AWS account Governance through Service Catalog

alt AWS Service Catalog allows organizations to create and manage catalogs of IT services. It enables users to quickly deploy the approved IT services they need in a self-service manner. Organizations Developers Control Standardization Governance Agility Self-service Time to market.

  • The product is described through a cloudformation template and multiple versioned products can be controlled through a portfolio.
  • The permission access to a product by an individual , group, user or department can be controlled.
  • The use of AWS Resources can be controlled by specifying constraints on the product.

So, here’s a blog summing up the use of AWS Service Catalog. In this blog, we have shown how end users can launch an EC2 and a RDS instance through a catalog product with limited permissions. The end users will be given only access to the catalog product and the options to launch the instance are controlled by applying product constraints. This post consists the following sections:

  • Prerequisites: The resources which should be available before getting started with service catalog.
  • Creating a Porfolio: Steps to create a catalog profolio to maintain the versioned products.
  • Creating a product for EC2 Instance: Product through which an EC2 instance can be launched.
  • Launch the EC2 product: Steps to launch an EC2 Instance
  • Creating a product for RDS Instance: Product through which a DB instance can be launched.
  • Launch the DB product: Steps to launch a DB Instance

Prerequisites

  • CloudFormation Templates to launch an EC2 Instance and a RDS Instance

Refer to this link for both of the templates (launch-ec2.json and launch-rds.json) → https://github.com/powerupcloud/CloudFormation_Templates.git

  • Service Catalog IAM Role which will have the sufficient permissions to launch the Instances with a cloudformation stack.

Create an IAM Role.

Select AWS Service Catalog Role type.

Create Role. Assign the following inline policy.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Stmt1480326795000",
                "Effect": "Allow",
                "Action": [
                    "ec2:*",
                    "cloudformation:*",
                    "s3:*",
                    "rds:*"
                ],
                "Resource": [
                    "*"
                ]
            }
        ]
    }
  • IAM Role which will have service catalog access only by which they will be able to launch the instances.

Create Role.

Select Role for Cross Account Access. Provide Access between account you own. Give the Account ID.

Assign the following policy:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ec2:Describe*",
                    "rds:DescribeDBInstances",
                    "servicecatalog:Describe*",
                    "servicecatalog:ListLaunchPaths",
                    "servicecatalog:ListProvisioningArtifacts",
                    "servicecatalog:ListRecordHistory",
                    "servicecatalog:ProvisionProduct",
                    "servicecatalog:ScanProvisionedProducts",
                    "servicecatalog:DeleteProvisioningArtifact",
                    "servicecatalog:SearchProducts",
                    "servicecatalog:TerminateProvisionedProduct",
                    "servicecatalog:UpdateProvisionedProduct"
                ],
                "Resource": "*"
            }
        ]
    }

Once the Role is created, you will be able to switch role and access the resources for which you have given access.

Creating Service Catalog Portfolio

Go to AWS Service Catalog Console.

Create a Portfolio. Give a name and description to your portfolio and provide an Owner name.

Create it and your portfolio will be available in the portfolio list.

Creating a Product for EC2 Instance

Click on the created portfolio i.e. LaunchInstances.

Upload a new product. We are creating a new product by which end users can launch an EC2 instance with the limited options available to them.

Click Next. You can add support details on the next screen.

Click Next. Upload the cloudformation template. Provide a version label and description.

Next. Review and Create.

Once created, the product will be available under the Products tab.

To limit the options for the end user, we need to apply the constraints on the product. Click on Add Constraint. Select the product and select “Template” Constraint Type.

Continue and add the following JSON in the template constraint.

    {
      "Rules": {
        "Rule1": {
          "Assertions": [
            {
              "Assert": {
                "Fn::Contains": [
                  [
                    "subnet-xxxxxxx"
                  ],
                  {
                    "Ref": "SubnetID"
                  }
                ]
              },
              "AssertDescription": "Instance should launch in default subnet"
            },
            {
              "Assert": {
                "Fn::Contains": [
                  [
                    "sg-xxxxxxxx"
                  ],
                  {
                    "Ref": "SecurityGroupID"
                  }
                ]
              },
              "AssertDescription": "Instance should launch with default security group"
            },
            {
              "Assert": {
                "Fn::Contains": [
                  [
                    "t2.micro"
                  ],
                  {
                    "Ref": "EC2InstanceType"
                  }
                ]
              },
              "AssertDescription": "Instance type should be t2.micro"
            }
          ]
        }
      }
    }

So, with the constraint, we are limiting the end user to launch the EC2 instance in the default subnet with a default security group. Also, the end user will be able to launch only t2.micro instance. The subnet id and security group id can be changed in the JSON as required.
Add another constraint to add the service catalog role which will have sufficient permissions to launch the instances. Add the Launch Constraint.

Select the Role.

Submit. The constraints will be available under the Constraints tab.

The product should have permission to the IAM role by which the end users will be able to launch the product. Add Role.

Select the role and Add access.

You can add the users, groups and other roles to provide the access to them.
You can also share the portfolio with other account just by providing the account id in the next tab “Share with other AWS accounts”.

Launch the EC2 Product

Switch to the role to which you have given access.

Go to the Service Catalog Console.

Select the product to launch and Launch it.

Give a name for the provisioned product. Select version to launch. While launching, the options available will be the only ones as applied through the constraint.

Click Next after providing all the inputs.

Click Next. Review and Launch the product.

You can see the status of the provisioning product on the next screen.

Switch to the product lists or provisioned product lists using the dropdown of Service Catalog.

Once the provisioned product is available, you can switch to the EC2 Console and check the instance provisioned.

Creating a Product for RDS Instance

Upload a new Product in the same portfolio.

Upload the CloudFormation Template.

Review and Create the product.

Add Constraint for the RDS Product. Select the product and add the “Template” Constraint.

Add the following JSON in template constraint:

    {
      "Rules": {
        "Rule1": {
          "Assertions": [
            {
              "Assert": {
                "Fn::Contains": [
                  [
                    "subnet-xxxxxx"
                  ],
                  {
                    "Ref": "SubnetA"
                  }
                ]
              },
              "AssertDescription": "Instance should launch in default subnet in AvailabilityZone A"
            },
            {
              "Assert": {
                "Fn::Contains": [
                  [
                    "subnet-xxxxxx"
                  ],
                  {
                    "Ref": "SubnetB"
                  }
                ]
              },
              "AssertDescription": "Instance should launch in default subnet in AvailabilityZone B"
            },
            {
              "Assert": {
                "Fn::Contains": [
                  [
                    "sg-xxxxxxx"
                  ],
                  {
                    "Ref": "DBSecurityGroup"
                  }
                ]
              },
              "AssertDescription": "Instance should launch with default security group"
            },
            {
              "Assert": {
                "Fn::Contains": [
                  [
                    "db.t2.micro"
                  ],
                  {
                    "Ref": "DBClass"
                  }
                ]
              },
              "AssertDescription": "Instance type should be db.t2.micro"
            }
          ]
        }
      }
    }

Also, add the Launch Constraint.

Add the IAM Role.

So the Product and Constraints will be available:

Launch the DB Product

Switch the Role and Select the Product to launch.

Give a name to the provisioned DB product and select the version.

In parameters, you will have the only options as applied through the constraint.

After providing all the parameters, review the details and launch it.

You can check the provisioning status on the next screen.

Go to RDS Console and you can see your DB Instance.

That’s it. Hope it will help in getting started with AWS Service Catalog..!! :)

Priyanka Sharma

Priyanka is Senior Cloud and DevOps Engineer. She can churn out CloudFormation templates at a moment's notice and play with Chef/Ansible. Dancing, music, badminton and word games are her hobbies

comments powered by Disqus