AWS Service Catalog
Administrator Guide
Copyright © Amazon Web Services, Inc. and/or its affiliates. All rights reserved.
Amazon's trademarks and trade dress may not be used in connection with any product or service that is not Amazon's, in any manner that is likely to cause confusion among customers, or in any manner that disparages or discredits Amazon. All other trademarks not owned by Amazon are the property of their respective owners, who may or may not be affiliated with, connected to, or sponsored by Amazon.
Table of Contents
What Is AWS Service Catalog? ... 1
Video: Introduction to AWS Service Catalog ... 1
Overview ... 1
Users ... 2
Products ... 2
Provisioned Products ... 2
Portfolios ... 2
Versioning ... 2
Permissions ... 3
Constraints ... 3
Initial Administrator Workflow ... 3
Initial End User Workflow ... 4
Quotas ... 4
AppRegistry ... 4
AWS Organizations ... 4
Constraint quotas ... 4
Portfolio quotas ... 4
Product quotas ... 5
Provisioned product quotas ... 5
Regional quotas ... 5
Service action quotas ... 5
TagOptions quotas ... 5
Setting Up ... 6
Sign Up for Amazon Web Services ... 6
Grant Permissions to Administrators and End Users ... 6
Grant Permissions to Administrators ... 6
Grant Permissions to End Users ... 8
Getting Started ... 9
Step 1: Download the Template ... 9
Template Download ... 9
Template Overview ... 9
Step 2: Create a Key Pair ... 12
Step 3: Create a Portfolio ... 12
Step 4: Create a Product ... 13
Step 5: Add a Template Constraint ... 13
Step 6: Add a Launch Constraint ... 14
Step 7: Grant End Users Access to the Portfolio ... 15
Step 8: Test the End User Experience ... 16
Getting Started Library ... 17
Prerequisites ... 17
Reference Architectures ... 17
High Reliability Architectures ... 17
Learn More ... 18
Security ... 19
Data Protection ... 19
Protecting Data with Encryption ... 20
Identity and Access Management ... 20
Audience ... 21
Predefined AWS Managed Policies ... 21
Identity-based policy examples for AWS Service Catalog ... 22
Troubleshooting AWS Service Catalog identity and access ... 26
Controlling Access ... 28
Using Service-Linked Roles for AWS Service Catalog AppRegistry ... 28
Logging and Monitoring ... 31
Compliance Validation ... 31
Resilience ... 31
Infrastructure Security ... 32
Security Best Practices ... 32
Managed policies ... 33
AWS Service Catalog updates to managed policies ... 35
Managing Catalogs ... 37
Managing Portfolios ... 37
Creating, Viewing, and Deleting Portfolios ... 37
Viewing Portfolio Details ... 38
Creating and Deleting Portfolios ... 38
Adding Products ... 38
Adding Constraints ... 40
Granting Access to Users ... 41
Sharing a Portfolio ... 41
Sharing and Importing Portfolios ... 44
Managing Products ... 47
Viewing the Products Page ... 47
Creating Products ... 47
Adding Products to Portfolios ... 48
Updating Products ... 49
Deleting Products ... 49
Managing Versions ... 50
Using Constraints ... 51
Launch Constraints ... 51
Notification Constraints ... 53
Tag Update Constraints ... 54
Stack Set Constraints ... 54
Template Constraints ... 55
Using Service Actions ... 57
Prerequisites ... 58
Step 1: Configure end user permissions ... 58
Step 2: Create a service action ... 59
Step 3: Associate the service action with a product version ... 59
Step 4: Test the end user experience ... 60
Step 5: Troubleshooting ... 60
Adding AWS Marketplace Products to Your Portfolio ... 61
Managing AWS Marketplace Products Using AWS Service Catalog ... 62
Managing and Adding AWS Marketplace Products Manually ... 62
Using AWS CloudFormation StackSets ... 67
Stack sets vs. stack instances ... 67
Stack set constraints ... 67
Managing Budgets ... 67
Prerequisites ... 68
Creating a Budget ... 69
Associating a Budget ... 69
Viewing a Budget ... 70
Disassociating a Budget ... 70
Managing Provisioned Products ... 71
Managing All Provisioned Products as Administrator ... 71
Changing Provisioned Product Owner ... 71
See Also ... 72
Updating templates for provisioned products ... 72
Tutorial: Identifying User Resource Allocation ... 72
Managing Tags ... 76
AutoTags ... 76
TagOption Library ... 77
Launching a Product with TagOptions ... 78
Managing TagOptions ... 80
Using TagOptions with AWS Organizations tag policies ... 81
Monitoring ... 84
Monitoring Tools ... 84
Automated Tools ... 84
CloudWatch Metrics ... 84
Enabling CloudWatch Metrics ... 85
Available Metrics and Dimensions ... 85
Viewing AWS Service Catalog Metrics ... 86
CloudTrail logs ... 86
AWS Service Catalog information in AWS CloudTrail ... 86
Understanding AWS Service Catalog log file entries ... 87
Using AppRegistry ... 4
Creating applications ... 89
Accessing application details ... 90
Editing applications ... 90
Deleting applications ... 91
Associating application resources ... 91
Associating attribute groups ... 92
Creating attribute groups ... 92
Accessing attribute group details ... 92
Associating attribute groups ... 93
Adding tags ... 95
Product and Service Integrations ... 97
Connector for ServiceNow ... 97
Service management alignment ... 98
Background ... 99
Getting started ... 99
Release notes ... 100
Configuring AWS ... 101
Configuring ServiceNow ... 110
Validating configurations ... 132
ServiceNow additional features ... 144
Version 2.3.4 release transition instructions ... 148
Connector for Jira Service Management ... 149
Background ... 150
Jira Service Management Supported Versions and Releases ... 150
Getting Started ... 151
Release Notes ... 152
Baseline Permissions ... 153
Configuring AWS Service Catalog ... 158
Configuring AWS Security Hub ... 159
Configuring Jira Service Management ... 160
IT Lifecycle Management Setup and Use Case ... 167
Validating Configurations ... 172
Managing AWS Security Hub settings in JSM Integration ... 174
Jira Additional Administrator Features ... 175
Document History ... 177
What Is AWS Service Catalog?
AWS Service Catalog enables organizations to create and manage catalogs of IT services that are approved for AWS. These IT services can include everything from virtual machine images, servers, software, databases, and more to complete multi-tier application architectures.
AWS Service Catalog allows organizations to centrally manage commonly deployed IT services, and helps organizations achieve consistent governance and meet compliance requirements. End users can quickly deploy only the approved IT services they need, following the constraints set by your organization.
AWS Service Catalog provides the following benefits:
• Standardization
Administer and manage approved assets by restricting where the product can be launched, the type of instance that can be used, and many other configuration options. The result is a standardized landscape for product provisioning for your entire organization.
• Self-service discovery and launch
Users browse listings of products (services or applications) that they have access to, locate the product that they want to use, and launch it all on their own as a provisioned product.
• Fine-grain access control
Administrators assemble portfolios of products from their catalog, add constraints and resource tags to be used at provisioning, and then grant access to the portfolio through AWS Identity and Access Management (IAM) users and groups.
• Extensibility and version control
Administrators can add a product to any number of portfolios and restrict it without creating another copy. Updating the product to a new version propagates the update to all products in every portfolio that references it.
For more information, see the AWS Service Catalog detail page.
The AWS Service Catalog API provides programmatic control over all end-user actions as an alternative to using the AWS Management Console. For more information, see AWS Service Catalog Developer Guide.
Video: Introduction to AWS Service Catalog
This video (7:27) describes how to create, organize, and govern a curated catalog of AWS products, and how to share products at a chosen permissions level. As a result, end users can quickly provision approved IT resources without direct access to the underlying AWS services.
Introduction to AWS Service Catalog
Overview of AWS Service Catalog
As you get started with AWS Service Catalog, you'll benefit from understanding its components and the initial workflows for administrators and end users.
Users
AWS Service Catalog supports the following types of users:
• Catalog administrators (administrators) – Manage a catalog of products (applications and services), organizing them into portfolios and granting access to end users. Catalog administrators prepare AWS CloudFormation templates, configure constraints, and manage IAM roles for products to provide for advanced resource management.
• End users – Receive AWS credentials from their IT department or manager and use the AWS Management Console to launch products to which they have been granted access. Sometimes referred to as simply users, end users may be granted different permissions depending on your operational requirements. For example, a user may have the maximum permission level (to launch and manage all of the resources required by the products they use) or only permission to use particular service features.
Products
A product is an IT service that you want to make available for deployment on AWS. A product consists of one or more AWS resources, such as EC2 instances, storage volumes, databases, monitoring configurations, and networking components, or packaged AWS Marketplace products. A product can be a single compute instance running AWS Linux, a fully configured multi-tier web application running in its own environment, or anything in between.
You create a product by importing an AWS CloudFormation template. AWS CloudFormation templates define the AWS resources required for the product, the relationships between resources, and the parameters that end users can plug in when they launch the product to configure security groups, create key pairs, and perform other customizations.
Provisioned Products
AWS CloudFormation stacks make it easier to manage the lifecycle of your product by enabling you to provision, tag, update, and terminate your product instance as a single unit. An AWS CloudFormation stack includes an AWS CloudFormation template, written in either JSON or YAML format, and its associated collection of resources. A provisioned product is a stack. When an end user launches a product, the instance of the product that is provisioned by AWS Service Catalog is a stack with the resources necessary to run the product. For more information, see AWS CloudFormation User Guide.
Portfolios
A portfolio is a collection of products that contains configuration information. Portfolios help manage who can use specific products and how they can use them. With AWS Service Catalog, you can create a customized portfolio for each type of user in your organization and selectively grant access to the appropriate portfolio. When you add a new version of a product to a portfolio, that version is automatically available to all current users.
You also can share your portfolios with other AWS accounts and allow the administrator of those accounts to distribute your portfolios with additional constraints, such as limiting which EC2 instances a user can create. Through the use of portfolios, permissions, sharing, and constraints, you can ensure that users are launching products that are configured properly for the organization’s needs and standards.
Versioning
AWS Service Catalog allows you to manage multiple versions of the products in your catalog. This approach allows you to add new versions of templates and associated resources based on software updates or configuration changes.
When you create a new version of a product, the update is automatically distributed to all users who have access to the product, allowing the user to select which version of the product to use. Users can update running instances of the product to the new version quickly and easily.
Permissions
Granting a user access to a portfolio enables that user to browse the portfolio and launch the products in it. You apply AWS Identity and Access Management (IAM) permissions to control who can view and modify your catalog. IAM permissions can be assigned to IAM users, groups, and roles.
When a user launches a product that has an IAM role assigned to it, AWS Service Catalog uses the role to launch the product's cloud resources using AWS CloudFormation. By assigning an IAM role to each product, you can avoid giving users permissions to perform unapproved operations and enable them to provision resources using the catalog.
Constraints
Constraints control the ways that you can deploy specific AWS resources for a product. You can use them to apply limits to products for governance or cost control. There are different types of AWS Service Catalog constraints: launch constraints, notification constraints, and template constraints.
With launch constraints, you specify a role for a product in a portfolio. Use this role to provision the resources at launch, so you can restrict user permissions without impacting users' ability to provision products from the catalog.
Notification constraints enable you to get notifications about stack events using an Amazon SNS topic.
Template constraints restrict the configuration parameters that are available for the user when launching the product (for example, EC2 instance types or IP address ranges). With template constraints, you reuse generic AWS CloudFormation templates for products and apply restrictions to the templates on a per-product or per-portfolio basis.
Initial Administrator Workflow
This diagram shows the initial workflow for an administrator to create a catalog.
Initial End User Workflow
This diagram shows the initial workflow for an end user.
AWS Service Catalog default service quotas
Your AWS account has the following default quotas related to AWS Service Catalog for AppRegistry, AWS Organizations, constraint, portfolio, product, provisioned product, regional, service action, and TagOptions.
You can use Service Quotas to manage your quotas or to request a quota increase. For more information about Service Quotas, see What Is Service Quotas? in the Service Quotas User Guide. To learn how to request a quota increase, see Requesting a Quota Increase.
AppRegistry
• Applications per account and region: 100
• Attribute groups per account and region: 100
• Associated resources per application: 200
• Associated attribute groups per application: 100
• Size of attribute group: 8,000 characters
AWS Organizations
• AWS Service Catalog delegated administrators per organization: 50
Constraint quotas
• Constraints per product per portfolio: 100
Portfolio quotas
• Users, groups, and roles per portfolio: 100
• Products per portfolio: 150
• Tags per portfolio: 20
• Shared accounts per portfolio: 5000
• Tag values per tag key: 25
Product quotas
• Users, groups, and roles per product: 200
• Product versions per product: 100
• Tags per product: 20
• Tag values per tag key: 25
Provisioned product quotas
• Tags per provisioned product: 50
Regional quotas
• Portfolios: 100
• Products: 350
Service action quotas
• Service actions per region: 200
• Service action associations per product version: 25
TagOptions quotas
• TagOptions per resource: 25
• Values per TagOption: 25
Setting Up AWS Service Catalog
Before you get started with AWS Service Catalog, complete the following tasks.
Sign Up for Amazon Web Services
To use Amazon Web Services (AWS), you will need to sign up for an AWS account.
To sign up for an AWS account
1. Open https://portal.aws.amazon.com/billing/signup.
2. Follow the online instructions.
Part of the sign-up procedure involves receiving a phone call and entering a verification code on the phone keypad.
AWS sends you a confirmation email after the sign up process is complete. At any time, you can view your current account activity and manage your account by going to https://aws.amazon.com/ and choosing My Account, AWS Management Console.
Grant Permissions to Administrators and End Users
Catalog administrators and end users require different IAM permissions to use AWS Service Catalog.
As a catalog administrator, you must have IAM permissions that allow you to access the AWS Service Catalog administrator console, create products, and manage products. Before your end users can use your products, you must grant them permissions that allow them to access the AWS Service Catalog end user console, launch products, and manage launched products as provisioned products.
AWS Service Catalog provides many of these permissions using managed policies. AWS maintains these policies and provides them in the AWS Identity and Access Management (IAM) service. You can use these policies by attaching them to the IAM users, groups, or roles that you and your end users use.
• Identity and Access Management in AWS Service Catalog (p. 20)
• Grant Permissions to AWS Service Catalog Administrators (p. 6)
• Grant Permissions to AWS Service Catalog End Users (p. 8)
Grant Permissions to AWS Service Catalog Administrators
As a catalog administrator, you require access to the AWS Service Catalog administrator console view and IAM permissions that allow you to perform tasks such as the following:
• Creating and managing portfolios
• Creating and managing products
• Adding template constraints to control the options that are available to end users when launching a product
• Adding launch constraints to define the IAM roles that AWS Service Catalog assumes when end users launch products
• Granting end users access to your products
You, or an administrator who manages your IAM permissions, must attach policies to your IAM user, group, or role that are required to complete this tutorial.
To grant permissions to a catalog administrator
1. Open the IAM console at https://console.aws.amazon.com/iam/.
2. In the navigation pane, choose Users. If you have already created an IAM user that you would like to use as the catalog administrator, choose the user name and choose Add permissions. Otherwise, create a user as follows:
a. Choose Add user.
b. For User name, type ServiceCatalogAdmin.
c. Select Programmatic access and AWS Management Console access.
d. Choose Next: Permissions.
3. Choose Attach existing policies directly.
4. Choose Create policy and do the following:
a. Choose the JSON tab.
b. Copy the following example policy and paste it in Policy Document:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateKeyPair",
        "iam:AddRoleToInstanceProfile",
        "iam:AddUserToGroup",
        "iam:AttachGroupPolicy",
        "iam:CreateAccessKey",
        "iam:CreateGroup",
        "iam:CreateInstanceProfile",
        "iam:CreateLoginProfile",
        "iam:CreateRole",
        "iam:CreateUser",
        "iam:Get*",
        "iam:List*",
        "iam:PutRolePolicy",
        "iam:UpdateAssumeRolePolicy"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
c. Choose Review policy.
d. For Policy Name, type ServiceCatalogAdmin-AdditionalPermissions.
e. You must grant administrators permissions for Amazon S3 so they can access templates stored by AWS Service Catalog in Amazon S3. For more information, see User Policy Examples in the Amazon Simple Storage Service User Guide.
f. Choose Create Policy.
5. Return to the browser window with the permissions page and choose Refresh.
6. In the search field, type ServiceCatalog to filter the policy list.
7. Select the checkboxes for the AWSServiceCatalogAdminFullAccess and ServiceCatalogAdmin-AdditionalPermissions policies, and then choose Next: Review.
8. If you are updating a user, choose Add permissions.
If you are creating a user, choose Create user. You can download or copy the credentials and then choose Close.
9. To sign in as the catalog administrator, use your account-specific URL. To find this URL, choose Dashboard in the navigation pane and choose Copy Link. Paste the link in your browser, and use the name and password of the IAM user you created or updated in this procedure.
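The ServiceCatalogAdmin-AdditionalPermissions policy in step 4 grants every listed action on every resource ("Resource": ["*"]) and uses the wildcard patterns iam:Get* and iam:List*. Before attaching a policy like this, a reviewer usually wants two things made explicit: which statements are unscoped, and which concrete actions a wildcard pattern actually covers. The following Python is added here as an illustration; it is not part of the guide or of any AWS tool. It embeds the step 4 policy as its input, reports per Allow statement whether the resource is "*", which actions are wildcard patterns and whether a Condition block narrows the statement, and expands action patterns against a list of action names you supply, using the same case-insensitive "*" and "?" matching IAM applies. The function names (lint_policy, expand_actions, action_matches) and the short list of action names in the usage are this example's own.

```python
import fnmatch
import json

# The ServiceCatalogAdmin-AdditionalPermissions policy from step 4 above,
# embedded as the sample input for this example.
ADMIN_ADDITIONAL_PERMISSIONS = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateKeyPair",
        "iam:AddRoleToInstanceProfile", "iam:AddUserToGroup",
        "iam:AttachGroupPolicy", "iam:CreateAccessKey", "iam:CreateGroup",
        "iam:CreateInstanceProfile", "iam:CreateLoginProfile", "iam:CreateRole",
        "iam:CreateUser", "iam:Get*", "iam:List*",
        "iam:PutRolePolicy",
        "iam:UpdateAssumeRolePolicy"
      ],
      "Resource": ["*"]
    }
  ]
}
""")


def _as_list(value):
    """Action and Resource may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def action_matches(pattern, action):
    """IAM action names match case-insensitively; '*' and '?' are wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def expand_actions(policy, known_actions):
    """Return the subset of known_actions that the policy's Allow statements grant.

    IAM never lists what a wildcard expands to, so the caller supplies the
    action names it cares about (for example, an inventory of iam:* actions)."""
    granted = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt.get("Action")):
            granted.update(a for a in known_actions if action_matches(pattern, a))
    return sorted(granted)


def lint_policy(policy):
    """One finding per Allow statement: does it use Resource "*", which of its
    actions are wildcard patterns, and is it narrowed by a Condition block."""
    findings = []
    for index, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        findings.append({
            "statement": index,
            "wildcard_resource": "*" in _as_list(stmt.get("Resource")),
            "wildcard_actions": sorted(a for a in actions if "*" in a or "?" in a),
            "has_condition": "Condition" in stmt,
        })
    return findings


if __name__ == "__main__":
    # Constructed list of action names to expand against; deliberately short.
    sample_actions = ["iam:GetRole", "iam:ListRoles", "iam:DeleteRole",
                      "iam:PutRolePolicy", "s3:GetObject"]
    for finding in lint_policy(ADMIN_ADDITIONAL_PERMISSIONS):
        print(finding)
    print(expand_actions(ADMIN_ADDITIONAL_PERMISSIONS, sample_actions))
```

Run against the step 4 policy, lint_policy returns a single finding with wildcard_resource set, the two wildcard patterns listed and no Condition, which is the information you need when deciding whether to scope the Resource element to specific role or user ARNs in your own account.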
Grant Permissions to AWS Service Catalog End Users
Before the end user can use AWS Service Catalog, you must grant access to the AWS Service Catalog end user console view. To grant access, you attach policies to the IAM user, group, or role that is used by the end user. In the following procedure, we attach the AWSServiceCatalogEndUserFullAccess policy to an IAM group. For more information, see Predefined AWS Managed Policies (p. 21).
To grant permissions to an end user group
1. Open the IAM console at https://console.aws.amazon.com/iam/.
2. In the navigation pane, choose Groups.
3. Choose Create New Group and do the following:
a. For Group Name, type Endusers, and then choose Next Step.
b. In the search field, type AWSServiceCatalog to filter the policy list.
c. Select the checkbox for the AWSServiceCatalogEndUserFullAccess policy, and then choose Next Step. You also have the option to choose AWSServiceCatalogEndUserReadOnlyAccess instead.
d. On the Review page, choose Create Group.
4. In the navigation pane, choose Users.
5. Choose Add user and do the following:
a. For User name, type a name for the user.
b. Select AWS Management Console access.
c. Choose Next: Permissions.
d. Choose Add user to group.
e. Select the checkbox for the Endusers group and choose Next: Tags and then Next: Review.
f. On the Review page, choose Create user. Download or copy the credentials and then choose Close.
Getting Started
This tutorial introduces you to the key tasks that you do as a catalog administrator. You create a product that is based on an AWS CloudFormation template, which defines the AWS resources used by the product. The product, Linux Desktop, is a cloud development environment that runs on Amazon Linux.
You add the product to a portfolio and distribute it to the end user. Finally, you log in as the end user to test the product.
Before You Begin
Complete the tasks described in Setting Up AWS Service Catalog (p. 6).
Tasks
• Step 1: Download the AWS CloudFormation Template (p. 9)
• Step 2: Create a Key Pair (p. 12)
• Step 3: Create an AWS Service Catalog Portfolio (p. 12)
• Step 4: Create an AWS Service Catalog Product (p. 13)
• Step 5: Add a Template Constraint to Limit Instance Size (p. 13)
• Step 6: Add a Launch Constraint to Assign an IAM Role (p. 14)
• Step 7: Grant End Users Access to the Portfolio (p. 15)
• Step 8: Test the End User Experience (p. 16)
Step 1: Download the AWS CloudFormation Template
To provision and configure portfolios and products, you use AWS CloudFormation templates, which are JSON- or YAML-formatted text files. For more information, see Template Formats in the AWS CloudFormation User Guide. These templates describe the resources that you want to provision. You can use the AWS CloudFormation editor or any text editor to create and save templates. For this tutorial, we've provided a simple template to get you started. This template launches a single Linux instance configured for SSH access.
Template Download
The sample template provided for this tutorial, development-environment.template, is available at https://awsdocs.s3.amazonaws.com/servicecatalog/development-environment.template.
Template Overview
The text of the sample template follows:
{
  "AWSTemplateFormatVersion" : "2010-09-09",
  "Description" : "AWS Service Catalog sample template. Creates an Amazon EC2 instance running the Amazon Linux AMI. The AMI is chosen based on the region in which the stack is run. This example creates an EC2 security group for the instance to give you SSH access. **WARNING** This template creates an Amazon EC2 instance. You will be billed for the AWS resources used if you create a stack from this template.",
  "Parameters" : {
    "KeyName": {
      "Description" : "Name of an existing EC2 key pair for SSH access to the EC2 instance.",
      "Type": "AWS::EC2::KeyPair::KeyName"
    },
    "InstanceType" : {
      "Description" : "EC2 instance type.",
      "Type" : "String",
      "Default" : "t2.micro",
      "AllowedValues" : [ "t2.micro", "t2.small", "t2.medium", "m3.medium", "m3.large", "m3.xlarge", "m3.2xlarge" ]
    },
    "SSHLocation" : {
      "Description" : "The IP address range that can SSH to the EC2 instance.",
      "Type": "String",
      "MinLength": "9",
      "MaxLength": "18",
      "Default": "0.0.0.0/0",
      "AllowedPattern": "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\\d{1,2})",
      "ConstraintDescription": "Must be a valid IP CIDR range of the form x.x.x.x/x."
    }
  },
  "Metadata" : {
    "AWS::CloudFormation::Interface" : {
      "ParameterGroups" : [{
        "Label" : {"default": "Instance configuration"},
        "Parameters" : ["InstanceType"]
      },{
        "Label" : {"default": "Security configuration"},
        "Parameters" : ["KeyName", "SSHLocation"]
      }],
      "ParameterLabels" : {
        "InstanceType": {"default": "Server size:"},
        "KeyName": {"default": "Key pair:"},
        "SSHLocation": {"default": "CIDR range:"}
      }
    }
  },
  "Mappings" : {
    "AWSRegionArch2AMI" : {
      "us-east-1"      : { "HVM64" : "ami-08842d60" },
      "us-west-2"      : { "HVM64" : "ami-8786c6b7" },
      "us-west-1"      : { "HVM64" : "ami-cfa8a18a" },
      "eu-west-1"      : { "HVM64" : "ami-748e2903" },
      "ap-southeast-1" : { "HVM64" : "ami-d6e1c584" },
      "ap-northeast-1" : { "HVM64" : "ami-35072834" },
      "ap-southeast-2" : { "HVM64" : "ami-fd4724c7" },
      "sa-east-1"      : { "HVM64" : "ami-956cc688" },
      "cn-north-1"     : { "HVM64" : "ami-ac57c595" },
      "eu-central-1"   : { "HVM64" : "ami-b43503a9" }
    }
  },
  "Resources" : {
    "EC2Instance" : {
      "Type" : "AWS::EC2::Instance",
      "Properties" : {
        "InstanceType" : { "Ref" : "InstanceType" },
        "SecurityGroups" : [ { "Ref" : "InstanceSecurityGroup" } ],
        "KeyName" : { "Ref" : "KeyName" },
        "ImageId" : { "Fn::FindInMap" : [ "AWSRegionArch2AMI", { "Ref" : "AWS::Region" }, "HVM64" ] }
      }
    },
    "InstanceSecurityGroup" : {
      "Type" : "AWS::EC2::SecurityGroup",
      "Properties" : {
        "GroupDescription" : "Enable SSH access via port 22",
        "SecurityGroupIngress" : [ {
          "IpProtocol" : "tcp",
          "FromPort" : "22",
          "ToPort" : "22",
          "CidrIp" : { "Ref" : "SSHLocation"}
        } ]
      }
    }
  },
  "Outputs" : {
    "PublicDNSName" : {
      "Description" : "Public DNS name of the new EC2 instance",
      "Value" : { "Fn::GetAtt" : [ "EC2Instance", "PublicDnsName" ] }
    },
    "PublicIPAddress" : {
      "Description" : "Public IP address of the new EC2 instance",
      "Value" : { "Fn::GetAtt" : [ "EC2Instance", "PublicIp" ] }
    }
  }
}
Template Resources
The template declares resources to be created when the product is launched. It consists of the following sections:
• AWSTemplateFormatVersion – The version of the AWS Template Format used to create this template.
• Description – A description of the template.
• Parameters – The parameters that your user must specify to launch the product. For each parameter, the template includes a description and constraints that must be met by the value typed. For more information about constraints, see Using AWS Service Catalog Constraints (p. 51).
The KeyName parameter allows you to specify an Amazon Elastic Compute Cloud (Amazon EC2) key pair name that end users must provide when they use AWS Service Catalog to launch your product.
You will create the key pair in the next step.
• Metadata – An optional section that defines details about the template. The AWS::CloudFormation::Interface key defines how the end user console view displays parameters. The ParameterGroups property defines how parameters are grouped and headings for those groups.
The ParameterLabels property defines friendly parameter names. When a user is specifying parameters to launch a product that is based on this template, the end user console view displays the parameter labeled Server size: under the heading Instance configuration, and it displays the parameters labeled Key pair: and CIDR range: under the heading Security configuration.
• Mappings – A list of AWS Regions and the Amazon Machine Image (AMI) that corresponds to each. AWS Service Catalog uses the mapping to determine which AMI to use based on the AWS Region that the user selects in the AWS Management Console.
• Resources – An EC2 instance running Amazon Linux and a security group that allows SSH access to the instance. The Properties section of the EC2 instance resource uses the information that the user types to configure the instance type and a key name for SSH access.
AWS CloudFormation uses the current AWS Region to select the AMI ID from the mappings defined earlier and assigns a security group to it. The security group is configured to allow inbound access on port 22 from the CIDR IP address range that the user specifies.
• Outputs – Text that tells the user when the product launch is complete. The provided template gets the public DNS name of the launched instance and displays it to the user. The user needs the DNS name to connect to the instance using SSH.
Step 2: Create a Key Pair
To enable your end users to launch the product that is based on the sample template for this tutorial, you must create an Amazon EC2 key pair. A key pair is a combination of a public key that is used to encrypt data and a private key that is used to decrypt data. For more information about key pairs, see Amazon EC2 Key Pairs in the Amazon EC2 User Guide for Linux Instances.
The AWS CloudFormation template for this tutorial, development-environment.template, includes the KeyName parameter:
. . .
"Parameters" : {
  "KeyName": {
    "Description" : "Name of an existing EC2 key pair for SSH access to the EC2 instance.",
    "Type": "AWS::EC2::KeyPair::KeyName"
  },
. . .
End users must specify the name of a key pair when they use AWS Service Catalog to launch the product that is based on the template.
If you already have a key pair in your account that you would prefer to use, you can skip ahead to Step 3: Create an AWS Service Catalog Portfolio (p. 12). Otherwise, complete the following steps.
To create a key pair
1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
2. In the navigation pane, under Network & Security, choose Key Pairs.
3. On the Key Pairs page, choose Create Key Pair.
4. For Key pair name, type a name that is easy for you to remember, and then choose Create.
5. When the console prompts you to save the private key file, save it in a safe place.
Important
This is the only chance for you to save the private key file.
Step 3: Create an AWS Service Catalog Portfolio
To provide users with products, begin by creating a portfolio for those products.
To create a portfolio
1. Open the AWS Service Catalog console at https://console.aws.amazon.com/servicecatalog/.
2. If you are using the AWS Service Catalog administrator console for the first time, choose Launch solutions with the Getting Started library to start the wizard for configuring a portfolio. Otherwise, choose Create portfolio.
3. Type the following values:
• Portfolio name – Engineering Tools
• Description – Sample portfolio that contains a single product.
• Owner – IT ([email protected])
4. Choose Create.
Step 4: Create an AWS Service Catalog Product
After you have created a portfolio, you're ready to add a product. For this tutorial, you will create a product called Linux Desktop, a cloud development environment that runs on Amazon Linux.
To create a product
1. If you've just completed the previous step, the Portfolios page is already displayed. Otherwise, open https://console.aws.amazon.com/servicecatalog/.
2. Choose and open a portfolio. Next choose a product and then choose Upload new product.
3. On the Enter product details page, enter the following and then choose Next:
• Product name – Linux Desktop
• Description – Cloud development environment configured for engineering staff. Runs AWS Linux.
• Owner – IT
• Distributor – (blank)
4. On the Version details page, choose Use a CloudFormation template, choose Specify an Amazon S3 template URL, enter the following, and then choose Next:
• Select template – https://awsdocs.s3.amazonaws.com/servicecatalog/development-environment.template
• Version title – v1.0
• Description – Base Version
5. On the Enter support details page, enter the following and then choose Next:
• Email contact – [email protected]
• Support link – https://wiki.example.com/IT/support
• Support description – Contact the IT department for issues deploying or connecting to this product.
6. On the Review page, choose Create product.
Step 5: Add a Template Constraint to Limit Instance Size
Constraints add another layer of control over products at the portfolio level. Constraints can control the launch context of a product (launch constraints), or add rules to the AWS CloudFormation template (template constraints). For more information, see Using AWS Service Catalog Constraints (p. 51).
Now add a template constraint to the Linux Desktop product that prevents users from selecting large instance types at launch time. The development-environment template allows the user to select from six instance types; this constraint limits valid instance types to the two smallest types, t2.micro and t2.small. For more information, see T2 Instances in the Amazon EC2 User Guide for Linux Instances.
To add a template constraint to the Linux Desktop product
1. On the Portfolio details page, choose Constraints, then choose Create constraint.
2. In the Select product and type window, for Product, choose Linux Desktop. Then, for Constraint type, choose Template.
3. Choose Text editor.
4. Paste the following into the Template constraint text box:
{
  "Rules": {
    "Rule1": {
      "Assertions": [
        {
          "Assert": {"Fn::Contains": [["t2.micro", "t2.small"], {"Ref": "InstanceType"}]},
          "AssertDescription": "Instance type should be t2.micro or t2.small"
        }
      ]
    }
  }
}
5. For Description, enter Small instance sizes.
6. Choose Create.
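To see what the rule above actually enforces, here is an added Python example (not from the AWS documentation) that evaluates a CloudFormation Rules block against a set of launch parameters. The evaluator is an illustration of the rule semantics, not AWS's implementation, and covers only Ref, Fn::Contains, Fn::Equals, Fn::Not, Fn::And and Fn::Or.

```python
"""Evaluate a CloudFormation "Rules" block (the syntax used for AWS Service Catalog
template constraints) against a set of launch parameters.

Added example, not AWS code: the evaluator is an illustration of the rule
semantics and covers only Ref, Fn::Contains, Fn::Equals, Fn::Not, Fn::And
and Fn::Or.
"""
import json

# The template constraint from Step 5, exactly as written on the page.
SMALL_INSTANCE_CONSTRAINT = json.loads("""
{ "Rules": { "Rule1": { "Assertions": [ {
    "Assert" : {"Fn::Contains": [["t2.micro", "t2.small"], {"Ref": "InstanceType"}]},
    "AssertDescription": "Instance type should be t2.micro or t2.small"
} ] } }}
""")


def evaluate(expr, params):
    """Resolve a rule expression to a value, looking up parameters in params."""
    if isinstance(expr, list):
        return [evaluate(item, params) for item in expr]
    if not isinstance(expr, dict):
        return expr  # literal string, number or bool
    if len(expr) != 1:
        raise ValueError(f"malformed rule expression: {expr!r}")
    (fn, args), = expr.items()
    if fn == "Ref":
        if args not in params:
            raise KeyError(f"parameter {args!r} was not supplied at launch")
        return params[args]
    if fn == "Fn::Contains":
        allowed, value = args
        return evaluate(value, params) in evaluate(allowed, params)
    if fn == "Fn::Equals":
        left, right = args
        return evaluate(left, params) == evaluate(right, params)
    if fn == "Fn::Not":
        return not evaluate(args[0], params)
    if fn == "Fn::And":
        return all(evaluate(arg, params) for arg in args)
    if fn == "Fn::Or":
        return any(evaluate(arg, params) for arg in args)
    raise ValueError(f"unsupported rule function: {fn}")


def check_constraint(constraint, params):
    """Return the AssertDescription of every failed assertion.

    An empty list means the parameters satisfy every rule, which is the case in
    which a launch would be allowed to proceed.
    """
    failures = []
    for name, rule in constraint.get("Rules", {}).items():
        # A rule that carries a RuleCondition is only enforced when it holds.
        if "RuleCondition" in rule and not evaluate(rule["RuleCondition"], params):
            continue
        for assertion in rule.get("Assertions", []):
            if not evaluate(assertion["Assert"], params):
                failures.append(assertion.get("AssertDescription", f"{name}: assertion failed"))
    return failures


if __name__ == "__main__":
    for instance_type in ("t2.micro", "t2.small", "m4.large"):
        result = check_constraint(SMALL_INSTANCE_CONSTRAINT, {"InstanceType": instance_type})
        print(instance_type, "->", "OK" if not result else result)
```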
Step 6: Add a Launch Constraint to Assign an IAM Role
A launch constraint designates an IAM role that AWS Service Catalog assumes when an end user launches a product.
For this step, you add a launch constraint to the Linux Desktop product so that AWS Service Catalog can use the AWS resources that are part of the product's AWS CloudFormation template.
The IAM role that you assign to a product as a launch constraint must have permissions to use:
1. AWS CloudFormation
2. Services in the AWS CloudFormation template for the product
3. Read access to the AWS CloudFormation template in Amazon S3
This launch constraint enables the end user to launch the product and, after launch, manage it as a provisioned product. For more information, see AWS Service Catalog Launch Constraints.
Without a launch constraint, you need to grant additional IAM permissions to your end users before they can use the Linux Desktop product. For example, the ServiceCatalogEndUserAccess policy grants the minimum IAM permissions required to access the AWS Service Catalog end user console view.
By using a launch constraint, you can keep your end users' IAM permissions to a minimum, which is an IAM best practice. For more information, see Grant least privilege in the IAM User Guide.
The following procedure creates an IAM policy, attaches it to an IAM role, and adds a launch constraint that designates that role.
To add a launch constraint
1. Open the IAM console at https://console.aws.amazon.com/iam.
2. In the navigation pane, choose Policies, Create policy and do the following:
a. On the Create policy page, choose the JSON tab.
b. Copy this example policy and paste it in the Policy Document to replace the placeholder JSON in the text field:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudformation:CreateStack",
        "cloudformation:DeleteStack",
        "cloudformation:DescribeStackEvents",
        "cloudformation:DescribeStacks",
        "cloudformation:GetTemplateSummary",
        "cloudformation:SetStackPolicy",
        "cloudformation:ValidateTemplate",
        "cloudformation:UpdateStack",
        "ec2:*",
        "s3:GetObject",
        "servicecatalog:*",
        "sns:*"
      ],
      "Resource": "*"
    }
  ]
}
c. Choose Next, Review policy.
d. For Policy Name, type linuxDesktopPolicy.
e. Choose Create policy.
3. In the navigation pane, choose Roles. Then choose Create role and do the following:
a. For Select type of trusted entity, choose AWS service and then choose Service Catalog. Select the Service Catalog use case and then choose Next: Permissions.
b. Search for the linuxDesktopPolicy policy and then select the checkbox.
c. Choose Next: Tags, and then Next: Review.
d. For Role name, type linuxDesktopLaunchRole.
e. Choose Create role.
4. Open the AWS Service Catalog console at https://console.aws.amazon.com/servicecatalog.
5. Choose the Engineering Tools portfolio.
6. On the portfolio details page, choose the Constraints tab, and then choose Create constraint.
7. For Product, choose Linux Desktop, and for Constraint type, choose Launch.
8. Choose Select IAM role. Next choose linuxDesktopLaunchRole, and then choose Create.
Step 7: Grant End Users Access to the Portfolio
Now that you have created a portfolio and added a product, you are ready to grant access to end users.
Prerequisites
If you haven't created an IAM group for the end users, see Grant Permissions to AWS Service Catalog End Users (p. 8).
To provide access to the portfolio
1. On the portfolio details page, choose the Groups, roles, and users tab.
2. Choose Add groups, roles, users.
3. On the Groups tab, select the checkbox for the IAM group for the end users.
4. Choose Add Access.
Step 8: Test the End User Experience
To verify the end user can successfully access the end user console view and launch your product, sign in to AWS as the end user and perform those tasks.
To verify that the end user can access the end user console
1. To sign in as the IAM user, use the account-specific URL. To find this URL, open the IAM console, choose Dashboard in the navigation pane, and choose Copy to clipboard. Paste the link in your browser, and use the name and password of the IAM user.
2. In the menu bar, choose the AWS Region in which you created the Engineering Tools portfolio.
For this tutorial, choose the us-east-1 Region.
3. Choose Service Catalog from the recently used services to see:
• Products – The products that the user can use.
• Provisioned products – The provisioned products that the user has launched.
To verify the end user can launch the Linux Desktop product
Note that for this tutorial, you should choose the us-east-1 Region.
1. In the Products section of the console, choose Linux Desktop.
2. Choose Launch product to start the wizard that configures your product.
3. On the Launch: Linux Desktop page, enter Linux-Desktop for the provisioned product name.
4. On the Parameters page, enter the following and choose Next:
• Server size – Choose t2.micro.
• Key pair – Select the key pair that you created in Step 2: Create a Key Pair (p. 12).
• CIDR range – Enter a valid CIDR range for the IP addresses that are allowed to connect to the instance. You can use the default value (0.0.0.0/0) to allow access from any IP address, your own IP address followed by /32 to restrict access to that address only, or something in between.
5. Choose Launch to launch the stack. The console displays the stack details page for the Linux-Desktop stack. The initial status of the product is Launching. It takes several minutes for AWS Service Catalog to launch the product. To see the current status, refresh your browser. After the product launches, the status is Available.
Getting Started Library
AWS Service Catalog provides a Getting Started Library of well-architected product templates so you can get started quickly. You can copy any of the products in our Getting Started Library portfolios to your own account, then customize them to suit your needs.
Topics
• Prerequisites (p. 17)
• Reference Architectures (p. 17)
• High Reliability Architectures (p. 17)
• Learn More (p. 18)
Prerequisites
Before you use the templates in our Getting Started Library, make sure you have the following:
• The required permissions to use AWS CloudFormation templates. For more information, see Controlling Access with AWS Identity and Access Management.
• The required administrator permissions to manage AWS Service Catalog. For more information, see the section called “Identity and Access Management” (p. 20).
Reference Architectures
Our Reference Architectures portfolio is a general repository available to all AWS Service Catalog administrators. It contains well-architected, best practice templates for common AWS services, including:
• Compute - with Amazon EC2
• Storage - with Amazon S3
• Networking - with Amazon VPC
• Database - with Amazon RDS
To view the Reference Architectures portfolio in the administrator console
1. In the AWS Service Catalog console, choose Portfolios.
2. On the Portfolios page, choose the Getting Started library tab.
3. Choose the Reference Architectures portfolio.
4. You can browse the list of available product templates, copy them to your own portfolio, and customize them.
You can view the repository of AWS Service Catalog Reference Architectures on GitHub here: Sample AWS CloudFormation templates and architecture for AWS Service Catalog.
High Reliability Architectures
Our High Reliability Architectures portfolio is a repository of well-architected, multi-Region blueprints. Each blueprint provides prescriptive implementation guidance for AWS services commonly used to build multi-Region workloads. Examples include patterns for managing infrastructure changes and data storage backup and recovery for user identity, key-value, and object data across multiple Regions.
Learn More
• For more information about the well-architected framework, see AWS Well-Architected.
Security in AWS Service Catalog
Cloud security at AWS is the highest priority. As an AWS customer, you benefit from a data center and network architecture that is built to meet the requirements of the most security-sensitive organizations.
Security is a shared responsibility between AWS and you. The shared responsibility model describes this as security of the cloud and security in the cloud:
• Security of the cloud – AWS is responsible for protecting the infrastructure that runs AWS services in the AWS Cloud. AWS also provides you with services that you can use securely. Third-party auditors regularly test and verify the effectiveness of our security as part of the AWS Compliance Programs. To learn about the compliance programs that apply to AWS Service Catalog, see AWS Services in Scope by Compliance Program.
• Security in the cloud – Your responsibility is determined by the AWS service that you use. You are also responsible for other factors including the sensitivity of your data, your company’s requirements, and applicable laws and regulations.
This documentation helps you understand how to apply the shared responsibility model when using AWS Service Catalog. The following topics show you how to configure AWS Service Catalog to meet your security and compliance objectives. You also will be introduced to other AWS services that help you to monitor and secure your AWS Service Catalog resources.
Topics
• Data Protection in AWS Service Catalog (p. 19)
• Identity and Access Management in AWS Service Catalog (p. 20)
• Logging and Monitoring in AWS Service Catalog (p. 31)
• Compliance Validation for AWS Service Catalog (p. 31)
• Resilience in AWS Service Catalog (p. 31)
• Infrastructure Security in AWS Service Catalog (p. 32)
• Security Best Practices for AWS Service Catalog (p. 32)
Data Protection in AWS Service Catalog
The AWS shared responsibility model applies to data protection in AWS Service Catalog. As described in this model, AWS is responsible for protecting the global infrastructure that runs all of the AWS Cloud.
You are responsible for maintaining control over your content that is hosted on this infrastructure. This content includes the security configuration and management tasks for the AWS services that you use. For more information about data privacy, see the Data Privacy FAQ. For information about data protection in Europe, see the AWS Shared Responsibility Model and GDPR blog post on the AWS Security Blog.
For data protection purposes, we recommend that you protect AWS account credentials and set up individual user accounts with AWS Identity and Access Management (IAM). That way each user is given only the permissions necessary to fulfill their job duties. We also recommend that you secure your data in the following ways:
• Use multi-factor authentication (MFA) with each account.
• Use SSL/TLS to communicate with AWS resources. We recommend TLS 1.2 or later.
• Set up API and user activity logging with AWS CloudTrail.
• Use AWS encryption solutions, along with all default security controls within AWS services.
• Use advanced managed security services such as Amazon Macie, which assists in discovering and securing personal data that is stored in Amazon S3.
• If you require FIPS 140-2 validated cryptographic modules when accessing AWS through a command line interface or an API, use a FIPS endpoint. For more information about the available FIPS endpoints, see Federal Information Processing Standard (FIPS) 140-2.
We strongly recommend that you never put sensitive identifying information, such as your customers' account numbers, into free-form fields such as a Name field. This includes when you work with AWS Service Catalog or other AWS services using the console, API, AWS CLI, or AWS SDKs. Any data that you enter into AWS Service Catalog or other services might get picked up for inclusion in diagnostic logs. When you provide a URL to an external server, don't include credentials information in the URL to validate your request to that server.
Protecting Data with Encryption
Encryption at rest
AWS Service Catalog uses Amazon S3 buckets and Amazon DynamoDB databases that are encrypted at rest using Amazon-managed keys. To learn more, refer to information about encryption at rest provided by Amazon S3 and Amazon DynamoDB.
Encryption in transit
AWS Service Catalog uses Transport Layer Security (TLS) and client-side encryption of information in transit between the caller and AWS.
You can privately access AWS Service Catalog APIs from your Amazon Virtual Private Cloud (Amazon VPC) by creating VPC endpoints. With VPC endpoints, the routing between the VPC and AWS Service Catalog is handled by the AWS network without the need for an internet gateway, NAT gateway, or VPN connection.
The latest generation of VPC endpoints used by AWS Service Catalog is powered by Amazon PrivateLink, an AWS technology enabling the private connectivity between AWS services using Elastic Network Interfaces with private IPs in your VPCs.
Identity and Access Management in AWS Service Catalog
Access to AWS Service Catalog requires credentials. Those credentials must have permission to access AWS resources, such as an AWS Service Catalog portfolio or product. AWS Service Catalog integrates with AWS Identity and Access Management (IAM) to enable you to grant AWS Service Catalog administrators the permissions they need to create and manage products, and to grant AWS Service Catalog end users the permissions they need to launch products and manage provisioned products.
These policies are either created and managed by AWS or individually by administrators and end users.
To control access, you attach these policies to the IAM users, groups, and roles that you use with AWS Service Catalog.
Topics
• Audience (p. 21)
• Predefined AWS Managed Policies (p. 21)
• Identity-based policy examples for AWS Service Catalog (p. 22)
• Troubleshooting AWS Service Catalog identity and access (p. 26)
• Controlling Access (p. 28)
• Using Service-Linked Roles for AWS Service Catalog AppRegistry (p. 28)
Audience
The permissions you have with AWS Identity and Access Management (IAM) may depend on the role you play in AWS Service Catalog.
Administrator - As an AWS Service Catalog administrator, you need full access to the administrator console and IAM permissions that allow you to perform tasks such as creating and managing portfolios and products, managing constraints, and granting access to end users.
End user - Before your end users can use your products, you need to grant them permissions that give them access to the AWS Service Catalog end user console. They can also have permissions to launch products and manage provisioned products.
IAM administrator - If you're an IAM administrator, you might want to learn details about how you can write policies to manage access to AWS Service Catalog. To view example AWS Service Catalog identity-based policies that you can use in IAM, see the section called “Predefined AWS Managed Policies” (p. 21).
Predefined AWS Managed Policies
The managed policies created by AWS grant the required permissions for common use cases. You can attach these policies to your IAM users and roles. For more information, see AWS Managed Policies in the IAM User Guide.
The following are the AWS managed policies for AWS Service Catalog.
Administrators
• AWSServiceCatalogAdminFullAccess — Grants full access to the administrator console view and permission to create and manage products and portfolios.
• AWSServiceCatalogAdminReadOnlyAccess — Grants full access to the administrator console view. Does not grant access to create or manage products and portfolios.
End users
• AWSServiceCatalogEndUserFullAccess — Grants full access to the end user console view. Grants permission to launch products and manage provisioned products.
• AWSServiceCatalogEndUserReadOnlyAccess — Grants read-only access to the end user console view. Does not grant permission to launch products or manage provisioned products.
To attach a policy to an IAM user
1. Open the IAM console at https://console.aws.amazon.com/iam/.
2. In the navigation pane, choose Users.
3. Choose the name (not the check box) of the IAM user.
4. On the Permissions tab, choose Add permissions.
5. On the Add permissions page, choose Attach existing policies directly.
6. Select the check box next to the managed policy for AWS Service Catalog, and then choose Next:
Review.
7. On the Permissions summary page, choose Add permissions.
8. (Optional) You must grant administrators additional permissions for Amazon S3 if they need to use a private CloudFormation template. For more information, see User Policy Examples in the Amazon Simple Storage Service User Guide.
Deprecated policies
The following managed policies are deprecated:
• ServiceCatalogAdminFullAccess — Use AWSServiceCatalogAdminFullAccess instead.
• ServiceCatalogAdminReadOnlyAccess — Use AWSServiceCatalogAdminReadOnlyAccess instead.
• ServiceCatalogEndUserFullAccess — Use AWSServiceCatalogEndUserFullAccess instead.
• ServiceCatalogEndUserAccess — Use AWSServiceCatalogEndUserReadOnlyAccess instead.
Use the following procedure to ensure that your administrators and end users are granted permissions using the current policies.
To migrate from the deprecated policies to the current policies
1. Open the IAM console at https://console.aws.amazon.com/iam/.
2. In the navigation pane, choose Policies.
3. In the search field, type ServiceCatalog to filter the policy list. Choose the name (not the check box) for ServiceCatalogAdminFullAccess.
4. For each attached entity (user, group, or role), do the following:
a. Open the summary page for the entity.
b. Add one of the current policies described in the procedure To attach a policy to an IAM user (p. 21).
c. On the Permissions tab, next to ServiceCatalogAdminFullAccess, choose Detach Policy. When prompted for confirmation, choose Detach.
5. Repeat the process for ServiceCatalogEndUserFullAccess.
Identity-based policy examples for AWS Service Catalog
Topics
• Console access for end users (p. 22)
• Product access for end users (p. 23)
• Example policies for managing provisioned products (p. 23)
Console access for end users
The AWSServiceCatalogEndUserFullAccess and AWSServiceCatalogEndUserReadOnlyAccess policies grant access to the AWS Service Catalog end user console view. When a user who has either of these policies chooses AWS Service Catalog in the AWS Management Console, the end user console view displays the products they have permission to launch.
Before end users can successfully launch a product from AWS Service Catalog to which you give access, you must provide them additional IAM permissions to allow them to use each of the underlying AWS resources in a product's AWS CloudFormation template. For example, if a product template includes Amazon Relational Database Service (Amazon RDS), you must grant the users Amazon RDS permissions to launch the product.
To learn about how to enable end users to launch products while enforcing least-access permissions to AWS resources, see the section called “Using Constraints” (p. 51).
If you apply the AWSServiceCatalogEndUserReadOnlyAccess policy, your users have access to the end user console, but they won't have the permissions that they need to launch products and manage provisioned products. You can grant these permissions directly to an end user using IAM, but if you want to limit the access that end users have to AWS resources, you should attach the policy to a launch role.
You then use AWS Service Catalog to apply the launch role to a launch constraint for the product. For more information about applying a launch role, launch role limitations, and a sample launch role, see AWS Service Catalog Launch Constraints (p. 51).
Note
If you grant users IAM permissions for AWS Service Catalog administrators, the administrator console view displays instead. Don't grant end users these permissions unless you want them to have access to the administrator console view.
Product access for end users
Before end users can use a product to which you give access, you must provide them additional IAM permissions to allow them to use each of the underlying AWS resources in a product's AWS CloudFormation template. For example, if a product template includes Amazon Relational Database Service (Amazon RDS), you must grant the users Amazon RDS permissions to launch the product.
If you apply the ServiceCatalogEndUserAccess policy, your users have access to the end user console view, but they won't have the permissions that they need to launch products and manage provisioned products. You can grant these permissions directly to an end user in IAM, but if you want to limit the access that end users have to AWS resources, you should attach the policy to a launch role. You then use AWS Service Catalog to apply the launch role to a launch constraint for the product. For more information about applying a launch role, launch role limitations, and a sample launch role, see AWS Service Catalog Launch Constraints (p. 51).
Example policies for managing provisioned products
You can create custom policies to help meet the security requirements of your organization. The following examples describe how to customize the access level for each action with support for user, role, and account levels. You can grant users access to view, update, terminate, and manage provisioned products created only by that user or created by others also under their role or the account to which they are logged in. This access is hierarchical — granting account level access also grants role level access and user level access, while adding role level access also grants user level access but not account level access.
You can specify these in the policy JSON using a Condition block as accountLevel, roleLevel, or userLevel.
These examples also apply to access levels for the AWS Service Catalog API write operations UpdateProvisionedProduct and TerminateProvisionedProduct, and the read operations DescribeRecord, ScanProvisionedProducts, and ListRecordHistory. The ScanProvisionedProducts and ListRecordHistory API operations use AccessLevelFilterKey as input, and that key's values correspond to the Condition block levels discussed here (accountLevel is equivalent to an AccessLevelFilterKey value of "Account", roleLevel to "Role", and userLevel to "User"). For more information, see the AWS Service Catalog Developer Guide.
Examples
• Example: Full admin access to provisioned products (p. 24)
• Example: End-user access to provisioned products (p. 24)
• Example: Partial admin access to provisioned products (p. 25)
Example: Full admin access to provisioned products
The following policy allows full read and write access to provisioned products and records within the catalog at the account level.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "servicecatalog:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "servicecatalog:accountLevel": "self"
        }
      }
    }
  ]
}
This policy is functionally equivalent to the following policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "servicecatalog:*"
      ],
      "Resource": "*"
    }
  ]
}
In other words, not specifying a Condition block in any policy for AWS Service Catalog is treated as the same as specifying "servicecatalog:accountLevel" access. Note that accountLevel access includes roleLevel and userLevel access.
Example: End-user access to provisioned products
The following policy restricts access to read and write operations to only the provisioned products or associated records that the current user created.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "servicecatalog:DescribeProduct",
        "servicecatalog:DescribeProductView",
        "servicecatalog:DescribeProvisioningParameters",
        "servicecatalog:DescribeRecord",
        "servicecatalog:ListLaunchPaths",
        "servicecatalog:ListRecordHistory",
        "servicecatalog:ProvisionProduct",
        "servicecatalog:ScanProvisionedProducts",
        "servicecatalog:SearchProducts",
        "servicecatalog:TerminateProvisionedProduct",
        "servicecatalog:UpdateProvisionedProduct"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "servicecatalog:userLevel": "self"
        }
      }
    }
  ]
}
Example: Partial admin access to provisioned products
The two policies below, if both applied to the same user, allow what might be called a type of "partial admin access" by providing full read-only access and limited write access. This means the user can see any provisioned product or associated record within the catalog's account but cannot perform any actions on any provisioned products or records that aren't owned by that user.
The first policy allows the user access to write operations on the provisioned products that the current user created, but no provisioned products created by others. The second policy adds full access to read operations on provisioned products created by all (user, role, or account).
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "servicecatalog:DescribeProduct",
        "servicecatalog:DescribeProductView",
        "servicecatalog:DescribeProvisioningParameters",
        "servicecatalog:ListLaunchPaths",
        "servicecatalog:ProvisionProduct",
        "servicecatalog:SearchProducts",
        "servicecatalog:TerminateProvisionedProduct",
        "servicecatalog:UpdateProvisionedProduct"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "servicecatalog:userLevel": "self"
        }
      }
    }
  ]
}
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "servicecatalog:DescribeRecord",
        "servicecatalog:ListRecordHistory",
        "servicecatalog:ScanProvisionedProducts"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "servicecatalog:accountLevel": "self"
        }
      }
    }
  ]
}
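To make the access-level hierarchy concrete, here is an added Python model (not AWS code, and not how IAM actually evaluates policies) that applies the accountLevel/roleLevel/userLevel scoping described above to the two partial-admin policies. The identities and account numbers are constructed placeholders.

```python
"""Model of the accountLevel / roleLevel / userLevel hierarchy behind the policy
examples above. Added example, not AWS code and not IAM's real policy engine: it
models only what the page states (a servicecatalog:userLevel, roleLevel or
accountLevel Condition scopes a statement to provisioned products created by the
same user, role or account; account implies role implies user; no Condition
means accountLevel)."""
from dataclasses import dataclass
import fnmatch


@dataclass(frozen=True)
class Identity:
    account: str  # caller of an API call, or creator of a provisioned product
    role: str
    user: str


# Identity attributes that must match between caller and creator at each level;
# the nesting makes the hierarchy explicit (userLevel is the narrowest scope).
LEVEL_SCOPE = {
    "accountLevel": ("account",),
    "roleLevel": ("account", "role"),
    "userLevel": ("account", "role", "user"),
}


def statement_level(statement):
    """Read the access level from a statement's Condition block; a statement
    with no Condition is treated as "servicecatalog:accountLevel": "self"."""
    conditions = statement.get("Condition", {}).get("StringEquals", {})
    for key, value in conditions.items():
        prefix, _, level = key.partition(":")
        if prefix == "servicecatalog" and level in LEVEL_SCOPE:
            if value != "self":
                raise ValueError(f"unsupported value {value!r} for {key}")
            return level
    return "accountLevel"


def in_scope(level, caller, creator):
    """True when the creator of the target lies within the caller's scope."""
    return all(getattr(caller, a) == getattr(creator, a) for a in LEVEL_SCOPE[level])


def is_allowed(policies, action, caller, creator):
    """Allow `action` on a provisioned product or record created by `creator` if
    any Allow statement names the action (wildcards supported) and the
    statement's level covers the creator. Deny statements are not modelled."""
    for policy in policies:
        for statement in policy["Statement"]:
            if statement.get("Effect") != "Allow":
                continue
            actions = statement["Action"]
            if isinstance(actions, str):
                actions = [actions]
            if not any(fnmatch.fnmatchcase(action, p) for p in actions):
                continue
            if in_scope(statement_level(statement), caller, creator):
                return True
    return False


# The two "partial admin" policies from the page: user-scoped writes plus
# account-scoped reads.
PARTIAL_ADMIN_WRITE = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "servicecatalog:DescribeProduct", "servicecatalog:DescribeProductView",
            "servicecatalog:DescribeProvisioningParameters", "servicecatalog:ListLaunchPaths",
            "servicecatalog:ProvisionProduct", "servicecatalog:SearchProducts",
            "servicecatalog:TerminateProvisionedProduct", "servicecatalog:UpdateProvisionedProduct",
        ],
        "Resource": "*",
        "Condition": {"StringEquals": {"servicecatalog:userLevel": "self"}},
    }],
}
PARTIAL_ADMIN_READ = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["servicecatalog:DescribeRecord", "servicecatalog:ListRecordHistory",
                   "servicecatalog:ScanProvisionedProducts"],
        "Resource": "*",
        "Condition": {"StringEquals": {"servicecatalog:accountLevel": "self"}},
    }],
}
PARTIAL_ADMIN = [PARTIAL_ADMIN_WRITE, PARTIAL_ADMIN_READ]

# Constructed identities: two engineers sharing an account and role, plus one
# in a different account. Account numbers are placeholders.
ALICE = Identity("123456789012", "Engineers", "alice")
BOB = Identity("123456789012", "Engineers", "bob")
CAROL = Identity("210987654321", "Engineers", "carol")


def partial_admin_summary():
    """Show the asymmetry the page describes: Alice can read Bob's records but
    cannot terminate Bob's provisioned product, only her own."""
    return {
        "read_others": is_allowed(PARTIAL_ADMIN, "servicecatalog:DescribeRecord", ALICE, BOB),
        "write_others": is_allowed(PARTIAL_ADMIN, "servicecatalog:TerminateProvisionedProduct", ALICE, BOB),
        "write_own": is_allowed(PARTIAL_ADMIN, "servicecatalog:TerminateProvisionedProduct", ALICE, ALICE),
    }
```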
Troubleshooting AWS Service Catalog identity and access
Use the following information to help you diagnose and fix common issues you might encounter when working with AWS Service Catalog and AWS Identity and Access Management.
Topics
• I am not authorized to perform an action in AWS Service Catalog (p. 26)
• I am not authorized to perform iam:PassRole (p. 26)
• I want to view my access keys (p. 27)
• I'm an administrator and want to allow others to access AWS Service Catalog (p. 27)
• I want to allow people outside of my AWS account to access my AWS Service Catalog resources (p. 27)
I am not authorized to perform an action in AWS Service Catalog
If the AWS Management Console tells you that you're not authorized to perform an action, then you must contact your administrator for assistance. Your administrator is the person that provided you with your user name and password. The following example error occurs when the mateojackson IAM user tries to use the console to view details about a fictional my-example-widget resource but does not have the fictional awes:GetWidget permissions.
User: arn:aws:iam::123456789012:user/mateojackson is not authorized to perform:
awes:GetWidget on resource: my-example-widget
In this case, Mateo asks his administrator to update his policies to allow him to access the my-example-widget resource using the awes:GetWidget action.
I am not authorized to perform iam:PassRole
If you receive an error that you're not authorized to perform the iam:PassRole action, then you must contact your administrator for assistance. Your administrator is the person that provided you with your user name and password. Ask that person to update your policies to allow you to pass a role to AWS Service Catalog.
Some AWS services allow you to pass an existing role to that service, instead of creating a new service role or service-linked role. To do this, you must have permissions to pass the role to the service.
The following example error occurs when an IAM user named marymajor tries to use the console to perform an action in AWS Service Catalog. However, the action requires the service to have permissions granted by a service role. Mary does not have permissions to pass the role to the service.