AWS Service Catalog
Chapter 45: AWS Service Catalog & Provisioning
Section titled “Chapter 45: AWS Service Catalog & Provisioning”Governed IT Service Provisioning
Section titled “Governed IT Service Provisioning”45.1 Overview
Section titled “45.1 Overview”AWS Service Catalog enables organizations to create and manage catalogs of IT services that are approved for use on AWS, ensuring governance and compliance while enabling self-service provisioning.
AWS Service Catalog Overview+------------------------------------------------------------------+| || +------------------------+ || | AWS Service Catalog | || +------------------------+ || | || +---------------------+---------------------+ || | | | | || v v v v || +----------+ +----------+ +----------+ +----------+ || | Products | | Portfolios| | Constraints| | Provisioning| || | | | | | | | Products | || | - CFN | | - Groups | | - Launch | | - Accounts| || | - Templates| | - Users | | - Tagging| | - Access | || | - Versions| | - Share | | - Template| | - Roles | || +----------+ +----------+ +----------+ +----------+ || |+------------------------------------------------------------------+Key Features
Section titled “Key Features”| Feature | Description |
|---|---|
| Products | CloudFormation templates as deployable services |
| Portfolios | Collections of products for specific user groups |
| Constraints | Governance rules for product deployment |
| Provisioning | Self-service deployment with approval workflows |
45.2 Architecture
Section titled “45.2 Architecture”Service Catalog Components
Section titled “Service Catalog Components” Service Catalog Architecture+------------------------------------------------------------------+| || Organization || +----------------------------------------------------------+ || | | || | Admin Account | || | +------------------------------------------------------+ | || | | Service Catalog Admin | | || | | +--------------------------------------------------+ | | || | | | Portfolio Management | | | || | | | - Create portfolios | | | || | | | - Add products | | | || | | | - Define constraints | | | || | | +--------------------------------------------------+ | | || | +------------------------------------------------------+ | || | | || +--------------------------+-------------------------------+ || | || +------------------+------------------+ || | | | || v v v || +----------+ +----------+ +----------+ || | Account A| | Account B| | Account C| || | Dev Team | | QA Team | | Prod Team| || +----------+ +----------+ +----------+ || | | | || v v v || +----------------------------------------------------------+ || | Shared Portfolio | || | +----------+ +----------+ +----------+ +----------+ | || | | Product 1| | Product 2| | Product 3| | Product N| | || | | EC2 | | RDS | | S3 | | Lambda | | || | +----------+ +----------+ +----------+ +----------+ | || +----------------------------------------------------------+ || |+------------------------------------------------------------------+Provisioning Workflow
Section titled “Provisioning Workflow” Provisioning Workflow+------------------------------------------------------------------+| || 1. User Requests Product || +----------------------------------------------------------+ || | User selects product from portfolio | || +----------------------------------------------------------+ || | || v || 2. Constraints Applied || +----------------------------------------------------------+ || | - Launch constraints checked | || | - Tagging requirements validated | || | - Template constraints applied | || +----------------------------------------------------------+ || | || v || 3. CloudFormation Stack Created || +----------------------------------------------------------+ || | - Template deployed | || | - Parameters applied | || | - Resources created | || +----------------------------------------------------------+ || | || v || 4. Provisioned Product Available || +----------------------------------------------------------+ || | - Stack outputs available | || | - Resources tagged | || | - Audit trail recorded | || +----------------------------------------------------------+ || |+------------------------------------------------------------------+45.3 Products and Portfolios
Section titled “45.3 Products and Portfolios”Product Structure
Section titled “Product Structure” Service Catalog Product+------------------------------------------------------------------+| || Product || +----------------------------------------------------------+ || | | || | +----------+ +----------+ +----------+ +----------+ | || | | Version 1| | Version 2| | Version 3| | Version N| | || | | v1.0.0 | | v1.1.0 | | v2.0.0 | | v2.1.0 | | || | +----------+ +----------+ +----------+ +----------+ | || | | || | Each version points to: | || | - CloudFormation template URL | || | - Template description | || | - Parameter definitions | || | | || +----------------------------------------------------------+ || |+------------------------------------------------------------------+Create Portfolio
Section titled “Create Portfolio”# Create portfolioaws servicecatalog create-portfolio \ --accept-language en \ --display-name "Standard Infrastructure" \ --description "Standard infrastructure products for all teams" \ --provider-name "Platform Team" \ --tags Key=Environment,Value=Shared
# Output:{ "PortfolioDetail": { "Id": "port-1234567890abcdef0", "ARN": "arn:aws:catalog:us-east-1:123456789012:portfolio/port-1234567890abcdef0", "DisplayName": "Standard Infrastructure", "Description": "Standard infrastructure products for all teams", "ProviderName": "Platform Team" }}Create Product
Section titled “Create Product”# Create product from CloudFormation templateaws servicecatalog create-product \ --name "EC2 Web Server" \ --description "Standard EC2 web server with auto-scaling" \ --owner "Platform Team" \ --product-type CLOUD_FORMATION_TEMPLATE \ --provisioning-artifact-parameters \ '{ "Name": "v1.0.0", "Description": "Initial version", "Info": { "LoadTemplateFromURL": "https://s3.amazonaws.com/my-bucket/templates/ec2-web-server.yaml" }, "Type": "CLOUD_FORMATION_TEMPLATE" }' \ --tags Key=Environment,Value=Shared
# Output:{ "ProductViewDetail": { "ProductViewSummary": { "Id": "prod-1234567890abcdef0", "ProductId": "prod-1234567890abcdef0", "Name": "EC2 Web Server", "Owner": "Platform Team" } }, "ProvisioningArtifact": { "Id": "pa-1234567890abcdef0", "Name": "v1.0.0" }}Add Product to Portfolio
Section titled “Add Product to Portfolio”# Associate product with portfolioaws servicecatalog associate-product-with-portfolio \ --product-id prod-1234567890abcdef0 \ --portfolio-id port-1234567890abcdef0CloudFormation Template for Product
Section titled “CloudFormation Template for Product”AWSTemplateFormatVersion: '2010-09-09'Description: EC2 Web Server with Auto Scaling
Parameters: InstanceType: Type: String Default: t3.medium AllowedValues: - t3.micro - t3.small - t3.medium - t3.large Description: EC2 instance type
VpcId: Type: AWS::EC2::VPC::Id Description: VPC ID
SubnetIds: Type: List<AWS::EC2::Subnet::Id> Description: Subnet IDs
Environment: Type: String Default: development AllowedValues: - development - staging - production Description: Environment name
KeyName: Type: AWS::EC2::KeyPair::KeyName Description: SSH key pair name
Resources: WebServerSecurityGroup: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: Web server security group VpcId: !Ref VpcId SecurityGroupIngress: - IpProtocol: tcp FromPort: 80 ToPort: 80 CidrIp: 0.0.0.0/0 - IpProtocol: tcp FromPort: 443 ToPort: 443 CidrIp: 0.0.0.0/0
WebServerLaunchTemplate: Type: AWS::EC2::LaunchTemplate Properties: LaunchTemplateData: InstanceType: !Ref InstanceType KeyName: !Ref KeyName ImageId: ami-0abcdef1234567890 SecurityGroupIds: - !Ref WebServerSecurityGroup UserData: !Base64 | #!/bin/bash yum install -y httpd systemctl start httpd systemctl enable httpd
WebServerASG: Type: AWS::AutoScaling::AutoScalingGroup Properties: VPCZoneIdentifier: !Ref SubnetIds LaunchTemplate: LaunchTemplateId: !Ref WebServerLaunchTemplate Version: !GetAtt WebServerLaunchTemplate.LatestVersionNumber MinSize: 2 MaxSize: 6 DesiredCapacity: 2 Tags: - Key: Name Value: !Sub '${AWS::StackName}-web-server' PropagateAtLaunch: true - Key: Environment Value: !Ref Environment PropagateAtLaunch: true
Outputs: AutoScalingGroupName: Description: Auto Scaling Group name Value: !Ref WebServerASG
SecurityGroupId: Description: Security Group ID Value: !Ref WebServerSecurityGroup45.4 Constraints
Section titled “45.4 Constraints”Constraint Types
Section titled “Constraint Types” Service Catalog Constraints+------------------------------------------------------------------+| || Launch Constraints || +----------------------------------------------------------+ || | - Specify IAM role for product launch | || | - Control who can launch products | || | - Limit permissions for provisioning | || +----------------------------------------------------------+ || || Tagging Constraints || +----------------------------------------------------------+ || | - Enforce tag requirements | || | - Auto-apply tags to resources | || | - Validate tag compliance | || +----------------------------------------------------------+ || || Template Constraints || +----------------------------------------------------------+ || | - Restrict template parameters | || | - Define allowed values | || | - Hide sensitive parameters | || +----------------------------------------------------------+ || || Stack Set Constraints || +----------------------------------------------------------+ || | - Control Stack Set deployment | || | - Define target accounts/OUs | || | - Manage deployment regions | || +----------------------------------------------------------+ || |+------------------------------------------------------------------+Create Launch Constraint
Section titled “Create Launch Constraint”# Create launch constraintaws servicecatalog create-constraint \ --portfolio-id port-1234567890abcdef0 \ --product-id prod-1234567890abcdef0 \ --type LAUNCH \ --description "Launch constraint for EC2 Web Server" \ --parameters '{"RoleArn": "arn:aws:iam::123456789012:role/ServiceCatalogLaunchRole"}'Launch Constraint IAM Role
Section titled “Launch Constraint IAM Role”{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "servicecatalog.amazonaws.com" }, "Action": "sts:AssumeRole" } ]}{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "cloudformation:CreateStack", "cloudformation:UpdateStack", "cloudformation:DeleteStack", "cloudformation:DescribeStacks", "cloudformation:GetTemplateSummary" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "ec2:*", "autoscaling:*", "elasticloadbalancing:*" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "iam:PassRole" ], "Resource": "arn:aws:iam::123456789012:role/CloudFormationServiceRole" } ]}Create Tagging Constraint
Section titled “Create Tagging Constraint”# Create tagging constraintaws servicecatalog create-constraint \ --portfolio-id port-1234567890abcdef0 \ --product-id prod-1234567890abcdef0 \ --type TAG_UPDATE \ --description "Tagging constraint for compliance" \ --parameters '{ "TagUpdateOnProvisionedProduct": "ALLOW", "TagKey": "Environment,CostCenter,Owner" }'Create Template Constraint
Section titled “Create Template Constraint”{ "Version": "2010-09-09", "ConstraintDescription": "Instance type must be t3.micro or t3.small for development", "Condition": { "Fn:Equals": [ {"Ref": "Environment"}, "development" ] }, "Properties": { "InstanceType": { "AllowedValues": ["t3.micro", "t3.small"] } }}# Create template constraintaws servicecatalog create-constraint \ --portfolio-id port-1234567890abcdef0 \ --product-id prod-1234567890abcdef0 \ --type TEMPLATE \ --description "Template constraint for development environment" \ --parameters file://template-constraint.json45.5 Access Management
Section titled “45.5 Access Management”Portfolio Sharing
Section titled “Portfolio Sharing” Portfolio Sharing+------------------------------------------------------------------+| || Sharing Options || +----------------------------------------------------------+ || | | || | 1. Share with IAM Users/Groups | || | +-------------------------------------------------+ | || | | - Grant access to specific users | | || | | - Grant access to IAM groups | | || | +-------------------------------------------------+ | || | | || | 2. Share with AWS Organization | || | +-------------------------------------------------+ | || | | - Share with entire organization | | || | | - Share with specific OUs | | || | | - Share with specific accounts | | || | +-------------------------------------------------+ | || | | || +----------------------------------------------------------+ || |+------------------------------------------------------------------+Share with IAM Users/Groups
Section titled “Share with IAM Users/Groups”# Create IAM group for Service Catalog usersaws iam create-group --group-name ServiceCatalogUsers
# Attach policy to groupaws iam attach-group-policy \ --group-name ServiceCatalogUsers \ --policy-arn arn:aws:iam::aws:policy/AWSServiceCatalogEndUserFullAccess
# Add user to groupaws iam add-user-to-group \ --group-name ServiceCatalogUsers \ --user-name developer1
# Associate portfolio with IAM groupaws servicecatalog associate-principal-with-portfolio \ --portfolio-id port-1234567890abcdef0 \ --principal-arn arn:aws:iam::123456789012:group/ServiceCatalogUsers \ --principal-type IAMShare with Organization
Section titled “Share with Organization”# Share portfolio with organizationaws servicecatalog create-portfolio-share \ --portfolio-id port-1234567890abcdef0 \ --organization-node Type=ORGANIZATION,Value=o-1234567890
# Share portfolio with OUaws servicecatalog create-portfolio-share \ --portfolio-id port-1234567890abcdef0 \ --organization-node Type=ORGANIZATIONAL_UNIT,Value=ou-1234567890
# Share portfolio with specific accountaws servicecatalog create-portfolio-share \ --portfolio-id port-1234567890abcdef0 \ --organization-node Type=ACCOUNT,Value=123456789012IAM Policies for Service Catalog
Section titled “IAM Policies for Service Catalog”{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "servicecatalog:SearchProducts", "servicecatalog:ListProvisioningArtifacts", "servicecatalog:DescribeProduct", "servicecatalog:DescribeProvisioningArtifact" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "servicecatalog:ProvisionProduct", "servicecatalog:TerminateProvisionedProduct", "servicecatalog:UpdateProvisionedProduct" ], "Resource": "*", "Condition": { "StringEquals": { "servicecatalog:portfolioId": "port-1234567890abcdef0" } } } ]}45.6 Provisioning Products
Section titled “45.6 Provisioning Products”Provision Product via Console
Section titled “Provision Product via Console” Provisioning via Console+------------------------------------------------------------------+| || 1. Navigate to Service Catalog || +----------------------------------------------------------+ || | - Open AWS Console | || | - Go to Service Catalog | || | - Select "Products" from menu | || +----------------------------------------------------------+ || | || v || 2. Select Product || +----------------------------------------------------------+ || | - Browse available products | || | - Click on product to view details | || | - Select version to provision | || +----------------------------------------------------------+ || | || v || 3. Configure Parameters || +----------------------------------------------------------+ || | - Enter required parameters | || | - Review constraints | || | - Add tags | || +----------------------------------------------------------+ || | || v || 4. Launch Product || +----------------------------------------------------------+ || | - Review configuration | || | - Click "Launch product" | || | - Monitor provisioning status | || +----------------------------------------------------------+ || |+------------------------------------------------------------------+Provision Product via CLI
Section titled “Provision Product via CLI”# Provision productaws servicecatalog provision-product \ --product-id prod-1234567890abcdef0 \ --provisioning-artifact-id pa-1234567890abcdef0 \ --provisioned-product-name "my-web-server" \ --provisioning-parameters \ '[ {"Key": "InstanceType", "Value": "t3.medium"}, {"Key": "VpcId", "Value": "vpc-12345678"}, {"Key": "SubnetIds", "Value": "subnet-12345678,subnet-87654321"}, {"Key": "Environment", "Value": "production"}, {"Key": "KeyName", "Value": "my-keypair"} ]' \ --tags Key=Project,Value=WebApp Key=Owner,Value=DevTeam
# Check provisioning statusaws servicecatalog describe-provisioned-product \ --id pp-1234567890abcdef0Update Provisioned Product
Section titled “Update Provisioned Product”# Update provisioned productaws servicecatalog update-provisioned-product \ --provisioned-product-id pp-1234567890abcdef0 \ --provisioning-artifact-id pa-0987654321fedcba0 \ --provisioning-parameters \ '[ {"Key": "InstanceType", "Value": "t3.large"} ]'Terminate Provisioned Product
Section titled “Terminate Provisioned Product”# Terminate provisioned productaws servicecatalog terminate-provisioned-product \ --provisioned-product-id pp-1234567890abcdef0
# Check termination statusaws servicecatalog describe-record \ --record-id rec-1234567890abcdef045.7 CodePipeline Integration
Section titled “45.7 CodePipeline Integration”CI/CD for Service Catalog Products
Section titled “CI/CD for Service Catalog Products” Service Catalog CI/CD Pipeline+------------------------------------------------------------------+| || Pipeline Stages || +----------------------------------------------------------+ || | | || | Source | || | +------------------------------------------------------+ | || | | - CodeCommit repository | | || | | - CloudFormation templates | | || | | - Product configuration | | || | +------------------------------------------------------+ | || | | | || | v | || | Build | | || | +------------------------------------------------------+ | || | | - Validate templates | | || | | - Run tests | | || | | - Package artifacts | | || | +------------------------------------------------------+ | || | | | || | v | || | Deploy | | || | +------------------------------------------------------+ | || | | - Create new product version | | || | | - Update product | | || | | - Notify stakeholders | | || | +------------------------------------------------------+ | || | | || +----------------------------------------------------------+ || |+------------------------------------------------------------------+CodePipeline Definition
Section titled “CodePipeline Definition”AWSTemplateFormatVersion: '2010-09-09'Description: Service Catalog Product Pipeline
Resources: ArtifactBucket: Type: AWS::S3::Bucket Properties: VersioningConfiguration: Status: Enabled
ServiceRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Principal: Service: codepipeline.amazonaws.com Action: sts:AssumeRole ManagedPolicyArns: - arn:aws:iam::aws:policy/service-role/AWSCodePipelineServiceRole
Pipeline: Type: AWS::CodePipeline::Pipeline Properties: RoleArn: !GetAtt ServiceRole.Arn ArtifactStore: Type: S3 Location: !Ref ArtifactBucket Stages: - Name: Source Actions: - Name: SourceAction ActionTypeId: Category: Source Owner: AWS Provider: CodeCommit Version: '1' OutputArtifacts: - Name: SourceOutput Configuration: RepositoryName: service-catalog-products BranchName: main
- Name: Build Actions: - Name: BuildAction InputArtifacts: - Name: SourceOutput OutputArtifacts: - Name: BuildOutput ActionTypeId: Category: Build Owner: AWS Provider: CodeBuild Version: '1' Configuration: ProjectName: !Ref BuildProject
- Name: Deploy Actions: - Name: DeployAction InputArtifacts: - Name: BuildOutput ActionTypeId: Category: Deploy Owner: AWS Provider: CloudFormation Version: '1' Configuration: ActionMode: CREATE_UPDATE StackName: service-catalog-product-update Capabilities: CAPABILITY_IAM TemplatePath: BuildOutput::product-update.yaml RoleArn: !GetAtt CloudFormationRole.Arn
BuildProject: Type: AWS::CodeBuild::Project Properties: ServiceRole: !GetAtt BuildRole.Arn Artifacts: Type: CODEPIPELINE Environment: Type: LINUX_CONTAINER ComputeType: BUILD_GENERAL1_SMALL Image: aws/codebuild/standard:5.0 Source: Type: CODEPIPELINE BuildSpec: buildspec.yaml
CloudFormationRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Principal: Service: cloudformation.amazonaws.com Action: sts:AssumeRole Policies: - PolicyName: ServiceCatalogUpdate PolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Action: - servicecatalog:CreateProvisioningArtifact - servicecatalog:UpdateProduct - servicecatalog:DescribeProduct Resource: '*'
BuildRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Principal: Service: codebuild.amazonaws.com Action: sts:AssumeRole ManagedPolicyArns: - arn:aws:iam::aws:policy/PowerUserAccessBuildSpec for Product Update
Section titled “BuildSpec for Product Update”version: 0.2
phases: install: commands: - pip install cfn-lint pre_build: commands: - echo Validating CloudFormation templates... - cfn-lint templates/*.yaml build: commands: - echo Building product update template... - python scripts/create_product_version.py post_build: commands: - echo Build completed
artifacts: files: - product-update.yaml - templates/*.yamlProduct Version Update Script
Section titled “Product Version Update Script”import boto3import jsonimport os
def create_product_version(): """Create new product version in Service Catalog"""
client = boto3.client('servicecatalog')
# Product configuration product_id = os.environ.get('PRODUCT_ID') version = os.environ.get('CODEBUILD_RESOLVED_SOURCE_VERSION', 'v1.0.0')
# Create provisioning artifact response = client.create_provisioning_artifact( ProductId=product_id, Parameters={ 'Name': version, 'Type': 'CLOUD_FORMATION_TEMPLATE', 'Description': f'Version {version}', 'Info': { 'LoadTemplateFromURL': f's3://my-bucket/templates/{version}/template.yaml' } } )
print(f"Created provisioning artifact: {response['ProvisioningArtifactDetail']['Id']}")
# Generate CloudFormation template for product update update_template = { 'AWSTemplateFormatVersion': '2010-09-09', 'Resources': { 'ProductUpdate': { 'Type': 'AWS::ServiceCatalog::CloudFormationProduct', 'Properties': { 'Name': 'EC2 Web Server', 'ProductId': product_id, 'ProvisioningArtifactParameters': [ { 'Name': version, 'Description': f'Version {version}', 'Info': { 'LoadTemplateFromURL': f's3://my-bucket/templates/{version}/template.yaml' }, 'Type': 'CLOUD_FORMATION_TEMPLATE' } ] } } } }
with open('product-update.yaml', 'w') as f: json.dump(update_template, f, indent=2)
if __name__ == '__main__': create_product_version()45.8 StackSets Integration
Section titled “45.8 StackSets Integration”Service Catalog StackSets
Section titled “Service Catalog StackSets” StackSets Integration+------------------------------------------------------------------+| || Multi-Account Deployment || +----------------------------------------------------------+ || | | || | Management Account | || | +------------------------------------------------------+ | || | | Service Catalog | | || | | +--------------------------------------------------+ | | || | | | StackSet Product | | | || | | | - Deploy to multiple accounts | | | || | | | - Deploy to multiple regions | | | || | | +--------------------------------------------------+ | | || | +------------------------------------------------------+ | || | | || +--------------------------+-------------------------------+ || | || +------------------+------------------+ || | | | || v v v || +----------+ +----------+ +----------+ || | Account A| | Account B| | Account C| || | Region 1 | | Region 1 | | Region 1 | || | Region 2 | | Region 2 | | Region 2 | || +----------+ +----------+ +----------+ || |+------------------------------------------------------------------+Create StackSet Product
Section titled “Create StackSet Product”AWSTemplateFormatVersion: '2010-09-09'Description: StackSet Product for multi-account deployment
Parameters: TargetAccounts: Type: CommaDelimitedList Description: List of target account IDs
TargetRegions: Type: CommaDelimitedList Description: List of target regions
Parameters: Type: String Description: JSON string of parameters
Resources: StackSet: Type: AWS::CloudFormation::StackSet Properties: StackSetName: !Sub '${AWS::StackName}-StackSet' Description: Multi-account deployment TemplateURL: https://s3.amazonaws.com/my-bucket/templates/resource-template.yaml PermissionModel: SERVICE_MANAGED AutoDeployment: Enabled: true RetainStacksOnAccountRemoval: false Parameters: !Ref Parameters Capabilities: - CAPABILITY_IAM - CAPABILITY_NAMED_IAM
Outputs: StackSetId: Value: !Ref StackSet Description: StackSet IDStackSet Constraint
Section titled “StackSet Constraint”# Create StackSet constraintaws servicecatalog create-constraint \ --portfolio-id port-1234567890abcdef0 \ --product-id prod-1234567890abcdef0 \ --type STACK_SET \ --description "StackSet constraint for multi-account deployment" \ --parameters '{ "Accounts": ["123456789012", "123456789013"], "Regions": ["us-east-1", "us-west-2"], "AdminRoleArn": "arn:aws:iam::123456789012:role/StackSetAdminRole", "ExecutionRoleArn": "arn:aws:iam::123456789012:role/StackSetExecutionRole" }'45.10 Why This Matters in DevOps/SRE
Section titled “45.10 Why This Matters in DevOps/SRE”Service Catalog enables self-service infrastructure with governance. SREs use it to provide approved infrastructure to developers while maintaining control.
Service Catalog in DevOps/SRE+------------------------------------------------------------------+| || SRE Platform Engineering: || || 1. Self-Service Enablement || +----------------------------------------------------------+ || | - Developers provision approved infrastructure | || | - No direct AWS console access needed | || | - Faster provisioning, reduced ticket burden | || +----------------------------------------------------------+ || || 2. Governance & Compliance || +----------------------------------------------------------+ || | - Enforce constraints on resources | || | - Ensure tagging and naming standards | || | - Control which products are available | || +----------------------------------------------------------+ || || 3. Cost Optimization || +----------------------------------------------------------+ || | - Track usage across teams | || | - Enforce cost center allocation | || | - Prevent unauthorized resource creation | || +----------------------------------------------------------+ || |+------------------------------------------------------------------+45.11 Linux Systems Perspective
Section titled “45.11 Linux Systems Perspective”Service Catalog CLI
Section titled “Service Catalog CLI”# Install AWS CLIsudo pacman -S aws-cli-v2 jq
# List productsaws servicecatalog list-products
# Provision productaws servicecatalog provision-product \ --product-id prod-id \ --provisioning-artifact-name v1 \ --parameters Key=Environment,Value=dev45.12 Common Mistakes & Anti-Patterns
Section titled “45.12 Common Mistakes & Anti-Patterns” Service Catalog Anti-Patterns+------------------------------------------------------------------+| || ❌ Mistake 1: Too Many Products || +----------------------------------------------------------+ || | Problem: Overwhelming users with choices | || | Impact: Confusion, shadow IT | || | Fix: Curate approved products carefully | || +----------------------------------------------------------+ || || ❌ Mistake 2: Not Using Constraints || +----------------------------------------------------------+ || | Problem: No guardrails on resource creation | || | Impact: Non-compliant resources | || | Fix: Apply launch, stack, and notification constraints | || +----------------------------------------------------------+ || || ❌ Mistake 3: No Version Control || +----------------------------------------------------------+ || | Problem: Can't track or rollback products | || | Impact: Can't reproduce infrastructure | || | Fix: Version all product templates | || +----------------------------------------------------------+ || || ❌ Mistake 4: Not Tracking Usage || +----------------------------------------------------------+ || | Problem: No visibility into what's provisioned | || | Impact: Cost allocation issues, audit gaps | || | Fix: Enable CloudWatch integration for tracking | || +----------------------------------------------------------+ || |+------------------------------------------------------------------+45.13 Interview Questions
Section titled “45.13 Interview Questions”Conceptual Questions
Section titled “Conceptual Questions”-
Q: What’s the difference between Service Catalog and Terraform?
- A: Service Catalog provides approved self-service products. Terraform is an open-source IaC tool. Use Service Catalog to govern what users CAN provision, Terraform for how to provision it.
-
Q: How do Service Catalog constraints work?
- A: Launch constraints specify IAM role for provisioning. Stack sets constraints deploy to multiple accounts. Notification constraints send alerts on provisioning events.
Scenario-Based Questions
Section titled “Scenario-Based Questions”- Q: Design a self-service platform for your organization.
- A: Use Service Catalog: (1) Create portfolios for different teams, (2) Define products with CloudFormation templates, (3) Apply constraints for compliance, (4) Integrate with SSO for access, (5) Track costs with tags.
45.15 Troubleshooting
Section titled “45.15 Troubleshooting”Product Design Best Practices
Section titled “Product Design Best Practices” Service Catalog Best Practices+------------------------------------------------------------------+| || 1. Product Design || +--------------------------------------------------------+ || | - Use parameterized templates | || | - Implement proper tagging | || | - Version control templates | || | - Include comprehensive descriptions | || +--------------------------------------------------------+ || || 2. Portfolio Organization || +--------------------------------------------------------+ || | - Group products by function/team | || | - Use descriptive names | || | - Implement proper access controls | || | - Share across organization | || +--------------------------------------------------------+ || || 3. Governance || +--------------------------------------------------------+ || | - Apply launch constraints | || | - Enforce tagging requirements | || | - Use template constraints | || | - Monitor compliance | || +--------------------------------------------------------+ || || 4. CI/CD || +--------------------------------------------------------+ || | - Automate product updates | || | - Test templates before deployment | || | - Use version control | || | - Implement approval workflows | || +--------------------------------------------------------+ || |+------------------------------------------------------------------+Naming Conventions
Section titled “Naming Conventions”# Recommended naming conventionsProducts: - Format: [Service]-[Purpose]-[Environment] - Examples: - EC2-WebServer-Standard - RDS-PostgreSQL-HA - S3-DataLake-Standard
Portfolios: - Format: [Team/Function]-Portfolio - Examples: - Platform-Portfolio - DataTeam-Portfolio - Security-Portfolio
Provisioned Products: - Format: [Project]-[Environment]-[Product] - Examples: - WebApp-Prod-EC2-WebServer - Analytics-Dev-RDS-PostgreSQLTagging Strategy
Section titled “Tagging Strategy”{ "Tags": [ {"Key": "Environment", "Value": "production"}, {"Key": "Project", "Value": "web-application"}, {"Key": "Owner", "Value": "platform-team"}, {"Key": "CostCenter", "Value": "12345"}, {"Key": "Compliance", "Value": "pci-dss"}, {"Key": "ServiceCatalog:Portfolio", "Value": "port-1234567890abcdef0"}, {"Key": "ServiceCatalog:Product", "Value": "prod-1234567890abcdef0"} ]}45.10 Troubleshooting
Section titled “45.10 Troubleshooting”Common Issues
Section titled “Common Issues” Service Catalog Troubleshooting+------------------------------------------------------------------+| || Issue: Product Launch Failed || +--------------------------------------------------------+ || | Solutions: | || | - Check launch role permissions | || | - Verify CloudFormation template | || | - Check parameter values | || | - Review CloudFormation events | || +--------------------------------------------------------+ || || Issue: Access Denied || +--------------------------------------------------------+ || | Solutions: | || | - Verify portfolio association | || | - Check IAM permissions | || | - Verify principal association | || | - Check constraint configuration | || +--------------------------------------------------------+ || || Issue: Constraint Not Applied || +--------------------------------------------------------+ || | Solutions: | || | - Verify constraint association | || | - Check constraint parameters | || | - Validate constraint JSON | || | - Review CloudTrail logs | || +--------------------------------------------------------+ || |+------------------------------------------------------------------+Debug Commands
Section titled “Debug Commands”# List portfoliosaws servicecatalog list-portfolios
# List products in portfolioaws servicecatalog search-products \ --filters FullTextSearch=EC2
# Describe productaws servicecatalog describe-product \ --id prod-1234567890abcdef0
# List provisioning artifacts (versions)aws servicecatalog list-provisioning-artifacts \ --product-id prod-1234567890abcdef0
# Describe provisioned productaws servicecatalog describe-provisioned-product \ --id pp-1234567890abcdef0
# Get CloudFormation stack eventsaws cloudformation describe-stack-events \ --stack-name SC-pp-1234567890abcdef0
# List constraintsaws servicecatalog list-constraints-for-portfolio \ --portfolio-id port-1234567890abcdef045.15 Key Takeaways
Section titled “45.15 Key Takeaways”| Topic | Key Points |
|---|---|
| Products | CloudFormation templates as deployable services |
| Portfolios | Collections of products for user groups |
| Constraints | Governance rules for deployment control |
| Sharing | Share portfolios across accounts and OUs |
| CI/CD | Automate product version updates |
| StackSets | Multi-account, multi-region deployments |
45.16 References
Section titled “45.16 References”- AWS Service Catalog Documentation
- Service Catalog Best Practices
- Service Catalog Constraints
- Service Catalog Portfolio Sharing
45.17 Exam Tips
Section titled “45.17 Exam Tips”
Key Exam Points+------------------------------------------------------------------+| || 1. Service Catalog: Self-service provisioning platform || || 2. Products: CloudFormation templates or Terraform || || 3. Portfolios: Group products for specific user groups || || 4. Constraints: Control deployment (launch, stack set, template) || || 5. IAM Roles: Control who can launch products || || 6. Portfolio Sharing: Cross-account via RAM or organization || || 7. AWS CloudFormation: Products as stack templates || || 8. TagOption: Dynamic provisioning parameters || || 9. End User View: Web portal for product access || || 10. CI/CD Integration: Automate product version updates || |+------------------------------------------------------------------+45.18 Summary
Section titled “45.18 Summary” Chapter 45 Summary+------------------------------------------------------------------+| || AWS Service Catalog || +------------------------------------------------------------+ || | - Self-service provisioning platform | || | - Product management via portfolios | || | - Governance through constraints | || | - Cross-account sharing | || +------------------------------------------------------------+ || || Key Components || +------------------------------------------------------------+ || | - Products: CloudFormation/Terraform templates | || | - Portfolios: Collections of products | || | - Constraints: Launch, Stack Set, Template | || | - TagOptions: Dynamic parameters | || +------------------------------------------------------------+ || || Best Practices || +------------------------------------------------------------+ || | - Organize products by team or project | || | - Use constraints for governance | || | - Enable portfolio sharing for organization | || | - Integrate with CI/CD for product updates | || +------------------------------------------------------------+ || |+------------------------------------------------------------------+Next Chapter: Chapter 46 - High Availability & Disaster Recovery Architecture