AWS Cloud Operations & Migrations Blog

Using an AWS Service Catalog service action to allow end users to update resources after deployment

Enterprise customers with multiple users want to manage policies on cloud resources like AWS Key Management Service (AWS KMS) and Amazon Simple Storage Service (Amazon S3) to grant access to additional users after the product has been deployed through, for example, AWS CloudFormation templates. In addition, customers want to accomplish this task in a self-service manner without the involvement of cloud operations or admin teams.

In this blog post, we will show how you can use AWS Service Catalog to manage a permission policy post-deployment on a KMS resource. AWS Service Catalog helps you deploy AWS resources using a repeatable process that follows best practices for standardization, compliance, and security.

The solution we share in this post uses the following AWS services.

Most of the resources are set up for you with an AWS CloudFormation stack.

Here are some of the AWS Service Catalog concepts referenced in this post.

  • A product is a blueprint for building the AWS resources you want to make available for deployment on AWS. It contains configuration information. You create a product by importing an AWS CloudFormation template, or, in the case of AWS Marketplace-based products, by copying the product to AWS Service Catalog. A product can belong to multiple portfolios.
  • A portfolio is a collection of products. You use portfolios to manage user access to products. You can grant portfolio access for an IAM user, group, or role.
  • A provisioned product is an AWS CloudFormation stack. When an end user launches a product, AWS Service Catalog provisions the product from an AWS CloudFormation stack.
  • Constraints control the way users can deploy a product. With launch constraints, you can specify a role that AWS Service Catalog must assume to launch a product.

For more information, see Overview of AWS Service Catalog in the AWS Service Catalog Administrator Guide.

Solution overview

The following diagram shows the solution architecture for adding user permissions to a KMS key on accounts managed by AWS Service Catalog.

The administrator deploys the components that will support the service catalog product. The end-user then uses the service catalog product to deploy and manage the KMS key and its policies.

Figure 1: Solution architecture diagram

Administrator process

The administrator uses CloudFormation to deploy the components required by the solution, including an AWS Service Catalog product. The end user uses the product to deploy a KMS key and later uses an AWS Service Catalog service action to update the KMS key policy.

End-user process

An end user in the managed account uses AWS Service Catalog to deploy a KMS key. The end user also uses an AWS Service Catalog service action to update the KMS key policy.

Configuring an environment

Download the content

  1. Download the content
  2. Extract the zipped file “” that was downloaded
  3. The following artifacts are located in the extracted folder named “blogkmsaction”:
    • SC_KMS_MGT.json
    • sc_kms_service_action_sc_portfolio.json
    • sc_kms_service_action_sc_product.json

Create an S3 bucket

  1. Sign in to your AWS account as an administrator. Make sure that you have an AdministratorAccess IAM policy attached to your role so you can create AWS resources.
  2. Create an S3 bucket in your AWS account. For instructions, see Creating a bucket in the Amazon S3 User Guide.
  3. In the Buckets list, choose the name of the bucket and choose Create folder. For the folder name, enter content/blogkmsaction/.
  4. Upload all the files from the “blogkmsaction” folder.
  5. Open the “blogkmsaction” folder and select the sc_kms_service_action_sc_portfolio.json file.
  6. Choose Object URL to copy the object URL.

Follow these steps to deploy the CloudFormation template.

  1. In the AWS CloudFormation console, choose Create Stack.
  2. On the Specify template page, in the Specify template section, choose Amazon S3 URL. Paste the URL you copied in the last procedure into the Amazon S3 URL field, and then choose Next.
  3. Choose Create Stack with new resources (standard).
  4. Choose Amazon S3 URL.
  5. Paste the link you copied into Amazon S3 URL.
  6. Make a note of or copy the bucket name, and then choose Next.
  7. On the Specify stack details page, enter your parameters.
  8. In Parameters, specify the following, and then choose Next.
    • For Stack Name, enter kmssetup123.
    • For SourceBucket, paste the bucket name you copied.
    • For ServiceCatalogEndUser, enter the IAM user name (user/<your IAM username>), or IAM role (role/<rolename>) that will have access to the AWS Service Catalog portfolio.
  9. Choose Next.
  10. On the Configure stack options page, choose Next.
  11. Leave the default values except as noted.
  12. On the Review page, select the I acknowledge that AWS CloudFormation might create IAM resources with custom names checkbox and then choose Create.

Wait for the status of the stack to change to CREATE_COMPLETE.

The administrator launches a stack to configure the environment. The admin enters a stack name as well as other parameters, then starts the process.

Figure 2: Specify stack details

Provision the product in AWS Service Catalog

Provisioned products provide information, called outputs, when a product launches.

  1. In the AWS Service Catalog console, scroll down to Outputs.
  2. Find the KMSQueueProduct, right-click the URL, and open it in a new tab.
  3. Choose Launch Product.
  4. Select the Generate name checkbox.
  5. For QueueName, enter myqueue23<initials>, for example myqueue23ockmc.
  6. Use the defaults for the other parameters.
  7. Choose Launch product.

Wait for the status to change to Available.

You have just deployed an Amazon Simple Queue Service (Amazon SQS) queue and a KMS key with a default KMS policy. You can now use the AWS Service Catalog service action to add a user to the KMS key policy. This supports a use case where a user can be granted access to the KMS key after deployment without redeploying the KMS key.

Update the KMS key policy with an AWS Service Catalog service action

  1. Get a user ARN that will be added to the KMS policy.
  2. In the AWS KMS console, right-click and open in a new browser tab
  3. Select “Customer managed keys” on the left, and to the right select the
  4. Select the SQSThirdParty_KMS_myquexxxx aliases.

The key policy displays the policy before the end-user updates it. It contains only one access statement.

Figure 3: The key policy shows the Id of SQSThirdParty-myque23ke-CMK and the Sid of Key Management

  1. Open the AWS Service Catalog console, and then choose Provisioned products.
  2. Choose the SCproductKMSQueue product.
  3. From the Actions menu, choose the sc_svc_action_name option.
  4. For QueueUserArn, enter the user ARN from step 1.
  5. Choose Perform action. When the action is completed, you can view the changes to the KMS policy.

The policy has changed after the end-user added a second user. It now contains two access statements.

Figure 4: The new user appears in the KMS policy. The Sid is Key Usage
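As an added example (not the code shipped in the post's artifacts), the following Python sketch shows the kind of key-policy edit described above, together with the input checks worth applying to QueueUserArn before a self-service action writes it into a key policy. The function name add_key_user, the usage-only action list, the account ID, and the contents of the sample statements are assumptions; only the Id and Sid values come from the figures.

```python
import json
import re

# Usage-only actions for the added statement (assumed set; no key-administration actions).
USAGE_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                 "kms:GenerateDataKey*", "kms:DescribeKey"]
# Exactly one IAM user or role ARN; wildcards and account-root principals do not match.
ARN_RE = re.compile(r"arn:aws:iam::(\d{12}):(user|role)/[\w+=,.@/-]+")


def add_key_user(policy_json, user_arn, key_account):
    """Return the key policy JSON with user_arn granted usage-only access."""
    m = ARN_RE.fullmatch(user_arn)
    if not m:
        raise ValueError("QueueUserArn must be a single IAM user or role ARN")
    if m.group(1) != key_account:
        raise ValueError("cross-account principals are not allowed")

    policy = json.loads(policy_json)
    stmts = policy["Statement"]
    # Reuse the "Key Usage" statement if a previous run already created it.
    usage = next((s for s in stmts if s.get("Sid") == "Key Usage"), None)
    if usage is None:
        usage = {"Sid": "Key Usage", "Effect": "Allow",
                 "Principal": {"AWS": []},
                 "Action": USAGE_ACTIONS, "Resource": "*"}
        stmts.append(usage)
    principals = usage["Principal"]["AWS"]
    if isinstance(principals, str):  # a single principal may be a bare string
        principals = [principals]
    if user_arn not in principals:   # idempotent: repeated runs add nothing
        principals.append(user_arn)
    usage["Principal"]["AWS"] = principals
    return json.dumps(policy, indent=2)


# Constructed sample policy: one "Key Management" statement, as in Figure 3.
BEFORE = json.dumps({
    "Version": "2012-10-17",
    "Id": "SQSThirdParty-myque23ke-CMK",
    "Statement": [{"Sid": "Key Management", "Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
                   "Action": "kms:*", "Resource": "*"}],
})

if __name__ == "__main__":
    print(add_key_user(BEFORE, "arn:aws:iam::111122223333:user/alice",
                       "111122223333"))
```

The "Key Management" statement is left untouched, so the action can only widen who may use the key, not who may administer it.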


To avoid charges to your account, delete the resources you no longer need. To terminate the AWS Service Catalog product, choose the product, choose Actions, and then choose Terminate. You can also use AWS CloudFormation to delete the stacks you deployed.


This post showed an easy way for end-users to deploy a KMS key and manage KMS policies post-deployment using AWS Service Catalog and service actions. When you use AWS Service Catalog to deploy and manage resources, business objectives are supported, and you also get an extra layer of governance and control.


About the authors

Kevin McLeod

Kevin McLeod is a New York-based Senior Technical Account Manager in Health and Life Sciences, HCLS. He is enthusiastic about cloud computing solutions backed by microservices and enjoys helping HCLS customers on their cloud journey to operational excellence. When he’s away from his computer, Kevin enjoys cycling, podcasts, Brazilian jiu-jitsu, and teaching his boxer new tricks.

Kenneth Walsh

Kenneth Walsh is a New York-based Solutions Architect whose focus is AWS Marketplace. Kenneth is passionate about cloud computing and loves being a trusted advisor for his customers. When he’s not working with customers on their journey to the cloud, he enjoys cooking, audio books, movies, and spending time with his family and dog.

Charles Okochu

Charles Okochu is a New York-based Senior Technical Account Manager who works with Blockchain and Financial Services customers. Charles has years of fintech experience. He’s passionate about how blockchain technologies can transform the technology landscape. In his spare time, Charles enjoys running, playing soccer, and spending time with his family and cat.