Control AWS resources available to your users using AWS Service Catalog

The grant least privilege best practice advises you to grant only the permissions that are required to perform a task. To follow this best practice you should determine what your users need to do and then design IAM policies that let users perform only those tasks. AWS Service Catalog extends the very same best practice. If you are an administrator, it lets you specify the AWS CloudFormation template that your users can launch, while restricting the permissions required to create individual services. If you are an end user of the AWS Service Catalog, you don’t need to worry whether you have enough permissions to launch the stack or whether you are following your organization’s tagging strategy correctly.

In the first part of this two-part series of blog posts, I explain how you can manage the AWS resources your users can create using AWS Service Catalog. In the second blog post, I show how you can use AWS Lambda to decommission all of the resources that have been provisioned from an AWS Service Catalog portfolio.

Before I get into how it works, let’s first review a few key AWS Service Catalog concepts:

• A product is an IT service that you want to make available for deployment on AWS. You create a product by importing a CloudFormation template.
• A provisioned product is a CloudFormation stack. When an end user launches a product, the AWS Service Catalog provisions the product in form of a CloudFormation stack.
• A portfolio is a collection of products, together with the configuration information. You can use portfolios to manage the user access to specific products.
• Constraints control the way users can deploy a product. With launch constraints, you can specify a role that the AWS Service Catalog can assume to launch a product from the portfolio.

Now I’ll walk you through a use case to show you how you can control the AWS resources your users can create. In this use case, you want to conduct a training of a web-based product, say WordPress, using your training AWS account. (WordPress is an open-source blogging tool and content management system (CMS) based on PHP and MySQL.) On the day of the training, attendees sign into your training AWS account using IAM user credentials that you created, and create their own AWS CloudFormation stack using a WordPress CloudFormation template. The stack outputs a WordPress endpoint that they use during the training. Here are two of the many things that could go wrong due to a single malicious attendee:

• The user might tweak the CloudFormation template to do unauthorized actions like:
  • Launching a high-end EC2 instance.
  • Launching an EC2 instance with a wide-open security group.
  • Something else!
• The user might never tag any of the resources they created leaving you a number of unknown resources to manually discover and clean-up after the training.

A simple solution to mitigate these problems is not to give CloudFormation template creation access to the IAM users. Instead, you will use AWS Service Catalog to manage the resource provisioning.

Solution

Here are the steps you need to go through to let attendees launch a stack using your predefined CloudFormation template:

1. First, create a portfolio.
2. Then, upload WordPress product to the portfolio created. The product contains the WordPress CloudFormation template and configuration information.
3. Next, create an AWS Service Catalog IAM role (role) and associate it with the WordPress product, as a launch constraint. Later, when users provision the product, AWS Service Catalog will assume the role created.
4. Next, grant the training attendees access to the portfolio that you created.
5. Then verify whether training users can provision the product. During the training, users can use the AWS Service Catalog to provision the WordPress product.
6. After the training is over, you terminate all provisioned products from the portfolio.

The following solution diagram illustrates how you can set up a training using AWS Service Catalog.

Note

Before you begin, you need to do the following:

1. Create an IAM user group for the training attendees. To do so, create one or more IAM users (for distributing to training attendees) in your AWS account and assign no permissions to them. Next, create an IAM User Group with a group name as Training-Users and then add IAM users created to the Training-Users group.
2. Verify that AWS Service Catalog is supported in the AWS Region.
3. Verify that you have:
   • AWS Service Catalog Administrator access.
   • IAM Permissions to create a new IAM role.

Then, you need to create an AWS Service Catalog portfolio. You will use the portfolio to provide training attendees an access to the WordPress product.

Step 1. Create a portfolio

For this use case, you can create a single portfolio with a Training Portfolio name. You will later grant training attendees access to this portfolio. To create a portfolio:

1. Sign in to the AWS Management Console and then open https://console.aws.amazon.com/servicecatalog/.
2. If you are using the AWS Service Catalog administrator console for the first time, choose Get started to start the wizard for configuring a portfolio. Otherwise, choose Create portfolio.
3. Enter the following values:
   1. Portfolio name – Training Portfolio
   2. Description – Portfolio for conducting a WordPress training.
   3. Owner – Training Team
4. Choose Create.

Next, associate the Portfolio-Name tagOption with the portfolio. This will cause AWS Service Catalog to attach Portfolio-Name tag to all resources created during provisioning of the product from the portfolio. If you are a first-time user, ensure that you have migrated to the TagOption Library. To associate a tag:

1. Open https://console.aws.amazon.com/servicecatalog/.
2. From the Service Catalog drop-down menu, choose TagOption library.
3. Choose Create new TagOption.
4. Specify key as Portfolio-Name, value as Training Portfolio, choose Save.
5. From the Service Catalog drop-down menu, choose Portfolios list.
6. Select Training Portfolio, expand TagOptions, choose Add TagOption.
7. Select the entry with the key as Portfolio-Name, value as Training Portfolio, choose Save.

Next, you need to upload the WordPress product to the portfolio created.

Step 2. Upload the WordPress product in the portfolio

In this step, you upload the CloudFormation Template you want your users to launch, in the form of a product. To upload a product:

1. Open https://console.aws.amazon.com/servicecatalog/.
2. Click on Training Portfolio to open the portfolio details page, and then choose Upload new product.
3. On the Enter product details page, type the following and then choose Next:
   • Product name – WordPress
   • Description – This product launches WordPress CloudFormation Stack.
   • Provided by – Training Team
4. On the Enter support details page, choose Next.
5. On the Version details page, choose Specify a URL location for an Amazon CloudFormation template, type https://s3-us-west-2.amazonaws.com/cloudformation-templates-us-west-2/WordPress_Single_Instance.template in the text box. Specify:
   • Version title – v1.0
   • Description – Base Version
6. Choose Next.
7. On the Review page, choose Create.

Next, you’ll create an IAM role that AWS Service Catalog can assume to allow training attendees to launch a product.

Step 3. Create a Service Catalog IAM role and associate it with the WordPress product as a launch constraint

Create a role that will have permissions to create a CloudFormation stack as well as to create all resources created by the WordPress CloudFormation template. To create the IAM role:

1. Open the IAM console at https://console.aws.amazon.com/iam/.
2. In the navigation pane, choose Policies. Choose Create policy and do the following:
   1. Choose JSON Tab.
   2. Paste the following policy in the editor:

      {
      	"Version": "2012-10-17",
      	"Statement": [
      		{ 
      			"Sid": "LaunchWordPressRole",
      			"Effect": "Allow",
      			"Action": [
      				"ec2:AuthorizeSecurityGroupEgress",
      				"ec2:AuthorizeSecurityGroupIngress",
      				"ec2:DeleteSecurityGroup",
      				"ec2:TerminateInstances", 
      				"ec2:CreateSecurityGroup", 
      				"ec2:RunInstances", 
      				"ec2:createTags", 
      				"catalog-user:*", 
      				"cloudformation:CreateStack", 
      				"cloudformation:DeleteStack", 
      				"cloudformation:DescribeStackEvents", 
      				"cloudformation:DescribeStacks", 
      				"cloudformation:GetTemplateSummary", 
      				"cloudformation:SetStackPolicy", 
      				"cloudformation:ValidateTemplate", 
      				"cloudformation:UpdateStack", 
      				"ec2:describe*", 
      				"ec2:get*", 
      				"s3:GetObject", 
      				"sns:*"
      			], 
      			"Resource": [ 
      				"*" 
      			] 
      		} 
      	] 
      }

   3. Choose Review Policy.
   4. Provide a name, such as WordPressPolicy, choose Create Policy.
3. In the navigation pane, choose Roles. Choose Create role and do the following:
   1. Choose AWS service and then choose Service Catalog. Next, choose Next: Permissions.
   2. In Filter panel, type WordPressPolicy.
   3. Select the check box for the WordPressPolicy policy, and then choose Next: Review.
   4. For Role name, type WordPressServiceCatalogLaunchRole.
   5. Choose Create role.
   6. In the filter panel, type WordPressServiceCatalogLaunchRole.
   7. Click on the result with WordPressServiceCatalogLaunchRole as the role name.
   8. Note the Role ARN displayed on the summary page.

Next, you need to associate the IAM role with the product. This allows AWS Service Catalog to assume the role to launch the product. To associate the IAM role with the product:

1. Open the AWS Service Catalog console at https://console.aws.amazon.com/servicecatalog/.
2. Choose the Training Portfolio.
3. On the portfolio details page, expand the Constraints section, and then choose Add constraints.
4. For Product, choose WordPress, and for Constraint type, choose Launch. Next, choose Continue.
5. On the Launch constraint page, for Enter role arn, type the role ARN your noted earlier, and then choose Submit.

Next, you need to allow the Training-Users IAM Group to provision a product.

Step 4. Grant the training attendees permission to provision a product from the portfolio

Since users will be using AWS Service Catalog to provision a CloudFormation Stack, all they need is access to the AWS Service Catalog and the Cloudformation:ListStackResources access. In this step, you give users access:

1. Open the IAM console at https://console.aws.amazon.com/iam/.
2. In the navigation pane, choose Groups.
3. In the filter panel, type Training-Users, the search result will display a single result, Choose the result.
4. In the summary page, choose permissions tab.
5. Expand inline policies. Console will display a message stating there are no inline policies associated. Choose click here.
6. Choose Custom Policy, then Select.
   1. For Policy Name, type SCProvisionProductAccess.
   2. Paste the following example policy in Policy Document:

      { 
      	"Version": "2012-10-17", 
      	"Statement": [ 
      		{ 
      			"Effect": "Allow", 
      			"Action": ["cloudformation:ListStackResources", "servicecatalog:ProvisionProduct"], 
      			"Resource": "*" 
      		} 
      	] 
      }

7. Choose Apply Policy.
8. On the Summary page, Permissions tab, Managed Policies section, choose Attach Policy.
9. In the Filter panel, type ServiceCatalogEndUserAccess, the search result will display a single result, choose the result.
10. Choose Attach Policy.

Finally, you need to allow Training-Users IAM Group to access the Training Portfolio. To do so:

1. Open https://console.aws.amazon.com/servicecatalog/ and choose the Training Portfolio.
2. On the portfolio details page, expand the Users, groups and roles section.
3. Choose Add user, group or role.
4. On the Groups tab, select the check box for Training-Users.
5. Choose Add Access.

Step 5. Verification

Before you give the account credentials to training attendees, verify whether training users can provision the product.

Note

The WordPress template requires you to have at least one EC2 key pair present in your selected AWS Region. For more information about how to create a key pair, see Creating a Key Pair Using Amazon EC2.

To verify that the training attendees can launch the WordPress product:

1. Sign in to the AWS Management Console with the credentials of any IAM user you added to the Training-Users IAM group. Next, open the AWS Service Catalog console at https://console.aws.amazon.com/servicecatalog/.
2. In the Products section of the console, choose WordPress and then choose Launch product.
3. On the Product version page, for Name, type WordPress.
4. In the Version table, choose v1.0
5. Choose Next.
6. On the Parameters page, type the following and choose Next:
   • KeyName – Select the KeyName you have access to.
   • SSHlocation – Type a valid CIDR range for the IP address from which you will connect to the instance. This can be the default value (0.0.0.0/0) to allow access from any IP address, your IP address followed by /32 to restrict access to your IP address only, or something in between.
   • DBPassword, DBUser, DBRootPassword – Provide alphanumeric characters of your choice.
   • InstanceType – t2.micro
7. On the TagOptions page, choose Next.
8. On the Notifications page, choose Next.
9. On the Review page, review the information that you typed, and then choose Launch to launch the stack. The initial status of the product is shown as Under Change. After the product is launched, the status becomes Available.

Your environment is ready. You can now distribute the user credentials that you created in step 1 to all training attendees.

Training starts

Attendees will be able to provision the WordPress website using the AWS Service Catalog console, but they will not be able launch an EC2 instance or execute any other CloudFormation template from the AWS Management Console. After the training is over, you can easily clean up all resources created by attendees. To see how you can clean up all products attendees provisioned during the training, see Part 2 of this series of blog posts.

Summary

This blog-post is Part one of a two-part series of blog posts. In Part one I show you how you can use AWS Service Catalog to allow users to launch CloudFormation stacks in your environment, in a controlled manner. AWS Service Catalog also allows you to define template constraints if you have a requirement of allowing users to specify only certain CloudFormation input parameters.

To see how you can clean up all products provisioned during the training, using AWS Lambda, see Part two of this two-part series of blog posts.

If you have questions about implementing the solution described in this post, start a new thread on the AWS Service Catalog Forum or contact AWS Support.

About the Author

Kanchan Waikar is an AWS Marketplace Solutions Architect at Amazon Web Services. She enjoys helping customers build architectures using AWS, AWS Marketplace products, and AWS Service Catalog.