How it works...

StackSets are managed from an administrator account, and the stacks within a StackSet are created in target accounts. The target account can be the same as the administrator account, as it is in this recipe. A trust relationship must exist between these accounts, because the administrator account needs the right to create resources in the target accounts. CloudFormation assumes the AWSCloudFormationStackSetAdministrationRole role, which gives it permission to assume the AWSCloudFormationStackSetExecutionRole role in the target accounts. By default, the execution role allows all administrative actions, so in a production setting you should scope it down to only those actions that are needed to create your stack instances. To make sure that only the administrator account can assume the execution role, an explicit trust relationship is established back to the administrator account.

Check out the AWS documentation for a detailed description of the security prerequisites: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-prereqs.html.
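The following check is an added example, not code from this recipe or from AWS: it audits an execution role's trust policy and permission policies for the two conditions described above. The helper name `audit_execution_role`, the account IDs, and the sample policy documents are constructed for illustration.

```python
ADMIN_ACCOUNT = "111111111111"  # constructed placeholder administrator account ID

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_execution_role(trust_policy, permission_policies, admin_account):
    """Hypothetical helper: list findings for a StackSet execution role."""
    findings = []
    allowed = {admin_account, f"arn:aws:iam::{admin_account}:root"}
    admin_role_prefix = f"arn:aws:iam::{admin_account}:role/"
    # Trust side: only the administrator account may assume the role.
    for stmt in _as_list(trust_policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        is_map = isinstance(principal, dict)
        aws = _as_list(principal.get("AWS", [])) if is_map else [principal]
        for p in aws:
            if p not in allowed and not p.startswith(admin_role_prefix):
                findings.append(f"trust: {p} can assume the execution role")
    # Permission side: flag the unscoped "all actions on all resources" grant.
    for policy in permission_policies:
        for stmt in _as_list(policy["Statement"]):
            if stmt.get("Effect") != "Allow":
                continue
            actions = _as_list(stmt.get("Action", []))
            resources = _as_list(stmt.get("Resource", []))
            if "*" in actions and "*" in resources:
                findings.append("permissions: Action '*' on Resource '*'")
    return findings

# Constructed sample documents (not taken from a real account).
def _trust(principals):
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"AWS": principals},
        "Action": "sts:AssumeRole"}]}

TRUST_OK = _trust(f"arn:aws:iam::{ADMIN_ACCOUNT}:root")
TRUST_BAD = _trust([f"arn:aws:iam::{ADMIN_ACCOUNT}:root",
                    "arn:aws:iam::222222222222:root"])
ADMIN_POLICY = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
SCOPED_POLICY = {"Statement": [{"Effect": "Allow",
    "Action": ["cloudformation:*", "s3:*", "sns:*"], "Resource": "*"}]}

if __name__ == "__main__":
    print(audit_execution_role(TRUST_OK, [ADMIN_POLICY], ADMIN_ACCOUNT))
    print(audit_execution_role(TRUST_BAD, [SCOPED_POLICY], ADMIN_ACCOUNT))
    print(audit_execution_role(TRUST_OK, [SCOPED_POLICY], ADMIN_ACCOUNT))
```

The policy documents passed in can be the JSON returned for the role by your IAM tooling; the check itself makes no AWS calls.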