You can create Organizational Units and add accounts to them which only have access to the resources within those OUs. It’s hierarchical, so your root account will have access to everything, and so on.
Organization -> OU1 -> OU2 -> OU3
There, unfortunately, is no CloudFormation for Organizations, but the CLI is pretty straightforward.
If you wanted to automate this, I would do something along the lines of:
- Create Org Unit/s under root/parent OU
- Create Account (created in root)
- Move account from root to OU
- Generate an access key for the account / create an IAM user and generate an access key (unfortunately a ‘one-off’ manual task)
- Use the AWS credentials to deploy the CloudFormation stacks you wish to keep within that org unit
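The five steps above as one runnable script, added here as an example and not taken from the original post. It wraps each AWS CLI call in a function, polls `create-account` until the request finishes (account creation is asynchronous), moves the new account out of the root into the OU, and then deploys a CloudFormation stack into it. Instead of the post’s manual access-key step it assumes the `OrganizationAccountAccessRole` that Organizations creates in a new member account (the default role name for `create-account`) and uses short-lived STS credentials inside a subshell, so the management-account credentials in your environment are never overwritten. The file name `org_bootstrap.sh`, the OU name, e-mail, account name, stack name and template path are placeholders you supply on the command line.

```shell
#!/usr/bin/env bash
# org_bootstrap.sh (example, not from the original post)
# Usage: sh org_bootstrap.sh OU_NAME EMAIL ACCOUNT_NAME ROLE_NAME STACK_NAME TEMPLATE
# Requires management-account credentials in the environment and the AWS CLI on PATH.
set -u

# The root is the single top-level container; everything hangs off it.
org_root_id() {
  aws organizations list-roots --query 'Roots[0].Id' --output text
}

# Create an OU under the root or under another OU; print the new OU id.
create_ou() {  # $1 parent id, $2 OU name
  aws organizations create-organizational-unit \
    --parent-id "$1" --name "$2" \
    --query 'OrganizationalUnit.Id' --output text
}

# Start account creation; print the request id (car-...), not the account id.
create_account_request() {  # $1 email, $2 account name, $3 role to create in the account
  aws organizations create-account \
    --email "$1" --account-name "$2" --role-name "$3" \
    --query 'CreateAccountStatus.Id' --output text
}

# Poll the request until it succeeds (print the account id) or fails (non-zero).
wait_for_account() {  # $1 request id
  req_id=$1; polls=0
  while :; do
    state=$(aws organizations describe-create-account-status \
      --create-account-request-id "$req_id" \
      --query 'CreateAccountStatus.State' --output text)
    case "$state" in
      SUCCEEDED)
        aws organizations describe-create-account-status \
          --create-account-request-id "$req_id" \
          --query 'CreateAccountStatus.AccountId' --output text
        return 0 ;;
      FAILED)
        echo "account creation failed: $(aws organizations describe-create-account-status \
          --create-account-request-id "$req_id" \
          --query 'CreateAccountStatus.FailureReason' --output text)" >&2
        return 1 ;;
    esac
    polls=$((polls + 1))
    if [ "$polls" -ge "${MAX_POLLS:-90}" ]; then
      echo "timed out waiting for $req_id" >&2
      return 1
    fi
    sleep "${POLL_SECONDS:-10}"
  done
}

# New accounts land in the root, so the source parent is always the root id.
move_account() {  # $1 account id, $2 source parent id, $3 destination OU id
  aws organizations move-account \
    --account-id "$1" --source-parent-id "$2" --destination-parent-id "$3"
}

# Swap the current shell's credentials for short-lived ones in the member account.
# Call this inside a subshell so the management credentials survive in the parent.
assume_member_role() {  # $1 account id, $2 role name
  creds=$(aws sts assume-role \
    --role-arn "arn:aws:iam::$1:role/$2" \
    --role-session-name org-bootstrap \
    --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
    --output text)
  # --output text prints the three values tab-separated on one line.
  set -- $creds
  export AWS_ACCESS_KEY_ID="$1" AWS_SECRET_ACCESS_KEY="$2" AWS_SESSION_TOKEN="$3"
}

deploy_stack() {  # $1 stack name, $2 template file
  aws cloudformation deploy --stack-name "$1" --template-file "$2" \
    --capabilities CAPABILITY_NAMED_IAM
}

# Steps 1-5 from the post, end to end; prints the new account id.
bootstrap_account() {  # $1 OU name, $2 email, $3 account name, $4 role, $5 stack, $6 template
  root=$(org_root_id)
  ou=$(create_ou "$root" "$1")
  req=$(create_account_request "$2" "$3" "$4")
  acct=$(wait_for_account "$req") || return 1
  move_account "$acct" "$root" "$ou"
  (
    assume_member_role "$acct" "$4"
    deploy_stack "$5" "$6"
  ) || return 1
  echo "$acct"
}

main() {
  if [ $# -ne 6 ]; then
    echo "usage: $0 OU_NAME EMAIL ACCOUNT_NAME ROLE_NAME STACK_NAME TEMPLATE" >&2
    exit 2
  fi
  bootstrap_account "$@"
}

case "${0##*/}" in
  org_bootstrap.sh) main "$@" ;;
esac
```

The caller in the management account needs `sts:AssumeRole` on the member role; the role’s trust policy already allows the management account. Because the member credentials are exported only inside the `( ... )` subshell, anything you run after `bootstrap_account` still uses the management account, which is the least-privilege shape you want when this runs from CI.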