Deploy StackSets
This step deploys the Guardian Pro member role to all of your selected AWS accounts using CloudFormation StackSets. The member role grants Guardian Pro the permissions needed to discover resources, run security and cost scans, and optionally perform automated remediation.
What StackSets Do
CloudFormation StackSets allow you to deploy a standardised CloudFormation template across multiple AWS accounts and regions in a single operation. Guardian Pro uses StackSets to:
- Deploy the GuardianProMemberRole IAM role to each selected member account
- Maintain consistency -- every account gets the same role with the same permissions
- Auto-deploy to new accounts -- when new accounts join your organisation, the role is deployed automatically
StackSets are an AWS-native feature. Guardian Pro uses them to ensure reliable, auditable, and repeatable role deployment across your entire organisation.
The Service-Managed Model
Guardian Pro uses the service-managed deployment model for StackSets. This is the AWS-recommended approach for organisations and provides significant advantages:
| Feature | Service-Managed | Self-Managed |
|---|---|---|
| Auto-deploy to new accounts | Yes | No |
| Requires admin role in each account | No | Yes |
| Managed by AWS Organisations | Yes | No |
| Supports OU-level targeting | Yes | No |
How Auto-Deployment Works
With the service-managed model:
- You deploy the StackSet once during onboarding
- When a new account is added to your organisation (or moved into a monitored OU), the member role is automatically deployed to that account
- When an account is removed from the organisation, the corresponding stack instance is automatically cleaned up
- No manual intervention is required for ongoing account management
Auto-deployment means your governance coverage grows with your organisation. New accounts are protected from the moment they are created, with no gaps in visibility.
What the Member Role Allows
The GuardianProMemberRole grants Guardian Pro two categories of access:
Read Access (Always Enabled)
Read-only permissions for resource discovery and security scanning:
- Describe and list operations across supported AWS services (EC2, RDS, S3, IAM, Lambda, and dozens more)
- Read configurations to evaluate security posture, cost efficiency, and architectural patterns
- Read tags and metadata for resource categorisation and compliance mapping
- Read CloudWatch metrics for utilisation analysis and rightsizing recommendations
- Read Cost and Usage data for cost intelligence features
Write Access (Remediation -- Optional)
Write permissions are only used when you explicitly trigger a remediation action:
- Modify resource configurations (e.g., enable encryption, restrict public access)
- Update security group rules (e.g., remove overly permissive ingress rules)
- Adjust instance types (e.g., rightsizing recommendations)
Write permissions are included in the member role but are never used without your explicit approval. Every remediation action requires you to review a preview, confirm the changes, and click Execute. Guardian Pro never modifies resources autonomously.
For the complete list of permissions, see IAM Permissions Reference.
Deploying StackSets
Step 1: Review the Deployment Scope
The onboarding wizard shows which accounts and OUs will receive the member role. This matches the selection you made in the Discover Organisation step.
Review the list and confirm:
- The correct accounts are included
- No accounts are unintentionally selected
- The target OUs match your monitoring scope
Step 2: Initiate Deployment
Click Deploy StackSets to begin. Guardian Pro creates the StackSet in your management account and starts deploying stack instances to each selected account.
StackSet deployment requires the management role you deployed in the first step. Guardian Pro assumes this role to create the StackSet in your management account.
Step 3: Monitor Deployment Progress
The wizard displays real-time deployment progress:
- Pending -- stack instance queued for deployment
- Running -- CloudFormation stack creation in progress
- Succeeded -- member role successfully deployed
- Failed -- deployment encountered an error (see troubleshooting below)
Deployment runs in parallel across accounts. For most organisations, all accounts complete within 3-5 minutes.
Step 4: Verify Completion
Once all stack instances show Succeeded, click Continue to proceed to the next step. Guardian Pro validates that it can assume the member role in at least one account before allowing you to proceed.
Deployment Regions
The member role is a global IAM resource, so it only needs to be deployed once per account regardless of how many regions you use. The StackSet targets a single region per account for the IAM role deployment.
Guardian Pro scans resources across all enabled regions in each account -- the single IAM role provides cross-region access.
Security Controls
Confused Deputy Protection
Like the management role, the member role uses External ID verification:
- Each member role includes a unique External ID tied to your Guardian Pro organisation
- Guardian Pro must present this External ID when assuming the role
- This prevents any other party from using the role, even if they obtain the role ARN
Least Privilege
The member role follows the principle of least privilege:
- No wildcard (*) resource permissions -- permissions are scoped to specific service actions
- No data-plane access -- Guardian Pro reads configurations, not your application data
- No IAM administrative access -- the role cannot create other roles, users, or policies
- Time-limited sessions -- role assumption sessions expire after one hour
Audit Trail
All role assumptions are logged in AWS CloudTrail in each member account. You can audit exactly when Guardian Pro accessed each account and what API calls were made.
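One way to carry out the audit described above, as an added example that is not Guardian Pro's own tooling: it walks CloudTrail records (a constructed sample is embedded below), counts successful assumptions of the member role per member account, and flags denied attempts or assumptions by any account other than the trusted one. The Guardian Pro account ID is a placeholder assumption.

```python
import json

MEMBER_ROLE_NAME = "GuardianProMemberRole"
GUARDIAN_ACCOUNT_ID = "111111111111"  # placeholder: the real Guardian Pro account ID is an assumption


def audit_assume_role_events(records, trusted_account=GUARDIAN_ACCOUNT_ID,
                             role_name=MEMBER_ROLE_NAME):
    """Summarise AssumeRole activity against the member role.

    Returns (summary, alerts): summary maps member account ID to the number of
    successful assumptions; alerts lists denied attempts and any successful
    assumption by an account other than the trusted Guardian Pro account.
    """
    summary, alerts = {}, []
    for rec in records:
        if rec.get("eventSource") != "sts.amazonaws.com" or rec.get("eventName") != "AssumeRole":
            continue
        role_arn = rec.get("requestParameters", {}).get("roleArn", "")
        if not role_arn.endswith(f":role/{role_name}"):
            continue  # some other role; not part of this audit
        caller = rec.get("userIdentity", {}).get("accountId")
        member = rec.get("recipientAccountId")
        when = rec.get("eventTime")
        if rec.get("errorCode"):  # e.g. AccessDenied when the External ID does not match
            alerts.append(f"{when}: denied AssumeRole into {member} by account {caller}")
            continue
        if caller != trusted_account:
            alerts.append(f"{when}: {role_name} in {member} assumed by untrusted account {caller}")
        summary[member] = summary.get(member, 0) + 1
    return summary, alerts


# Constructed sample CloudTrail records (trimmed to the fields used above).
SAMPLE_EVENTS = [json.loads(line) for line in [
    '{"eventTime":"2024-01-01T10:00:00Z","eventSource":"sts.amazonaws.com","eventName":"AssumeRole",'
    '"userIdentity":{"type":"AWSAccount","accountId":"111111111111"},"recipientAccountId":"222222222222",'
    '"requestParameters":{"roleArn":"arn:aws:iam::222222222222:role/GuardianProMemberRole","roleSessionName":"guardian-scan"}}',
    '{"eventTime":"2024-01-01T10:05:00Z","eventSource":"sts.amazonaws.com","eventName":"AssumeRole",'
    '"userIdentity":{"type":"AWSAccount","accountId":"999999999999"},"recipientAccountId":"222222222222",'
    '"errorCode":"AccessDenied","requestParameters":{"roleArn":"arn:aws:iam::222222222222:role/GuardianProMemberRole"}}',
    '{"eventTime":"2024-01-01T10:06:00Z","eventSource":"sts.amazonaws.com","eventName":"AssumeRole",'
    '"userIdentity":{"type":"AWSAccount","accountId":"111111111111"},"recipientAccountId":"333333333333",'
    '"requestParameters":{"roleArn":"arn:aws:iam::333333333333:role/OtherRole"}}',
]]
```

Point it at records exported from the member account's CloudTrail (or a CloudTrail Lake query result) to reconcile what Guardian Pro did against what the wizard reported.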
Troubleshooting
Stack instance failed in one or more accounts
If deployment fails in specific accounts:
- Check the error message in the deployment progress view
- Common causes:
  - SCP restrictions: A service control policy may prevent IAM role creation in certain accounts
  - Suspended account: Deployment cannot proceed in suspended accounts
  - Existing stack: A stack with the same name may already exist from a previous deployment
Failed stack instances do not block the rest of your onboarding. You can proceed with the successfully deployed accounts and troubleshoot failed accounts later from Settings > Accounts.
Deployment is taking longer than expected
StackSet deployments operate within AWS service limits:
- Max concurrent deployments: AWS limits how many stack instances can deploy simultaneously
- Retry behaviour: Failed instances may be retried automatically
- Large organisations: Deploying to 100+ accounts may take 10-15 minutes
If deployment appears stuck, check the CloudFormation StackSets console in your management account for detailed status.
Cannot proceed after deployment
If the Continue button remains disabled:
- Ensure at least one account shows Succeeded status
- Guardian Pro validates role assumption -- if validation fails, check that the role trust policy is correct
- Try clicking Verify to re-run the validation check
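A static check for the trust policy conditions described under Confused Deputy Protection, usable when validation fails at this step. This is an added example, not Guardian Pro's own verification code; the Guardian Pro account ID and External ID are placeholder assumptions, and the two sample policies are constructed.

```python
import json

# Placeholders (assumptions): the real Guardian Pro account ID and your organisation's
# External ID are issued during onboarding and are not part of this page.
GUARDIAN_ACCOUNT_ID = "111111111111"
EXPECTED_EXTERNAL_ID = "example-external-id"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy_doc, trusted_account=GUARDIAN_ACCOUNT_ID,
                       external_id=EXPECTED_EXTERNAL_ID):
    """Return findings for a role trust policy; an empty list means it is sound.

    Allow statements for sts:AssumeRole must name only the trusted Guardian Pro
    account (never a wildcard) and require the organisation's sts:ExternalId."""
    policy = json.loads(policy_doc) if isinstance(policy_doc, str) else policy_doc
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        for p in principals:  # accept the bare account ID or its root ARN
            if p not in (trusted_account, f"arn:aws:iam::{trusted_account}:root"):
                findings.append(f"statement {i}: unexpected principal {p!r}")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            findings.append(f"statement {i}: missing sts:ExternalId condition")
        elif ext != external_id:
            findings.append(f"statement {i}: External ID mismatch ({ext!r})")
    return findings


# Constructed sample: the shape a correct GuardianProMemberRole trust policy takes.
GOOD_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{GUARDIAN_ACCOUNT_ID}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": EXPECTED_EXTERNAL_ID}},
    }],
}

# Constructed sample: a misconfigured policy with a wildcard principal and no External ID.
BAD_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}],
}
```

Feed it the AssumeRolePolicyDocument returned by iam get-role for the member role in the failing account; any finding points at what to fix before clicking Verify again.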
Removing deployed roles
If you need to remove the member role from specific accounts:
- Go to the CloudFormation StackSets console in your management account
- Select the Guardian Pro StackSet
- Delete the stack instances for the target accounts
Removing the member role from an account will stop Guardian Pro from monitoring that account. Resource discovery, scanning, and remediation will no longer function for that account.
Next Steps
With monitoring roles deployed across your accounts, proceed to Users & Permissions to configure who can access Guardian Pro and what they can do.
Related Pages
- Discover Organisation -- previous step
- Users & Permissions -- next step
- IAM Permissions Reference -- detailed permission breakdown
- Onboarding Overview -- full process summary