IT Service Provisioning - Self-Service Infrastructure Delivery with AWS Service Catalog
Learn how to catalog approved IT services with AWS Service Catalog and enable self-service infrastructure provisioning through CloudFormation integration. This article covers operational patterns that maintain governance while empowering development teams.
IT Service Provisioning Challenges and Service Catalog
In enterprise environments, development teams need rapid access to infrastructure resources while ensuring compliance with security standards and regulatory requirements. Traditional manual provisioning by IT departments can take days to weeks from request to delivery, creating a bottleneck for development velocity. AWS Service Catalog lets IT administrators publish approved AWS resource configurations as a catalog, so end users can provision them through self-service. CloudFormation templates are registered as products, grouped into portfolios, and made available to specific IAM users, groups, or roles. End users pick the resources they need from the approved product list, enter parameters, and provision the infrastructure themselves, typically in minutes. Because IT administrators control the template contents, every launch inherits the approved security baseline rather than depending on each requester to configure it correctly. To list the products visible to the caller via the CLI, run aws servicecatalog search-products --region ap-northeast-1.
Designing Products and Portfolios
Service Catalog products are defined from CloudFormation templates, with product versions (provisioning artifacts) enabling incremental improvements without breaking existing provisioned products. For example, a "Secure Web Application Environment" product might be backed by a CloudFormation template containing a VPC, subnets, security groups, an ALB, an EC2 Auto Scaling group, and an RDS instance. Product parameters such as environment name, instance type, and database size are chosen by end users, while template constraints restrict which values they may choose (for example, limiting instance types for cost control). Portfolios are collections of products associated with IAM users, groups, or roles for access control. You can publish development environment products to a development team portfolio and SageMaker notebook environment products to a data science team portfolio, tailoring the product offering to each team's role.
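Template constraints are written in CloudFormation rule syntax (Rules, Assertions, Fn::Contains and friends) and are attached to a product with the same JSON that the evaluator below reads. As an added example, not code from the page or from AWS, the following script evaluates such a constraint locally against sample parameter sets, so a platform team can unit-test the rule (including the conditional rule that only applies to production) before publishing it. The constraint itself, the parameter names (InstanceType, EnvironmentName, DbMultiAz) and the allowed values are constructed for this illustration; the same document is what the pricing section's instance-type guard would consist of.

```python
"""Local evaluator for Service Catalog TEMPLATE constraint rules.

Added example (not from the page or AWS). Template constraints use the
CloudFormation rule syntax; this evaluator covers the subset used below
(Ref, Fn::Contains, Fn::Equals, Fn::Not, Fn::And, Fn::Or, RuleCondition)
so a constraint can be tested against parameter sets before it is attached
with create_constraint(Type='TEMPLATE').
"""
import json

# Constructed constraint: cap instance sizes for cost control, and require
# Multi-AZ RDS whenever the environment is prod.
TEMPLATE_CONSTRAINT = {
    "Rules": {
        "InstanceTypeLimit": {
            "Assertions": [{
                "Assert": {"Fn::Contains": [["t3.micro", "t3.small", "t3.medium"],
                                            {"Ref": "InstanceType"}]},
                "AssertDescription": "InstanceType must be t3.micro, t3.small or t3.medium",
            }],
        },
        "ProdRequiresMultiAz": {
            "RuleCondition": {"Fn::Equals": [{"Ref": "EnvironmentName"}, "prod"]},
            "Assertions": [{
                "Assert": {"Fn::Equals": [{"Ref": "DbMultiAz"}, "true"]},
                "AssertDescription": "Production databases must be Multi-AZ",
            }],
        },
    }
}


def _eval(expr, params):
    """Evaluate one rule-function expression to a Python value."""
    if not isinstance(expr, dict):
        return expr                          # literal string or list of literals
    (fn, arg), = expr.items()                # rule functions are single-key dicts
    if fn == "Ref":
        if arg not in params:
            raise KeyError(f"unknown parameter {arg!r}")
        return params[arg]
    if fn == "Fn::Contains":                 # [list_of_strings, string]
        allowed, value = arg
        return _eval(value, params) in [_eval(a, params) for a in allowed]
    if fn == "Fn::Equals":                   # [value, value]
        left, right = arg
        return _eval(left, params) == _eval(right, params)
    if fn == "Fn::Not":                      # [condition]
        return not _eval(arg[0], params)
    if fn == "Fn::And":
        return all(_eval(a, params) for a in arg)
    if fn == "Fn::Or":
        return any(_eval(a, params) for a in arg)
    raise ValueError(f"unsupported rule function {fn!r}")


def evaluate_constraint(constraint, params):
    """Return the AssertDescription of every failed assertion (empty list = launch allowed)."""
    failures = []
    for name, rule in constraint["Rules"].items():
        cond = rule.get("RuleCondition")
        if cond is not None and not _eval(cond, params):
            continue                          # rule does not apply to this parameter set
        for assertion in rule["Assertions"]:
            if not _eval(assertion["Assert"], params):
                failures.append(f"{name}: {assertion.get('AssertDescription', 'assertion failed')}")
    return failures


def constraint_parameters_json(constraint=TEMPLATE_CONSTRAINT):
    """Serialise the constraint as the Parameters string create_constraint expects."""
    return json.dumps(constraint)


if __name__ == "__main__":
    ok = {"InstanceType": "t3.small", "EnvironmentName": "dev", "DbMultiAz": "false"}
    bad = {"InstanceType": "m5.4xlarge", "EnvironmentName": "prod", "DbMultiAz": "false"}
    print("dev/t3.small  ->", evaluate_constraint(TEMPLATE_CONSTRAINT, ok))
    print("prod/m5.4xlarge ->", evaluate_constraint(TEMPLATE_CONSTRAINT, bad))
```

A constraint that fails any assertion blocks the launch in the console and API with the AssertDescription shown to the user, so keeping the descriptions specific is part of the user experience, not just documentation.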
CloudFormation Integration and Governance
Service Catalog uses CloudFormation as its backend, so Infrastructure as Code best practices apply directly. By embedding AWS Config rules, CloudTrail logging, and encryption settings in the templates, you ensure every provisioned resource carries the security baseline. Launch constraints make Service Catalog create the resources with a designated IAM role (the launch role) instead of the end user's own permissions, so users only need rights to use Service Catalog, not to create EC2, RDS, or IAM resources directly. The flip side is that the launch role's permissions now define the blast radius of every launch, so they must be scoped to the actions the template actually needs and its trust policy restricted to Service Catalog in your own account. TagOptions automatically apply mandatory tags (cost center, project name, environment name) to provisioned resources, ensuring consistent cost allocation and management. Notification constraints send provisioning events to SNS topics, allowing IT administrators to monitor usage. To deepen your knowledge of cloud governance design, specialized books (Amazon) can be helpful.
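The following script is an added example, not code from the page or from AWS, showing what the governance pieces above look like as concrete documents: the launch role's trust policy (restricted to Service Catalog acting for one account), a stack-scoped starting point for its permissions policy, the launch and notification constraint parameters, and validated TagOption key/value pairs. All account IDs, names, ARNs and the tag values are placeholders; apply_governance() is the only function that talks to AWS and is the only one that needs boto3 and credentials.

```python
"""Governance wiring for one Service Catalog product: launch role policies,
launch and notification constraints, and TagOptions.

Added example, not code from the page or from AWS. Every ID, ARN and name
is a placeholder. The builder functions return the JSON documents IAM and
Service Catalog consume; apply_governance() sends them with boto3.
"""
import json
import re

ACCOUNT_ID = "123456789012"                     # placeholder
REGION = "ap-northeast-1"
LAUNCH_ROLE_NAME = "SC-SecureWebAppLaunchRole"  # placeholder
SNS_TOPIC_ARN = f"arn:aws:sns:{REGION}:{ACCOUNT_ID}:sc-provisioning-events"  # placeholder

# Mandatory tags and their allowed values (constructed for this example).
MANDATORY_TAGS = {
    "CostCenter": ["CC-1001", "CC-2002"],
    "Project": ["webshop"],
    "Environment": ["dev", "stg", "prod"],
}
# Tag keys: 1-128 allowed characters, and the aws: namespace is reserved.
TAG_KEY_RE = re.compile(r"^(?!aws:)[\w.:/=+\-@ ]{1,128}$", re.IGNORECASE)


def launch_role_trust_policy(account_id=ACCOUNT_ID):
    """Only Service Catalog acting for this account may assume the launch role;
    aws:SourceAccount closes the cross-account confused-deputy path."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "servicecatalog.amazonaws.com"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"aws:SourceAccount": account_id}},
    }]}


def launch_role_permissions_policy(account_id=ACCOUNT_ID):
    """Starting point for the launch role: CloudFormation actions limited to the
    SC-* stacks Service Catalog creates. The second statement is a placeholder
    to be replaced by exactly the actions the product template needs."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow",
         "Action": ["cloudformation:CreateStack", "cloudformation:UpdateStack",
                    "cloudformation:DeleteStack", "cloudformation:DescribeStacks",
                    "cloudformation:DescribeStackEvents", "cloudformation:SetStackPolicy"],
         "Resource": f"arn:aws:cloudformation:*:{account_id}:stack/SC-*"},
        {"Effect": "Allow", "Action": ["ec2:Describe*"], "Resource": "*"},  # placeholder
    ]}


def launch_constraint_parameters(role_name=LAUNCH_ROLE_NAME):
    """Parameters for create_constraint(Type='LAUNCH'). LocalRoleName is resolved
    in whichever account the portfolio is shared to, so one constraint works
    across an organization; {"RoleArn": ...} pins a single role instead."""
    return {"LocalRoleName": role_name}


def notification_constraint_parameters(topic_arns=(SNS_TOPIC_ARN,)):
    """Parameters for create_constraint(Type='NOTIFICATION')."""
    return {"NotificationArns": list(topic_arns)}


def tag_option_definitions(tags=MANDATORY_TAGS):
    """Flatten {key: [values]} into the (Key, Value) pairs create_tag_option takes,
    rejecting reserved keys and values outside the 1-256 character limit."""
    pairs = []
    for key, values in tags.items():
        if not TAG_KEY_RE.match(key):
            raise ValueError(f"invalid TagOption key {key!r}")
        for value in values:
            if not 1 <= len(value) <= 256:
                raise ValueError(f"invalid TagOption value for {key!r}")
            pairs.append((key, value))
    return pairs


def apply_governance(portfolio_id, product_id, region=REGION):
    """Attach the constraints to the product and the TagOptions to the portfolio
    (TagOptions on a portfolio apply to every product launched from it)."""
    import boto3                                  # lazy: only needed for real calls
    sc = boto3.client("servicecatalog", region_name=region)
    for ctype, params in (("LAUNCH", launch_constraint_parameters()),
                          ("NOTIFICATION", notification_constraint_parameters())):
        sc.create_constraint(PortfolioId=portfolio_id, ProductId=product_id, Type=ctype,
                             Parameters=json.dumps(params),
                             Description=f"{ctype.lower()} constraint, governance baseline")
    for key, value in tag_option_definitions():
        # create_tag_option raises DuplicateResourceException if the pair already
        # exists; then look it up with list_tag_options(Filters={"Key": key, "Value": value}).
        tag_id = sc.create_tag_option(Key=key, Value=value)["TagOptionDetail"]["Id"]
        sc.associate_tag_option_with_resource(ResourceId=portfolio_id, TagOptionId=tag_id)


if __name__ == "__main__":
    print(json.dumps(launch_role_trust_policy(), indent=2))
    print(json.dumps(launch_constraint_parameters()), tag_option_definitions())
```

The end user's own policy can then be limited to the Service Catalog end-user actions (for example the AWSServiceCatalogEndUserFullAccess managed policy); any cloudformation:* or ec2:* grant on the user side would bypass the point of the launch constraint.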
Organizations Integration and Multi-Account Deployment
Service Catalog integrates with AWS Organizations to share portfolios across the organization. Sharing a portfolio from the management account (or a delegated administrator account) with an OU or the whole organization provides a consistent product catalog across all member accounts, and an account added to that OU later receives the share automatically. AWS Control Tower's Account Factory is itself built on Service Catalog, and Account Factory Customization can launch additional Service Catalog products into each new account as part of account creation. Terraform configurations can also be registered as products alongside CloudFormation templates. Provisioned products and their status are managed centrally from the Service Catalog console, and end users can terminate (delete) resources they no longer need through self-service.
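As an added example, not code from the page or from AWS, the script below builds the organizational share request described above: it classifies the target (organization, OU, or account ID) into the OrganizationNode shape create_portfolio_share expects, and share_portfolio() first checks that Organizations access has been enabled for Service Catalog, which is the step most often forgotten when the first share fails. The portfolio and OU IDs are placeholders, and the ID patterns are the documented Organizations formats.

```python
"""Organizations-based portfolio sharing for Service Catalog.

Added example, not from the page or AWS. IDs are placeholders; the
regular expressions follow the documented Organizations ID formats.
"""
import re

# Documented ID formats: o-<10-32>, ou-<root 4-32>-<8-32>, 12-digit account.
NODE_PATTERNS = {
    "ORGANIZATION": re.compile(r"^o-[a-z0-9]{10,32}$"),
    "ORGANIZATIONAL_UNIT": re.compile(r"^ou-[a-z0-9]{4,32}-[a-z0-9]{8,32}$"),
    "ACCOUNT": re.compile(r"^\d{12}$"),
}


def organization_node(value):
    """Classify a target ID into the OrganizationNode that create_portfolio_share takes."""
    for node_type, pattern in NODE_PATTERNS.items():
        if pattern.match(value):
            return {"Type": node_type, "Value": value}
    raise ValueError(f"not an organization, OU or account ID: {value!r}")


def share_request(portfolio_id, target):
    """Keyword arguments for create_portfolio_share. ShareTagOptions carries the
    mandatory TagOptions along with the portfolio; SharePrincipals shares the
    IAM principal-name associations so access follows the share automatically."""
    return {
        "PortfolioId": portfolio_id,
        "OrganizationNode": organization_node(target),
        "ShareTagOptions": True,
        "SharePrincipals": True,
    }


def share_portfolio(portfolio_id, target, region="ap-northeast-1"):
    """Run from the management (or delegated administrator) account; returns the share token."""
    import boto3                                   # lazy: only needed for real calls
    sc = boto3.client("servicecatalog", region_name=region)
    # Organizations access must be enabled once before any organizational share works.
    if sc.get_aws_organizations_access_status()["AccessStatus"] != "ENABLED":
        sc.enable_aws_organizations_access()
    return sc.create_portfolio_share(**share_request(portfolio_id, target))["PortfolioShareToken"]


if __name__ == "__main__":
    print(share_request("port-abcdefghijklm", "ou-abcd-12345678"))   # placeholder IDs
```

The share token can be passed to describe_portfolio_share_status to confirm the share reached every account in the OU before telling teams the products are available.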
Service Catalog Pricing
Service Catalog's own charges are minor: a small per-API-call fee beyond a monthly free allowance (check the current pricing page for the figures). In practice, costs consist almost entirely of the usage fees for the provisioned AWS resources. Sharing portfolios through Organizations carries no extra charge either, making Service Catalog a low-cost governance foundation for the whole organization. Template constraints that limit instance types and database sizes keep end users from accidentally creating expensive resources.
Summary - Achieving Self-Service Infrastructure Delivery
AWS Service Catalog is a self-service infrastructure provisioning platform that empowers development teams while maintaining governance. By combining standardized approved configurations in CloudFormation templates, least privilege enforced through launch constraints (with a tightly scoped launch role), guardrails on user input through template constraints, and automated cost management through TagOptions, it balances security and agility. Integration with Organizations provides a consistent product catalog across multi-account environments, ensuring IT governance at the organizational level.