AWS Service Catalog Cheat Sheet
AWS Service Catalog allows organizations to create and manage catalogs of IT services that are approved for use on AWS. It simplifies governance and helps organizations achieve consistent standards while enabling users to quickly deploy the services they need through a self-service portal.
Core Problem and Personas
Service Catalog is designed to serve two primary roles within an organization:
- Administrators: Central IT or cloud platform teams who define a curated portfolio of approved products, manage versions, apply constraints, and grant access to end-users. They are responsible for the underlying infrastructure templates.
- End-Users: Developers, data scientists, and other internal customers who can browse the catalog and launch products with a single action. They don't need deep AWS expertise or direct permissions for the underlying services, which accelerates their work.
Key Components
Product
- A product is a blueprint for an AWS service or application that you want to make available for deployment.
- Each product is based on an AWS CloudFormation template, which defines all the AWS resources required for that product (e.g., an EC2 instance with a specific AMI, a database, a VPC configuration).
- Products are version-controlled, allowing administrators to update templates and manage the product lifecycle (e.g., updating AMIs, changing instance types) in a controlled manner.
Portfolio
- A portfolio is a collection of products, combined with the configuration information that governs how those products can be used.
- Administrators use portfolios to:
  - Group related products together (e.g., a "Web Application" portfolio).
  - Grant access to specific IAM users, groups, or roles.
  - Apply constraints to the products within the portfolio.
- Portfolios can also be shared across AWS accounts within an AWS Organization.
Provisioned Product
- A provisioned product is the live, running instance of a product that an end-user has launched from the catalog.
- Under the hood, a provisioned product is a deployed AWS CloudFormation stack.
Constraints (Governance)
Constraints are a critical feature for enforcing governance, cost control, and security. They are applied to a product within a portfolio.
- Launch Constraint: This is the most powerful feature. An administrator specifies an IAM role that Service Catalog assumes when an end-user launches the product. This allows the end-user to provision resources they do not have direct IAM permissions for, enforcing the principle of least privilege.
- Template Constraint: Restricts the configuration parameters that an end-user can input when launching a product. For example, an administrator can use this to limit the available EC2 instance types to a specific, cost-effective list.
- Notification Constraint: Sends notifications about stack events (create, update, delete) for provisioned products to a specified Amazon SNS topic. This is useful for tracking and monitoring.
- Tag Update Constraint: Controls whether end-users are allowed to modify the tags on the resources that make up their provisioned product.
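A template constraint is written as a rules document in the same Rules syntax CloudFormation uses. The following is an added example (not from this page or from AWS): a small Python evaluator that applies a constructed rules document to proposed launch parameters and reports which assertions a launch would violate. The rule names, the allowed instance types and the function names are assumptions; it implements only the Ref, Fn::Equals, Fn::Contains, Fn::Not, Fn::And and Fn::Or functions.

```python
import json

# Constructed template-constraint rules document (same Rules syntax as CloudFormation):
# limits the instance type, and forbids the smallest type when Environment is "prod".
CONSTRAINT_RULES = json.loads("""
{"Rules": {
  "AllowedInstanceTypes": {
    "Assertions": [{
      "Assert": {"Fn::Contains": [["t3.micro", "t3.small", "t3.medium"], {"Ref": "InstanceType"}]},
      "AssertDescription": "InstanceType must be t3.micro, t3.small or t3.medium"}]},
  "ProdNeedsLargerType": {
    "RuleCondition": {"Fn::Equals": [{"Ref": "Environment"}, "prod"]},
    "Assertions": [{
      "Assert": {"Fn::Not": [{"Fn::Equals": [{"Ref": "InstanceType"}, "t3.micro"]}]},
      "AssertDescription": "prod launches may not use t3.micro"}]}
}}
""")

def _eval(expr, params):
    """Evaluate the subset of rule functions used above against the launch parameters."""
    if not isinstance(expr, dict):
        return expr                       # literal string or list of strings
    (fn, arg), = expr.items()
    if fn == "Ref":
        return params[arg]
    if fn == "Fn::Equals":
        return _eval(arg[0], params) == _eval(arg[1], params)
    if fn == "Fn::Contains":              # arguments: [list_of_strings, string]
        return _eval(arg[1], params) in _eval(arg[0], params)
    if fn == "Fn::Not":
        return not _eval(arg[0], params)
    if fn in ("Fn::And", "Fn::Or"):
        return (all if fn == "Fn::And" else any)(_eval(a, params) for a in arg)
    raise ValueError(f"unsupported rule function {fn}")

def check_launch(rules, params):
    """Return the violated AssertDescriptions; an empty list means the launch is allowed."""
    violations = []
    for name, rule in rules["Rules"].items():
        # A rule carrying a RuleCondition is only enforced when that condition holds.
        if "RuleCondition" in rule and not _eval(rule["RuleCondition"], params):
            continue
        for assertion in rule["Assertions"]:
            if not _eval(assertion["Assert"], params):
                violations.append(f"{name}: {assertion['AssertDescription']}")
    return violations
```

Calling check_launch(CONSTRAINT_RULES, {"InstanceType": "t3.micro", "Environment": "prod"}) returns the ProdNeedsLargerType violation, while the same instance type with Environment "dev" is allowed.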
Other Key Features
Service Actions
- Allows administrators to create a list of approved, custom actions that end-users can perform on their own provisioned products.
- These actions are defined using AWS Systems Manager documents and can be used for common operational tasks like rebooting an instance, creating a database snapshot, or applying patches.
AppRegistry
- A feature within Service Catalog that allows you to create a central repository of your applications and their associated resources.
- It helps you understand your application's context by linking resource collections and metadata, which is useful for discovery, reporting, and management.
How It Works: The Workflow
- Admin Creates Template: An administrator creates an AWS CloudFormation template that defines the resources for a service (e.g., a standard three-tier web application).
- Admin Creates Product: The admin imports this template into Service Catalog to create a versioned product.
- Admin Configures Portfolio: The admin adds the product to a portfolio, applies necessary constraints (like a launch role), and grants access to an IAM group of developers.
- End-User Launches Product: A developer in that IAM group browses the portfolio and launches the product. They only need to provide the parameters allowed by the template constraints.
- Service Catalog Provisions: Service Catalog assumes the specified launch role and executes the CloudFormation template to create the stack and all its resources on the developer's behalf.
Pricing
- AWS Service Catalog has a free tier that includes 1,000 API calls per account per month.
- Beyond the free tier, you are charged based on the number of API calls made to the service. You also pay for the underlying AWS resources that are created by the provisioned products.