AWS Cloud Operations & Migrations Blog
Using an AWS Service Catalog service action to allow end users to update resources after deployment
Enterprise customers with multiple users want to manage policies on cloud resources like AWS Key Management Service (AWS KMS) and Amazon Simple Storage Service (Amazon S3) to grant access to additional users after the product has been deployed through, for example, AWS CloudFormation templates. In addition, customers want to accomplish this task in a self-service manner without the involvement of cloud operations or admin teams.
In this blog post, we will show how you can use AWS Service Catalog to manage a permission policy post-deployment on a KMS resource. AWS Service Catalog helps you deploy AWS resources using a repeatable process that follows best practices for standardization, compliance, and security.
The solution we share in this post uses the following AWS services.
- AWS CloudFormation
- AWS Service Catalog
- AWS Systems Manager
- AWS KMS
- AWS Identity and Access Management (IAM)
Most of the resources are set up for you with an AWS CloudFormation stack.
Here are some of AWS Service Catalog concepts referenced in this post.
- A product is a blueprint for building the AWS resources you want to make available for deployment on AWS. It contains configuration information. You create a product by importing an AWS CloudFormation template, or, in the case of AWS Marketplace-based products, by copying the product to AWS Service Catalog. A product can belong to multiple portfolios.
- A portfolio is a collection of products. You use portfolios to manage user access to products. You can grant portfolio access for an IAM user, group, or role.
- A provisioned product is an AWS CloudFormation stack. When an end user launches a product, AWS Service Catalog provisions the product from an AWS CloudFormation stack.
- Constraints control the way users can deploy a product. With launch constraints, you can specify a role that the AWS Service Catalog must assume to launch a product.
For more information, see Overview of AWS Service Catalog in the AWS Service Catalog Administrator Guide.
The following diagram shows the solution architecture for adding user permissions to a KMS key on accounts managed by AWS Service Catalog.
Figure 1: Solution architecture diagram
The administrator uses CloudFormation to deploy the components required by the solution, including an AWS Service Catalog product. The end user uses the product to deploy a KMS instance and later uses an AWS Service Catalog service action to update the KMS policy.
An end user in the managed account uses AWS Service Catalog to deploy a KMS key. The end user also uses an AWS Service Catalog service action to update the KMS key policy.
Configuring an environment
Download the content
- Download the content
- Extract the zipped file “blogkmsaction.zip” that was downloaded
- The following artifacts below are located in the extracted folder named “blogkmsaction“:
Create s3 bucket
- Sign in to your AWS account as an administrator. Make sure that you have an AdministratorAccess IAM policy attached to your role so you can create AWS resources.
- Create an S3 bucket in your AWS account. For instructions, see Creating a bucket in the Amazon S3 User Guide.
- In the Buckets list, choose the name of the bucket and choose Create folder. For the folder name, enter
- Upload all the files from the “blogkmaction” folder
- Open the folder “blogkmaction” and select the
- Choose Object URL to copy the object URL.
Follow these steps to deploy the CloudFormation template.
- In the AWS CloudFormation console, choose Create Stack.
- On the Specify template page, in the Specify template section, choose Amazon S3 URL. Paste the URL you copied in the last procedure into the Amazon S3 URL field, and then choose Next.
- Choose Create Stack with new resources (standard) .
- Choose Amazon S3 URL.
- Paste the link you copied into Amazon S3 URL.
- Make a note of or copy the bucket name, and then choose Next.
- On the specified stack details page enter you parameters.
- In Parameters, specify the following, and then choose Next.
- For Stack Name,
- For SourceBucket, paste the bucket name you copied.
- For ServiceCatalogEndUser, enter the IAM user name
(user/<your IAM username>), or IAM role (role/<rolename>)that will have access to the AWS Service Catalog portfolio.
- For Stack Name,
- Choose Next.
- On the Configure stack options page, choose Next.
- Leave the default values except as noted.
- On the Review page, select the I acknowledge that AWS CloudFormation might create IAM resources with custom names checkbox and then choose Create.
Wait for the status of the stack to change to CREATE COMPLETE.
Figure 2: Specify stack details
Provision the product in AWS Service Catalog
Provisioned products provide information, called outputs, when a product launches.
- In the AWS Service Catalog console, scroll down to Outputs.
- Find the
KMSQueueProduct, right-click the URL, and open it in a new tab.
- Choose Launch Product.
- Select the Generate name checkbox.
- For QueueName, enter
myqueue23<initals>. e.g. myqueue23ockmc
- Use the defaults for the other parameters.
- Choose Launch product.
Wait for the status to change to Available.
You have just deployed an Amazon Simple Queue Service (Amazon SQS) queue and a KMS key with a default KMS policy. You can now use the AWS Service Catalog service action to add a user to the KMS key policy. This supports a use case where a user can be granted access to the KMS key after deployment without redeploying the KMS key.
Update the KMS key policy with an AWS Service Catalog service action
- Get a
user ARNthat will be added to the KMS policy.
- In the AWS KMS console, right click and open in a new browser tab
- Select “Customer managed keys” on the left, and to the right select the
- Select the
Figure 3: The key policy shows the Id of SQSThirdParty-myque23ke-CMK and the Sid of Key Management
- Open the AWS Service Catalog console, and then choose Provisioned products.
- Choose the
- From the Actions menu.
- Choose the
- For QueueUserArn, enter the user ARN from step 1.
- Choose Perform action. When the action is completed you can view the changes to the KMS policy.
Figure 4: The new user appears in the KMS policy. The Sid is Key Usage
To avoid charges to your account, delete the resources you no longer need. To terminate the AWS Service Catalog product, choose the product, choose Actions, and then choose Terminate. You can also use AWS CloudFormation to delete the stacks you deployed.
This post showed an easy way for end-users to deploy a KMS key and manage KMS policies post-deployment using AWS Service Catalog and service actions. When you use AWS Service Catalog to deploy and manage resources, business objectives are supported, and you also get an extra layer of governance and control.