets:</p> <ol> <li>A service-managed stack set that deploys an execution role to all accounts in a target OU.</li> <li>A self-managed stack set that deploys our CloudFormation template for account coloring to a set predefined accounts.</li> </ol> <p>Note that in order to use service-managed stack sets you need to:</p> <ol> <li>Use AWS Organizations.</li> <li>Enable <a href="https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-orgs-activate-trusted-access.html" rel="noopener noreferrer">trusted access for StackSets</a> in the organization.</li> <li>Create the stack set through the management account or through a <a href="https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-orgs-delegated-admin.html" rel="noopener noreferrer">delegated administrator</a>.</li> </ol> <p>The resulting Terraform code can look something like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">terraform</span> <span class="p">{</span> <span class="nx">required_providers</span> <span class="p">{</span> <span class="nx">aws</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"hashicorp/aws"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"~&gt; 6"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">required_version</span> <span class="p">=</span> <span class="s2">"&gt;= 1.0"</span> <span class="p">}</span> <span class="k">provider</span> <span class="s2">"aws"</span> <span class="p">{</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"eu-west-1"</span> <span class="p">}</span> <span class="k">data</span> <span class="s2">"aws_caller_identity"</span> <span class="s2">"this"</span> <span class="p">{}</span> <span class="k">data</span> <span class="s2">"aws_organizations_organization"</span> <span class="s2">"this"</span> <span class="p">{}</span> <span class="nx">locals</span> <span class="p">{</span> <span class="nx">name_prefix</span> <span class="p">=</span> <span class="s2">"example-tf"</span> <span class="nx">stackset_execution_role_name</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">local</span><span class="p">.</span><span class="nx">name_prefix</span><span class="k">}</span><span class="s2">-cfn-stackset-execution"</span> <span class="nx">current_account_id</span> <span class="p">=</span> <span class="k">data</span><span class="p">.</span><span class="nx">aws_caller_identity</span><span class="p">.</span><span class="nx">this</span><span class="p">.</span><span class="nx">account_id</span> <span class="nx">stack_set_admin_account_id</span> <span class="p">=</span> <span class="kd">local</span><span class="p">.</span><span class="nx">current_account_id</span> <span class="nx">management_account_id</span> <span class="p">=</span> <span class="k">data</span><span class="p">.</span><span class="nx">aws_organizations_organization</span><span class="p">.</span><span class="nx">this</span><span class="p">.</span><span class="nx">master_account_id</span> <span class="nx">call_as</span> <span class="p">=</span> <span class="kd">local</span><span class="p">.</span><span class="nx">current_account_id</span> <span class="p">==</span> <span class="kd">local</span><span class="p">.</span><span class="nx">management_account_id</span> <span class="err">?</span> <span class="s2">"SELF"</span> <span class="err">:</span> <span class="s2">"DELEGATED_ADMIN"</span> <span class="nx">target_ou_id</span> <span class="p">=</span> <span class="s2">""</span> <span class="c1"># TODO: Add a non-critical OU here for initial testing</span> <span class="p">}</span> <span class="c1"># A service-managed stack set that creates the required execution role</span> <span class="c1"># for using self-managed stack sets</span> <span class="k">resource</span> <span class="s2">"aws_cloudformation_stack_set"</span> <span class="s2">"execution_role"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">local</span><span class="p">.</span><span class="nx">name_prefix</span><span class="k">}</span><span class="s2">-execution-role"</span> <span class="nx">permission_model</span> <span class="p">=</span> <span class="s2">"SERVICE_MANAGED"</span> <span class="nx">capabilities</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"CAPABILITY_NAMED_IAM"</span><span class="p">]</span> <span class="nx">call_as</span> <span class="p">=</span> <span class="kd">local</span><span class="p">.</span><span class="nx">call_as</span> <span class="nx">auto_deployment</span> <span class="p">{</span> <span class="nx">enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="nx">parameters</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">TrustedAccountId</span> <span class="p">=</span> <span class="kd">local</span><span class="p">.</span><span class="nx">stack_set_admin_account_id</span> <span class="nx">RoleName</span> <span class="p">=</span> <span class="kd">local</span><span class="p">.</span><span class="nx">stackset_execution_role_name</span> <span class="p">}</span> <span class="nx">template_body</span> <span class="p">=</span> <span class="o">&lt;&lt;-</span><span class="no">EOF</span><span class="sh"> AWSTemplateFormatVersion: "2010-09-09" Parameters: TrustedAccountId: Type: String RoleName: Type: String Resources: Role: Type: AWS::IAM::Role Properties: RoleName: !Ref RoleName AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Effect: Allow Principal: AWS: !Sub "arn:aws:iam::$${TrustedAccountId}:root" Action: sts:AssumeRole ManagedPolicyArns: - arn:aws:iam::aws:policy/AdministratorAccess </span><span class="no"> EOF </span><span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_cloudformation_stack_set_instance"</span> <span class="s2">"execution_role"</span> <span class="p">{</span> <span class="nx">stack_set_name</span> <span class="p">=</span> <span class="nx">aws_cloudformation_stack_set</span><span class="p">.</span><span class="nx">execution_role</span><span class="p">.</span><span class="nx">name</span> <span class="nx">call_as</span> <span class="p">=</span> <span class="kd">local</span><span class="p">.</span><span class="nx">call_as</span> <span class="nx">stack_set_instance_region</span> <span class="p">=</span> <span class="s2">"eu-west-1"</span> <span class="nx">deployment_targets</span> <span class="p">{</span> <span class="nx">organizational_unit_ids</span> <span class="p">=</span> <span class="p">[</span><span class="kd">local</span><span class="p">.</span><span class="nx">target_ou_id</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># The admin role is used by CloudFormation StackSets to assume execution roles</span> <span class="c1"># in target accounts when using self-managed stack sets.</span> <span class="k">resource</span> <span class="s2">"aws_iam_role"</span> <span class="s2">"stackset_admin"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">local</span><span class="p">.</span><span class="nx">name_prefix</span><span class="k">}</span><span class="s2">-cfn-stackset-admin"</span> <span class="nx">assume_role_policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">Action</span> <span class="p">=</span> <span class="s2">"sts:AssumeRole"</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Principal</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Service</span> <span class="p">=</span> <span class="s2">"cloudformation.amazonaws.com"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">]</span> <span class="p">})</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_iam_role_policy"</span> <span class="s2">"assume_to_stackset_admin"</span> <span class="p">{</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">stackset_admin</span><span class="p">.</span><span class="nx">name</span> <span class="nx">policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Action</span> <span class="p">=</span> <span class="s2">"sts:AssumeRole"</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="s2">"arn:aws:iam::*:role/</span><span class="k">${</span><span class="kd">local</span><span class="p">.</span><span class="nx">stackset_execution_role_name</span><span class="k">}</span><span class="s2">"</span> <span class="p">}</span> <span class="p">]</span> <span class="p">})</span> <span class="p">}</span> <span class="nx">locals</span> <span class="p">{</span> <span class="nx">accounts</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">id</span> <span class="p">=</span> <span class="s2">""</span> <span class="c1"># TODO: Add the ID of an account in the target OU here</span> <span class="nx">environment</span> <span class="p">=</span> <span class="s2">"development"</span> <span class="p">},</span> <span class="p">]</span> <span class="nx">environment_colors</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">development</span> <span class="p">=</span> <span class="s2">"green"</span> <span class="nx">staging</span> <span class="p">=</span> <span class="s2">"orange"</span> <span class="nx">production</span> <span class="p">=</span> <span class="s2">"red"</span> <span class="p">}</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_cloudformation_stack_set"</span> <span class="s2">"account_color"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">local</span><span class="p">.</span><span class="nx">name_prefix</span><span class="k">}</span><span class="s2">-account-color"</span> <span class="nx">permission_model</span> <span class="p">=</span> <span class="s2">"SELF_MANAGED"</span> <span class="nx">administration_role_arn</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">stackset_admin</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">execution_role_name</span> <span class="p">=</span> <span class="kd">local</span><span class="p">.</span><span class="nx">stackset_execution_role_name</span> <span class="nx">template_body</span> <span class="p">=</span> <span class="nx">file</span><span class="p">(</span><span class="s2">"</span><span class="k">${</span><span class="nx">path</span><span class="p">.</span><span class="nx">root</span><span class="k">}</span><span class="s2">/cfn-templates/account-color.yml"</span><span class="p">)</span> <span class="nx">capabilities</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"CAPABILITY_IAM"</span><span class="p">]</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">aws_iam_role_policy</span><span class="p">.</span><span class="nx">assume_to_stackset_admin</span><span class="p">,</span> <span class="nx">aws_cloudformation_stack_set_instance</span><span class="p">.</span><span class="nx">execution_role</span><span class="p">,</span> <span class="p">]</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_cloudformation_stack_set_instance"</span> <span class="s2">"account_color"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">for</span> <span class="nx">account</span> <span class="nx">in</span> <span class="kd">local</span><span class="p">.</span><span class="nx">accounts</span> <span class="err">:</span> <span class="nx">account</span><span class="p">.</span><span class="nx">id</span> <span class="p">=</span><span class="err">&gt;</span> <span class="nx">account</span> <span class="p">}</span> <span class="nx">stack_set_name</span> <span class="p">=</span> <span class="nx">aws_cloudformation_stack_set</span><span class="p">.</span><span class="nx">account_color</span><span class="p">.</span><span class="nx">name</span> <span class="nx">account_id</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">key</span> <span class="nx">stack_set_instance_region</span> <span class="p">=</span> <span class="s2">"eu-west-1"</span> <span class="nx">parameter_overrides</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"Color"</span> <span class="p">=</span> <span class="nx">lookup</span><span class="p">(</span><span class="kd">local</span><span class="p">.</span><span class="nx">environment_colors</span><span class="p">,</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">environment</span><span class="p">,</span> <span class="s2">"none"</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>You can try it out by storing the snippet above in a file <code>main.tf</code>, fixing the <code>TODO</code>s, running it against <strong>a non-critical OU</strong>, and verifying that the Terraform plan looks good.</p> <p>Enjoy the colors 🌈</p> <h2> Summary </h2> <p>There you have it, folks. Colored AWS accounts. We're truly living in the future.</p> <p>While I do expect that we'll get both SDK and CloudFormation support in the near-ish future (and if we're lucky the possibility to configure this centrally from the management account), you can still get started with the CloudFormation approach laid out here. Once something better and more native shows up, you should be able to delete the custom resource and associated resources without issues and replace it with a new mechanism - the custom resource is configured to be a no-op on deletion.</p> <p>Note that managed policies typically used for read access (e.g., <a href="https://docs.aws.amazon.com/aws-managed-policy/latest/reference/ViewOnlyAccess.html" rel="noopener noreferrer"><code>ViewOnlyAccess</code></a> and <a href="https://docs.aws.amazon.com/aws-managed-policy/latest/reference/ReadOnlyAccess.html" rel="noopener noreferrer"><code>ReadOnlyAccess</code></a>) do not yet include permissions to fetch the color of an account. If you're using these and want your developers to experience the cloud in all its colorful glory, consider adding <code>uxc:GetAccountColor</code> to the relevant IAM roles.</p> <p>What we've done here might seem a teeny-tiny tad overkill for this specific use case, but the overall approach and the patterns described can be applied when provisioning any baseline infrastructure across accounts.</p> <p><strong>Update (31 Oct '25 🎃):</strong><br> <a href="https://www.linkedin.com/feed/update/urn:li:activity:7388640951671447552?commentUrn=urn%3Ali%3Acomment%3A%28activity%3A7388640951671447552%2C7389943229921619968%29&amp;dashCommentUrn=urn%3Ali%3Afsd_comment%3A%287389943229921619968%2Curn%3Ali%3Aactivity%3A7388640951671447552%29" rel="noopener noreferrer">Anders Bjørnestad</a> was kind to point out that customers using Control Tower might have issues with account coloring as it currently only has an endpoint in us-east-1.</p> <p>If us-east-1 isn't a governed region in Control Tower <strong>and</strong> you have enabled region deny controls (i.e., <a href="https://docs.aws.amazon.com/controltower/latest/controlreference/primary-region-deny-policy.html" rel="noopener noreferrer"><code>GRREGIONDENY</code></a> or <a href="https://docs.aws.amazon.com/controltower/latest/controlreference/ou-region-deny.html" rel="noopener noreferrer"><code>CTMULTISERVICEPV1</code></a>), by default you won't be able to get or set an account color as it's not part of the default whitelist.. Unless colors are EXTREMELY IMPORTANT to you, your best course of action is likely to wait until the Control Tower service team fixes this on their end to avoid having to get your hands dirty with Control Tower, SCPs and the associated blast radius.</p> <p>But not one to shy away from a practical lesson, here's how you probably could wrestle Control Tower to give you colors if you so desired:</p> <ul> <li>If using <code>CTMULTISERVICEPV1</code>, you should be able to add <code>uxc:*</code> to the whitelist using the built-in exemptions feature for this control.</li> <li>If using <code>GRRREGIONDENY</code> you could add us-east-1 as a governed region, and introduce a custom SCP that denies unwanted actions there - perhaps just an extension of the <a href="https://docs.aws.amazon.com/controltower/latest/controlreference/primary-region-deny-policy.html" rel="noopener noreferrer">default SCP</a> that includes <code>uxc:*</code>. Note that this is fair amount of work and comes with quite the blast radius.</li> </ul> <p>But again, for this specific feature, you should probably just wait for official support in Control Tower to avoid any production incidents that can be tricky to explain to the management..</p> <ol> <li id="fn1"> <p><em>"<a href="https://github.com/boto/boto3/issues/4612#issuecomment-3276183508" rel="noopener noreferrer">[It] is something that would need to be implemented by the service team</a>"</em> ↩</p> </li> <li id="fn2"> <p>If you really wanted to use a service-managed stack set instead of a self-managed one you could do so by updating the custom resource to determine the color (e.g., by looking up account name or alias, and introducing some rules for mapping to colors). Generally speaking I favor more explicit behavior than this though. ↩</p> </li> </ol> aws cloudformation iac governance