Lab B4 – Deploy services in multi-account environment using Service Catalog
AWS Control Tower provides the easiest way to set up and govern a new, secure, multi-account AWS environment based on best practices established through AWS’ experience working with thousands of enterprises as they move to the cloud. With AWS Control Tower, builders can provision new AWS accounts in a few clicks, while you have peace of mind knowing your accounts conform to your company-wide policies.
AWS Service Catalog enables organizations to create and manage catalogs of approved IT services for use on AWS. In a multi-account environment, the AWS Service Catalog portfolios can be managed centrally at the master account and distribute across the remaining accounts across the AWS Organizations. In this lab, we will see different ways of sharing AWS Service Catalog portfolios and use them in the multi-account environment to deploy essential services.
- Task-1 : The AWS Control Tower Administrator can provision new AWS accounts using Account Factory. The Account Factory network settings can be configured not to create VPCs automatically when provisioning a new account. Some customers prefer this approach in order to keep tighter control over the CIDR ranges in use.
- Task-2 : Share a set of commonly used products (such as an EC2 instance and an S3 private encrypted bucket) across multiple accounts. The AWS Control Tower Administrator wants to make these products available in the new AWS accounts that they launch.
- Task-3 : Create an AWS SSO user and allow access the service catalog portfolio/products.
In the case of Task-1, only the Administrator on the child account will launch the shared resources, so there is no need to set up launch constraints. In Task-2 and Task-3, the shared products can be consumed by a local IAM user or a non-admin AWS SSO user. We will use launch constraints locally on each account to allow this.
- Master Account: AWS Control Tower master account, where we deployed the Control Tower service.
- Provisioned Account: A new AWS account provisioned using Account Factory in AWS Control Tower.
- Portfolios: AWS Service Catalog portfolio is a collection of products, together with configuration information.
- Product: AWS Service Catalog product is an IT service that you want to make available for deployment on AWS.
- Constraints: Constraints control the ways that specific AWS resources can be deployed for a product.
Task-1 : Share an Admin portfolio across all accounts in the organization
Using Account Factory in AWS Control Tower, you can now define workflows for provisioning new AWS accounts and implement account baselines with network configurations. Once these new accounts are created, the new account owners may need to perform further customizations on them. Using AWS Service Catalog, you can create a central repository of approved products and share it with account owners who have Administrator access, so they can launch them as needed.
In this part of the lab, we will walk through:
- How to create a Service Catalog portfolio with Admin tasks, such as VPC creation or a common application environment setup, for use across multiple accounts.
- How to share the portfolio with other members of the AWS Organization. We will do this using the Organization Sharing feature in Service Catalog.
- How to deploy the VPCs on individual child accounts.
1. Configure Service Catalog Portfolio on AWS Control Tower master account
In this section, we will create an AWS Service Catalog portfolio with some sample products to perform standard administration tasks.
1.1 Collect the AWS Organizations information
1.1.1 With AWS SSO, log into the AWS Control Tower management console in the Master account.
- When you launch AWS Control Tower, you will receive an email notification with User portal URL and Username (referred to as admin user).
- The email notification will have instructions to log in to AWS SSO and then to AWS Console on the AWS Control Tower master account.
- Click on the Master account to expand it. Select Management console next to the AWSAdministratorAccess role to log in to the AWS Management Console of the master account.
- Select the Control Tower service under Management & Governance.
1.1.2 Capture AWS Organizations Id
- Open the AWS Organizations console on the Master account.
- Click on Settings in the top right corner. Note down the Organization ID; we will use it later in this lab.
1.2 Create Service Catalog Portfolio and Share with AWS Organization
1.2.1 Create a Service Catalog Product
- Open the AWS Service Catalog console on the Master account.
- On the left sidebar, under Admin, choose Products list.
- Click on UPLOAD NEW PRODUCT, enter Custom VPC under Product Name, fill in Description and Provided by, and click NEXT.
- Enter an Email contact and other optional information and click NEXT.
- Under Select template, select Specify a URL location for an Amazon CloudFormation template and paste the link below.
- Give Version title as v1.0 and click NEXT.
- Review the options you entered and click on CREATE.
- Use the template below and repeat the above steps to create one more product named SC End User Env Setup.
1.2.2 Create a Service Catalog Portfolio
- On the left sidebar, under Admin, choose Portfolios list.
- Click on CREATE PORTFOLIO, type Admin Portfolio under Portfolio name, type in Description and Owner, and click on CREATE.
1.2.3 Associate a Product to the Portfolio
- On Portfolios page, select the radio button for Admin Portfolio and click ADD PRODUCT TO PORTFOLIO.
- Select the Custom VPC, and click on ADD PRODUCT TO PORTFOLIO.
- Select the Admin Portfolio and click on SHARE PORTFOLIO.
- If you are doing this for the first time, you need to check Select to enable Organizational sharing for this master account.
- Under Organization Node Type, select Organization from the dropdown. Paste the AWS Organizations ID that you copied in 1.1.2 into Input Value and click Share.
You have successfully created a Service Catalog portfolio with administration-related products in it and shared the portfolio with the remaining accounts in the Organization.
1.3 Launch resources on the child account
In this section, we will switch role to one of the child accounts and deploy a resource from the shared portfolio.
1.3.1 Switch Role from Master to Child Account
- Expand the username next to the bell icon in the top right corner.
- Select the Switch Role option.
- Type the AccountId for Account and AWSControlTowerExecution for Role, and click on Switch Role.
1.3.2 Allow Administrator to launch the products
- Under Find Services, search for Catalog and select Service Catalog.
- On the left sidebar, under Admin, choose Portfolios list.
- Select Organization Portfolios as the Portfolio Source.
- Click on Admin Portfolio, expand Users, groups and roles, and click on ADD USER, GROUP OR ROLE.
- [ONLY FOR THIS LAB] Select the Roles tab and type Execution in the Name search bar. Select AWSControlTowerExecution and click ADD ACCESS.
- Click on ADD USER, GROUP OR ROLE again.
- Select the Roles tab and type AWSAdministrator in the Name search bar. Select AWSReservedSSO_AWSAdministrator_ and click ADD ACCESS.
1.3.3 Launch a VPC on the child account
- Now click on Products list at the top of the left sidebar.
- Click on the hamburger icon next to Custom VPC and select Launch product.
- Under Name, type myVPC-1 and click NEXT.
- Select two different regions for RegionAZ1Name and RegionAZ2Name.
- Change the VPCCIDR values as needed and click NEXT.
- Choose NEXT, NEXT.
- Under Review, check all the settings you selected and click on LAUNCH when ready.
- Under Events, you can check the current status of the launch. Wait for the Status to change from In progress to Succeeded.
- Once the product is launched, all the network configuration is listed under Outputs.
1.3.4 Launch a SC End User Env Setup product on child account
- Provisioning the SC End User Env Setup product creates a local IAM user, group and role.
- The role created here will be used as a launch constraint in the next lab.
- Once the product is provisioned, check Events under Provisioned products list to get the user, group, and role names.
- Expand the username in the top right corner next to the bell icon and select Back to AWSReservedSSO_AWSAdministratorAccess*
Task-2 : Share a non-admin portfolio with selected Organizational Units
In the previous section of this lab, we saw how to share a portfolio across an AWS Organization and deploy services on the child accounts as an Admin user.
In this task, we will see how to share a set of AWS Service Catalog products with your child accounts at the organizational unit level. We will create a local portfolio in each provisioned account and add launch constraints in those accounts. The Portfolio-For-Sandboxes portfolio will be shared with Sandboxes-OU.
To keep this lab simple, we will use the products available in the Service Catalog in a box portfolio, which is included in all AWS accounts by default.
PS: All the steps in this section can be automated using the API/CLI. However, for this lab, we will perform these activities manually from the AWS Console.
In this section of the lab, we will walk through:
- How to share a portfolio from the Master account to child accounts using AWS Organizational Unit sharing.
- How to create local portfolios on the child account and import the products directly from the portfolio shared from the master account.
- How to assign launch constraints on local portfolios to allow a user/group/role to provision the resources.
2. Share an AWS Service Catalog Portfolio from Master account
We created an Organizational Unit and provisioned an AWS account in Lab 02 – Using Account Factory. We will use the same resources here to share the portfolio from the master account.
If you are attempting this lab directly without going through Lab02, please go to Lab02 and complete section 1, AWS Control Tower environment setup, before proceeding with this lab.
2.1 Share a portfolio from Master account
2.1.1 Collect the Organizational Unit ID
- Log in to the Master account in Control Tower as an Administrator.
- Open the Control Tower dashboard on the Master account and click on Organizational units in the left sidebar.
- Click on the OU that contains the child account. In this case, click on the DEVENV OU that we created in Lab02.
- Note down the OU ID under Details. It is in the format ou-zzzz-xxxxxxx.
2.1.2 Create a portfolio on the master account
- Go to Service Catalog Console http://console.aws.amazon.com/servicecatalog.
- On the left sidebar, under Admin, choose Portfolios list.
- Select Getting Started Library as the Portfolio Source and click on Service Catalog in a box.
- Select Amazon Elastic Compute Cloud (EC2) Linux and choose COPY TO YOUR PRODUCTS list.
- Select Amazon S3 Private Encrypted Bucket and choose COPY TO YOUR PRODUCTS list.
- Go back to Portfolios list under Admin.
- Click on CREATE PORTFOLIO, type Portfolio-For-Sandboxes under Portfolio name, type in Description and Owner, and click on CREATE.
- You will be directed back to the Portfolios page.
2.1.3 Add products to the portfolio
- On the Portfolios page, select the radio button for Portfolio-For-Sandboxes and click ADD PRODUCT TO PORTFOLIO.
- Select the products you copied earlier and click on ADD PRODUCT TO PORTFOLIO (one product at a time).
2.1.4 Share the portfolio with AWS Organizational Unit
- Click on Portfolio-For-Sandboxes, expand Share with other accounts and within your AWS Organization, and click on SHARE to open the Enter AWS account ID window.
- If you are doing this for the first time, you need to check Select to enable Organizational sharing for this master account.
- Under Organization Node Type, select Organizational Unit from the dropdown.
- Paste the Organizational Unit ID value you noted down in step 2.1.1 and click on SHARE.
So far we have created a portfolio in the master account, added products from Service Catalog in a box to it, and shared it with an OU in your environment. In the next section, we will see how to import these products into a local portfolio in the child accounts.
3. Set up the child account to use the shared portfolio
3.1 Configure a portfolio in the provisioned account
3.1.1 Create a local Portfolio
- Log in to the provisioned account as administrator using the information from Lab02.
- Go to the Service Catalog Console http://console.aws.amazon.com/servicecatalog/
- On the left sidebar, under Admin, choose Portfolios list.
- Click on CREATE PORTFOLIO, type Local Portfolio for Shared Portfolio under Portfolio name, type in Description and Owner, and click on CREATE.
3.1.2 Add products from master to local portfolio
- You will be redirected to the Portfolios page. Select the radio button for Local Portfolio for Shared Portfolio and click ADD PRODUCT TO PORTFOLIO.
- Under Select product group, select Organizations portfolio and click on SELECT PORTFOLIO.
- Select Portfolio-For-Sandboxes from the list.
- Select Amazon Elastic Compute Cloud (EC2) Linux and click ADD PRODUCT TO PORTFOLIO.
- Repeat the above two steps for the other products that you shared from the master account.
3.1.3 Set up launch constraints on the local portfolio
In this section we will use the
- Click on Local Portfolio for Shared Portfolio, expand Constraints and click ADD CONSTRAINTS.
- For Product, select Amazon Elastic Compute Cloud (EC2) Linux.
- For Constraint Type, select Launch Constraint and click on CONTINUE.
- Under IAM role, type Constraint, select SCLaunchConstraintRole and click on SUBMIT.
The users in the child account now have the catalog of services ready to consume. You may verify this by logging in to the child account and trying to access the Service Catalog products.
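The sharing steps of 1.2.3 and 2.1.4 and the import-plus-launch-constraint steps of 3.1.2 and 3.1.3 are the same calls the PS above refers to. This is an added example written for this page, not the workshop's own code; it uses the boto3 Service Catalog API, takes the client as a parameter so it can be exercised offline against a stub, and assumes the Organizations id formats documented in the Organizations API reference.

```python
# Added example (not the workshop's own code): 1.2.3/2.1.4 sharing and 3.1.2/3.1.3
# import + launch constraint as boto3 Service Catalog calls. `sc` is an injected
# client (boto3.client("servicecatalog") in real use) so the logic runs against a stub.
import json
import re

# Id formats as documented by AWS Organizations (assumption: taken from the
# Organizations API reference, not from this lab).
ORG_ID_RE = re.compile(r"^o-[a-z0-9]{10,32}$")
OU_ID_RE = re.compile(r"^ou-[0-9a-z]{4,32}-[a-z0-9]{8,32}$")


def organization_node(node_id: str) -> dict:
    """Build the OrganizationNode that CreatePortfolioShare expects. Anything that
    is not an organization or OU id is rejected rather than passed through."""
    if ORG_ID_RE.match(node_id):
        return {"Type": "ORGANIZATION", "Value": node_id}
    if OU_ID_RE.match(node_id):
        return {"Type": "ORGANIZATIONAL_UNIT", "Value": node_id}
    raise ValueError(f"not an AWS Organization or OU id: {node_id!r}")


def share_portfolio(sc, portfolio_id: str, node_id: str) -> str:
    """Master account: share a portfolio with the whole organization (Task-1) or
    with one OU (Task-2). Returns the share token."""
    sc.enable_aws_organizations_access()  # the 'enable Organizational sharing' checkbox
    resp = sc.create_portfolio_share(
        PortfolioId=portfolio_id, OrganizationNode=organization_node(node_id))
    return resp["PortfolioShareToken"]


def import_with_launch_constraint(sc, local_portfolio_id: str, shared_portfolio_id: str,
                                  product_id: str, launch_role_name: str) -> str:
    """Child account: add a product from the imported (shared) portfolio to the local
    portfolio, then attach a LAUNCH constraint so end users provision it with the
    named role's permissions rather than their own. Returns the constraint id."""
    sc.associate_product_with_portfolio(ProductId=product_id, PortfolioId=local_portfolio_id,
                                        SourcePortfolioId=shared_portfolio_id)
    # LocalRoleName names a role that must exist in the launching account
    # (e.g. SCLaunchConstraintRole created in 1.3.4), unlike a hard-coded RoleArn.
    resp = sc.create_constraint(
        PortfolioId=local_portfolio_id, ProductId=product_id, Type="LAUNCH",
        Parameters=json.dumps({"LocalRoleName": launch_role_name}),
        Description=f"Launch {product_id} as {launch_role_name}")
    return resp["ConstraintDetail"]["ConstraintId"]
```

With real credentials, run `share_portfolio` from the master account and `import_with_launch_constraint` from the child account; the two halves use different sessions just as the console steps use different logins.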
Task-3 [Optional] : Grant Catalog access permissions to an AWS SSO User
In Task-2, we saw how to grant access to AWS Service Catalog portfolio/product(s) for the local IAM users in the provisioned AWS account. In this part of the lab, we will see how to create an AWS SSO user/group and grant it access to the AWS Service Catalog portfolio/products. We will use the same portfolio/product(s) that we created in Task-2.
4. Allow AWS SSO User to access Service Catalog Products
We will do the following tasks in this lab:
- Create an SSO user centrally in the master account and assign appropriate permissions.
- Grant the newly created AWS SSO user access to the Service Catalog.
4.1 Create an AWS SSO User, Group and Permission set
4.1.1 Create new permission set
- Log in to the AWS Control Tower master account with the AWSAdministratorAccess role.
- In the Find Services search bar, type Sign-On and select AWS Single Sign-On.
- Select AWS accounts on the left sidebar.
- On the AWS accounts page, select the Permission sets tab and click the Create permission set button.
- On the Create new permission set page, select Create a custom permission set.
- Type DeveloperAccessPermissions for Name and enter a Description for the role.
- Under What policies do you want to include in your permission set?, select Attach AWS managed policies.
- In the Attach AWS managed policies search bar, type and select AWSServiceCatalogEndUserFullAccess and click on the Create button.
4.1.2 Create an AWS SSO user / group
- Select Directory from the left sidebar.
- Under Users, click on the Add user button.
- Fill in the Email address, confirm the email address, select Generate a one-time password.... and fill in all other required fields.
- Click on the Next:Groups button, then click on Create group.
- Type DevUserGroup under Group name, with an appropriate description.
- Select the checkbox for the newly created group and click on the Add user button.
- The user will be created. Click on Copy details and paste the content in a secure place.
- Click on the Close button to go back to the Directory page.
4.1.3 Assign permission set to AWS SSO User/Group
- Now click on AWS accounts on the left sidebar and select the account to which you would like to grant the DeveloperAccessPermissions permission set.
- Click on Assign users, select the Groups tab, select the checkbox next to DevUserGroup and click Next: Permission sets.
- On the Select permission sets page, select DeveloperAccessPermissions and click on Finish.
4.2 Grant permissions to Service Catalog products
4.2.1 Grant Service Catalog access permissions to the AWS SSO User/Group
- Now go back to AWS Service Catalog, under Admin, select Portfolios list. Click on Local Portfolio for Shared Portfolio.
- Click on Users, groups and roles and click on ADD USER, GROUP OR ROLE.
- Select the Roles tab and search for DeveloperAccessPermissions. Select the checkbox next to the SSO role and click ADD ACCESS.
Congratulations, you have created a user in AWS SSO and granted that user Service Catalog end-user access across child accounts. You may log in to the child account using the information you collected in step#16.
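The same Task-3 steps expressed as API calls, as an added example written for this page rather than the workshop's own code: the sso-admin client in the master account creates the permission set and the group assignment (4.1.1 to 4.1.3), and the Service Catalog client in the child account grants the SSO-provisioned role portfolio access (4.2.1). Clients are injected so the functions run offline against stubs; the SSO instance ARN, group id, account id and portfolio id are placeholders the caller supplies.

```python
# Added example (not the workshop's own code): Task-3 as API calls. `sso` is an
# injected boto3 sso-admin client (master account) and `sc` an injected Service
# Catalog client (child account), so the logic can be exercised with stubs.
import re

END_USER_POLICY_ARN = "arn:aws:iam::aws:policy/AWSServiceCatalogEndUserFullAccess"


def create_end_user_permission_set(sso, instance_arn: str,
                                   name: str = "DeveloperAccessPermissions") -> str:
    """4.1.1: create the permission set and attach only the Service Catalog end-user
    policy; provisioning rights come from the launch constraint role, not from here."""
    ps = sso.create_permission_set(InstanceArn=instance_arn, Name=name,
                                   Description="Service Catalog end user access")
    ps_arn = ps["PermissionSet"]["PermissionSetArn"]
    sso.attach_managed_policy_to_permission_set(
        InstanceArn=instance_arn, PermissionSetArn=ps_arn,
        ManagedPolicyArn=END_USER_POLICY_ARN)
    return ps_arn


def assign_group_to_account(sso, instance_arn: str, ps_arn: str,
                            account_id: str, group_id: str) -> str:
    """4.1.3: assign the permission set to the group on one child account.
    Returns the assignment status (IN_PROGRESS until SSO finishes provisioning)."""
    resp = sso.create_account_assignment(
        InstanceArn=instance_arn, TargetId=account_id, TargetType="AWS_ACCOUNT",
        PermissionSetArn=ps_arn, PrincipalType="GROUP", PrincipalId=group_id)
    return resp["AccountAssignmentCreationStatus"]["Status"]


def select_sso_role_arn(roles, permission_set_name: str) -> str:
    """Pick the role AWS SSO created in the child account for a permission set.
    `roles` is the Roles list from iam.list_roles(); the name is
    AWSReservedSSO_<permission set>_<hex suffix>, so match the whole name."""
    pattern = re.compile(rf"^AWSReservedSSO_{re.escape(permission_set_name)}_[0-9a-f]+$")
    matches = [r["Arn"] for r in roles if pattern.match(r["RoleName"])]
    if len(matches) != 1:
        raise LookupError(f"expected one SSO role for {permission_set_name}, found {len(matches)}")
    return matches[0]


def grant_portfolio_access(sc, portfolio_id: str, role_arn: str) -> None:
    """4.2.1: add the SSO role as a principal on the local portfolio."""
    sc.associate_principal_with_portfolio(
        PortfolioId=portfolio_id, PrincipalARN=role_arn, PrincipalType="IAM")
```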
- AWS Control Tower
- AWS CloudFormation
- AWS Organizations
- AWS Service Catalog
- AWS Single Sign On
- AWS Control Tower and AWS Security Hub – Powerful Enterprise Twins
Copyright 2019, Amazon Web Services, All Rights Reserved.