AWS Service Catalog

  • AWS Service Catalog helps centrally manage cloud resources to achieve governance at scale over infrastructure as code (IaC) templates written in CloudFormation or Terraform.
  • allows IT administrators to create, manage, and distribute catalogs of approved products to end users, who can then access the products they need in a personalized portal.
  • can help control which users have access to each product to enforce compliance with organizational business policies while making sure the customers can quickly deploy the cloud resources they need.
  • increases agility and reduces costs as end users can find and launch only the products they need from a controlled catalog.
  • is a regional service; portfolios and products are regional constructs that need to be created per Region and are only visible and usable in the Region in which they were created.
  • supports VPC Endpoints to privately access Service Catalog APIs from VPC without the need for an Internet gateway, NAT gateway, or VPN connection.
[Figure: AWS Service Catalog overview. Source: AWS]

Service Catalog Portfolios and Products

  • A Service Catalog portfolio is a collection of products, together with configuration information that determines who can use those products and how they can use them.
  • Each Service Catalog product is based on an infrastructure-as-code (IaC) template using CloudFormation or Terraform.
  • Customized portfolios can be created for each type of user in an organization and selectively granted access to the appropriate portfolio.
  • When an administrator adds a new version of a product to a portfolio, that version is automatically available to all current portfolio users.
  • The same product can be included in multiple portfolios.
  • Portfolios can be shared with other AWS accounts and extended by applying additional constraints.

Service Catalog Access Control

  • Launch Constraint
    • provides AWS Service Catalog with the capability to perform actions on behalf of users even when those users do not have the IAM permissions to perform those actions directly.
    • is an IAM role that AWS Service Catalog assumes when an end user launches a product.
    • Products without a launch constraint are launched and managed using the end user’s own IAM credentials; if those credentials are not sufficient, errors result either during provisioning or during later management activities.
  • Template Constraint
    • defines rules that limit the parameter values a user can enter when launching a product.
    • is applied when provisioning a new product or updating a product that is already in use.
    • the most restrictive constraint among all constraints applied to the portfolio and the product is enforced.
    • is not supported for Terraform configurations.
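Template constraints are written in CloudFormation Rules syntax. The block below is an added illustration, not code from AWS or from this page: a small offline evaluator that applies a portfolio-level and a product-level constraint (both constructed samples) to a set of launch parameters. It treats every assertion of every constraint as required, which is how the "most restrictive constraint wins" behaviour is modelled here (an assumption of this example).

```python
"""Offline evaluator for Service Catalog template constraints (CloudFormation Rules syntax)."""
import json

# Constructed sample constraints (not from AWS): a portfolio-level allow-list and a
# stricter product-level rule that only applies when Environment is "prod".
PORTFOLIO_CONSTRAINT = json.loads("""{
  "Rules": {"AllowedInstanceTypes": {"Assertions": [{
    "Assert": {"Fn::Contains": [["t3.micro", "t3.small", "m5.large"], {"Ref": "InstanceType"}]},
    "AssertDescription": "Instance type must be one of the approved types"}]}}}""")
PRODUCT_CONSTRAINT = json.loads("""{
  "Rules": {"ProdOnlyBurstable": {
    "RuleCondition": {"Fn::Equals": [{"Ref": "Environment"}, "prod"]},
    "Assertions": [{
      "Assert": {"Fn::Contains": [["t3.micro", "t3.small"], {"Ref": "InstanceType"}]},
      "AssertDescription": "Production launches may only use t3.micro or t3.small"}]}}}""")

def resolve(expr, params):
    """Evaluate a rule intrinsic: Ref, Fn::Equals, Fn::Contains, Fn::Not, Fn::And, Fn::Or."""
    if not isinstance(expr, dict):
        return expr  # literal string or list
    (fn, arg), = expr.items()
    if fn == "Ref":
        return params[arg]
    args = [resolve(a, params) for a in arg]
    if fn == "Fn::Equals":
        return args[0] == args[1]
    if fn == "Fn::Contains":
        return args[1] in args[0]
    if fn == "Fn::Not":
        return not args[0]
    if fn == "Fn::And":
        return all(args)
    if fn == "Fn::Or":
        return any(args)
    raise ValueError(f"unsupported intrinsic {fn}")

def evaluate_constraints(constraints, params):
    """Check every rule of every constraint; a launch passes only if no assertion fails,
    which models 'most restrictive wins'. Returns the descriptions of failed assertions."""
    failures = []
    for constraint in constraints:
        for name, rule in constraint["Rules"].items():
            cond = rule.get("RuleCondition")
            if cond is not None and not resolve(cond, params):
                continue  # rule condition false: this rule does not apply
            for assertion in rule["Assertions"]:
                if not resolve(assertion["Assert"], params):
                    failures.append(f"{name}: {assertion['AssertDescription']}")
    return failures
```

An empty result means the parameters satisfy every constraint; any entry is a reason Service Catalog would reject the launch or update.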

Service Catalog AppRegistry

  • Service Catalog AppRegistry allows organizations to understand the application context of their AWS resources.
  • AppRegistry provides a repository for the information that describes the applications and associated resources that you use within your enterprise.
  • AppRegistry provides a single, up-to-date definition of the applications within an AWS environment.

AWS Certification Exam Practice Questions

  • Questions are collected from the Internet and the answers are marked as per my knowledge and understanding (which might differ from yours).
  • AWS services are updated every day and both the answers and questions might be outdated soon, so research accordingly.
  • AWS exam questions are not updated to keep pace with AWS updates, so even if the underlying feature has changed the question might not be updated.
  • Open to further feedback, discussion and correction.
  1. A company has several business units that want to use Amazon EC2. The company wants to require all business units to provision their EC2 instances by using only approved EC2 instance configurations. What should a SysOps administrator do to implement this requirement?
    1. Create an EC2 instance launch configuration. Allow the business units to launch EC2 instances by specifying this launch configuration in the AWS Management Console.
    2. Develop an IAM policy that limits the business units to provision EC2 instances only. Instruct the business units to launch instances by using an AWS CloudFormation template.
    3. Publish a product and launch constraint role for EC2 instances by using AWS Service Catalog. Allow the business units to perform actions in AWS Service Catalog only.
    4. Share an AWS CloudFormation template with the business units. Instruct the business units to pass a role to AWS CloudFormation to allow the service to manage EC2 instances.
