AWS Service Catalog | IT Administrator Flashcards
Can I privately access AWS Service Catalog APIs from my Amazon Virtual Private Cloud (VPC) without using public IPs?
IT Administrator
AWS Service Catalog | Management Tools
Yes, you can privately access AWS Service Catalog APIs from your Amazon Virtual Private Cloud (VPC) by creating VPC Endpoints. With VPC Endpoints, the routing between the VPC and AWS Service Catalog is handled by the AWS network without the need for an Internet gateway, NAT gateway, or VPN connection. The latest generation of VPC Endpoints used by AWS Service Catalog is powered by AWS PrivateLink, an AWS technology that enables private connectivity between AWS services using Elastic Network Interfaces (ENIs) with private IPs in your VPCs. To learn more about AWS PrivateLink, visit the AWS PrivateLink documentation.
How do I create a portfolio?
You create portfolios in the AWS Service Catalog console. For each portfolio, you specify a name, a description, and an owner.
How do I create a product?
To create a product, you first create an AWS CloudFormation template by using an existing AWS CloudFormation template or creating a custom template. Next, you use the AWS Service Catalog console to upload the template and create the product. When creating products, you can provide additional information for the product listing, including a detailed product description, version information, support information, and tags.
Why would I use tags with a portfolio?
Tags are useful for identifying and categorizing AWS resources that are provisioned by end users. You can also use tags in AWS Identity and Access Management (IAM) policies to allow or deny access to IAM users, groups, and roles or to restrict operations that can be performed by IAM users, groups, and roles. When you add tags to your portfolio, the tags are applied to all instances of resources provisioned from products in the portfolio.
How do I make a portfolio available to my users?
You publish portfolios that you’ve created or that have been shared with you to make them available to IAM users in the AWS account. To publish a portfolio, you add IAM users, groups, or roles to the portfolio from the AWS Service Catalog console by navigating to the portfolio details page. When you add users to a portfolio, they can browse and launch any of the products in the portfolio. Typically, you create multiple portfolios with different products and access permissions customized for specific types of end users. For example, a portfolio for a development team will likely contain different products from a portfolio targeted at the sales and marketing team. A single product can be published to multiple portfolios with different access permissions and provisioning policies.
Can I share my portfolio with other AWS accounts?
Yes. You can share your portfolios with users in one or more other AWS accounts. When you share your portfolio with other AWS accounts, you retain ownership and control of the portfolio. Only you can make changes, such as adding new products or updating products. You, and only you, can also “unshare” your portfolio at any time. Any products, or stacks, currently in use will continue to run until the stack owner decides to terminate them.
To share your portfolio, you specify the account ID you want to share with, and then send the Amazon Resource Name (ARN) of the portfolio to that account. The owner of that account can create a link to this shared portfolio, and then assign IAM users from that account to the portfolio. To help end users with discovery, you can curate a directory of portfolios.
Can I customize the experience for end users when they use a product?
Yes. You can tailor a product’s user experience for specific end users. The AWS CloudFormation template contains input parameters that drive the user experience. You can define business-level input parameters (such as “How many users do you need to support?” or “Are you going to store PII data?”) or infrastructure-level input parameters (such as “Which Amazon EC2 instance type?”) depending on the user. When the AWS CloudFormation template is deployed, the user is asked these questions and can select from a constrained list of answers for each question. Depending on the answers, the template may be deployed using different Amazon Elastic Compute Cloud (EC2) instances and different AWS resources.
Can I create a product from an existing Amazon EC2 AMI?
Yes. You can use an existing Amazon EC2 AMI to create a product by wrapping it in an AWS CloudFormation template.
Can I use products from the AWS Marketplace?
Yes. You can subscribe to a product in the AWS Marketplace and use the "Copy to Service Catalog" action to copy your Marketplace product directly to Service Catalog. You can also use the Amazon EC2 AMI for the product to create an AWS Service Catalog product. To do that, you wrap the subscribed product in an AWS CloudFormation template.
How do I control access to portfolios and products?
To control access to portfolios and products, you assign IAM users, groups, or roles on the Portfolio details page. Providing access allows users to see the products that are available to them in the AWS Service Catalog console.
Can I provide a new version of a product?
Yes. You can create new product versions in the same way you create new products. When a new version of a product is published to a portfolio, end users can choose to launch the new version. They can also choose to update their running stacks to this new version. AWS Service Catalog does not automatically update products that are in use when an update becomes available.
Can I provide a product and retain full control over the associated AWS resources?
Yes. You have full control over the AWS accounts and roles used to provision products. To provision AWS resources, you can use either the user’s IAM access permissions or your pre-defined IAM role. To retain full control over the AWS resources, you specify an IAM role at the product level. AWS Service Catalog uses that role to provision the resources in the stack.
Can I restrict the AWS resources that users can provision?
Yes. You can define rules that limit the parameter values that a user enters when launching a product. These rules are called template constraints because they constrain how the AWS CloudFormation template for the product is deployed. You use a simple editor to create template constraints, and you apply them to individual products.
AWS Service Catalog applies constraints when provisioning a new product or updating a product that is already in use. It always applies the most restrictive constraint among all constraints applied to the portfolio and the product. For example, consider a scenario where the product allows all EC2 instances to be launched and the portfolio has two constraints: one that allows all non-GPU type EC2 instances to be launched and one that allows only t1.micro and m1.small EC2 instances to be launched. For this example, AWS Service Catalog applies the second, more restrictive constraint (t1.micro and m1.small).