Operations Management

IT Governance with AWS Service Catalog - Standardizing Approved Products and Enabling Self-Service

Learn how to catalog IT-approved CloudFormation templates and safely provide end-user self-service through launch constraints and template constraints.

約 3 分で読めます

The Role of Service Catalog

Service Catalog is a service that manages IT-approved AWS resource configurations as a catalog of up to 5,000 products, enabling end users to provision them through self-service. When end users freely create AWS resources, issues arise including security misconfigurations, cost management difficulties, and architectural inconsistency. With Service Catalog, IT teams register CloudFormation templates as products and provide only approved configurations to end users. End users simply select a product from the catalog and enter parameters, and standardized resources are provisioned automatically.

Designing Portfolios and Constraints

A portfolio is a collection of products that grants access to IAM principals (users, groups, roles). You can design portfolios such as a development team portfolio containing dev environment EC2 and RDS, and a data team portfolio containing Redshift and Glue. Launch constraints specify the IAM role used when provisioning a product - resources are created using the role's permissions rather than the end user's own IAM permissions. This allows you to permit resource creation only through the catalog without granting end users direct CloudFormation execution permissions. Template constraints restrict the allowed values of CloudFormation parameters, enabling controls such as limiting instance types to only t3.micro and t3.small.

Usage in Multi-Account Environments

Integration with Organizations lets you share portfolios created in the management account with all accounts or specific OUs in the organization. End users in each account can use products from shared portfolios, applying unified architecture patterns across the entire organization. Product version management enables gradual rollout of template updates. When a new version is published, existing provisioned products are not automatically updated - end users explicitly perform the version upgrade. This prevents unexpected impacts from updates. For planning Service Catalog operational design, related books (Amazon) are a helpful reference.

Service Catalog Pricing

Service Catalog itself incurs no additional charges. Costs consist only of the usage fees for provisioned AWS resources (EC2, RDS, etc.). However, if you use third-party resource types in AWS CloudFormation, charges apply per handler operation. Sharing portfolios via Organizations also incurs no additional fees, making it an attractive low-cost governance foundation for the entire organization. Template constraints that restrict instance types also reduce the risk of end users accidentally creating expensive resources.

Summary

Service Catalog is a service that balances IT governance with end-user self-service. It catalogs approved architecture patterns and enforces safe provisioning through launch constraints and template constraints. Integration with Organizations enables standardization across multi-account environments.

Related Services

AWS Service CatalogA catalog service for delivering approved IT services across your organization via self-serviceAWS CloudFormationAn IaC service that defines and provisions AWS resources as code using templatesAWS OrganizationsA service for centrally managing multiple AWS accounts

Related Articles

DevOps Notifications with AWS Chatbot - Integrating AWS Events with Slack and TeamsLearn how to deliver CloudWatch alarm and CodePipeline notifications to Slack and Teams, and build a ChatOps environment where you can operate AWS using @aws commands from chat.Building a Multi-Account Environment with AWS Control Tower - Landing Zone and GuardrailsEstablish governance for your multi-account environment with automated landing zone construction and guardrail-based policy enforcement. Also covers automated account creation with Account Factory.IT Service Provisioning - Self-Service Infrastructure Delivery with AWS Service CatalogLearn how to catalog approved IT services with AWS Service Catalog and enable self-service infrastructure provisioning through CloudFormation integration. This article covers operational patterns that maintain governance while empowering development teams.

More on This Topic

How AWS Keeps Time Internally - Amazon Time Sync Service and Leap Second Smearing DesignLearn how Amazon Time Sync Service works, how GPS and atomic clocks provide high-precision time sources, the design decision to absorb leap seconds through smearing, and why time synchronization matters in distributed systems.Centralizing SaaS Audit Logs with AWS AppFabric - OCSF Standardization and Security Lake IntegrationLearn how AppFabric collects audit logs from SaaS applications, standardizes them to OCSF format, and builds analysis pipelines.Implementing Feature Flags with AWS AppConfig - Safe Configuration Deployment and RollbackRoll out configuration changes independently from code deployments using Linear and Exponential strategies. Ensure safety with automatic rollback triggered by CloudWatch alarms.Architecture Review - Systematically Evaluate Workloads with the AWS Well-Architected ToolLearn about architecture reviews using the AWS Well-Architected Tool. Covers evaluation based on the six pillars, improvement planning, and custom lens usage.Audit Log Design and Operations - Complete API Activity Recording with CloudTrailLearn how to design audit logs using AWS CloudTrail, including recording API activity, long-term storage in S3, and compliance automation through integration with AWS Config.Lessons from AWS Incident Reports (COE) - How Past Major Outages Shaped Design PrinciplesAnalyze the root causes of past major incidents including the S3 outage, us-east-1 DNS failure, and Kinesis outage from AWS's published Correction of Errors (COE) and incident reports, and explain how they changed AWS's design principles.Tag Design Determines Operations - Trivia and Practical Naming Conventions for AWS Resource Tagging StrategyWe explain why AWS resource tags are not just labels but the foundation for cost allocation, access control, and automation, covering tag key naming conventions, how to use the 50-tag limit, and governance through tag policies.Why AWS Service Quotas Exist - Multi-Tenant Design That Protects Shared InfrastructureExplain how AWS service quotas (formerly service limits) are not mere restrictions but a design to protect other customers in a multi-tenant environment, covering the noisy neighbor problem, soft vs hard limits, and what happens behind quota increase requests.

Similar Articles and Services

IT Service Provisioning - Self-Service Infrastructure Delivery with AWS Service CatalogLearn how to catalog approved IT services with AWS Service Catalog and enable self-service infrastructure provisioning through CloudFormation integration. This article covers operational patterns that maintain governance while empowering development teams.AWS Service CatalogA governance service that manages organization-approved CloudFormation templates as a catalog and provides end users with self-service resource provisioningPlatform Engineering - Standardizing Infrastructure Templates with AWS ProtonBuild an internal platform with Proton and Service Catalog to provide developers with self-service infrastructure provisioning. Learn about template management and governance design patterns.Procuring Software on AWS Marketplace - SaaS Subscriptions and Private OffersProcure third-party software in three delivery models (AMI, container, SaaS) and consolidate billing with AWS. Learn about organization-wide governance with Private Marketplace and automating contract management.