When creating User Groups in the Cloud Formation stack (for CloudFix), errors are seen and the creation process fails.
This issue occurs when there are governance policies/restrictions in your AWS environments around where the IAM users and groups can be created. You may have all users in one account, and user roles and assumptions to give permission in another account.
This is currently an open issue and there isn’t another way around the restriction that you have for not having IAM users/groups in resource accounts.
In order to resolve this, CloudFix is moving to use User Roles instead of User Groups so that it complies with the assumption of privilege that most customers prefer. CloudFix would then need only IAM users and groups in order for Change Template approval.