CloudFormation Posts

Terraform + CloudFormation StackSets: Deploying IAM Roles Across Every Account in Your Organization

Every multi-account AWS organization needs a baseline IAM role in every member account. Cross-account access for security tooling, centralized billing queries, incident response, compliance scanning: the use cases pile up fast. I have deployed this pattern across six enterprise organizations, each with 50 to 400 member accounts. The approach that survives at scale is Terraform managing a CloudFormation StackSet from the management account, with service-managed permissions and auto-deployment enabled. New accounts get the role automatically. No tickets. No manual steps. No drift.

Infrastructure as Code: CloudFormation, CDK, Terraform, and Pulumi Compared

Infrastructure as Code is one of those concepts that every cloud team claims to practice, yet the architectural differences between the tools they use (and the downstream implications for team velocity, operational safety, and organizational scaling) are rarely examined with the rigor they deserve. I have provisioned and managed infrastructure across hundreds of AWS accounts using all four major IaC tools over the past decade, from wrestling with early CloudFormation YAML to adopting CDK for its high-level abstractions to running Terraform at scale across multi-account landing zones. That experience has given me strong opinions about when each tool shines and where each one will hurt you in production.
