Deploying the ProsperOps IAM role via AWS CloudFormation StackSets

In order for ProsperOps to collect real-time usage telemetry, a least-privilege ProsperOps IAM role is required on every AWS account in the organization. StackSets provide a simple way to automate rollout of the ProsperOps IAM role across all AWS accounts, including those that may get added in the future. This means once a StackSet is in place, it's "set-it-and-forget-it" and the StackSet will automatically ensure the ProsperOps platform has usage visibility across the entire organization. ProsperOps strongly encourages the use of StackSets to automate deployment of the ProsperOps IAM role.

For general information on AWS CloudFormation StackSets, please see https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/what-is-cfnstacksets.html

 
StackSets only deploy resources to AWS Member Accounts and do not apply to the Management Account. As such, the ProsperOps IAM role in the Management Account will need to be configured separately. Once ProsperOps IAM role access has been validated on the Management Account, the ProsperOps Console Onboarding flow will advance to the Additional AWS Account Access step. This is where a StackSet can be used to automate deployment of the ProsperOps role across all AWS Member Accounts.


  • Open a new browser tab, navigate to the AWS Console, and log in to your Management Account. Switch to the region where you want to deploy the StackSet (generally your primary region).

  • Make your way to the CloudFormation section of the AWS Console and select StackSets.
  • Click Create StackSet.
  • Switch to the ProsperOps Console. Click the Setup button for any Member Account, select CloudFormation, then click to copy the customized CloudFormation template as shown below. Open a text editor, paste in the CloudFormation template, and save the file as "prosperops-cloudformation.json".
  • Switch to the AWS Console. Select Upload a template file, click Choose file, and select the "prosperops-cloudformation.json" file that was created in the previous step. Click Next.
  • Enter the following StackSet name:
    ProsperOps
  • Enter the following StackSet description:
    Used by ProsperOps - www.prosperops.com. Must remain in place for ProsperOps to function correctly. Email help@prosperops.com for assistance.
  • Click Next.
  • Click Next.
  • The only StackSet resource being created is an IAM role, and IAM is a global service; however, a region must still be specified. Select the region you are creating the StackSet in (specified in the top bar of the AWS Console as shown), then click Next.

  • Scroll to the bottom of the page. Check to acknowledge that IAM role resources are being created, then click Submit. Your StackSet will then deploy!
  • Once complete, return to the ProsperOps console and attempt to Validate Access for the first Member Account. If that succeeds, your StackSet is functioning properly. 🎉 Continue to Validate Access for all other Member Accounts. If you have a large number of Member Accounts, please email help@prosperops.com and we can validate your accounts en masse.
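
Because the StackSet creates the role in every Member Account, the saved "prosperops-cloudformation.json" file can be reviewed offline before it is uploaded. The script below is an added example, not ProsperOps code and not a description of what the ProsperOps template contains: the sample template, the name VendorRole, the account ID and the ExternalId are constructed placeholders, and the three checks (only IAM role resources, an sts:ExternalId condition on the cross-account trust, no wildcard actions) are a reviewer's assumptions about what to look for.

```python
import json
import sys

# Constructed sample, NOT the real ProsperOps template: role name, account ID,
# ExternalId and actions are placeholders chosen only to exercise the checks.
SAMPLE_TEMPLATE = json.dumps({"Resources": {"VendorRole": {
    "Type": "AWS::IAM::Role",
    "Properties": {
        "AssumeRolePolicyDocument": {"Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}}}]},
        "Policies": [{"PolicyName": "telemetry", "PolicyDocument": {"Statement": [
            {"Effect": "Allow", "Action": ["ce:Get*", "ec2:Describe*"], "Resource": "*"}]}}],
    }}}})

def as_list(value):
    """IAM policy fields may hold one value or a list; normalise to a list."""
    return [] if value is None else value if isinstance(value, list) else [value]

def audit_template(template_text):
    """Return (resource name, finding) pairs; an empty list means no check fired."""
    findings = []
    for name, res in json.loads(template_text).get("Resources", {}).items():
        if res.get("Type") != "AWS::IAM::Role":  # the page says only an IAM role is created
            findings.append((name, f"resource is not an IAM role: {res.get('Type')}"))
            continue
        props = res.get("Properties", {})
        for stmt in as_list(props.get("AssumeRolePolicyDocument", {}).get("Statement")):
            principal = stmt.get("Principal", {})
            aws = as_list(principal if isinstance(principal, str) else principal.get("AWS"))
            if "*" in aws:
                findings.append((name, "trust policy allows any AWS principal"))
            # Condition keys are case-insensitive; collect them across all operators.
            cond_keys = {k.lower() for op in stmt.get("Condition", {}).values() for k in op}
            if aws and "sts:externalid" not in cond_keys:  # confused-deputy guard
                findings.append((name, "cross-account trust without sts:ExternalId condition"))
        for pol in as_list(props.get("Policies")):
            for stmt in as_list(pol.get("PolicyDocument", {}).get("Statement")):
                wild = [a for a in as_list(stmt.get("Action")) if a == "*" or str(a).endswith(":*")]
                if stmt.get("Effect") == "Allow" and wild:
                    findings.append((name, "wildcard action(s): " + ", ".join(wild)))
    return findings

if __name__ == "__main__":  # pass the saved template path, or run on the sample
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TEMPLATE
    for name, finding in audit_template(text):
        print(f"{name}: {finding}")
```

Values expressed with CloudFormation intrinsic functions (Fn::Sub, Ref) are not resolved by this script and still need to be read by hand.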