Q: What is Amazon Service Catalog?
Amazon Service Catalog allows IT administrators to create, manage, and distribute catalogs of approved products to end users, who can then access the products they need in a personalized portal. Administrators can control which users have access to each product to enforce compliance with organizational business policies. Administrators can also setup adopted roles so that end users only require IAM access to Amazon Service Catalog in order to deploy approved resources. Amazon Service Catalog allows your organization to benefit from increased agility and reduced costs because end users can find and launch only the products they need from a catalog that you control.
Q: Who should use Amazon Service Catalog?
Amazon Service Catalog was developed for organizations, IT teams, and managed service providers (MSPs) that need to centralize policies. It allows IT administrators to vend and manage Amazon Web Services resource and services. For large organizations, it provides a standard method of provisioning cloud resources for thousands of users. It is also suitable for small teams, where front-line development managers can provide and maintain a standard dev/test environment.
Q: How do I get started with Amazon Service Catalog?
In the Amazon Web Services Management Console, choose Amazon Service Catalog in Management Tools. In the Amazon Service Catalog console, administrators can create portfolios, add products, and grant users permissions to use them with just a few clicks. End users logged into the Amazon Service Catalog console can see and launch the products that administers have created for them.
Q: What can end users to do with Amazon Service Catalog that they could not do before?
End users have a simple portal in which to discover and launch products that comply with organizational policies and budget constraints.
Q: What is a portfolio?
A portfolio is a collection of products, with configuration information that determines who can use those products and how they can use them. Administrators can create a customized portfolio for each type of user in an organization and selectively grant access to the appropriate portfolio. When an administrator adds a new version of a product to a portfolio, that version is automatically available to all current portfolio users. The same product can be included in multiple portfolios. Administrators also can share portfolios with other Amazon Web Services accounts and allow the administrators of those accounts to extend the portfolios by applying additional constraints. By using portfolios, permissions, sharing, and constraints, administrators can ensure that users are launching products that are configured properly for the organization’s needs.
Q: What is a product?
A product is a service or application for end users. A catalog is a collection of products that the administrator creates, adds to portfolios, and provides updates for using Amazon Service Catalog. A product can comprise one or more Amazon Web Services resources, such as Amazon Elastic Compute Cloud (Amazon EC2) instances, storage volumes, databases, monitoring configurations, and networking components. It can be a single compute instance running Amazon Linux, a fully configured multitier web application running in its own environment, or anything in between.
Administrators distribute products to end users in portfolios. Administrators create catalogs of products by importing Amazon CloudFormation templates. These templates define the Amazon Web Services resources that the product needs to work, the relationships between components, and the parameters that the end user chooses when launching the product to configure security groups, create key pairs, and perform other customizations.
An end user with access to a portfolio can use the Amazon Web Services Management Console to find a standard dev/test environment product, for example, in the form of an Amazon CloudFormation template, then manage the resulting resources using the Amazon CloudFormation console. For information about creating a product, see “How do I create a product?” in the Administrator FAQ.
Q: Are APIs available? Can I use the CLI to access Amazon Service Catalog?
Yes, APIs are available. Actions from the management of Service Catalog artifacts through to provisioning and terminating are available. You can find more information in the Amazon Service Catalog documentation.
Q: Can I privately access Amazon Service Catalog APIs from my Amazon Virtual Private Cloud (VPC) without using public IPs?
Yes, you can privately access Amazon Service Catalog APIs from your Amazon Virtual Private Cloud (VPC) by creating VPC Endpoints. With VPC Endpoints, the routing between the VPC and Amazon Service Catalog is handled by the Amazon Web Services network without the need for an Internet gateway, NAT gateway, or VPN connection. The latest generation of VPC Endpoints used by Amazon Service Catalog are powered by Amazon PrivateLink, an Amazon Web Services technology enabling the private connectivity between Amazon Web Services using Elastic Network Interfaces (ENI) with private IPs in your VPCs. To learn more about Amazon PrivateLink, visit the Amazon PrivateLink Documentation.
Q: Does Amazon Service Catalog offer a Service Level Agreement (SLA)?
Yes. The Amazon Service Catalog SLA provides for a service credit if a customer's monthly uptime percentage is below our service commitment in any billing cycle.
Q: How do I create a portfolio?
You create portfolios in the Amazon Service Catalog console. For each portfolio, you specify the name, a description, and owner.
Q: How do I create a product?
To create a product, you first create an Amazon CloudFormation template by using an existing Amazon CloudFormation template or creating a custom template. Next, you use the Amazon Service Catalog console to upload the template and create the product. When creating products, you can provide additional information for the product listing, including a detailed product description, version information, support information, and tags.
Q: Why would I use tags with a portfolio?
Tags are useful for identifying and categorizing Amazon Web Services resources that are provisioned by end users. You can also use tags in Amazon Identity and Access Management (IAM) policies to allow or deny access to IAM users, groups, and roles or to restrict operations that can be performed by IAM users, groups, and roles. When you add tags to your portfolio, the tags are applied to all instances of resources provisioned from products in the portfolio.
Q: How do I make a portfolio available to my users?
You publish portfolios that you’ve created or that have been shared with you to make them available to IAM users in the Amazon Web Services account. To publish a portfolio, you add IAM users, groups, or roles to the portfolio from the Amazon Service Catalog console by navigating to the portfolio details page. When you add users to a portfolio, they can browse and launch any of the products in the portfolio. Typically, you create multiple portfolios with different products and access permissions customized for specific types of end users. For example, a portfolio for a development team will likely contain different products from a portfolio targeted at the sales and marketing team. A single product can be published to multiple portfolios with different access permissions and provisioning policies.
Q: Can I share my portfolio with other Amazon Web Services accounts?
Yes. You can share your portfolios with users in one or more other Amazon Web Services accounts. When you share your portfolio with other Amazon Web Services accounts, you retain ownership and control of the portfolio. Only you can make changes, such as adding new products or updating products. You, and only you, can also “unshare” your portfolio at any time. Any products, or stacks, currently in use will continue to run until the stack owner decides to terminate them.
To share your portfolio, you specify the account ID you want to share with, and then send the Amazon Resource Number (ARN) of the portfolio to that account. The owner of that account can create a link to this shared portfolio, and then assign IAM users from that account to the portfolio. To help end users with discovery, you can curate a directory of portfolios.
Q: Can I customize the experience for end users when they use a product?
Yes. You can tailor a product’s user experience for specific end users. The Amazon CloudFormation template contains input parameters that drive the user experience. You can define business-level input parameters (such as “How many users do you need to support?” or “Are you going to store private data?”) or infrastructure-level input parameters (such as “Which Amazon EC2 instance type?”) depending on the user. When the Amazon CloudFormation template is deployed, the user is asked these questions and can select from a constrained list of answers for each question. Depending on the answers, the template may be deployed using different Amazon Elastic Compute Cloud (EC2) instances and different Amazon Web Services resources.
Q: Can I create a product from an existing Amazon EC2 AMI?
Yes. You can use an existing Amazon EC2 AMI to create a product by wrapping it in an Amazon CloudFormation template.
Q: Can I use products from the Amazon Web Services Marketplace?
Yes. You can subscribe to a product in the Amazon Web Services Marketplace and use the copy to Service Catalog action to copy your Marketplace product directly to Service Catalog. You can also use the Amazon EC2 AMI for the product to create an Amazon Service Catalog product. To do that, you wrap the subscribed product in an Amazon CloudFormation template. For more details on how to copy or package your Amazon Web Services Marketplace products, please visit the Amazon Service Catalog documentation.
Q: How do I control access to portfolios and products?
To control access to portfolios and products, you assign IAM users, groups, or roles on the Portfolio details page. Providing access allows users to see the products that are available to them in the Amazon Service Catalog console.
Q: Can I provide a new version of a product?
Yes. You can create new product versions in the same way you create new products. When a new version of a product is published to a portfolio, end users can choose to launch the new version. They can also choose to update their running stacks to this new version. Amazon Service Catalog does not automatically update products that are in use when an update becomes available.
Q: Can I provide a product and retain full control over the associated Amazon Web Services resources?
Yes. You have full control over the Amazon Web Services accounts and roles used to provision products. To provision Amazon Web Services resources, you can use either the user’s IAM access permissions or your pre-defined IAM role. To retain full control over the Amazon Web Services resources, you specify a specific IAM role at the product level. Amazon Service Catalog uses the role to provision the resources in the stack.
Q: Can I restrict the Amazon Web Services resources that users can provision?
Yes. You can define rules that limit the parameter values that a user enters when launching a product. These rules are called template constraints because they constrain how the Amazon CloudFormation template for the product is deployed. You use a simple editor to create template constraints, and you apply them to individual products that are within a portfolio.
Amazon Service Catalog applies constraints when provisioning a new product or updating a product that is already in use. It always applies the most restrictive constraint among all constraints applied to the portfolio and the product. For example, consider a scenario where the product allows all EC2 instances to be launched and the portfolio has two constraints: one that allows all non-GPU type EC2 instances to be launched and one that allows only t1.micro and m1.small EC2 instances to be launched. For this example, Amazon Service Catalog applies the second, more restrictive constraint (t1.micro and m1.small).
Q: Can I use a YAML language CloudFormation template in Service Catalog?
Yes, we currently support both JSON and YAML language templates.
Q: How do I find out which products are available?
You can see which products are available by logging in to the Amazon Service Catalog console and searching the portal for products that meet your needs, or you can navigate to the full product list page. You can sort to find the product that you want.
For each product, you can view a Product details page that displays information about the product, including the version, whether a newer version of the product is available, a description, support information, and tags associated with the product. The Product details page might also indicate whether the product will be provisioned using your access permissions (Self) or an administrator-specified role (role-arn).
Q: How do I deploy a product?
When you find a product that meets your requirements in the portal, choose Launch. You will be guided through a series of questions about how you plan to use the product. The questions might be about your business needs or your infrastructure requirements (such as “Which EC2 instance type?”). When you have provided the required information, you’ll see the product in the Amazon Service Catalog console. While the product is being provisioned, you will see that it is “in progress.” After provisioning is complete, you will see “complete” and information, such as endpoints or Amazon Resource Names (ARNs), that you can use to access the product.
Q: Can I see which products I am using?
Yes. You can see which products you are using in the Amazon Service Catalog console or using Amazon Web Services API’s. You can see all of the stacks that are in use, along with the version of the product used to create them.
Q: How do I update my products when a new version becomes available?
When a new version of a product is published, you can use the Update Provisioned Product command to use that version. If you are currently using a product for which there is an update, it continues to run until you close it, at which point you can choose to use the new version.
Q: How do I monitor the health of my products?
You can see the products that you are using and their status in the Amazon Service Catalog console.