How it works...

Whenever you create, update, or delete a stack with an embedded custom resource, CloudFormation uses the ARN that you supply as a parameter to communicate with your Lambda function. This ARN is referred to as the service token. The execution of the stack waits for a response from your code, but that response is asynchronous, so CloudFormation needs a way to poll for the result of the operation.

This is where S3 comes into the picture.

In your custom Lambda code, once you have determined whether the operation succeeded or failed, you must report the status back to CloudFormation via a pre-signed S3 URL, or your stack will be stuck with a CREATE_IN_PROGRESS status:

The process flow between CloudFormation, Lambda, and S3

When CloudFormation receives the response status back from Lambda, it can then continue with the stack creation if your operation succeeded, or start a rollback if your operation failed. Note that the S3 bucket in the previous diagram is the bucket that is managed by CloudFormation, not a bucket that we created ourselves. The CloudFormation management bucket serves as an inter-process communication (IPC) mechanism.
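
The following handler sketches the Lambda side of this flow. It is an added example, not code from the book: `provision`, the handler wiring, and the sample event are hypothetical or constructed, and only the response field names and the HTTP PUT to `ResponseURL` follow the custom resource protocol. It reports FAILED on any exception so the stack never hangs, and it keeps the pre-signed URL out of the logs.

```python
import json
import urllib.request

# Constructed sample event; real events carry a pre-signed S3 URL in ResponseURL.
SAMPLE_EVENT = {
    "RequestType": "Create",
    "ResponseURL": "https://example.invalid/presigned?sig=CONSTRUCTED",
    "StackId": "arn:aws:cloudformation:us-east-1:111122223333:stack/demo/guid",
    "RequestId": "req-0001",
    "LogicalResourceId": "MyCustomResource",
}

def redact(event):
    """Copy of the event that is safe to log: the URL itself grants write access."""
    return {**event, "ResponseURL": "<redacted>"}

def build_body(event, status, physical_id, reason="", data=None):
    """Serialize the status document CloudFormation reads back from S3."""
    body = json.dumps({
        "Status": status,                      # "SUCCESS" or "FAILED"
        "Reason": reason[:256] or "See CloudWatch Logs",
        "PhysicalResourceId": physical_id,
        "StackId": event["StackId"],
        "RequestId": event["RequestId"],
        "LogicalResourceId": event["LogicalResourceId"],
        "Data": data or {},
    }).encode("utf-8")
    if len(body) > 4096:                       # CloudFormation rejects larger bodies
        raise ValueError("response body exceeds 4096 bytes")
    return body

def build_request(event, body):
    # HTTP PUT to the pre-signed URL; empty Content-Type, as AWS's cfn-response helper sends.
    return urllib.request.Request(event["ResponseURL"], data=body,
                                  method="PUT", headers={"Content-Type": ""})

def provision(event):                          # hypothetical resource logic
    return {"Endpoint": "demo.internal"}

def handler(event, context, work=provision, send=urllib.request.urlopen):
    print(json.dumps(redact(event)))           # never log the raw ResponseURL
    physical_id = event.get("PhysicalResourceId") or context.log_stream_name
    try:
        body = build_body(event, "SUCCESS", physical_id, data=work(event))
    except Exception as exc:                   # any failure must still be reported
        body = build_body(event, "FAILED", physical_id, reason=str(exc))
    send(build_request(event, body), timeout=10)
    return body
```

The `work` and `send` parameters exist only so the handler can be exercised offline; in Lambda the defaults are used.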
