Products
A product is an IT service that you want to make available for deployment on Amazon Web Services. A product can comprise one or more Amazon Web Services resources, such as EC2 instances, storage volumes, databases, monitoring configurations, and networking components, or packaged Amazon Web Services Marketplace products. A product can be a single compute instance running Linux, a fully configured multi-tier web application running in its own environment, or anything in between. You create your products by importing Amazon CloudFormation templates. These templates define the Amazon Web Services resources required for the product, the relationships between resources, and the parameters that the end user can plug in when they launch the product to configure security groups, create key pairs, and perform other customizations.
Portfolios
A portfolio is a collection of products, together with configuration information. Portfolios help you manage product configuration, who can use specific products, and how they can use them. With Amazon Service Catalog, you can create a customized portfolio for each type of user in your organization and selectively grant access to the appropriate portfolio. When you add a new version of a product to a portfolio, that version is automatically available to all current users of that portfolio. You can also share your portfolios with other Amazon Web Services accounts and allow the administrators of those accounts to distribute your portfolios with additional constraints. For example, for developers, you can define a portfolio of development environments, such as a LAMP stack with approved versions that users can use for software development and testing. You could also define a portfolio for the marketing organization that includes campaign websites and market analysis applications.
Versioning
Amazon Service Catalog allows you to manage multiple versions of the products in your catalog. This allows you to add new versions of templates and associated resources based on software updates or configuration changes. When you create a new version of a product, the update is automatically distributed to all users who have access to the product, allowing the user to select which version of the product to use. Users can update running instances of the product to the new version quickly and easily.
Granular access control
Granting a user access to a portfolio enables that user to browse the portfolio and launch the products in it. You apply Amazon Identity and Access Management (IAM) permissions to control who can view and modify your products and portfolios. IAM permissions can be assigned to IAM users, groups, and roles. When a user launches a product that has an IAM role assigned to it, Amazon Service Catalog uses the role to launch the product's cloud resources using Amazon CloudFormation. By assigning an IAM role to each product, you can avoid giving users permissions to perform unapproved operations, and enable them to provision resources using the catalog.
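The launch role described above is the piece that lets end users provision without holding the underlying permissions themselves, so its two policy documents deserve a review before the product goes into a portfolio. The following Python is an added example, not code from the Amazon Service Catalog documentation or service: it checks a launch role's trust policy (only the Service Catalog service principal may assume it) and its permissions policy (no wildcard actions, no services beyond those the product needs, no unscoped `iam:PassRole`). The two sample policy documents and the account id `111122223333` are constructed; treating an `aws:SourceAccount` condition on the trust policy as required is an assumption made here as a confused-deputy guard.

```python
"""Least-privilege review of a Service Catalog launch role (added example).

A launch role is the IAM role that Service Catalog assumes, on the user's
behalf, to create a product's CloudFormation stack. Its trust policy should
admit only the Service Catalog service principal, and its permissions policy
should cover only the services the product actually needs. The policy
documents below are constructed samples, not policies from the page.
"""

SERVICE_CATALOG_PRINCIPAL = "servicecatalog.amazonaws.com"


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_trust_policy(doc, expected_account):
    """Return findings for Allow statements that let something assume the role."""
    findings = []
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append("trust policy lets any principal assume the role")
            continue
        for svc in _as_list(principal.get("Service")):
            if svc != SERVICE_CATALOG_PRINCIPAL:
                findings.append(f"unexpected service principal {svc}")
        for arn in _as_list(principal.get("AWS")):
            findings.append(f"IAM principal {arn} can assume the launch role directly")
        # Confused-deputy guard (assumed best practice in this example): the
        # trust policy should pin the account Service Catalog is acting for.
        condition = stmt.get("Condition", {})
        accounts = _as_list(condition.get("StringEquals", {}).get("aws:SourceAccount"))
        if expected_account not in accounts:
            findings.append("no aws:SourceAccount condition pinning the calling account")
    return findings


def audit_permissions_policy(doc, approved_prefixes):
    """Flag wildcard actions, unapproved services and unscoped iam:PassRole."""
    findings = []
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"wildcard action {action}")
            elif not any(action.startswith(p) for p in approved_prefixes):
                findings.append(f"action {action} is outside the product's approved services")
        if "iam:PassRole" in actions and "*" in resources:
            findings.append("iam:PassRole on Resource '*' lets a launch hand any role to a resource")
    return findings


# Constructed sample documents for a product that only needs CloudFormation,
# EC2 and read access to an S3 bucket holding its configuration.
GOOD_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": SERVICE_CATALOG_PRINCIPAL},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"aws:SourceAccount": "111122223333"}},
    }],
}
LOOSE_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": [SERVICE_CATALOG_PRINCIPAL, "ec2.amazonaws.com"]},
        "Action": "sts:AssumeRole",
    }],
}
GOOD_PERMISSIONS = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["cloudformation:CreateStack", "cloudformation:DescribeStacks",
                   "cloudformation:DeleteStack", "ec2:RunInstances",
                   "ec2:TerminateInstances", "ec2:DescribeInstances", "s3:GetObject"],
        "Resource": "*",
    }],
}
LOOSE_PERMISSIONS = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["cloudformation:*", "ec2:*", "rds:CreateDBInstance", "iam:PassRole"],
        "Resource": "*",
    }],
}
APPROVED = ["cloudformation:", "ec2:", "s3:GetObject", "iam:PassRole"]

if __name__ == "__main__":
    for label, trust, perms in (("tight", GOOD_TRUST, GOOD_PERMISSIONS),
                                ("loose", LOOSE_TRUST, LOOSE_PERMISSIONS)):
        print(label, audit_trust_policy(trust, "111122223333")
              + audit_permissions_policy(perms, APPROVED) or "no findings")
```

The approved-prefix list is the product's own allow-list: anything the template never creates has no business in the launch role, because a launch constraint hands that role's full permissions to every launch of the product.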
Constraints
Constraints restrict the ways that specific Amazon Web Services resources can be deployed for a product. You can use them to apply limits to products for governance or cost control. There are two types of constraints: template and launch. Template constraints restrict the configuration parameters that are available for the user when launching the product (for example, EC2 instance types or IP ranges). Template constraints allow you to reuse generic Amazon CloudFormation templates for products and apply restrictions to the templates on a per-product or per-portfolio basis. Launch constraints allow you to specify a role for a product in a portfolio. This role is used to provision the resources at launch, so you can restrict user permissions without impacting users’ ability to provision products from the catalog. For example, for marketing users, you can enable them to create campaign websites, but use constraints to restrict their access to provision the underlying databases.
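A template constraint is a document in the Amazon CloudFormation template "Rules" syntax that Service Catalog evaluates against the parameters a user submits at launch. The following Python is an added example, not Service Catalog's own evaluation engine: it implements the rule functions (`Ref`, `Fn::Equals`, `Fn::Contains`, `Fn::EachMemberIn`, `Fn::Not`, `Fn::And`, `Fn::Or`) and `RuleCondition` handling needed to test a constraint document offline before it is attached to a product or portfolio. The constraint (approved instance types, an allow-list of CIDR ranges for SSH ingress, a production-only requirement) and the two parameter sets are constructed for this example; the parameter names `InstanceType`, `SshIngressCidr`, `Environment` and `MultiAZ` are assumed names, not ones from the page.

```python
"""Offline check of a Service Catalog template constraint (added example).

Template constraints use the CloudFormation template "Rules" syntax and are
evaluated by Service Catalog when a user launches the product. This evaluator
covers the rule functions used in the constructed constraint below so the
document can be tested against candidate parameter sets in advance. Service
Catalog's own evaluation at launch time remains the authoritative check.
"""


def _resolve(node, params):
    """Evaluate a rule expression: literals return themselves, dicts are intrinsics."""
    if not isinstance(node, dict):
        return node
    (fn, arg), = node.items()
    if fn == "Ref":                       # value of a launch parameter
        return params[arg]
    if fn == "Fn::Equals":
        left, right = (_resolve(x, params) for x in arg)
        return left == right
    if fn == "Fn::Contains":              # [list_of_strings, string]
        allowed, value = _resolve(arg[0], params), _resolve(arg[1], params)
        return value in allowed
    if fn == "Fn::EachMemberIn":          # [list_of_strings, list_of_strings]
        members, allowed = _resolve(arg[0], params), _resolve(arg[1], params)
        return all(m in allowed for m in members)
    if fn == "Fn::Not":
        return not _resolve(arg[0], params)
    if fn == "Fn::And":
        return all(_resolve(x, params) for x in arg)
    if fn == "Fn::Or":
        return any(_resolve(x, params) for x in arg)
    raise ValueError(f"unsupported rule function {fn}")


def evaluate_constraint(constraint, params):
    """Return 'RuleName: AssertDescription' for every assertion that fails."""
    failures = []
    for name, rule in constraint["Rules"].items():
        condition = rule.get("RuleCondition")
        if condition is not None and not _resolve(condition, params):
            continue  # a rule whose RuleCondition is false is skipped, not failed
        for assertion in rule["Assertions"]:
            if not _resolve(assertion["Assert"], params):
                failures.append(f"{name}: {assertion['AssertDescription']}")
    return failures


# Constructed constraint: approved instance sizes, an allow-list of CIDRs for
# the SSH ingress rule, and a requirement that only applies in production.
CONSTRAINT = {
    "Rules": {
        "ApprovedInstanceTypes": {
            "Assertions": [{
                "Assert": {"Fn::Contains": [["t3.micro", "t3.small"], {"Ref": "InstanceType"}]},
                "AssertDescription": "InstanceType must be t3.micro or t3.small",
            }],
        },
        "CorporateSshRangesOnly": {
            "Assertions": [{
                "Assert": {"Fn::Contains": [["10.0.0.0/8", "192.168.0.0/16"],
                                            {"Ref": "SshIngressCidr"}]},
                "AssertDescription": "SshIngressCidr must be a corporate range, not 0.0.0.0/0",
            }],
        },
        "ProductionNeedsMultiAz": {
            "RuleCondition": {"Fn::Equals": [{"Ref": "Environment"}, "prod"]},
            "Assertions": [{
                "Assert": {"Fn::Equals": [{"Ref": "MultiAZ"}, "true"]},
                "AssertDescription": "Production launches must set MultiAZ to true",
            }],
        },
    }
}

# Constructed parameter sets an end user might submit at launch.
COMPLIANT_LAUNCH = {"InstanceType": "t3.small", "SshIngressCidr": "10.0.0.0/8",
                    "Environment": "dev", "MultiAZ": "false"}
NONCOMPLIANT_LAUNCH = {"InstanceType": "m5.24xlarge", "SshIngressCidr": "0.0.0.0/0",
                       "Environment": "prod", "MultiAZ": "false"}

if __name__ == "__main__":
    for label, params in (("compliant", COMPLIANT_LAUNCH),
                          ("non-compliant", NONCOMPLIANT_LAUNCH)):
        print(label, evaluate_constraint(CONSTRAINT, params) or "passes all rules")
```

Keeping the CIDR allow-list and the instance-type list in the constraint rather than in the template itself is what lets one generic template be reused across portfolios with different limits, which is the reuse the paragraph above describes.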
Stacks
Every Amazon Service Catalog product is launched as an Amazon CloudFormation stack, which is a set of resources provisioned for that instance of the product. Amazon CloudFormation stacks make it easier to manage the lifecycle of your product by allowing you to provision, tag, update, and terminate your product instance as a single unit.
Service actions
Using service actions, you can enable end users to perform operational tasks, troubleshoot issues, run approved commands, or request permissions in Amazon Service Catalog on your provisioned products, without granting end users full access to the underlying services. You use Amazon Systems Manager documents to define service actions. The Amazon Systems Manager documents provide access to pre-defined actions that implement Amazon Web Services best practices, such as Amazon EC2 stop and reboot, and you can also define custom actions.