Note: This is a June 2020 update to the blog post How to set up a multi-region, multi-account catalog of company standard AWS Service Catalog products.

Overview

I have seen interest in the native infrastructure template sharing capabilities offered by AWS Service Catalog. For example, my customers share AWS Service Catalog portfolios directly to AWS accounts or groups of accounts in AWS Organizations. One pattern that my customers use is the AWS Service Catalog hub-and-spoke model. In this model, a central hub AWS account hosts organizationally approved infrastructure services and shares them to other AWS spoke accounts in the company.

As usage around these functionalities has evolved, I have received requests to simplify sharing of AWS Service Catalog portfolios across accounts. The AWS Service Catalog team has been releasing multiple features that support simplification of setup and sharing of AWS Service Catalog portfolios in an AWS Organizations environment. In this blog post, I walk through two of those features:

  1. local launch constraint support
  2. delegated administrator support for AWS Service Catalog in AWS Organizations.

I also set up a sample environment to walk you through these features in a hands-on exercise.

Feature Overview

1) Local launch constraints support for AWS Service Catalog

On April 8, 2020, local launch constraints for AWS Service Catalog became available. This allows administrators to create AWS Service Catalog products in one hub account, assign a launch constraint name (instead of an Amazon Resource Name (ARN)), and share it with another spoke AWS account(s) in their environment. The spoke AWS account can use the shared product with the assigned launched constraint locally. The launch constraint must exist locally in the spoke account, however.

Previously, launch constraints assigned in the hub AWS account were ARNs tied to the hub AWS account, and any spoke AWS accounts launching these products would trigger a launch in the hub AWS account.

2) Delegated administrator support for AWS Organizations

AWS Service Catalog now supports delegated administrator support for AWS Organizations. This means that you can enable multiple AWS accounts (see limits) in the AWS Organization to share AWS Service Catalog portfolios. You can share these portfolios directly to the entire AWS Organization or to an Organizational Unit (OU). Previously, the organizational sharing feature was restricted to the master account in an AWS Organizations environment.

You can now enable a non-master AWS account to act as a delegated administrator account for AWS Organizations. For more information on how to enable AWS accounts as delegated administrator, read AWS Organizations documentation.

There are numerous benefits to sharing AWS Service Catalog products in AWS Organizations, such as:

  • the ability to create multiple hubs of AWS Service Catalog portfolios depending on logical AWS account groups in your company
  • the ability auto-share AWS Service Catalog portfolios with newly created AWS accounts in the AWS Organization or Organizational Unit
  • a single AWS account to manage sharing of infrastructure services to different parts of the company using AWS Service Catalog
  • product updates, additions, and deletions from the hub reflect across the organization automatically.

Step-by-step walkthrough of a sample setup

Prerequisites

A) Set up delegated administrator AWS Organizations accounts for AWS Service Catalog

Step 1: Enable AWS Organizations access for AWS Service Catalog and AWS CloudFormation

In this step, you use the AWS Organizations service to enable trusted access for AWS Service Catalog and AWS CloudFormation StackSets. This allows AWS Service Catalog and AWS CloudFormation to perform tasks in your AWS Organizations and its accounts on your behalf. This enablement can only be done from the master account in the organization.

  • Make sure you’re logged in to your master AWS account using the command line interface with administrator privileges. Read documentation for more details.
    • Enable AWS Organizations trusted access for AWS Service Catalog by entering the following into AWS CLI: aws organizations enable-aws-service-access --service-principal servicecatalog.amazonaws.com
    • Enable AWS Organizations trusted access for AWS CloudFormation StackSets by entering the following: aws organizations enable-aws-service-access --service-principal member.org.stacksets.cloudformation.amazonaws.com
    • To verify if these steps were successful, run the following command: aws organizations list-aws-service-access-for-organization
  • You should see the following output:
"EnabledServicePrincipals": [
       {
            "ServicePrincipal": "member.org.stacksets.cloudformation.amazonaws.com",
            "DateEnabled": "2020-06-04T22:01:18.170000-07:00"
        },
        {
            "ServicePrincipal": "servicecatalog.amazonaws.com",
            "DateEnabled": 1591142184.97
        }
    ]

Step 2: Delegate administrator permissions to shared services account

You can assign multiple delegated administrator accounts (see limits) in your AWS Organizations structure. This allows you to set up multiple hubs in your environment. The steps mentioned in this blog post can be used to set up any delegated administrator account in your environment.

AWS Organizations provides the ability to enable a specified member account to administer the Organizations features of the specified AWS service. AWS Service Catalog is now a supported service for this functionality. This means that you can delegate another AWS account in your AWS Organizations setup to share AWS Service Catalog portfolios at the Organizational level.

The following diagram shows the AWS Organizations master account and multiple organizational units (OU) underneath it. Under the Shared Services Organization Unit, we have a delegated administrator AWS account called Shared Services. The other OUs and AWS accounts underneath them have been represented separately.

Delegated Administrator for AWS Service Catalog

To delegate administrator permissions to a shared service account, do the following:

  • Make sure you’re logged in to your Master AWS account using the command line interface with administrator privileges. Read documentation for more details.
  • To check your current list of delegated administrator accounts, run the following command in your command line: aws organizations list-delegated-administrators
  • If this is the first time you’re running this command in your account, you should see an empty response, since there are no delegated administrator accounts in your AWS Organization:
{
    "DelegatedAdministrators": []
}
  • In our sample setup, you enable the Shared Services account in your AWS Organizations as the delegated administrator. To do so, run the following command in your CLI console. Replace <YOUR_AWS_ACCOUNT_ID> with the account ID of the AWS account you wish to delegate administrator permissions to: aws organizations register-delegated-administrator --account-id <YOUR_AWS_ACCOUNT_ID> --service-principal servicecatalog.amazonaws.com
  • To verify, check your current list of delegated administrator accounts, run the following command in your CLI console. You should see a response with your assigned delegate AWS account details: aws organizations list-delegated-administrators
  • You should now see the response showing your delegated administrator account details:
{
    "DelegatedAdministrators": [
        {
            "Id": "**********",
            "Arn": "arn:aws:organizations::*******:account/o-zd5*****/**********",
            "Email": "*****@amazon.com",
            "Name": "Shared Services",
            "Status": "ACTIVE",
            "JoinedMethod": "INVITED",
            "JoinedTimestamp": "2020-06-02T16:54:59.436000-07:00",
            "DelegationEnabledDate": "2020-06-02T17:53:52.195000-07:00"
        }
    ]
}

B) Set up the AWS Service Catalog hub portfolio in the delegated administrator AWS account

In this section, you up the delegated administrator account assigned in the previous section. You do this using  a central AWS Service Catalog portfolio, which is shared with the entire AWS Organizations structure. You also assign end users and tagOptions to the shared portfolio in all AWS accounts. All of these operations will be centralized and performed from the shared services AWS account only. 

To do so, perform the following three steps:

Step 1: Set up IAM Roles in the entire AWS Organizations structure (single Region)

Download architecture diagram.

In this step, you set up the required IAM roles and launch constraints required for AWS Service Catalog in all the AWS accounts in the AWS Organizations structure using AWS CloudFormation StackSets from the shared services account.

  1. Log in to the AWS console of your master AWS account in your Region of choice with administrator privileges. You can choose us-east-1 (N. Virginia) if you don’t have a preference. Make sure you operate out of the same region for the remainder of the exercise.
  2. Open the AWS CloudFormation StackSet console at https://console.aws.amazon.com/cloudformation/home#/stacksets/create.
  3. Under Prerequisite – Prepare template, choose Template is ready. Under Specify template, select Amazon S3 URL, and enter the following URL: https://marketplace-sa-resources.s3.amazonaws.com/sc-org-sharing-blog-june20/sc-iam-setup-stackset.json and choose Next.
  4. Enter the following details on the Specify StackSet details page, and choose Next:
    1. StackSet name: SC-<YOUR_PORTFOLIO_NAME>-IAM-SETUP (Enter SCHubPortfolioDemo for YOUR_PORTFOLIO_NAME)
    2. StackSet description: IAM Setup for Demo Portfolio in AWS Service Catalog
    3. CreateLaunchConstraintRole: Yes
    4. LaunchConstraintRoleName: DemoLaunchRole
    5. CreateSCEndUserRole: Yes
    6. SCEndUserRoleName: DemoEndUserRole
  5. On the Configure StackSet options page, under the Permissions, choose Service managed permissions and choose Next. This ensures AWS CloudFormation has automatic access to deploy this stack into all AWS accounts in your AWS Organizations.
  6. On the Set deployment options page, under Deployment targets, choose Deploy to organization, and keep the default options selected. Under specify regions, select region US East (N.Virginia). Choose Next. Do not add more than one Region here. IAM roles are not regional and can be accessed globally after creation from one Region. (Note: You choose Deploy to Organization because the AWS Service Catalog will be shared with the Organization. If you plan to share the portfolio with an OU, then you would choose the same OU in the Deployment targets section.)
  7. On the Review page, under Capabilities, check ‘I acknowledge that AWS CloudFormation might create IAM resources with custom names.’ and choose AWS CloudFormation starts creating your stack set. View the progress and status of the creation of the stacks in your stack set in the stack set details page that opens when you choose Submit.

Once all the stack instances are successfully setup, all your AWS accounts contain a launch role for AWS Service Catalog. They also contain an end user role for your end users.

Step 2: Set up AWS Service Catalog portfolio in the delegated administrator AWS account

Download architecture diagram.

In this step, you set up the AWS Service Catalog portfolio and sample set of products in the shared services delegated administrator AWS account. Once the portfolio is set up, you can share the portfolio with all the AWS accounts in AWS Organizations.

Prerequisites

You use AWS CloudFormation nested stacks in this section. Service-managed permissions are not supported by AWS CloudFormation StackSets for nested stacks today. However, the stacks must be set up in the hub account only. So you can use StackSets with self-managed permissions for this account. To set up self-managed permissions for the delegated administrator account, follow these steps:

Once the prerequisites are complete, follow these steps to set up your AWS Service Catalog portfolio in the delegated administrator account. With CloudFormation StackSets, you can set up this portfolio in one or multiple Regions based on your requirements. You can also share portfolios with AWS Organizational Units or individual AWS accounts.

Set up the AWS CloudFormation StackSet for creating a multi-Region portfolio deployment

Once you have completed the prerequisites, follow the next steps to set up your AWS Service Catalog portfolio in the delegated administrator account. With CloudFormation StackSets, you can set up this portfolio in one or multiple Regions based on your requirements.

  1. Log in to the AWS console of your delegated administrator AWS account in your Region of choice with administrator privileges. You can choose us-east-1 (N. Virginia) if you don’t have a preference.
  2. Open the AWS CloudFormation console at https://console.aws.amazon.com/cloudformation#/stacksets/create.
  3. Under Prerequisite – Prepare template, choose Template is ready. Under Specify template, selected Amazon S3 URL, and enter the following URL: https://marketplace-sa-resources.s3.amazonaws.com/sc-org-sharing-blog-june20/sc-hub-portfolio-setup-stack.json and choose Next.
  4. Enter the following details on the Specify StackSet details page, and choose Next:
    1. StackSet name: SC-<YOUR_PORTFOLIO_NAME>-HUB-SETUP (Enter SCHubPortfolioDemo for YOUR_PORTFOLIO_NAME)
    2. StackSet description: AWS Service Catalog Demo Portfolio Setup for AWS Organizations Sharing.
    3. PortfolioName: SCHubPortfolioDemo
    4. PortfolioProvider: IT Services
    5. PortfolioDescription:  Service Catalog Portfolio that contains reference architecture products for Amazon Elastic Compute Cloud (EC2).
    6. RepoRootURL: https://marketplace-sa-resources.s3.amazonaws.com/sc-org-sharing-blog-june20
    7. Product1TemplateName: sc-product-ec2-linux.json
    8. Product2TemplateName: sc-product-ec2-windows.json
    9. LocalLaunchRoleName: DemoLaunchRole
  5. On the Configure StackSet options page, under the Permissions, choose Self service permissions. Under IAM admin role ARN, choose AWSCloudFormationStackSetAdministrationRole. Under IAM execution role name, enter  AWSCloudFormationStackSetExecutionRole and choose Next.
  6. On the Set deployment options page, under Accounts, choose Deploy stacks in accounts. Under Account numbers, add the account ID of the current delegated administrator account. Under specify regions, select the Regions where you want your portfolio deployed. In this exercise, you can select US East (N.Virginia) and US East (Ohio). Choose Next.
  7. On the Review page, under Capabilities, check ‘I acknowledge that AWS CloudFormation might create IAM resources with custom names.’ and ‘I acknowledge that AWS CloudFormation might require the following capability: CAPABILITY_AUTO_EXPAND‘ and choose Next. At this point, AWS CloudFormation starts creating your stack set. View the progress and status of the creation of the stacks in your stack set in the stack set details page that opens when you choose Submit.

Now your delegated administrator AWS account contains an AWS Service Catalog portfolio in all the Regions you selected in this section.

Share the AWS Service Catalog portfolio in each Region with AWS Organizations

In this step, you share the portfolio with your AWS Organization. For each Region where your AWS Service Catalog portfolio is set up, perform the following steps::

  1. Log in to the AWS console with AWS Service Catalog administrator privileges to your delegated administrator AWS account in the region (us-east-1, us-east-2 in this case) where AWS Service Catalog portfolio is set up.
  2. Open the AWS Organizations console at https://console.aws.amazon.com/organizations. On the AWS Organizations page, note the Organization ID.
  3. Open the AWS Service Catalog console at https://console.aws.amazon.com/servicecatalog.
  4. Under Administration on the left pane, choose Portfolios. On the Portfolios page, you see the portfolio created in the previous section, SCHubPortfolioDemo, listed as a local portfolio. Choose SCHubPortfolioDemo.
  5. On the SCHubPortfolioDemo page, in the Share tab, choose the Share with new Account button.
  6. On the Enter AWS Account Id popup, select Organization. Select Organization as Node Type, and for Input Value, enter the Organization ID from step 2. Choose Share.
  7. Repeat for the previous steps 1-6 for each Region where the AWS Service Catalog portfolio is set up. From the Portfolio details section, note the Portfolio ID for each Region, as you need it in the next section.

Step 3: Assign end users and TagOptions to the shared portfolio across the entire AWS Organizations

Download architecture diagram.

At this point, your AWS Service Catalog portfolio has been shared with all your AWS accounts in the AWS Organizations. Now, you assign end users who can execute the products in your portfolio. Optionally, you can assign tagOptions to your portfolio in all AWS accounts across all Regions. To do this, you execute a CloudFormation StackSet from the delegated master account across all AWS accounts in the AWS Organization.

Prerequisites

The delegated administrator AWS account may have portfolios in multiple Regions. So you must create a mapping section in the CloudFormation template that maps the Portfolio ID to the AWS Region. Use the Portfolio ID for each Region you noted in step 7 of the previous section for this purpose. Download the CloudFormation template for this section.  Add your mapping information there, and save the template.

"Mappings" : {
      "RegionAndPortfolioNameToPortfolioID" : {
        "us-east-1": {
          "SCHubPortfolioDemo": "<ADD_PORTFOLIO_ID>"
        },
        "us-east-2" : {
          "SCHubPortfolioDemo": "<ADD_PORTFOLIO_ID>"
        }
      }
      }
  1. Log in to your master AWS account in your Region of choice with administrator privileges. You can choose us-east-1 (N. Virginia) if you don’t have a preference.
  2. Open the AWS CloudFormation StackSet console at https://console.aws.amazon.com/cloudformation/home#/stacksets/create.
  3. Under Prerequisite – Prepare template, choose Template is ready. Under Specify template, select Upload a template file, and choose Choose file to upload the CloudFormation template you saved with mapping details.  Choose Next.
  4. Enter the following details on the Specify StackSet details page, and choose Next:
    1. StackSet name: SC-<YOUR_PORTFOLIO_NAME>-ASSIGNMENT (Enter SCHubPortfolioDemo for YOUR_PORTFOLIO_NAME)
    2. StackSet description: IAM and TagOption assignment for Demo Portfolio in AWS Service Catalog
    3. PortfolioName: SCHubPortfolioDemo
    4. LinkEndUserRole: Yes
    5. SCEndUserRoleName: DemoEndUserRole
    6. AddTagOptions: Yes (Optional)
  5. On the Configure StackSet options page, under the Permissions, choose Service managed permissions and choose Next. This ensures AWS CloudFormation has automatic access to deploy this stack into all AWS accounts in your AWS Organizations.
  6. On the Set deployment options page, under Deployment targets, choose Deploy to organization, and keep the default options selected. Under specify regions, select all Regions where you have shared your portfolio. For this exercise, select US East (N.Virginia) and US East (Ohio). Choose Next. (Note: You choose Deploy to Organization because the AWS Service Catalog is shared with the Organization. If you shared the portfolio with an OU, then you would choose the same OU in the Deployment targets section.)
  7. On the Review page, choose Submit. At this point, AWS CloudFormation starts creating your StackSet. View the progress and status of the creation of the stacks in your stack set in the stack set details page.

Once all the stack instances are successfully set up, all your AWS accounts in your AWS Organizations contain a fully set up AWS Service Catalog portfolio. The DemoEndUserRole can now log in to any AWS account and access the AWS Service Catalog products shared by the SCHubPortfolioDemo portfolio.

Conclusion

AWS Service Catalog enables you to build and distribute catalogs of IT services to your organization. In this post, I walked you through the latest features within AWS Service Catalog, AWS CloudFormation, and AWS Organizations. These features simplify deploying multi-Region, multi-account AWS Service Catalog portfolios from a single AWS account in your environment.

You can use this process to create a single or multiple delegated administrator accounts in your environment. Each account is responsible for maintaining and sharing approved infrastructure with the entire AWS Organization, an Organizational Unit, or an individual AWS account. I used AWS CloudFormation automatic deployments. So this process also ensures that any new AWS accounts inherit any AWS Service Catalog portfolios shared with them.

If you have questions about implementing the solution described in this blog post, you can start a new thread on the AWS Service Catalog Forum or contact AWS Support.

Authors

Sagar Khasnis

Sagar Khasnis

Sagar Khasnis is a Partner Solutions Architect focusing on AWS Marketplace, AWS Service Catalog, and AWS Control Tower. He is passionate about building innovative solutions using AWS services to help customers achieve their business objectives. In his free time, you can find him reading biographies, hiking, working out at a fitness studio, and geeking out on his personal rig at home.