AWS Service Catalog

Overview

AWS Service Catalog provides a framework for standardizing and controlling resource deployment across an organization, enabling centralized IT management while maintaining security and compliance standards.

Core Concepts

Portfolios and Products

Portfolios: Collections of standardized products
Products: Pre-configured CloudFormation templates
Version Control: Administrators can version and remove products without affecting existing deployments

Access Management

Granular control over product and portfolio access
Utilizes adopted IAM roles
Eliminates need for extensive individual IAM permissions
Enables self-service deployment while maintaining security

Constraint Types

1. Launch Constraints

Defines IAM role for product deployment
Enables user deployment without extensive permissions
Associates with specific products within portfolios

2. Notification Constraints

Specifies SNS topic for stack notifications
Enables automated monitoring of deployments
Facilitates operational awareness

3. Template Constraints

Creates guided deployment experiences
Implements conditional provisioning logic
Examples:
- PII data storage requirements
- Environment-specific instance sizing
- Compliance-driven configurations

Multi-Account Implementation

Master account can share service portfolios
Recipient accounts can import shared portfolios
Automatic synchronization of:
- Products
- Launch constraints
- Template constraints

Local Portfolio Management

Recipient administrators can create local portfolios
Ability to add additional constraints
Can make deployment criteria more restrictive
Products remain synchronized with master portfolio

IAM Configuration

IAM users/groups/roles not inherited
Recipient administrator must configure local IAM access
Launch roles can be:
- Inherited from shared portfolio (default)
- Overridden with local launch roles

Implementation Best Practices

Portfolio Design

Standardize deployment templates
Implement version control
Define clear access boundaries
Establish naming conventions

Security Configuration

Minimize direct IAM permissions
Use launch constraints effectively
Implement principle of least privilege
Regular access review

Multi-Account Strategy

Centralize portfolio management
Define sharing boundaries
Document local modifications
Maintain launch role clarity

Operational Considerations

Version Management

Regular template updates
Backward compatibility
Communication strategy
Deployment validation

Access Control

Regular access review
Role assignment audit
Permission boundaries
Cross-account access management

Monitoring and Compliance

Implementation of notification constraints
Audit trail maintenance
Compliance validation
Usage monitoring

Best Practices

Regular portfolio review
Template standardization
Clear documentation
Access control maintenance
Regular compliance checks
User training and support

This document provides a foundation for understanding and implementing AWS Service Catalog. Regular updates based on organizational needs and AWS service enhancements are recommended.

PreviousIDS and IPS NextMigrations

Last updated 1 year ago

hashtagOverview

hashtagCore Concepts

hashtagPortfolios and Products

hashtagAccess Management

hashtagConstraint Types

hashtag1. Launch Constraints

hashtag2. Notification Constraints

hashtag3. Template Constraints

hashtagMulti-Account Implementation

hashtagPortfolio Sharing

hashtagLocal Portfolio Management

hashtagIAM Configuration

hashtagImplementation Best Practices

hashtagPortfolio Design

hashtagSecurity Configuration

hashtagMulti-Account Strategy

hashtagOperational Considerations

hashtagVersion Management

hashtagAccess Control

hashtagMonitoring and Compliance

hashtagBest Practices