Portfolio Management

Use Case:

You have a Service Catalog portfolio. You need to make it visible to end users, add products and create launch roles for products.


DO NOT use your ROOT user

  1. Create a user called labadmin and give it an Administrator policy (optional if you already have a user with an admin policy)

  2. Log in to your AWS account using the labadmin user (or an admin user)

  3. Use the US East (N. Virginia) region

Select and edit a Service Catalog portfolio.


Service Catalog security overview

Types of security needed

Order | Purpose | Who/Principal | Permission
1 | Create CloudFormation templates and test them (EC2, RDS, ECS, EKS, S3, etc.); create Service Catalog launch roles | Admin role | Administrator
2 | Create Service Catalog products from CloudFormation templates, manage portfolios, use launch roles | Service Catalog administrator | arn:aws:iam::aws:policy/AWSServiceCatalogAdminFullAccess
3 | Deploy and manage Service Catalog products on behalf of an end user (EC2, RDS, ECS, EKS, S3, etc.) | Launch roles used by the Service Catalog service | Per product: create, update, list, delete
4 | Launch Service Catalog products | End users (IAM or SAML) | arn:aws:iam::aws:policy/AWSServiceCatalogEndUserFullAccess

Manage portfolios

  1. Log in with an admin role

  2. Right-click the Return to Service Catalog link

  3. Choose Portfolio list from the menu on the left.

  4. Choose a portfolio (select the one you created before)

  5. Review the options in the tabs

    • Products - to manage the products in the portfolio
    • Constraints - to manage product launch roles and other constraints
    • Groups, roles, and users - to manage which users have access to the portfolio
    • Share - to share the portfolio with other accounts

Add an S3 storage bucket product

  1. Create an S3 CloudFormation template, or use this sample (right-click and copy the link)

  2. Choose the Products tab

  3. Choose the Upload new product button

  4. Fill in parameters

    • Product name [mys3product]
    • Description
    • Owner [IT Group]
    • Distributor [IT group]
  5. Choose Use a CloudFormation template

  6. Paste the template into the Use a CloudFormation template text box

  7. Version title [v1]

  8. Guidance [default]

  9. Description [default]

  10. Support details [defaults]

  11. Choose Review button

  12. On the Product details page, choose Create product

You now have an S3 storage bucket product.

Add an execution role to the S3 product


Execution (launch) roles with permissions can be attached to products; they are invisible to users. This way users don't need permissions to create or modify cloud resources themselves: Service Catalog assumes the launch role on their behalf, so users only need permission to view and launch Service Catalog products.


  1. Create an s3_launch role using the AWS IAM console, or get one from your in-house AWS security administrator.

  2. Right-click the Return to Service Catalog link

  3. Choose Portfolio list from the menu on the left.

  4. Choose a portfolio (select the one you created before)

  5. Choose the Constraints tab

  6. Fill in parameters

    • Product name [mys3product]
    • Constraint type [Launch]
    • Method [Select IAM role]
    • IAM role [select the role you created or were given]
    • Description []
  7. Choose Create button

The S3 product can now be launched using the new execution role.
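Because the launch role runs with permissions the end user does not hold, it is worth checking the role before attaching it as a launch constraint. The following added example (not part of the lab) builds a trust policy and a product-scoped permissions policy for the assumed s3_launch role and audits them: the role must be assumable only by the Service Catalog service, and its actions should stay within the services the product's template actually uses. The action lists and the SC-* stack name pattern are assumptions for the sample.

```python
# Constructed sample documents for a launch role named s3_launch (name assumed).
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                   "Principal": {"Service": "servicecatalog.amazonaws.com"}}],
}

# Permissions scoped to an S3 bucket product (CloudFormation to run the stack,
# S3 actions the template performs); the action lists are assumptions.
PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "arn:aws:cloudformation:*:*:stack/SC-*",
         "Action": ["cloudformation:CreateStack", "cloudformation:UpdateStack",
                    "cloudformation:DeleteStack", "cloudformation:DescribeStacks",
                    "cloudformation:DescribeStackEvents"]},
        {"Effect": "Allow", "Resource": "*",
         "Action": ["s3:CreateBucket", "s3:DeleteBucket", "s3:ListBucket",
                    "s3:PutBucketTagging", "s3:PutBucketVersioning"]},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_launch_role(trust, perms, allowed_services=("cloudformation", "s3")):
    """Return a list of findings; an empty list means the role passes."""
    findings = []
    for st in trust["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal")
        # Only the Service Catalog service principal may assume a launch role;
        # a user or account principal would let end users assume it directly.
        if (not isinstance(principal, dict) or set(principal) != {"Service"}
                or _as_list(principal["Service"]) != ["servicecatalog.amazonaws.com"]):
            findings.append(f"trust: unexpected principal {principal!r}")
    for st in perms["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        for action in _as_list(st["Action"]):
            service, _, name = action.partition(":")
            # Wildcards or services the product does not use widen the blast
            # radius beyond the one product the constraint is attached to.
            if action == "*" or name == "*":
                findings.append(f"perms: wildcard action {action}")
            elif service not in allowed_services:
                findings.append(f"perms: action outside product scope {action}")
    return findings
```

Run the audit against the role's actual policy documents (for example, as returned by the IAM console or `aws iam get-role`) before selecting the role in the Launch constraint dialog.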

Cleanup process

To avoid incurring cost, delete resources that are no longer needed. You can terminate a deployed Service Catalog product by selecting Actions, then Terminate.

End of Lab Exercises

Thank you for using this lab.