AWS Cloud Operations & Migrations Blog

How managed service providers can use AWS Control Tower to provide services

AWS Control Tower is a managed AWS service that automates the creation of a multi-account AWS environment based upon the AWS Well-Architected Framework. It builds the environment using AWS best practices for security and management services.

In this blog post, we’ll show how a managed service provider can use AWS Control Tower and AWS Service Catalog to create resources and applications (for example, data lakes and ML solutions). These products are packaged in AWS Service Catalog portfolios that customers can implement for their use cases. These portfolios generate revenue for the service provider. In this post, we will focus on a use case for Amazon Comprehend.


To follow the steps in this post, you need an AWS account with permissions to create resources in these services:

Concepts and terminology

The following AWS Service Catalog concepts are used in this post.

  • A product is a blueprint for building the AWS resources to make available for deployment on AWS. It includes the configuration information. You can create a product by importing an AWS CloudFormation template, or, in the case of AWS Marketplace-based products, by copying the product to AWS Service Catalog. A product can belong to multiple portfolios.
  • A portfolio is a collection of products. It includes the configuration information. You use portfolios to manage user access to specific products. You can grant portfolio access for an AWS Identity and Access Management (IAM) user, group, or role.
  • A provisioned product is an AWS CloudFormation stack. When you launch a product, the instance of the product that is provisioned by AWS Service Catalog is a stack with the resources required to run the product.
  • Constraints control the way you can deploy a product. With launch constraints, you can specify a role that the AWS Service Catalog can assume to launch a product.

For more information, see Overview of AWS Service Catalog in the AWS Service Catalog administrator guide.

Solution overview

The following diagram shows the solution architecture.


The managed service provider creates an Amazon Comprehend product in AWS Service Catalog and makes it available to other accounts through CloudFormation. The member accounts deploy the CloudFormation template, which creates an AWS Service Catalog product in their account. You launch the product from the member account.


Figure 1: Solution architecture

The walkthrough includes the following steps:

  1.  The managed service provider creates an Amazon Comprehend AWS Service Catalog product through CloudFormation.
  2. The AWS Service Catalog administrator in the member account adds the portfolio and product by launching the CloudFormation template.
  3. End users in the member account use the AWS Service Catalog product.

Configure the environment

For your convenience, this post provides an AWS CloudFormation template to automate the creation of required AWS resources. We recommend that for this walkthrough, use the northern Virginia Region (US-East-1).

Create the managed account using Control Tower account factory

  1. Log into the AWS Control Tower using the management account
  2. Select the Account factory menu option on the left
  3. Select Enroll account
  4. Fill in the new account information and select Enroll account
  5. The new account will be created in approximately 23 minutes
  6. Login to the new account and follow the steps to configure the environment.

The administrator uses the account factory to create a new account

Figure 2: Account Factory

Download the CloudFormation Template and create an S3 bucket.

  1. Download this CloudFormation Template locally and extract its contents. It will create a folder named content.
  2. Create an S3 bucket and make a note of its name. You will need the name of your bucket in a later step.
  3. Upload the content folder to the bucket.
  4. Open the content/scmspcomprehend folder.
  5. Select the sc_msp_comprehend_setup.json file
  6. Within the Object overview section, copy the object URL.

Deploy the CloudFormation template

ALT: In the Parameters section of Specify stack details, SCenduserRole is user/kwscenduser. SourceBucket is kwdem0s.

Figure 3: Specify Stack Details

  1. Sign in to your AWS account as an administrator with permissions to create AWS resources.
  2. In the AWS CloudFormation console, choose Create stack, and then choose With new resources (standard).
  3. In the Specify template section, choose Amazon S3 URL.
  4. In the Amazon S3 URL field, paste the object URL you copied in the previous procedure, and then choose Next.
  5. On Specify stack details, for Stack name, enter sccomprehend.
  6. In Parameters, for SCenduserrole, enter the user/<your-user>. This is the user, role, or group who will use the product.
  7. For SourceBucket, enter the name of your S3 bucket you created earlier, and then choose Next.
  8. On the Configure stack options page, choose Next.
  9. On the Review page, select I acknowledge that AWS CloudFormation might create IAM resources and then choose Create stack. Your stack is ready when the status changes to CREATE_COMPLETE.

Add text files for analysis.

In the outputs tab on the CloudFormation console, choose the InputTextFolder, then upload your text files

Figure 4: Upload Text File

  1. Select the Outputs tab in the CloudFormation console.
  2. Find the InputTextFolder key right click on the URL and open in a new browser tab.
  3. Create a text file to upload, save the file with an easy-to-read name e.g. marketing_customer_comments.txt
  4. Select Upload, Add files
  5. Select the file you created
  6. Select Upload
  7. Repeated as necessary

Launch the AWS Service Catalog product

  1. On the Outputs tab of the CloudFormation console, choose the ComprehendProduct URL, and then choose Launch product.
  2. Enter the following parameters, and then choose Launch product.
    • Provisioned product name: Enter a name or choose Generate name.
    • Email: Enter your email address. You will receive an email to validate this address. If you don’t see an email in your inbox, check your spam folder.
    • InputText: Choose a file or enter 01-UPDATE to update the list.
  3. When the status of the product changes to Available, scroll down and choose the report URL. The report displays the title of the text document and a graph. The report is not public. By default, it is accessible for three hours only


Analyzed text shows overall sentiment of the txt file breaking it down between mixed, neutral, positive, and negative.

Figure 5: Blog_code_example


To avoid ongoing charges to your account, delete resources you created. In the AWS Service Catalog console, choose Provisioned products and from the Actions menu, choose Terminate.


In this post, we showed how managed service providers can use AWS Service Catalog, AWS CloudFormation, and AWS Control Tower to create AWS Service Catalog portfolios that customers can use for their use cases. These portfolios generate revenue for the service provider.

About the authors

Kenneth Walsh

Kenneth Walsh is a Solutions Architect whose focus is AWS Marketplace. Kenneth is passionate about cloud computing. Kenneth loves being a trusted advisor for his customers.

Cullen Dejean

Cullen Dejean is a Solutions Architect whose focus is helping startups innovate and focus on the evolution of their platforms in their cloud computing journey. Cullen loves technology and enjoys helping his customers solve complex challenges with the cloud computing.