Written by Aparna M, Associate Solutions Architect at Powerupcloud Technologies
Enterprise customers who need to provision and manage AWS accounts and cloud environments across every area of the business, while granting the right access and maintaining governance and security to business standards, find this difficult and time-consuming.
When using AWS cloud resources it can be frustrating to make sure everyone has the right level of access to the services they need, especially when different roles and positions have different needs. It gets more complicated when administrators also want to ensure everything is properly updated and compliant with security standards. To address this, AWS launched Service Catalog. In this blog post we will talk about Service Catalog: what it is, its benefits and its key concepts.
What is AWS Service Catalog?
With AWS Service Catalog you can create and manage catalogs of IT services that are approved for use on AWS. These IT services can include everything from virtual machine images, servers, software, and databases to complete multi-tier application architectures. It allows you to centrally manage deployed IT services and your applications, resources, and metadata. Administrators can control which users have access to each product to enforce governance and meet your compliance requirements.
Why AWS Service Catalog?
- Increase agility with access to services
- Share best practices
- Compliance with business goals and policies
Control provisioning of AWS resources
- Tag resources while provisioning
- Restrict user permission
Rapidly find and deploy approved services
- Own catalog of AWS services and Marketplace software
- Connect with ITSM/ITOM tools
- ITSM tools such as ServiceNow and Jira Service Desk can be integrated with Service Catalog
- Improved security
- Constraints on which IAM role is used to provision resources
- Build the Service Catalog on top of CloudFormation to follow security best practices
- Add constraints on resource provisioning
Features of AWS Service Catalog
- Standardization of assets
- Self-service discovery and launch
- Fine-grain access control
- Extensibility and version control
- Central management of resources
Key AWS Service Catalog concepts
Product: a product is a blueprint for building your AWS resources, that is, a collection of AWS resources such as EC2 instances, application servers, RDS databases and so on that are instantiated and managed as a stack. You create products by importing AWS CloudFormation templates. The templates define the AWS resources required for the product, the relationships between those resources, and the parameters used when launching the product to configure security groups, create key pairs, and perform other customizations.
Portfolio: if a product has multiple versions, it is a good idea to place them in a portfolio. You can use portfolios to manage user access to specific products. Portfolio access can be granted at the IAM user, IAM group, and IAM role level.
Users: catalog administrators manage a catalog of products, organizing them into portfolios and granting access to end users.
End users use AWS Service Catalog to launch the products to which they have been granted access.
Constraints: constraints control the way users can deploy a product. Launch constraints allow you to specify a role for a product in a portfolio. This role is used to provision the resources at launch, so you can restrict user permissions without impacting users' ability to provision products from the catalog.
Access control: you can use AWS IAM permissions to control who can view and modify your products and portfolios. By assigning an IAM role to each product, you can avoid giving users permissions to perform unapproved operations while still enabling them to provision resources through the catalog.
Versioning: Service Catalog allows you to manage multiple versions of the products in your catalog.
Stack: every AWS Service Catalog product is launched as an AWS CloudFormation stack. You can use CloudFormation StackSets to launch Service Catalog products across multiple regions and accounts.
- Create an AWS account, log in and open the Console.
- Grant permissions to administrators and end users.
- Start building Service Catalogs. Use the Getting Started Guide to learn how.
As a catalog administrator you create a product based on a CloudFormation template, which defines the AWS resources used by the product. You add the product to a portfolio and distribute it to the end users. Finally, you log in as an end user to test the product.
The following diagram explains the end-user workflow once the product is available. The end user's view-and-provision tasks are on the right, and the administrator's tasks are on the left. The tasks are numbered in order.
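The administrator workflow above (product from a CloudFormation template, added to a portfolio, shared with end users) and the launch-constraint concept can be expressed as one CloudFormation template. This is an added example written for this post, not code from AWS or from the author; the product template URL, the end-user group ARN, and the launch role's policy are placeholders you replace with your own.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Portfolio, product and launch constraint (constructed example)
Parameters:
  EndUserGroupArn:      # placeholder: ARN of the IAM group allowed to launch
    Type: String
  ProductTemplateUrl:   # placeholder: S3 URL of the product's CloudFormation template
    Type: String
Resources:
  LaunchRole:           # assumed by Service Catalog at launch, never by the end user
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: { Service: servicecatalog.amazonaws.com }
            Action: sts:AssumeRole
      Policies:
        - PolicyName: provision-product-resources   # constructed; scope to what the product creates
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action: ['cloudformation:*', 's3:GetObject', 's3:CreateBucket', 's3:PutBucketTagging']
                Resource: '*'
  Portfolio:
    Type: AWS::ServiceCatalog::Portfolio
    Properties:
      DisplayName: Approved storage
      ProviderName: Platform team
  Product:
    Type: AWS::ServiceCatalog::CloudFormationProduct
    Properties:
      Name: Standard S3 bucket
      Owner: Platform team
      ProvisioningArtifactParameters:     # each entry is one product version
        - Name: v1
          Info: { LoadTemplateFromURL: !Ref ProductTemplateUrl }
  Association:
    Type: AWS::ServiceCatalog::PortfolioProductAssociation
    Properties: { PortfolioId: !Ref Portfolio, ProductId: !Ref Product }
  LaunchConstraint:     # the launch role provisions; end users need no resource permissions
    Type: AWS::ServiceCatalog::LaunchRoleConstraint
    DependsOn: Association
    Properties: { PortfolioId: !Ref Portfolio, ProductId: !Ref Product, RoleArn: !GetAtt LaunchRole.Arn }
  EndUserAccess:        # grants the group the right to see and launch portfolio products
    Type: AWS::ServiceCatalog::PortfolioPrincipalAssociation
    Properties: { PortfolioId: !Ref Portfolio, PrincipalARN: !Ref EndUserGroupArn, PrincipalType: IAM }
```

End users in the group still need the `AWSServiceCatalogEndUserFullAccess` managed policy (or equivalent) to use the console; everything the product creates runs under `LaunchRole`, so that role's policy is where the permission boundary is enforced.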
- Controlled provisioning of AWS services
- Reduced AWS costs
- Self-service for end users
- Resource standardization, compliance, and consistent service offerings
- Enhanced security
- Helps employees quickly find and deploy approved IT services
- Connects with ITSM/ITOM software
- Fine-grained access control
- Extensibility and version control
- Automated backups
- Setting up DevOps pipelines
Our Experience with AWS Service Catalog
- One of our customers, who is leading the world with the innovation of new products, had a requirement for a self-service portal so that users across the business could provision AWS resources as per their needs with the company standards, compliance, and security involved in it. They wanted to integrate with ITSM tools to manage and keep track of resource creation. As part of this, we leveraged AWS Service Catalog, with various Service Catalog products consisting of AWS resources to provision EC2, S3, etc. We integrated the Service Catalog with Jira so that users can self-serve the resources they need. This helped them dramatically simplify the process of creating or replicating AWS environments, enabling their teams to offer self-service options for standard configurations. By providing these services through AWS Service Catalog, they can reduce the time involved in setup and reduce the load on in-house IT teams, with the assurance that baseline security configurations are maintained.
- A customer wanted to set up separate AWS accounts so they could meet the different needs of their organization. It takes manual effort to configure baseline security practices and meet governance and security standards. We used the AWS Landing Zone concept to set up and organize the AWS accounts with certain company standards. The Account Vending Machine (AVM) is a key AWS Landing Zone component. The AVM is provided as an AWS Service Catalog product, which allows customers to create new AWS accounts pre-configured with an account security baseline. Monitoring, logging, security, and compliance are pre-configured during account setup. This helps customers reduce infrastructure setup and operations costs, and takes minimum effort to set up the infrastructure. It also helps customers migrate to AWS in less time, reducing the manual effort of configuring the security baseline.
We have seen how AWS Service Catalog allows organizations to centrally manage commonly deployed IT services, and the various benefits of using Service Catalog to reduce the effort users spend provisioning resources.