aws-solutions / aws-control-tower-customizations

The Customizations for AWS Control Tower solution combines AWS Control Tower and other highly-available, trusted AWS services to help customers more quickly set up a secure, multi-account AWS environment using AWS best practices.
https://docs.aws.amazon.com/controltower/latest/userguide/cfct-overview.html
Apache License 2.0

"AWS CloudFormation StackSets update to permission model" #143

Closed akefirad closed 1 year ago

akefirad commented 1 year ago

Is your feature request related to a problem? Please describe. It's more of a question, apologies in advance if this is not the right place to ask this.

Recently I received an email from AWS regarding the change in the required permissions to maintain "self-managed AWS CloudFormation StackSets". I'm not fully sure if this is relevant to CfCT or not.

As far as I can tell, there's no such role in my stack. The main part of the email reads:

We have updated our back-end permissions policy to simplify on-boarding to self-managed AWS CloudFormation StackSets. Starting October 31, 2022, AWS CloudFormation StackSets no longer requires sns* permissions in AWSCloudFormationStackSetExecutionRole as a prerequisite for getting started with self-managed StackSets.

Customers not planning to use any SNS resources can safely remove their existing sns* permissions from their AWSCloudFormationStackSetExecutionRole. These are only required when provisioning Amazon SNS resources.

StackSets requires you to create a service role named AWSCloudFormationStackSetExecutionRole that trusts the customized administration role for each target account. Previously, you needed to provide sns:*, s3:*, and cloudformation:* permissions to AWSCloudFormationStackSetExecutionRole as prerequisites to allow StackSets to manage and provision resources on your behalf. Now, StackSets has removed the explicit need for sns:* permissions as prerequisites in AWSCloudFormationStackSetExecutionRole. Please note, you will still need to provide s3:* and cloudformation:* permissions in AWSCloudFormationStackSetExecutionRole.

Would you please comment if this is relevant to CfCT or if we need to take any action on this. Thanks.
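The role layout the quoted email describes (an execution role in each target account that trusts the administration role, carrying s3 and cloudformation permissions and, formerly, sns), as an added example that is not code from the aws-control-tower-customizations project or from either commenter: a small Python audit that lists which statements of an execution-role policy still grant sns actions, strips the explicit ones, and confirms that s3 and cloudformation remain so the role is still usable by StackSets. The account IDs, the administration-role name, the SNS topic ARN and both policy documents are constructed for illustration and are not taken from any real account.

```python
"""Audit a self-managed StackSets execution-role policy for leftover sns grants.

Added example, not code from the aws-control-tower-customizations project.
Every identifier below (account IDs, role name, topic ARN) is an assumption
made up for the example.
"""
import copy
import json

# Constructed trust policy: the execution role in a target account trusts the
# administration role in the (assumed) administrator account 111111111111.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::111111111111:role/AWSCloudFormationStackSetAdministrationRole"
        },
        "Action": "sts:AssumeRole",
    }],
}

# Constructed "before" permission policy in the style of the old prerequisites:
# sns:*, s3:* and cloudformation:*, plus a second, narrower sns statement.
LEGACY_EXECUTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["sns:*", "s3:*", "cloudformation:*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "sns:Publish",
         "Resource": "arn:aws:sns:us-east-1:222222222222:alerts"},
    ],
}


def _as_list(value):
    """IAM lets Action/Resource be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_sns_grants(policy):
    """Return (statement_index, action) pairs that grant any sns permission.

    A bare "*" action is reported too: it grants sns:* implicitly and cannot be
    trimmed automatically without also revoking everything else in the statement.
    """
    grants = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            if action == "*" or action.lower().startswith("sns:"):
                grants.append((i, action))
    return grants


def strip_sns(policy):
    """Return a copy of the policy with explicit sns:* actions removed.

    Allow statements left with no actions are dropped. A bare "*" action is
    left alone (find_sns_grants still flags it) because removing it would also
    revoke the s3 and cloudformation access StackSets still needs.
    """
    out = copy.deepcopy(policy)
    kept = []
    for stmt in out.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            kept.append(stmt)
            continue
        actions = [a for a in _as_list(stmt["Action"]) if not a.lower().startswith("sns:")]
        if not actions:
            continue
        stmt["Action"] = actions if len(actions) > 1 else actions[0]
        kept.append(stmt)
    out["Statement"] = kept
    return out


def still_has_required(policy):
    """True if the policy still allows some s3 and some cloudformation action."""
    actions = {a for s in policy.get("Statement", []) if s.get("Effect") == "Allow"
               for a in _as_list(s.get("Action"))}

    def grants(service):
        return any(a == "*" or a.lower().startswith(service + ":") for a in actions)

    return grants("s3") and grants("cloudformation")


if __name__ == "__main__":
    print("sns grants found:", find_sns_grants(LEGACY_EXECUTION_POLICY))
    trimmed = strip_sns(LEGACY_EXECUTION_POLICY)
    print(json.dumps(trimmed, indent=2))
    print("s3/cloudformation still granted:", still_has_required(trimmed))
```

The audit is a plain string-prefix check on the policy document, so it is useful for reviewing the JSON you are about to put into a role but is not a substitute for IAM's own evaluation: NotAction statements, permission boundaries and SCPs are outside its scope, and a statement whose only action is "*" is deliberately reported rather than rewritten.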

stumins commented 1 year ago

Hi @akefirad,

This is a general email sent to all StackSets users, which includes accounts that have deployed CFCT (because CFCT leverages StackSets).

CFCT uses the AWSControlTowerExecutionRole in member accounts to deploy resources, and no action is required from customers.