Resource Orchestration Service - ROS - Supports the Service-Managed Permissions Model
Target customers: all users.

Features released: ROS allows users to create stack groups that have self-managed permissions or service-managed permissions. Before the service-managed permissions model was released, only the self-managed permissions model was available.

With the self-managed permissions model, users must manually create RAM roles within the administrator and execution accounts to establish a trust relationship between the accounts before a stack group that has self-managed permissions can be created. Then, users can deploy stacks within the execution account.

With the service-managed permissions model, users only need to enable the trusted access feature to create a stack group that has service-managed permissions. ROS automatically creates service-linked roles within the administrator and execution accounts. The administrator account then uses the service-linked roles to deploy stacks within the execution account. Users do not need to manually create the RAM roles that stack groups require, because ROS automatically creates and manages them.

Users can deploy the stacks in a stack group that has service-managed permissions to the member accounts in the folders of Resource Directory. If changes are applied to the member accounts in the folders, the changes are synchronized to the instances that correspond to the stacks in the accounts.