AWS Service Catalog
- AWS Service Catalog helps centrally manage cloud resources and achieve governance at scale over infrastructure as code (IaC) templates written in CloudFormation, Terraform, or other IaC tools via External Engines.
- allows IT administrators to create, manage, and distribute catalogs of approved products to end users, who can then access the products they need in a personalized portal.
- can help control which users have access to each product to enforce compliance with organizational business policies while making sure the customers can quickly deploy the cloud resources they need.
- increases agility and reduces costs as end users can find and launch only the products they need from a controlled catalog.
- is a regional service; portfolios and products are regional constructs that must be created per Region and are only visible and usable in the Regions in which they were created.
- supports VPC Endpoints to privately access Service Catalog APIs from VPC without the need for an Internet gateway, NAT gateway, or VPN connection.
- integrates with AWS Organizations for portfolio sharing across accounts, supporting delegated administrator capabilities.

Service Catalog Portfolios and Products
- Service Catalog portfolio is a collection of products, with configuration information that determines who can use those products and how they can use them.
- Each Service Catalog product is based on an infrastructure-as-code (IaC) template using CloudFormation, Terraform, or External Engines.
- Service Catalog supports three product types:
  - AWS CloudFormation – native support for CloudFormation templates
  - Terraform Cloud – integration with HashiCorp Terraform Cloud managed service
  - External – supports Terraform Community Edition (formerly Terraform Open Source) and other third-party IaC tools via self-managed provisioning engines
- Customized portfolios can be created for each type of user in an organization and selectively granted access to the appropriate portfolio.
- When an administrator adds a new version of a product to a portfolio, that version is automatically available to all current portfolio users.
- The same product can be included in multiple portfolios.
- Portfolios can be shared with other AWS accounts and extended by applying additional constraints.
- Portfolio sharing supports account-to-account sharing, AWS Organizations sharing (to OUs or the entire organization), and deployment via CloudFormation StackSets.
Service Catalog Git-Synced Products
- Service Catalog supports syncing products with IaC template files from external Git repositories including GitHub, GitHub Enterprise, and Bitbucket.
- Git-synced products automatically update when changes are pushed to the connected repository, keeping products in sync with source control.
- Uses AWS CodeConnections (formerly AWS CodeStar Connections, renamed March 2024) to establish and manage the connection between AWS and the external Git provider.
- Enables Platform Engineers to streamline DevOps processes by keeping IaC templates in source control while automatically reflecting changes in Service Catalog.
- Service Catalog uses the AWSServiceCatalogSyncServiceRolePolicy managed policy and the AWSServiceRoleForServiceCatalogSync service-linked role for sync operations.
Service Catalog External Engines
- External Engines extend Service Catalog capabilities beyond native CloudFormation templates, enabling the use of other IaC tools.
- The EXTERNAL product type replaced the previous “Terraform Open Source” product type (October 2023).
- AWS Service Catalog no longer supports Terraform Open Source as a valid product type for any new products or provisioned products.
- Existing Terraform Open Source products must be migrated to the External product type.
- External engines require installing and configuring a provisioning engine in the Service Catalog administrator account (hub account).
- Supports self-managed engines for governance, allowing organizations to use Terraform Community Edition, Pulumi, or other IaC tools with Service Catalog’s governance framework.
Service Catalog Access Control
- Launch Constraint
  - provides AWS Service Catalog with the capability to perform actions on behalf of users even when those users do not have the necessary IAM permissions to perform those actions directly.
  - is an IAM Role that AWS Service Catalog assumes when an end user launches a product.
  - Service Catalog products without a launch constraint will launch and manage products using the end user’s IAM credentials; if the end user credentials are not sufficient for those activities, errors will result either in provisioning or in management activities.
  - supported for CloudFormation, Terraform Open Source (External), and Terraform Cloud product types.
- Template Constraint
  - defines rules that limit the parameter values that a user enters when launching a product.
  - is applied when provisioning a new product or updating a product that is already in use.
  - applies the most restrictive constraint among all constraints applied to the portfolio and the product.
  - is not supported for Terraform/External or Terraform Cloud product types.
- Stack Set Constraint
  - allows configuring product deployment options using CloudFormation StackSets.
  - enables launching products as stack sets across multiple accounts and Regions.
  - a product can have either a launch constraint or a stack set constraint, but not both.
  - not supported for Terraform/External product types.
- Notification Constraint
  - allows specifying an Amazon SNS topic to receive notifications about stack events.
  - not supported for Terraform Open Source or Terraform Cloud products.
- TagOptions
  - TagOption library provides a centralized way to manage tags on provisioned resources.
  - allows administrators to define a set of key-value pairs that are applied to provisioned products.
  - resource tagging varies by account, so TagOptions are managed separately from portfolio product configurations.
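
A pre-deployment check for the launch constraint and stack set constraint rules above, added here as an example and not part of the original notes: it reads a parsed CloudFormation template that declares the catalog and flags product associations that would provision with the end user's own credentials, or that set both constraint types. The sample template, its logical names and the helper names are constructed; only `Ref` references inside the same template are resolved.

```python
SC = "AWS::ServiceCatalog::"

def _pair(props):
    """(portfolio, product) key; {'Ref': name} is reduced to the logical name."""
    def name(value):
        if isinstance(value, dict) and "Ref" in value:
            return value["Ref"]
        return str(value)
    return (name(props.get("PortfolioId")), name(props.get("ProductId")))

def audit_constraints(template):
    """Return sorted (portfolio, product, finding) tuples for a parsed template."""
    by_type = {}
    for res in template.get("Resources", {}).values():
        by_type.setdefault(res.get("Type", ""), []).append(_pair(res.get("Properties", {})))
    launch = set(by_type.get(SC + "LaunchRoleConstraint", []))
    stack_set = set(by_type.get(SC + "StackSetConstraint", []))
    findings = []
    for pair in by_type.get(SC + "PortfolioProductAssociation", []):
        if pair in launch and pair in stack_set:
            # A product may carry one or the other, never both.
            findings.append(pair + ("has both a launch and a stack set constraint",))
        elif pair not in launch and pair not in stack_set:
            # Without a launch role the end user's IAM credentials are used.
            findings.append(pair + ("no launch constraint: provisions with end-user credentials",))
    return sorted(findings)

def _res(kind, portfolio, product):
    """Build one constructed resource entry that references logical names."""
    return {"Type": SC + kind,
            "Properties": {"PortfolioId": {"Ref": portfolio}, "ProductId": {"Ref": product}}}

# Constructed sample template (hypothetical logical names, not from the page).
SAMPLE = {"Resources": {
    "WebAssoc": _res("PortfolioProductAssociation", "Portfolio", "WebProduct"),
    "WebLaunch": _res("LaunchRoleConstraint", "Portfolio", "WebProduct"),
    "DbAssoc": _res("PortfolioProductAssociation", "Portfolio", "DbProduct"),
    "FleetAssoc": _res("PortfolioProductAssociation", "Portfolio", "FleetProduct"),
    "FleetLaunch": _res("LaunchRoleConstraint", "Portfolio", "FleetProduct"),
    "FleetStackSet": _res("StackSetConstraint", "Portfolio", "FleetProduct"),
}}

if __name__ == "__main__":
    for portfolio, product, finding in audit_constraints(SAMPLE):
        print(f"{portfolio}/{product}: {finding}")
```

Constraints created outside the template (console, API, or another stack) are not visible to this check, so a finding means "not declared here" and should be confirmed against the live portfolio.
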
Service Catalog Service Actions
- Service actions enable end users to perform operational tasks, troubleshoot issues, run approved commands, or request permissions on provisioned products.
- Eliminates the need to grant end users full access to AWS services.
- Uses AWS Systems Manager (SSM) documents to define service actions.
- Provides access to pre-defined actions that implement AWS best practices (e.g., EC2 stop and reboot) and custom actions.
- Service actions are not available for Terraform/External or Terraform Cloud product types.
Service Catalog AppRegistry
- Service Catalog AppRegistry allows organizations to understand the application context of their AWS resources.
- AppRegistry provides a repository for the information that describes the applications and associated resources that you use within your enterprise.
- AppRegistry provides a single, up-to-date definition of applications within their AWS environment.
- Applications are defined with a name, description, associations to attribute groups (metadata), and associations to CloudFormation stacks (resources).
- Attribute Groups support an open JSON schema, providing flexibility to capture enterprise metadata such as security classification, organizational ownership, cost center, and support information.
- AppRegistry integrates with the myApplications dashboard in the AWS Management Console (launched November 2023), providing an application-centric view of key metrics including cost, health, security findings, and performance.
- The awsApplication tag is automatically applied to associated resources, enabling application-level tracking across AWS services.
- Supports Terraform-managed applications through the myApplications integration.
Service Catalog Integration with ITSM
- AWS Service Management Connector previously provided integration with ServiceNow and Jira Service Management for provisioning Service Catalog products from ITSM tools.
- Note: AWS Service Management Connector is no longer available to new customers as of March 31, 2026, and will reach end of support on March 31, 2027. Existing customers can continue using it until the end of support date.
AWS Certification Exam Practice Questions
- Questions are collected from the Internet and the answers are marked as per my knowledge and understanding (which might differ from yours).
- AWS services are updated every day and both the answers and questions might be outdated soon, so research accordingly.
- AWS exam questions are not updated to keep pace with AWS updates, so even if the underlying feature has changed the question might not be updated.
- Open to further feedback, discussion and correction.
- A company has several business units that want to use Amazon EC2. The company wants to require all business units to provision their EC2 instances by using only approved EC2 instance configurations. What should a SysOps administrator do to implement this requirement?
  - Create an EC2 instance launch configuration. Allow the business units to launch EC2 instances by specifying this launch configuration in the AWS Management Console.
  - Develop an IAM policy that limits the business units to provision EC2 instances only. Instruct the business units to launch instances by using an AWS CloudFormation template.
  - Publish a product and launch constraint role for EC2 instances by using AWS Service Catalog. Allow the business units to perform actions in AWS Service Catalog only.
  - Share an AWS CloudFormation template with the business units. Instruct the business units to pass a role to AWS CloudFormation to allow the service to manage EC2 instances.
- A platform engineering team wants to ensure that all infrastructure deployments across the organization use approved Terraform configurations. The team wants developers to self-provision infrastructure without needing direct access to AWS services. Which approach meets these requirements?
  - Store Terraform configurations in an S3 bucket and grant developers read access to download and run them locally.
  - Create products using the External product type in AWS Service Catalog with a Terraform provisioning engine and grant developers access to the portfolio.
  - Create an IAM policy that allows developers to run terraform apply only with pre-approved configurations.
  - Use AWS CloudFormation to deploy Terraform configurations using custom resources.
- A company wants to maintain a catalog of approved AWS resources that automatically stays in sync with their GitHub repository whenever templates are updated. Which Service Catalog feature should they use?
  - Create a Lambda function that triggers on GitHub webhooks to update Service Catalog products.
  - Use AWS CodePipeline to deploy updated templates to Service Catalog on each commit.
  - Use Service Catalog Git-synced products with AWS CodeConnections to sync products from the GitHub repository.
  - Manually upload new template versions to Service Catalog after each repository update.
- An organization needs to track the cost, health, and security posture of their cloud applications from a single dashboard. They use Service Catalog AppRegistry to define their applications. Which AWS feature provides this consolidated application-level view?
  - AWS CloudWatch Application Insights
  - AWS Systems Manager Application Manager
  - myApplications dashboard in the AWS Management Console
  - AWS Resource Groups console