In large AWS environments, you want to provide your users with secure and compliant ways to use AWS cloud services. You can empower them to consume services independently and reduce your operational teams’ workloads. The result? Increased user satisfaction and more time for operations to concentrate on value-adding activities. AWS offers a native way to create and share your products in your AWS organization with the AWS Service Catalog.
Creating, managing, and controlling your organization's AWS Service Catalog products is the first step to providing self-service. Your organization benefits from a variety of advantages, including:
Each AWS Service Catalog product is based on an AWS CloudFormation template. The template defines what a product executes and, consequently, what a user can do. It’s also possible to enable additional restrictions through various measures, called constraints:
Launch Constraints define which IAM role the AWS Service Catalog assumes when it launches the product
Notification Constraints send information via SNS (Simple Notification Service) when products are managed
Tag Update Constraints provide the ability to prevent tag updates on deployed resources
Stack Set Constraints enable StackSets deployments to multiple accounts or regions
Template Constraints limit the options for users at launch
As well as constraints, there are so-called ‘service actions’, which make it possible to perform predefined actions on already provisioned AWS Service Catalog products (for example, initiating a restart of an EC2 machine). Service actions can be defined in AWS Systems Manager documents and attached to a product.
One of our enterprise customers needed a way to enable self-service capabilities for centrally managed and shared services. Furthermore, users are only allowed to use services that provide a minimum level of security. This is where the AWS Service Catalog comes into play, as its capabilities can cover these requirements. As our customer also has high demands for automation, the entire solution had to be rolled out in an automated and reusable way. In this case, a CI/CD integration was essential.
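A CI/CD pipeline can enforce the constraints described above before a portfolio template is deployed. The following check is an added example, not code from the original article or the customer project: it flags every product association that lacks a launch constraint or a tag update constraint set to `NOT_ALLOWED`. Treating both as mandatory is an assumed baseline policy, and the resource names in the sample template are constructed.

```python
import json
import sys

ASSOCIATION = "AWS::ServiceCatalog::PortfolioProductAssociation"
LAUNCH = "AWS::ServiceCatalog::LaunchRoleConstraint"
TAG_UPDATE = "AWS::ServiceCatalog::ResourceUpdateConstraint"

def _pair(props):
    # Serialise ids so {"Ref": "X"} and literal ids both become comparable keys.
    return tuple(json.dumps(props.get(k), sort_keys=True) for k in ("PortfolioId", "ProductId"))

def missing_constraints(template):
    """Return (association, problem) for products shared without the assumed baseline."""
    resources = template.get("Resources", {})
    launch, tags_locked = set(), set()
    for res in resources.values():
        props = res.get("Properties", {})
        if res.get("Type") == LAUNCH and (props.get("RoleArn") or props.get("LocalRoleName")):
            launch.add(_pair(props))
        elif (res.get("Type") == TAG_UPDATE
              and props.get("TagUpdateOnProvisionedProduct") == "NOT_ALLOWED"):
            tags_locked.add(_pair(props))
    findings = []
    for name, res in sorted(resources.items()):
        if res.get("Type") != ASSOCIATION:
            continue
        pair = _pair(res.get("Properties", {}))
        if pair not in launch:
            findings.append((name, "no launch constraint"))
        if pair not in tags_locked:
            findings.append((name, "tag updates not blocked"))
    return findings

# Constructed sample: one compliant product, one missing both controls.
def _res(kind, product, **extra):
    props = {"PortfolioId": {"Ref": "Portfolio"}, "ProductId": {"Ref": product}, **extra}
    return {"Type": kind, "Properties": props}

SAMPLE_TEMPLATE = {"Resources": {
    "BucketAssoc": _res(ASSOCIATION, "BucketProduct"),
    "BucketLaunch": _res(LAUNCH, "BucketProduct", LocalRoleName="sc-launch-bucket"),
    "BucketTags": _res(TAG_UPDATE, "BucketProduct", TagUpdateOnProvisionedProduct="NOT_ALLOWED"),
    "VmAssoc": _res(ASSOCIATION, "VmProduct"),
    "VmTags": _res(TAG_UPDATE, "VmProduct", TagUpdateOnProvisionedProduct="ALLOWED"),
}}

if __name__ == "__main__":
    problems = missing_constraints(SAMPLE_TEMPLATE)
    for name, problem in problems:
        print(f"{name}: {problem}")
    sys.exit(1 if problems else 0)
```

The check expects the template as a parsed JSON-style dictionary; a non-zero exit code fails the pipeline stage when any association is missing a control.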