CloudFormation, StackSets, and golden images: provisioning for SOA-C03
Provisioning and maintaining cloud resources is the practice of creating infrastructure from repeatable definitions — golden images built with EC2 Image Builder, stacks declared in CloudFormation templates, and fleets rolled out across accounts and Regions with StackSets — instead of hand-building it in the console. Task 3.1 sits inside Domain 3 (Deployment, Provisioning, and Automation), which carries 22% of your scored SOA-C03 content, and it produces some of the exam's most recognizable scenarios: a stack stuck in ROLLBACK_COMPLETE, a resource changed outside CloudFormation, a subnet that ran out of IP addresses mid-deployment. This lesson covers the full task: image management, CloudFormation template anatomy and stack lifecycle, change sets, drift detection, deployment troubleshooting, StackSets and AWS RAM for multi-account work, deployment strategies, and where Terraform and the CDK fit.
On this page8 sections
- Golden images: AMIs, EC2 Image Builder, and container images
- CloudFormation template anatomy for operators
- Stack lifecycle, change sets, and protecting stateful resources
- Drift detection and rollback states
- Troubleshooting a failed deployment: a walked-through scenario
- Multi-account and multi-Region provisioning: StackSets, AWS RAM, and Service Catalog
- Deployment strategies: in-place, blue/green, and instance refresh
- The AWS CDK, Terraform, and Git: the wider IaC landscape
- Build and maintain golden images with AMIs and EC2 Image Builder pipelines, including cross-Region copy, sharing, and deregistration hygiene
- Read a CloudFormation template's Parameters, Mappings, Conditions, Resources, and Outputs and predict how a stack update will behave
- Preview changes with change sets and protect stateful resources with stack policies and DeletionPolicy
- Diagnose failed deployments caused by subnet sizing, CloudFormation errors, and IAM permissions, and recover from rollback states
- Choose between StackSets, AWS RAM, and Service Catalog for multi-Region, multi-account provisioning
- Position the AWS CDK and Terraform relative to CloudFormation, including managed state versus a state file
Golden images: AMIs, EC2 Image Builder, and container images
Golden images bake your OS hardening, agents, and runtime dependencies into a reusable image so every instance launches identical and boots fast. On EC2 the unit is the AMI. You create one from a configured instance; by default EC2 reboots the instance first so the filesystem is captured in a consistent state (the no-reboot option skips this at the risk of an inconsistent image). AMIs are Regional resources: to launch the same image elsewhere you must copy the AMI to each target Region, and to let other accounts use it you share it with specific account IDs or across an organization. Deregistration hygiene matters operationally: deregistering an AMI does not delete its backing EBS snapshots — you keep paying for them until you delete the snapshots separately, so stale-image cleanup is a two-step job.
EC2 Image Builder turns image maintenance into a managed pipeline: a source image, build components that install and configure software, test components that validate the result, and a distribution configuration that copies the finished AMI to your chosen Regions and shares it with your chosen accounts. Put the pipeline on a schedule and your golden image is rebuilt automatically as new patches land — the exam's answer to keeping AMIs patch-current without manual rebuilds.
Container images follow the same idea: build the image, push it to Amazon ECR, and let ECS or EKS pull from there. Operationally, use ECR lifecycle policies to expire old and untagged images so repositories do not grow without bound. Whether AMI or container image, the goal is identical: a versioned, tested artifact you can roll out — and roll back — deliberately.
CloudFormation template anatomy for operators
A CloudFormation template is a declarative description of a stack, and for operations you mostly read five sections. Resources is the only required one: every resource has a logical ID, a type, and properties. Parameters make one template serve many environments — instance sizes, environment names, and CIDR ranges arrive at deploy time instead of being hard-coded. Mappings are static lookup tables, classically mapping each Region to its local AMI ID so one template deploys anywhere. Conditions switch resources on or off — create the expensive Multi-AZ database only when the environment parameter equals prod. Outputs surface values (a load balancer DNS name, a subnet ID) after deployment, and an output with an Export name can be consumed by other stacks through Fn::ImportValue.
That last mechanism has an operational sting the exam likes: you cannot delete a stack, or remove an exported output, while another stack imports it. Cross-stack references create real dependencies between stacks, so deletions have an order.
Read templates the way the engine does: CloudFormation works out dependencies (references between resources, plus explicit DependsOn) and creates resources in dependency order, in parallel where it can. When you can predict what a template will create, in what order, and which values are environment-specific, update behavior — and the failure modes covered in the rest of this lesson — become much easier to reason about under exam time pressure.
Stack lifecycle, change sets, and protecting stateful resources
A stack's lifecycle is create, update, delete — and the operational discipline lives in how you update. You can update directly, but the safer path is a change set: CloudFormation compares the new template and parameters against the running stack and shows you every planned Add, Modify, and Remove before anything happens. The critical detail is Replacement. Some property changes update a resource in place; others force CloudFormation to delete the resource and create a new one, because the property is immutable after creation. For a stateless web server a replacement is a non-event; for a database it destroys data. Review change sets specifically for replacements on stateful resources, then execute.
Two mechanisms protect stateful resources. A stack policy is a JSON document evaluated during stack updates that denies update actions against protected logical IDs — with a policy protecting the production database resource, an update that would modify or replace it fails instead of proceeding, until you explicitly override the policy. DeletionPolicy is a per-resource attribute controlling what happens when the resource is removed from the stack or the stack is deleted: Delete (the default for most resources), Retain (leave the resource running outside the stack), or Snapshot (take a final snapshot before deletion — supported for snapshot-capable resources such as EBS volumes, RDS instances, and ElastiCache clusters).
The exam pattern: 'preview exactly what an update will change before running it' points to a change set; 'prevent the database from being replaced or deleted' points to a stack policy plus DeletionPolicy: Retain or Snapshot. Stack-level termination protection adds one more guard, blocking deletion of the whole stack until it is turned off.
Drift detection and rollback states
Drift detection answers the ops classic: a resource was changed outside CloudFormation — someone edited a security group rule in the console — and now the template no longer matches reality. Run drift detection on the stack and CloudFormation compares the live configuration of each supported resource against the template's expected configuration, reporting each resource as IN_SYNC, MODIFIED, or DELETED, and the stack as DRIFTED when anything diverges. Drift detection reports; it does not revert. Fixing drift means updating the stack (or the resource) so template and reality agree again — and until you do, the next stack update can behave unpredictably, because CloudFormation assumes it owns the configuration.
Rollback behavior is the other state-machine topic. When a create fails, CloudFormation rolls back and deletes everything it created; the stack lands in ROLLBACK_COMPLETE. That state is terminal for the stack: you cannot update it — delete the stack and create it again once you have fixed the cause. When an update fails, CloudFormation automatically rolls back to the last known working configuration (UPDATE_ROLLBACK_COMPLETE), which is why updates are far less scary than creates. If the rollback itself fails — often because a resource was changed out of band or a dependency is gone — the stack enters UPDATE_ROLLBACK_FAILED. Recovery is continue update rollback after fixing the underlying problem, optionally skipping resources CloudFormation cannot reconcile.
Nested stacks package common patterns (a standard VPC, a standard load balancer tier) as child stacks created by a parent via AWS::CloudFormation::Stack. Remember that failures propagate: a child stack failure rolls back the parent, and you troubleshoot by finding the failed child's own events.
Troubleshooting a failed deployment: a walked-through scenario
Work one failure end to end. An update to a production stack grows an Auto Scaling group, adding instances to an existing subnet. The update fails and rolls back. Where do you look? The stack's event history, oldest failure first. CloudFormation cancels dependent operations after the first failure, so the event list fills with cascade noise; the first CREATE_FAILED or UPDATE_FAILED event names the real culprit and carries the underlying service's error message.
Here the first failure says the subnet has insufficient free addresses. That is a subnet sizing issue: the CIDR is exhausted. Remember that AWS reserves 5 IP addresses in every subnet (the first four and the last one), so a /28 offers 16 addresses minus 5 — only 11 usable. A subnet sized for steady state runs dry the first time scaling, a parallel environment, or an ENI-hungry service pushes past its ceiling. The fix is structural — a larger CIDR or additional subnets — not a retry.
Two other first-failure families dominate the exam. CloudFormation errors: 'resource already exists' means a name collision — an explicitly named resource (a bucket name, a role name) clashes with one already in the account, which is why letting CloudFormation generate names is safer; insufficient-capacity errors come from the underlying service, not the template. Permissions issues: CloudFormation calls each service's API as some principal. By default that is the deploying user's credentials; if a service role is attached to the stack, CloudFormation uses the role instead. An access-denied error therefore means the deployer lacks permissions or the service role does — check whichever identity actually performed the call.
Multi-account and multi-Region provisioning: StackSets, AWS RAM, and Service Catalog
Provisioning at organization scale is about pushing one definition everywhere — or sharing one resource instead of duplicating it. CloudFormation StackSets deploy a single template as stack instances across many accounts and Regions from one administrator account. With self-managed permissions you create the trust yourself: an administration role in the admin account and an execution role in every target account that the administration role assumes. With service-managed permissions, StackSets integrates with AWS Organizations, provisions those roles for you, and unlocks automatic deployment: target an organizational unit and any new account joining it automatically receives the stack — the exam's answer to 'every new account must get this baseline'.
AWS RAM solves a different problem: some resources should exist once and be used by many accounts. Share subnets so multiple accounts launch workloads into one centrally managed VPC, or share a Transit Gateway or Route 53 Resolver rules. The owner keeps control; consumers use the resource in place. That distinction is the exam trigger: StackSets copy infrastructure into each account, while RAM shares one resource across accounts.
Service Catalog is the curated middle path, needed at mention level: administrators publish approved, CloudFormation-backed products into portfolios, and end users launch them self-service without holding the underlying permissions.
| Service | What it does | Choose it when |
|---|---|---|
| CloudFormation StackSets | Deploys one template to many accounts and Regions; org integration auto-deploys to new accounts | The same stack must exist in every account |
| AWS RAM | Shares an existing resource (subnets, Transit Gateway) with other accounts | One resource should serve many accounts |
| Service Catalog | Curated self-service portfolio of approved products | Users should launch only vetted templates |
Deployment strategies: in-place, blue/green, and instance refresh
Deployment strategies at the infrastructure level trade speed against blast radius. An in-place deployment updates the instances you already have — fastest and cheapest, but the old version is gone once you start, so rollback means deploying backwards, and any failure lands on live capacity. A blue/green deployment builds a complete parallel environment (green) alongside production (blue), validates it, then shifts traffic — at the load balancer or DNS layer — and keeps blue running until you are confident. Rollback is nearly instant (shift traffic back), at the cost of temporarily doubled infrastructure.
For the fleet-rollout case the exam favors Auto Scaling group instance refresh. After you update the launch template with a new AMI version, instance refresh performs a rolling replacement of the group's instances, honoring a minimum healthy percentage so capacity never drops below your floor while old instances drain and new ones prove healthy. It is the operational bridge from the golden-image pipeline to the running fleet: Image Builder produces the new AMI, the launch template gets a new version, and instance refresh rolls it through the group without downtime. It also repairs configuration skew — if some instances are still running an older launch template version after manual interventions, a refresh brings the whole group back to the current definition. When a question asks how to roll a new AMI through an Auto Scaling group with minimal disruption and no parallel environment, instance refresh is the intended answer.
The AWS CDK, Terraform, and Git: the wider IaC landscape
The AWS CDK is not a second engine — it is a developer-friendly front end to the same one. You define infrastructure in a general-purpose language (TypeScript, Python, and others), and cdk synth synthesizes a CloudFormation template; cdk deploy creates or updates an ordinary CloudFormation stack. Everything in this lesson — change sets, rollback states, drift detection, stack events — applies unchanged to CDK-deployed stacks, which is exactly how the exam tests it.
Terraform is the third-party alternative named in the exam guide. It is multi-cloud, declares infrastructure in its own configuration language, and — the key operational contrast — tracks what it has built in a state file that you must store, secure, and lock (commonly in an S3 backend), whereas CloudFormation's state is managed by AWS inside the stack itself. A Terraform plan previews changes the way a change set does, and it refreshes state against reality to surface drift at plan time, where CloudFormation offers on-demand drift detection against its managed state.
| CloudFormation | Terraform | |
|---|---|---|
| State | Managed by AWS in the stack | State file you store and lock |
| Scope | AWS-native | Multi-cloud |
| Change preview | Change sets | Plan step |
| Drift | On-demand drift detection | State refresh during plan |
Underneath either tool, Git is the source of truth: infrastructure definitions live in a repository, changes arrive as reviewed commits, and the environment stays reproducible from a known revision. When a scenario wants template changes versioned, reviewed, and auditable, the answer is the repository workflow, not console edits.
Tip. Task 3.1 questions are scenario-first: a stack fails, a resource drifts, or infrastructure must reach every account, and you pick the mechanism. Map trigger phrases directly: 'deploy to every account in the organization' → StackSets with service-managed permissions and auto-deployment; 'changed outside CloudFormation' → drift detection; 'preview changes before updating' → change sets; 'prevent the database from being replaced or deleted' → stack policy plus DeletionPolicy. Expect the rollback states — ROLLBACK_COMPLETE means delete and recreate, UPDATE_ROLLBACK_FAILED means continue update rollback — and the troubleshooting trio of subnet sizing (5 reserved addresses per subnet), first-failure stack events, and deployer-versus-service-role permissions.
- Deregistering an AMI does not delete its EBS snapshots — delete them separately or storage costs continue.
- A change set previews every Add/Modify/Remove and flags Replacement — a replaced resource is deleted and recreated, so check stateful resources first.
- Stack policies protect resources during updates; DeletionPolicy Retain or Snapshot protects them at deletion and replacement time.
- A resource changed outside CloudFormation is the cue for drift detection — it reports drift but never reverts it.
- ROLLBACK_COMPLETE after a failed create means delete and recreate; UPDATE_ROLLBACK_FAILED is recovered with continue update rollback.
- Read the first failure event in the stack's event history — later failures are usually cascades.
- StackSets deploy one template to many accounts and Regions (org integration auto-deploys to new accounts); AWS RAM shares one existing resource instead of duplicating it.
- Every subnet loses 5 IP addresses to AWS reservations — size CIDRs for peak scale-out, not steady state.
Frequently asked questions
What is the difference between CloudFormation StackSets and AWS RAM?
StackSets deploy a copy of one CloudFormation template into many accounts and Regions, so each account gets its own stack of resources; with AWS Organizations integration, new accounts joining a targeted OU receive the stack automatically. AWS RAM instead shares a single existing resource — such as subnets or a Transit Gateway — so other accounts use the owner's resource in place rather than running duplicates. Use StackSets to replicate infrastructure and RAM to share it.
What does ROLLBACK_COMPLETE mean in CloudFormation?
The stack failed during creation, CloudFormation rolled back and deleted the resources it had created, and the stack is now in a terminal state. You cannot update a stack in ROLLBACK_COMPLETE — fix the cause of the failure, delete the stack, and create it again. Failed updates behave differently: CloudFormation rolls back to the previous working configuration and the stack remains usable.
How does CloudFormation drift detection work?
Drift detection compares the live configuration of a stack's supported resources against what the template expects and marks each resource IN_SYNC, MODIFIED, or DELETED; if anything diverges, the stack is reported as DRIFTED. It only reports — it never reverts changes. It is the tool to reach for whenever a resource was modified outside CloudFormation, such as a console edit to a security group rule.
How is Terraform different from CloudFormation?
Terraform is a multi-cloud infrastructure-as-code tool that records what it manages in a state file you must store, secure, and lock yourself, while CloudFormation is AWS-native and keeps its state managed inside the stack. Terraform previews changes with a plan step, similar to a CloudFormation change set, and surfaces drift by refreshing state at plan time, where CloudFormation runs on-demand drift detection. The AWS CDK is different again: it synthesizes CloudFormation templates, so it uses the same engine.
Does deleting a CloudFormation stack delete my data?
By default most resources are deleted along with the stack. The DeletionPolicy attribute changes that per resource: Retain keeps the resource running outside the stack, and Snapshot takes a final snapshot before deletion for snapshot-capable resources such as RDS instances and EBS volumes. Set these on stateful resources in advance — they only protect deletions that happen after the attribute is in the deployed template.
Do I need EC2 Image Builder if I can create AMIs manually?
Manual AMI creation works for a one-off image, but it leaves patching, testing, and distribution as recurring manual work. EC2 Image Builder defines the image as a pipeline — source image, build components, tests, and distribution to multiple Regions and accounts — and rebuilds it on a schedule, so your golden image stays current with patches automatically. On the exam, a requirement to keep AMIs patched and consistently distributed points to Image Builder.
Sign up free to mark lessons complete, bookmark topics and track your exam readiness.