The power of AWS Service Catalog

Leticia Massae
4 min read · Jun 24, 2022

Introduction

AWS Service Catalog lets organizations and teams create and manage catalogs of approved IT services for use on AWS. Each product in a catalog is defined by a CloudFormation template, so a product can be anything CloudFormation can provision, from a single resource to a complete multi-tier application. Using Service Catalog for your applications and infrastructure speeds up deployments while keeping governance consistent: because the organization’s central teams author and publish the products, whatever end users launch already follows the organization’s compliance rules.

Benefits:

  • Ensure compliance with corporate standards.
  • Help users quickly find and deploy IT services.
  • Centrally manage IT services lifecycle.
  • Keep all catalog and provisioning information inside your AWS accounts, where it can be audited.

More about it in the AWS documentation.

Usage Example

Now let’s go to the fun part!

Let’s say this is the first time your company is going to use AWS Service Catalog, and one team is responsible for the product. How can that team design an architecture that deploys several portfolios, owned by different teams, into every member account of your Organization, so that users in those accounts can deploy all of the resources they need?

This is a pipeline that deploys the portfolios to all accounts within the Organization:

  1. The pipeline itself lives in a central account owned by the team responsible for this solution (a tooling account, not the Organizations management account).
  2. The team uses GitHub, Bitbucket or GitLab for version control.
  3. Every update in that repository is synced automatically to a CodeCommit repository.
  4. A CloudWatch Events rule (EventBridge rule) detects the CodeCommit update and triggers the pipeline.
  5. CodeBuild runs a buildspec.yml that executes a Python script. The script assumes a role in the Organizations management account (formerly called the master account), calls the Organizations API to list every account in the organization, and then runs the deployment logic against each of them. Alternatively, have your account-creation process record each new account in a DynamoDB table, so the pipeline reads that table instead of calling the Organizations API on every run.
  6. The script creates or updates the portfolios, the products and their versions (provisioning artifacts) in each member account, which requires cross-account permissions in those accounts.
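The deployment logic of steps 5 and 6, as an added example that is not the article’s own code. It is written to be idempotent: rerunning it against an account that already has the portfolio, product and version changes nothing, and a new version name only adds a provisioning artifact. Everything not in the article is an assumption: the role name `ServiceCatalogDeployRole` that the pipeline assumes in each member account, the sample product definition `EXAMPLE_SPEC`, and `FakeServiceCatalog`, a constructed in-memory stand-in for the boto3 `servicecatalog` client so the logic can run offline (in the pipeline you would pass the real client returned by `member_sc_client`).

```python
"""Added example, not the article's own code: idempotent portfolio/product deployment for one
member account. ServiceCatalogDeployRole (assumed name), EXAMPLE_SPEC (constructed sample) and
FakeServiceCatalog (constructed offline stand-in for boto3's servicecatalog client) are not
taken from the article."""
import uuid


def active_account_ids(org_client):
    """Page through Organizations ListAccounts and keep only ACTIVE accounts."""
    ids, token = [], None
    while True:
        page = org_client.list_accounts(**({"NextToken": token} if token else {}))
        ids += [a["Id"] for a in page["Accounts"] if a["Status"] == "ACTIVE"]
        token = page.get("NextToken")
        if not token:
            return ids


def member_sc_client(account_id, role_name="ServiceCatalogDeployRole", region="us-east-1"):
    """Assume the (assumed-name) deploy role in a member account and return a real boto3 client."""
    import boto3  # imported here so the offline demo does not need it installed
    creds = boto3.client("sts").assume_role(
        RoleArn=f"arn:aws:iam::{account_id}:role/{role_name}",
        RoleSessionName="sc-portfolio-deploy")["Credentials"]
    return boto3.client("servicecatalog", region_name=region,
                        aws_access_key_id=creds["AccessKeyId"],
                        aws_secret_access_key=creds["SecretAccessKey"],
                        aws_session_token=creds["SessionToken"])


def deploy_portfolio(sc, spec):
    """Create or update one portfolio, product and version; return the write actions taken."""
    actions = []
    # Portfolio: match on display name (first page only; add PageToken paging past 20 portfolios).
    existing = sc.list_portfolios()["PortfolioDetails"]
    portfolio_id = next((p["Id"] for p in existing if p["DisplayName"] == spec["portfolio"]), None)
    if portfolio_id is None:
        portfolio_id = sc.create_portfolio(DisplayName=spec["portfolio"], ProviderName=spec["provider"],
                                           IdempotencyToken=str(uuid.uuid4()))["PortfolioDetail"]["Id"]
        actions.append("create_portfolio")
    # Product: FullTextSearch is fuzzy, so require an exact name match in the results.
    artifact = {"Name": spec["version"], "Type": "CLOUD_FORMATION_TEMPLATE",
                "Info": {"LoadTemplateFromURL": spec["template_url"]}}
    hits = sc.search_products_as_admin(Filters={"FullTextSearch": [spec["product"]]})["ProductViewDetails"]
    product_id = next((h["ProductViewSummary"]["ProductId"] for h in hits
                       if h["ProductViewSummary"]["Name"] == spec["product"]), None)
    if product_id is None:
        created = sc.create_product(Name=spec["product"], Owner=spec["owner"],
                                    ProductType="CLOUD_FORMATION_TEMPLATE",
                                    ProvisioningArtifactParameters=artifact,
                                    IdempotencyToken=str(uuid.uuid4()))
        product_id = created["ProductViewDetail"]["ProductViewSummary"]["ProductId"]
        actions.append("create_product")
    # Version: add a provisioning artifact only when this version name does not exist yet.
    versions = {v["Name"] for v in
                sc.list_provisioning_artifacts(ProductId=product_id)["ProvisioningArtifactDetails"]}
    if spec["version"] not in versions:
        sc.create_provisioning_artifact(ProductId=product_id, Parameters=artifact,
                                        IdempotencyToken=str(uuid.uuid4()))
        actions.append("create_version")
    # Association: check the existing links first so reruns stay quiet.
    linked = {p["Id"] for p in sc.list_portfolios_for_product(ProductId=product_id)["PortfolioDetails"]}
    if portfolio_id not in linked:
        sc.associate_product_with_portfolio(ProductId=product_id, PortfolioId=portfolio_id)
        actions.append("associate")
    return actions


class FakeServiceCatalog:
    """Constructed in-memory stand-in for the boto3 servicecatalog client (offline demo only)."""
    def __init__(self):
        self.portfolios, self.products, self.links = {}, {}, set()
    def list_portfolios(self, **_):
        return {"PortfolioDetails": [{"Id": i, "DisplayName": n} for i, n in self.portfolios.items()]}
    def create_portfolio(self, DisplayName, ProviderName, IdempotencyToken):
        pid = f"port-{len(self.portfolios) + 1}"
        self.portfolios[pid] = DisplayName
        return {"PortfolioDetail": {"Id": pid, "DisplayName": DisplayName}}
    def search_products_as_admin(self, **_):
        return {"ProductViewDetails": [{"ProductViewSummary": {"ProductId": i, "Name": p["Name"]}}
                                       for i, p in self.products.items()]}
    def create_product(self, Name, Owner, ProductType, ProvisioningArtifactParameters, IdempotencyToken):
        pid = f"prod-{len(self.products) + 1}"
        self.products[pid] = {"Name": Name, "versions": [ProvisioningArtifactParameters["Name"]]}
        return {"ProductViewDetail": {"ProductViewSummary": {"ProductId": pid, "Name": Name}}}
    def list_provisioning_artifacts(self, ProductId):
        return {"ProvisioningArtifactDetails": [{"Name": v} for v in self.products[ProductId]["versions"]]}
    def create_provisioning_artifact(self, ProductId, Parameters, IdempotencyToken):
        self.products[ProductId]["versions"].append(Parameters["Name"])
    def list_portfolios_for_product(self, ProductId):
        return {"PortfolioDetails": [{"Id": p} for p, q in self.links if q == ProductId]}
    def associate_product_with_portfolio(self, ProductId, PortfolioId):
        self.links.add((PortfolioId, ProductId))


# Constructed sample product definition; the template URL is a placeholder, not a real bucket.
EXAMPLE_SPEC = {"portfolio": "Networking", "provider": "Cloud Platform Team", "product": "Standard VPC",
                "owner": "Cloud Platform Team", "version": "v1",
                "template_url": "https://example-bucket.s3.amazonaws.com/vpc.yaml"}
```

In the pipeline, the loop is `for account in active_account_ids(org_client): deploy_portfolio(member_sc_client(account), spec)` for every portfolio spec in the repository. Returning the list of actions rather than just printing lets the build log show exactly what changed in each account, and makes a dry run trivial to add.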

User View:

PS: Every CloudFormation stack that Service Catalog creates in a member account has a name starting with “SC-” (followed by the account ID and the provisioned product ID).

Take note that this is the happy path!

Now let’s complicate a few things:

  • Since these portfolio products are CloudFormation templates, how can we ensure that users won’t change the stack once CloudFormation has created it in their account? We can build guardrails for this, or take advantage of Service Control Policies (SCPs).
    With SCPs we can add an explicit deny for the stack-changing CloudFormation actions (UpdateStack, DeleteStack, SetStackPolicy and change-set execution) on every stack ARN whose name starts with “SC-”, since Service Catalog names these stacks itself. One caveat: Service Catalog performs its own CloudFormation calls through the product’s launch role (or, without a launch constraint, through the end user’s own credentials), so the deny must exempt the launch role or legitimate UpdateProvisionedProduct and TerminateProvisionedProduct operations will fail as well. When a launch constraint is in place, end users need no CloudFormation permissions at all, and the SCP acts as a backstop against anyone who has them anyway. Remember also that SCPs never apply to the management account (you can read more about SCPs in my other article).
  • And what if users modify the provisioned resources directly, rather than through the CloudFormation template? We can add AWS Config rules to the templates, scoped to the resources inside them, so that out-of-band changes are detected and reported; CloudFormation drift detection on the SC- stacks is another way to surface the same problem.
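The SCP described above, as an added example that is not part of the original article. The policy is built as a Python dict (ready to `json.dumps` into an SCP), and a small `denied_by_scp` helper checks the statement against sample requests so the launch-role exemption can be verified before the policy is attached to an OU. `SCLaunchRole` is an assumed name for the launch-constraint role; the helper handles only this statement’s wildcards and its `ArnNotLike` condition and is not a general IAM policy simulator.

```python
"""Added example, not the article's own code: an SCP that denies direct changes to Service
Catalog-managed stacks (names starting with SC-) for everyone except the launch role, plus a
minimal evaluator for this one statement. SCLaunchRole is an assumed role name."""
import fnmatch
import json

STACK_CHANGE_ACTIONS = [
    "cloudformation:UpdateStack",
    "cloudformation:DeleteStack",
    "cloudformation:SetStackPolicy",
    "cloudformation:CreateChangeSet",
    "cloudformation:ExecuteChangeSet",
    "cloudformation:ContinueUpdateRollback",
]


def scp_protect_sc_stacks(launch_role_name="SCLaunchRole"):
    """Build the SCP document. Read-only actions (DescribeStacks etc.) stay allowed so users
    can still see their provisioned products."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyDirectChangesToServiceCatalogStacks",
            "Effect": "Deny",
            "Action": STACK_CHANGE_ACTIONS,
            "Resource": "arn:aws:cloudformation:*:*:stack/SC-*/*",
            "Condition": {
                # aws:PrincipalArn is the role ARN even for assumed-role sessions, so this
                # exempts every session of the launch role in every member account.
                "ArnNotLike": {"aws:PrincipalArn": f"arn:aws:iam::*:role/{launch_role_name}"}
            },
        }],
    }


def denied_by_scp(policy, principal_arn, action, resource_arn):
    """True if a Deny statement in `policy` matches the request. Supports * and ? wildcards
    (actions compared case-insensitively, as IAM does) and the ArnNotLike/aws:PrincipalArn
    condition used above; nothing else."""
    for st in policy["Statement"]:
        if st["Effect"] != "Deny":
            continue
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in actions):
            continue
        if not fnmatch.fnmatchcase(resource_arn, st["Resource"]):
            continue
        exempt = st.get("Condition", {}).get("ArnNotLike", {}).get("aws:PrincipalArn")
        if exempt and fnmatch.fnmatchcase(principal_arn, exempt):
            continue  # condition evaluates false for the launch role, so the Deny does not apply
        return True
    return False


if __name__ == "__main__":
    print(json.dumps(scp_protect_sc_stacks(), indent=2))
```

Attach the policy to the OUs that hold member accounts. A deny in an SCP cannot be overridden by any IAM policy inside the member account, so check the exemption against the exact launch role name your launch constraints use before rolling it out; a typo there breaks every product update in the organization.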

AWS Service Catalog in AWS Control Tower

AWS Control Tower provides the easiest way to set up and govern a secure, multi-account AWS environment, called a landing zone. It creates your landing zone using AWS Organizations, bringing ongoing account management and governance as well as implementation best practices based on AWS’s experience working with thousands of customers as they move to the cloud. Builders can provision new AWS accounts in a few clicks, while you have peace of mind knowing that your accounts conform to company policies. You can extend governance into new or existing accounts and gain visibility into their compliance status quickly. If you are building a new AWS environment, starting out on your journey to AWS, or starting a new cloud initiative, AWS Control Tower will help you get started quickly with built-in governance and best practices.

More about it in the AWS documentation.

If your company uses or wants to use Control Tower, you can definitely take advantage of it. Instead of building the pipeline above, use Service Catalog’s organizational sharing: from the management account (AWS renamed the “master account” to “management account”), after enabling Service Catalog’s access to AWS Organizations, you can share a portfolio with the whole organization, with specific Organizational Units (OUs), or with individual accounts. This sharing is a Service Catalog feature that works with any AWS Organization; Control Tower simply gives you the organization and OU structure ready-made, and the central team then maintains a single copy of each portfolio in the hub account instead of one per member account.

https://aws.amazon.com/pt/blogs/mt/self-service-vpcs-in-aws-control-tower-using-aws-service-catalog/

If you look at one of the member accounts, you will see the “Imported” tab populated once the portfolio share is in place. Administrators in the member account still have to grant their IAM users or roles access to the imported portfolio before anyone there can launch from it:

https://aws.amazon.com/pt/blogs/mt/self-service-vpcs-in-aws-control-tower-using-aws-service-catalog/
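The organizational sharing described above, as an added example that is not the article’s own code. A portfolio share with an organization node is asynchronous: `create_portfolio_share` returns a token and the share is reported per account through `describe_portfolio_share_status`, so a deployment script should wait for a terminal status and surface the accounts that failed instead of assuming success. The portfolio and OU IDs are inputs; `FakeSharingClient` is a constructed stand-in for the boto3 client so the flow runs offline, and the error message it returns is made up for the demo.

```python
"""Added example, not the article's own code: share one portfolio with an OU from the
Organizations management account (or a registered Service Catalog delegated administrator) and
wait for the asynchronous share to settle. FakeSharingClient is a constructed offline stand-in."""
import time

TERMINAL_STATES = {"COMPLETED", "COMPLETED_WITH_ERRORS", "ERROR"}


def share_portfolio_with_ou(sc, portfolio_id, ou_id, poll_seconds=0.0, max_polls=30):
    """Share the portfolio with an OU; return (final status, sorted accounts the share failed for)."""
    # Service Catalog must be allowed to read the organization tree; enabling is a one-time step.
    if sc.get_aws_organizations_access_status()["AccessStatus"] != "ENABLED":
        sc.enable_aws_organizations_access()
    token = sc.create_portfolio_share(
        PortfolioId=portfolio_id,
        # Type may also be ORGANIZATION (whole org) or ACCOUNT (one account id).
        OrganizationNode={"Type": "ORGANIZATIONAL_UNIT", "Value": ou_id},
    )["PortfolioShareToken"]
    status = {"Status": "NOT_STARTED"}
    for _ in range(max_polls):
        status = sc.describe_portfolio_share_status(PortfolioShareToken=token)
        if status["Status"] in TERMINAL_STATES:
            errors = status.get("ShareDetails", {}).get("ShareErrors", [])
            failed = sorted({acct for err in errors for acct in err.get("Accounts", [])})
            return status["Status"], failed
        time.sleep(poll_seconds)
    raise TimeoutError(f"portfolio share {token} still {status['Status']} after {max_polls} polls")


class FakeSharingClient:
    """Constructed stand-in: reports IN_PROGRESS once, then the configured terminal status."""
    def __init__(self, final_status="COMPLETED", failed_accounts=()):
        self.final_status, self.failed_accounts = final_status, list(failed_accounts)
        self.polls, self.access, self.shares = 0, "DISABLED", []
    def get_aws_organizations_access_status(self):
        return {"AccessStatus": self.access}
    def enable_aws_organizations_access(self):
        self.access = "ENABLED"
    def create_portfolio_share(self, PortfolioId, OrganizationNode):
        self.shares.append((PortfolioId, OrganizationNode))
        return {"PortfolioShareToken": f"share-{len(self.shares)}"}
    def describe_portfolio_share_status(self, PortfolioShareToken):
        self.polls += 1
        if self.polls == 1:
            return {"Status": "IN_PROGRESS"}
        errors = ([{"Accounts": self.failed_accounts, "Message": "constructed error"}]
                  if self.failed_accounts else [])
        return {"Status": self.final_status, "ShareDetails": {"ShareErrors": errors}}


if __name__ == "__main__":
    demo = FakeSharingClient("COMPLETED_WITH_ERRORS", ["333333333333"])
    print(share_portfolio_with_ou(demo, "port-1", "ou-abcd-11111111"))
```

A share that ends in COMPLETED_WITH_ERRORS is the case to watch for in a pipeline: the portfolio is available in most accounts, but the ones listed in `ShareErrors` (for example, accounts that were still being created) silently lack it until the share is retried.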

Considerations

We now have a better understanding of what AWS Service Catalog is, what it does, how users can leverage it and how it applies to AWS Organizations.

We saw two ways to deploy portfolios across an AWS Organization: a pipeline that deploys them into each member account, and Service Catalog’s portfolio sharing from the management account, which fits naturally with AWS Control Tower.

There are always several ways to do something in AWS; you just need to pick the one that best fits your Organization’s standards.

Feel free to comment about it and I hope this article can come in handy!


Leticia Massae

Technology enthusiast working as a DevOps engineer, with experience in security automation. https://www.linkedin.com/in/leticiamassae/