AWS Service Catalog
A governance service that manages organization-approved CloudFormation templates as a catalog and provides end users with self-service resource provisioning
Overview
AWS Service Catalog lets IT administrators register approved infrastructure configurations as products, enabling end users to provision them through self-service. CloudFormation templates or Terraform configurations are cataloged as products and access is managed at the portfolio level. End users can deploy approved configurations simply by entering parameters, without needing CloudFormation expertise. Constraints enforce governance rules at the product level, such as restricting instance types or limiting regions.
Portfolio and Product Design
The core concept of Service Catalog is the two-tier structure of portfolios and products. A portfolio is a logical grouping of products and serves as the unit for granting access to IAM principals (users, groups, roles). For example, a 'Data Analytics Team Portfolio' might contain Redshift cluster, Glue job, and S3 bucket products, shared exclusively with the data team. A product is a version-controlled CloudFormation template or Terraform configuration, where the template's parameters become the input fields presented to end users. Product versioning enables gradual rollout of template updates: environments provisioned with older versions continue to operate and are unaffected until users explicitly perform a version upgrade. As a product design best practice, minimize the number of parameters and narrow the choices using default values and AllowedValues. Instead of requiring direct CIDR block input, provide abstracted parameters like 'Small / Medium / Large' so end users don't have to deliberate over technical details.
Constraints and Provisioning Rules
Constraints are governance rules applied when provisioning products. Template constraints restrict the allowed values of CloudFormation parameters - for example, limiting instance types to only t3.micro and t3.small. Launch constraints specify the IAM role used during provisioning. This eliminates the need to grant end users direct CloudFormation execution permissions; instead, the minimum required permissions are consolidated in the launch role, making it easier to implement the principle of least privilege. Notification constraints send provisioning events to an SNS topic for administrator notifications and audit logging. Stack set constraints enable deploying a single product across multiple regions or accounts simultaneously. TagOptions (discussed next) are a mechanism for forcibly applying tags to provisioned resources. The combination of constraints lets you design the right balance between controlling end-user freedom and maintaining self-service convenience. Overly strict constraints defeat the purpose of self-service, while overly lenient ones render governance ineffective.
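The template constraint described above (and the AllowedValues narrowing from the product design section) is expressed in the CloudFormation rules syntax that Service Catalog template constraints use. The following added example, not code from the original page or from AWS, shows a constructed constraint body that limits InstanceType to t3.micro and t3.small and, for prod environments, forbids a hypothetical PublicAccess parameter, together with a small local evaluator that reports which assertions a set of proposed parameter values would violate (Service Catalog itself evaluates these rules at launch time; the evaluator here only lets you check a constraint offline).

```python
# Constructed Service Catalog template constraint body in CloudFormation rules syntax.
# Parameter names InstanceType, Environment and PublicAccess are assumptions for this example.
TEMPLATE_CONSTRAINT = {
    "Rules": {
        "InstanceTypeRule": {
            "Assertions": [{
                "Assert": {"Fn::Contains": [["t3.micro", "t3.small"], {"Ref": "InstanceType"}]},
                "AssertDescription": "Only t3.micro and t3.small are approved for this portfolio",
            }]
        },
        "NoPublicProdRule": {
            # RuleCondition: the assertions below only apply when Environment is prod
            "RuleCondition": {"Fn::Equals": [{"Ref": "Environment"}, "prod"]},
            "Assertions": [{
                "Assert": {"Fn::Not": [{"Fn::Equals": [{"Ref": "PublicAccess"}, "true"]}]},
                "AssertDescription": "Production stacks may not enable public access",
            }]
        },
    }
}

def _eval(node, params):
    """Evaluate a rule-function node (Ref / Fn::Equals / Fn::Contains / Fn::Not) against the proposed parameters."""
    if not isinstance(node, dict):
        return node  # literal string or list
    (fn, arg), = node.items()
    if fn == "Ref":
        return params[arg]
    if fn == "Fn::Equals":
        return _eval(arg[0], params) == _eval(arg[1], params)
    if fn == "Fn::Contains":  # [list_of_allowed, value]
        return _eval(arg[1], params) in _eval(arg[0], params)
    if fn == "Fn::Not":
        return not _eval(arg[0], params)
    raise ValueError(f"unsupported rule function: {fn}")

def check_constraint(constraint, params):
    """Return the AssertDescriptions the parameters violate; an empty list means the launch is allowed."""
    violations = []
    for rule in constraint["Rules"].values():
        cond = rule.get("RuleCondition")
        if cond is not None and not _eval(cond, params):
            continue  # rule does not apply to these parameter values
        for assertion in rule["Assertions"]:
            if not _eval(assertion["Assert"], params):
                violations.append(assertion["AssertDescription"])
    return violations
```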
TagOptions and Organizations Integration
TagOptions is a feature that forcibly applies tags to resources provisioned through Service Catalog. When a TagOption is associated with a portfolio or product, the tag is automatically applied whenever an end user provisions resources. Enforcing cost allocation tags (CostCenter, Project, Environment) via TagOptions prevents cost tracking gaps caused by missing tags. TagOption key-value pairs are centrally managed by administrators, and end users simply select from the available values. Integration with AWS Organizations enables bulk sharing of Service Catalog portfolios across multiple accounts within an organization. Create portfolios in the management account or a delegated administrator account and specify sharing targets by OU (organizational unit) or individual account. Shared portfolios are imported into member accounts and can be used just like local portfolios. This mechanism enables a hub-and-spoke governance model in which a central IT team distributes approved configurations company-wide and individual teams provision the resources they need through self-service. Combined with Control Tower, you can also automate the distribution of standard portfolios when new accounts are created.