AWS Cloud Governance - Service Catalog

Shailender Choudhary
4 min read · Jan 2, 2020

The increasing popularity and adoption of the cloud is catching the eye of businesses of every size, from startups to large enterprises. The question then arises, “Is the cloud safe?”, and the plain answer is “It depends”. Because the cloud works on a shared responsibility model, security becomes the top priority. But the cloud is huge, and taking care of security is not easy. Strict rules and regulations should be set up in the AWS environment to provide strong guardrails. This whole setup is called Cloud Governance.

There is no single way to provide the necessary controls for better AWS account management, cost control, and security and compliance through automation. In fact, there are 6 methods by which we can govern the AWS environment:

  1. Service Catalog
  2. Effective Provisioning
  3. Policy Automation
  4. Tagging & Chargeback
  5. Cost Optimization
  6. Security Framework

In this article, I will provide more information on governance using the Service Catalog.

What is a Service Catalog?

Service Catalog allows organizations to create and manage catalogs of IT services. Service Catalog enables end-users to deploy approved IT services they need, in a self-service manner, typically within minutes.

Features of Service Catalog

  1. Template constraints restrict the configuration parameters available to the user.
  2. It ensures that AWS resources adhere to security and governance standards.
  3. Developers can launch resources from the console without writing any code.
  4. It provides centralized, cross-account control and better operational control.

Service Catalog Process

The service catalog process is divided into 2 main tasks — Administrator tasks and User tasks.

In the administrator’s tasks, a portfolio is created which consists of multiple products (IT services or resources). Once the portfolio is ready, constraints are applied to it. This provides users with self-service that has compliance pre-configured.

In the user tasks, the user sees only the products to which access has been granted, so self-service provisioning stays under governance control.

Sample Scenario

A user from the developer team should be able to launch EC2 instances for development purposes, but the user should have the option to select only t2.micro or m3.medium instances. The user has no permission to launch EC2 instances directly. Members of the development team should not be able to launch large instances, and their choices and options should be limited.

Let’s start implementing the Administrator’s tasks first.

Log in to the AWS Console with a user that has Admin access to Service Catalog. Next, create a portfolio in Service Catalog with the desired name and description.

Select the created portfolio and upload a new product. In this scenario, I am using the CloudFormation template provided by AWS to create a product that builds a wide range of EC2 instances along with security groups and key pair association.

https://awsdocs.s3.amazonaws.com/servicecatalog/development-environment.template

Up to this point, all users having access to Service Catalog can launch instances without any restrictions.

The next and most important step is to apply constraints.

Create a template constraint that restricts the type of instances a user can launch. Users can now select only t2.micro or m3.medium.

Next, create a launch constraint and attach it to the product in the portfolio. Service Catalog will now assume the IAM role specified in the launch constraint and create the resources defined in the template, irrespective of the access permissions of the user.

Both constraints are created now.
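As an added illustration (not part of the original article and not AWS-provided code), the following Python builds the Rules document that a TEMPLATE constraint takes (the JSON handed to `aws servicecatalog create-constraint --type TEMPLATE --parameters`) for the t2.micro/m3.medium restriction above, and evaluates it locally against sample parameter values the way Service Catalog does at launch time, so the rule can be checked before it is attached. The template parameter name `InstanceType` and the rule name `RestrictInstanceType` are assumptions; everything runs offline.

```python
import json

ALLOWED_INSTANCE_TYPES = ["t2.micro", "m3.medium"]  # the two types the scenario permits


def build_template_constraint(allowed, parameter="InstanceType"):
    """Rules document restricting `parameter` (assumed template parameter name) to `allowed`."""
    return {
        "Rules": {
            "RestrictInstanceType": {  # rule name is an arbitrary label
                "Assertions": [
                    {
                        "Assert": {"Fn::Contains": [allowed, {"Ref": parameter}]},
                        "AssertDescription": f"{parameter} must be one of {', '.join(allowed)}",
                    }
                ]
            }
        }
    }


def _evaluate(expr, params):
    """Evaluate the subset of rule functions used in constraint documents."""
    if isinstance(expr, dict) and len(expr) == 1:
        (fn, arg), = expr.items()
        if fn == "Ref":
            return params[arg]
        if fn == "Fn::Contains":  # arguments: [list_of_strings, string]
            options, value = arg
            return _evaluate(value, params) in options
        if fn == "Fn::Equals":
            return _evaluate(arg[0], params) == _evaluate(arg[1], params)
    return expr  # literal string or list


def check_parameters(rules_doc, params):
    """Return failed AssertDescriptions; an empty list means the launch would be allowed."""
    failures = []
    for rule in rules_doc["Rules"].values():
        for assertion in rule["Assertions"]:
            if not _evaluate(assertion["Assert"], params):
                failures.append(assertion["AssertDescription"])
    return failures


if __name__ == "__main__":
    doc = build_template_constraint(ALLOWED_INSTANCE_TYPES)
    print(json.dumps(doc, indent=2))  # the JSON to attach as the TEMPLATE constraint
    print(check_parameters(doc, {"InstanceType": "t2.micro"}))    # []
    print(check_parameters(doc, {"InstanceType": "m3.2xlarge"}))  # one failure
```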

Now the final step of the Administrator’s tasks is to add the user to the portfolio. Users, groups, and roles can be added, but in this case we are adding only a single user.

To test the end-user experience for Service Catalog, log in with a user having Service Catalog end user full access.

Go to the product list and select the product.

Launch the product and provide the name and version of the product.

In the parameters options, only the constrained EC2 instance types will be visible. Users can select only from the authorized list, irrespective of the list of EC2 types defined in the CloudFormation template in the product.

Provide the tags and other required options and launch the instance. All the resources will be created on the user’s behalf, and there is no need to grant the user access to the different resources that are created in the background.

Service Catalog provides governance over the environment. All existing CloudFormation templates can be included in Service Catalog to provide regulated, compliant self-service.

Shailender Choudhary

Lead Cloud and DevSecOps Consultant at SoftwareONE Australia