capabilities
In some cases, you must explicitly acknowledge that your stack template contains certain capabilities in order for CloudFormation to update the stack set and its associated stack instances.
CAPABILITY_IAMandCAPABILITY_NAMED_IAMSome stack templates might include resources that can affect permissions in your Amazon Web Services account, for example, by creating new IAM users. For those stacks sets, you must explicitly acknowledge this by specifying one of these capabilities.The following IAM resources require you to specify either theCAPABILITY_IAMorCAPABILITY_NAMED_IAMcapability.If you have IAM resources, you can specify either capability.
If you have IAM resources with custom names, you must specify
CAPABILITY_NAMED_IAM.If you don't specify either of these capabilities, CloudFormation returns an
InsufficientCapabilitieserror. If your stack template contains these resources, we recommend that you review all permissions associated with them and edit their permissions if necessary.AWS::IAM::UserToGroupAddition For more information, see Acknowledging IAM resources in CloudFormation templates.
CAPABILITY_AUTO_EXPANDSome templates reference macros. If your stack set template references one or more macros, you must update the stack set directly from the processed template, without first reviewing the resulting changes in a change set. To update the stack set directly, you must acknowledge this capability. For more information, see Perform custom processing on CloudFormation templates with template macros.Stack sets with service-managed permissions do not currently support the use of macros in templates. (This includes the AWS::Include and AWS::Serverless transforms, which are macros hosted by CloudFormation.) Even if you specify this capability for a stack set with service-managed permissions, if you reference a macro in your template the stack set operation will fail.