Management Tools | AWS Service Catalog Flashcards
What is AWS Service Catalog?
General
AWS Service Catalog | Management Tools
AWS Service Catalog allows IT administrators to create, manage, and distribute catalogs of approved products to end users, who can then access the products they need in a personalized portal. Administrators can control which users have access to each product to enforce compliance with organizational business policies. Administrators can also set up adopted roles so that end users only require IAM access to AWS Service Catalog in order to deploy approved resources. AWS Service Catalog allows your organization to benefit from increased agility and reduced costs because end users can find and launch only the products they need from a catalog that you control.
Who should use AWS Service Catalog?
General
AWS Service Catalog | Management Tools
AWS Service Catalog was developed for organizations, IT teams, and managed service providers (MSPs) that need to centralize policies. It allows IT administrators to vend and manage AWS resources and services. For large organizations, it provides a standard method of provisioning cloud resources for thousands of users. It is also suitable for small teams, where front-line development managers can provide and maintain a standard dev/test environment.
How do I get started with AWS Service Catalog?
General
AWS Service Catalog | Management Tools
In the AWS Management Console, choose AWS Service Catalog in Management Tools. In the AWS Service Catalog console, administrators can create portfolios, add products, and grant users permissions to use them with just a few clicks. End users logged into the AWS Service Catalog console can see and launch the products that administrators have created for them.
What can end users do with AWS Service Catalog that they could not do before?
General
AWS Service Catalog | Management Tools
End users have a simple portal in which to discover and launch products that comply with organizational policies and budget constraints.
What is a portfolio?
General
AWS Service Catalog | Management Tools
A portfolio is a collection of products, with configuration information that determines who can use those products and how they can use them. Administrators can create a customized portfolio for each type of user in an organization and selectively grant access to the appropriate portfolio. When an administrator adds a new version of a product to a portfolio, that version is automatically available to all current portfolio users. The same product can be included in multiple portfolios. Administrators also can share portfolios with other AWS accounts and allow the administrators of those accounts to extend the portfolios by applying additional constraints. By using portfolios, permissions, sharing, and constraints, administrators can ensure that users are launching products that are configured properly for the organization’s needs.
What is a product?
General
AWS Service Catalog | Management Tools
A product is a service or application for end users. A catalog is a collection of products that the administrator creates, adds to portfolios, and provides updates for using AWS Service Catalog. A product can comprise one or more AWS resources, such as Amazon Elastic Compute Cloud (Amazon EC2) instances, storage volumes, databases, monitoring configurations, and networking components. It can be a single compute instance running AWS Linux, a fully configured multitier web application running in its own environment, or anything in between.
Administrators distribute products to end users in portfolios. Administrators create catalogs of products by importing AWS CloudFormation templates. These templates define the AWS resources that the product needs to work, the relationships between components, and the parameters that the end user chooses when launching the product to configure security groups, create key pairs, and perform other customizations.
An end user with access to a portfolio can use the AWS Management Console to find a standard dev/test environment product, for example, in the form of an AWS CloudFormation template, then manage the resulting resources using the AWS CloudFormation console. For information about creating a product, see “How do I create a product?” in the Administrator FAQ.
Is AWS Service Catalog a regionalized service?
General
AWS Service Catalog | Management Tools
Yes. AWS Service Catalog is fully regionalized, so you can control the Regions in which data is stored. Portfolios and products are regional constructs that must be created per Region and are only visible and usable in the Regions in which they were created.
In which Regions is AWS Service Catalog available?
General
AWS Service Catalog | Management Tools
For a full list of supported AWS Regions, see the AWS Region Table.
Are APIs available? Can I use the CLI to access AWS Service Catalog?
General
AWS Service Catalog | Management Tools
Yes, APIs are available and enabled through the CLI. Actions ranging from the management of Service Catalog artifacts through to provisioning and terminating are available. You can find more information in the AWS Service Catalog documentation or download the latest AWS SDK or CLI.
Can I privately access AWS Service Catalog APIs from my Amazon Virtual Private Cloud (VPC) without using public IPs?
IT Administrator
AWS Service Catalog | Management Tools
Yes, you can privately access AWS Service Catalog APIs from your Amazon Virtual Private Cloud (VPC) by creating VPC Endpoints. With VPC Endpoints, the routing between the VPC and AWS Service Catalog is handled by the AWS network without the need for an Internet gateway, NAT gateway, or VPN connection. The latest generation of VPC Endpoints used by AWS Service Catalog is powered by AWS PrivateLink, an AWS technology enabling private connectivity between AWS services using Elastic Network Interfaces (ENI) with private IPs in your VPCs. To learn more about AWS PrivateLink, visit the AWS PrivateLink documentation.
How do I create a portfolio?
IT Administrator
AWS Service Catalog | Management Tools
You create portfolios in the AWS Service Catalog console. For each portfolio, you specify the name, a description, and owner.
How do I create a product?
IT Administrator
AWS Service Catalog | Management Tools
To create a product, you first create an AWS CloudFormation template by using an existing AWS CloudFormation template or creating a custom template. Next, you use the AWS Service Catalog console to upload the template and create the product. When creating products, you can provide additional information for the product listing, including a detailed product description, version information, support information, and tags.
Why would I use tags with a portfolio?
IT Administrator
AWS Service Catalog | Management Tools
Tags are useful for identifying and categorizing AWS resources that are provisioned by end users. You can also use tags in AWS Identity and Access Management (IAM) policies to allow or deny access to IAM users, groups, and roles or to restrict operations that can be performed by IAM users, groups, and roles. When you add tags to your portfolio, the tags are applied to all instances of resources provisioned from products in the portfolio.
How do I make a portfolio available to my users?
IT Administrator
AWS Service Catalog | Management Tools
You publish portfolios that you’ve created or that have been shared with you to make them available to IAM users in the AWS account. To publish a portfolio, you add IAM users, groups, or roles to the portfolio from the AWS Service Catalog console by navigating to the portfolio details page. When you add users to a portfolio, they can browse and launch any of the products in the portfolio. Typically, you create multiple portfolios with different products and access permissions customized for specific types of end users. For example, a portfolio for a development team will likely contain different products from a portfolio targeted at the sales and marketing team. A single product can be published to multiple portfolios with different access permissions and provisioning policies.
Can I share my portfolio with other AWS accounts?
IT Administrator
AWS Service Catalog | Management Tools
Yes. You can share your portfolios with users in one or more other AWS accounts. When you share your portfolio with other AWS accounts, you retain ownership and control of the portfolio. Only you can make changes, such as adding new products or updating products. You, and only you, can also “unshare” your portfolio at any time. Any products, or stacks, currently in use will continue to run until the stack owner decides to terminate them.
To share your portfolio, you specify the account ID you want to share with, and then send the Amazon Resource Name (ARN) of the portfolio to that account. The owner of that account can create a link to this shared portfolio, and then assign IAM users from that account to the portfolio. To help end users with discovery, you can curate a directory of portfolios.