AWS Service Catalog

code for article pfeilbr/aws-service-catalog-playground

Concepts

products are cloudformation templates
portfolio is collection of products
- access to portfolios is via IAM users, groups, roles
IT administrator creates products and portfolios and grants access
End user accesses products and deploys them
example use cases: approved self-service products from Solution Factory
- e.g. static web site. S3 + CloudFormation + WAF + ACM (certificate) + Route 53 (hosted zone, domain)
- e.g. Oracle RDS DB with all security, tags, etc. in place
Service Actions - enable end users to perform operational tasks, troubleshoot issues, run approved commands, or request permissions in AWS Service Catalog via SSM docs.
can include/reference existing product(s) in your product cloudformation template. This enables modular composition and nesting.

Example Use Case | Static Website

The following is a simple example of a “Static Website” product for the service catalog. It’s an S3 bucket with website enabled for it. This product is purposely kept simple to keep the focus on Service Catalog, but a product can be make up of anything that can be expressed via a CloudFormation template.

Define Launch Constraint

the IAM role the cloudformation stack provisioning runs under

Allows you to assign an IAM role that is used to provision the resources at launch, so you can restrict user permissions without impacting users' ability to provision products from the catalog.

Launch constraint for a product must be added at Portfolio level

see AWS Service Catalog Launch Constraints