On Dec 20, 2019 AWS announced that you can now use Automation flows in remote regions and accounts, allowing centralised control of execution. “For example, you can centrally trigger Amazon Inspector runs across all your accounts in all Regions to discover potential security issues on your AWS resources.”
The link to the docs regarding setting it up is here: https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-automation-multiple-accounts-and-regions.html
Note the use of the “master account” in the above diagram from the docs. This again is making use of the Hub and Spoke model that AWS is in love with. If you haven’t already read it, I wrote a whitepaper about this, with a blog post here.
I’ll need to expand on the whitepaper soon as there is so much more to the hubs mentioned in it.
I would say that instead of using the master account, consider centralising your document automation in an Ops account of some description.
A key takeaway here is that the main effort is in setting up IAM roles for Multi-Region and Multi-Account Automation Executions. The docs explain this. This could be done using a stack set from your deployment account and / or master if you so wish.
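As an added example (not from the post and not AWS's own downloadable templates), the following CloudFormation template shows the shape of the two roles those docs ask for, written so one StackSet deployment covers every account and region. The `AdminAccountId` parameter is a placeholder for your hub (Ops) account; the role names follow the ones the AWS documentation uses so that `ExecutionRoleName` is identical in every target account. The execution role's trust policy is pinned to the single administration role ARN in the hub, not the hub account root, and the administration role may only assume that one named role; both are least-privilege choices the template makes, not requirements stated in the post. Permissions for whatever the document actually does (Inspector, in AWS's example) are not included and must be added to the execution role separately.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Roles for multi-account / multi-region SSM Automation. Deploy as a StackSet
  to every target account and region, hub included; the administration role
  is only created in the hub account. (Added example, not from the original post.)

Parameters:
  AdminAccountId:
    Type: String
    Description: Account ID of the hub (Ops) account that starts the Automation. Placeholder, replace with yours.
    AllowedPattern: '^[0-9]{12}$'
  AdminRoleName:
    Type: String
    Default: AWS-SystemsManager-AutomationAdministrationRole
  ExecutionRoleName:
    Type: String
    Default: AWS-SystemsManager-AutomationExecutionRole

Conditions:
  # The administration role only belongs in the hub account.
  IsHubAccount: !Equals [!Ref 'AWS::AccountId', !Ref AdminAccountId]

Resources:
  # Spoke side: assumed by the hub's administration role (and by SSM itself)
  # to run the document's steps inside this account and region.
  AutomationExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Ref ExecutionRoleName   # must be the same name in every account
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: ssm.amazonaws.com
            Action: sts:AssumeRole
          - Effect: Allow
            Principal:
              # Trust the one hub role, not the whole hub account.
              AWS: !Sub 'arn:aws:iam::${AdminAccountId}:role/${AdminRoleName}'
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AmazonSSMAutomationRole
      Policies:
        - PolicyName: PassRoleToSelf
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Automation steps that launch further actions need to pass this role along.
              - Effect: Allow
                Action: iam:PassRole
                Resource: !Sub 'arn:aws:iam::${AWS::AccountId}:role/${ExecutionRoleName}'

  # Hub side: SSM assumes this role in the Ops account, and it fans out by
  # assuming the execution role in each target account.
  AutomationAdministrationRole:
    Type: AWS::IAM::Role
    Condition: IsHubAccount
    Properties:
      RoleName: !Ref AdminRoleName
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: ssm.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: AssumeExecutionRoleInTargets
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Any account, but only the named execution role in it.
              - Effect: Allow
                Action: sts:AssumeRole
                Resource: !Sub 'arn:aws:iam::*:role/${ExecutionRoleName}'
              - Effect: Allow
                Action: organizations:ListAccountsForParent
                Resource: '*'
```

Because the template is IAM-only it must be deployed with `CAPABILITY_NAMED_IAM`, and since IAM roles are global you only need the StackSet to touch one region per account for the roles themselves; the Automation execution, when started from the Ops account with `TargetLocations`, is what spans regions.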