AWS CloudFormation StackSets now allows you to create multiple execution roles in target accounts. This lets you control which resource types users can create or update in their stack sets. For example, you can restrict one group to creating or updating only Amazon S3 related resources in StackSets, while another group can access only Amazon DynamoDB resources.
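The S3-only case described above, sketched as a CloudFormation template for a target account. This is an added example, not taken from the announcement; the role name `StackSetExecutionRole-S3Only`, the policy name and the parameter names are assumptions chosen for illustration.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >-
  Added example: a StackSets execution role for a target account that can
  only manage Amazon S3 resources. Names are hypothetical.

Parameters:
  AdministratorAccountId:
    Type: String
    AllowedPattern: "^[0-9]{12}$"
    Description: Account ID of the StackSets administrator account.
  AdministrationRoleName:
    Type: String
    Default: AWSCloudFormationStackSetAdministrationRole
    Description: Role in the administrator account allowed to assume this role.

Resources:
  S3OnlyExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: StackSetExecutionRole-S3Only   # hypothetical name
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          # Trust one specific role rather than the whole administrator
          # account. That role must already exist, or IAM rejects the principal.
          - Effect: Allow
            Principal:
              AWS: !Sub "arn:${AWS::Partition}:iam::${AdministratorAccountId}:role/${AdministrationRoleName}"
            Action: sts:AssumeRole
      Policies:
        - PolicyName: S3StacksOnly               # hypothetical name
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # Needed so the role can create and update the stack itself.
              - Sid: StackOperations
                Effect: Allow
                Action: "cloudformation:*"
                Resource: "*"
              # The only service this role may provision. A stack set whose
              # template declares DynamoDB or other resources fails here.
              - Sid: S3ResourcesOnly
                Effect: Allow
                Action: "s3:*"
                Resource: "*"
```

A stack set is bound to this role by passing its name with `--execution-role-name` to `aws cloudformation create-stack-set`; a second role with `dynamodb:*` in place of `s3:*` would serve the DynamoDB group.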