Deploy Additional Services


AWS Control Tower provides the easiest way to set up and govern a new, secure, multi-account AWS environment based on best practices established through AWS’ experience working with thousands of enterprises as they move to the cloud. With AWS Control Tower, builders can provision new AWS accounts in a few clicks, while you have peace of mind knowing your accounts conform to your company-wide policies.

AWS Service Catalog enables organizations to create and manage catalogs of approved IT services for use on AWS. In a multi-account environment, AWS Service Catalog portfolios can be managed centrally in the Management account and distributed to the remaining accounts in the AWS Organization. In this lab, we will see different ways of sharing AWS Service Catalog portfolios and use them in the multi-account environment to deploy essential services.

  • Task-1: AWS Control Tower Administrator can provision new AWS accounts using Account Factory. The Account Factory network settings can be configured not to create VPCs automatically on provisioning a new account. Some customers want to do it this way, to have a better-controlled CIDR range.
  • Task-2: Share a set of commonly used products (like EC2 instances and S3 private encrypted buckets) across multiple accounts. The AWS Control Tower Administrator wants to make all these products available to the new AWS accounts that they launch.
  • Task-3: Create an AWS SSO user and allow access to the service catalog portfolio/products.

In the case of Task-1, only the Administrator on the child account will be able to launch the shared resources, so there is no need to set up launch constraints. In Task-2 and Task-3, the shared products can be consumed by local IAM users or an AWS SSO non-admin user. We will use the local launch constraints feature to allow this.

Terminologies Used:

  • Management Account: AWS Control Tower Management account, where we deployed the Control Tower service.
  • Provisioned Account: A new AWS account provisioned using Account Factory in AWS Control Tower.
  • Portfolios: AWS Service Catalog portfolio is a collection of products, together with configuration information.
  • Product: AWS Service Catalog product is an IT service that you want to make available for deployment on AWS.
  • Constraints: Constraints control the ways that specific AWS resources can be deployed for a product.

Task-1 : Share an Admin portfolio across all accounts in the organization

Using Account Factory in AWS Control Tower, you could now define workflows for provisioning new AWS accounts and implement account baselines with network configurations. Once these new accounts are created, there could be other customizations to be done on the new accounts by the new account owners. AWS Service Catalog allows you to create a central repository of approved products and share it with account owners with Administrator access to launch them as needed.

In this part of the lab, we will walk through:

  • How to create a Service Catalog portfolio with Admin tasks like VPC creation, or a common application environment setup, across multiple accounts.
  • How to share the portfolio with other members of the AWS organization. We will do this using the Organization Sharing feature in Service Catalog.
  • How to deploy the VPCs on individual child accounts.

1. Configure Service Catalog Portfolio on AWS Control Tower Management account

In this section, we will create an AWS Service Catalog portfolio with some sample products to perform standard administration tasks.

1.1 Collect the AWS Organizations information

1.1.1 With AWS SSO, log into the AWS Control Tower management console in the Management account.

  1. When you launch AWS Control Tower, you will receive an email notification with User portal URL and Username (referred to as admin user).
  2. The email notification will have instructions to log in to AWS SSO and then to AWS Console on the AWS Control Tower Management account.
  3. Click on the Management account to expand. Select Management console next to AWSAdministratorAccess Role to log in to AWS Management console of the Management account (as shown below).
  4. Select the service Control Tower under Management & Governance.

1.1.2 Capture AWS Organizations Id

  1. Go to AWS Organizations Console settings page on the Management account.
  2. Note down the Organization ID. We will use it later in this lab.

1.2 Create Service Catalog Portfolio and Share with AWS Organization

1.2.1 Create AWS Service Catalog Product

  1. Go to AWS Service Catalog Console on the Management account.
  2. On the left sidebar, Under Administration, Choose Products.
  3. Click on Upload new product, and enter the values below under Product details:
    • Product Name: Custom VPC
    • Owner: AWS
  4. Under Version details:
    • Choose Use a CloudFormation template option under Choose a method.
    • Type in
  5. Enter v1.0 as the Version title and leave the remaining values at their defaults.
  6. Choose Review.
  7. Review the options you selected and click on Create product.

1.2.2 Create a Service Catalog Portfolio

  1. On the left sidebar, under Administration, choose Portfolios.
  2. Click on Create Portfolio and type in the values below:
    • Portfolio name: Admin Portfolio
    • Description - optional: Portfolio to share Administration products
    • Owner: AWS
  3. Choose Create.

1.2.3 Associate a Product to the Portfolio

  1. On Portfolios page, select the radio button for Admin Portfolio and choose Actions, and Add product to portfolio.
  2. Select the Custom VPC, and click on Add Product to Portfolio.
  3. Choose Admin Portfolio to open the portfolio details.
  4. Choose Share (0) and Share with new Account.
  5. Choose Organization.
  6. If you are doing this for the first time, you need to choose Enable under the blue banner titled Organizational sharing is not available.
  7. Under Node Type, Select Organization from the dropdown.
  8. Under Input Value, paste the AWS organizations ID that you copied in 1.1.2
  9. Choose Share.

You have now created an AWS Service Catalog portfolio with Administration related products in it and shared the portfolio with the remaining accounts within the Organization.

1.3 Launch resources on the child account

In this section, we will switch role to one of the child accounts (we will reuse the account that was created in the lab Account Factory). On the newly provisioned account you will deploy a Custom VPC resource using the portfolio that we shared in step 1.2.

1.3.1 Switch Role from Management to Child Account

  1. On Management account, go to AWS Control Tower Accounts page to list all accounts.
  2. Click on the appropriate Account Name and note down the Account ID. You will use this to switch the role.
  3. Expand Username next to bell icon on the top right corner and choose Switch Role option. Type in:
    • Account: Account ID
    • Role: AWSControlTowerExecution
  4. Choose Switch Role

You are now logged in to the child account using the assumed role.

1.3.2 Allow Administrator to launch the products

  1. Under Find Services, search for Catalog and select Service Catalog.
  2. On the left sidebar, Under Administration, Choose Portfolios.
  3. Choose Imported tab
  4. Select Organization Portfolios for Portfolio Source.
  5. Choose Admin Portfolio and select Groups, roles and users(0)
  6. Choose Add groups, roles, users.
  7. [ONLY FOR THIS LAB] In Roles tab, type Execution in the Name search bar. Select AWSControlTowerExecution and click Add Access.
  8. Again click on Add groups, roles, users.
  9. In Roles tab, type AWSAdministrator in the Name search bar. Select AWSReservedSSO_AWSAdministrator and click Add Access.

1.3.3 Launch a VPC on the child account

  1. Now click on the Products list at the top of the left sidebar.
  2. Click on hamburger icon next to Custom VPC and select Launch product.
  3. Under Name, type myVPC-1 and click Next.
  4. Select two different Availability Zones for RegionAZ1Name and RegionAZ2Name.
  5. Change the VPCCIDR values as needed and click NEXT.
  6. Choose NEXT, NEXT.
  7. In Review page, check all the options you selected and click on LAUNCH.
  8. In Provisioned products list, under Events, you could check the current status of the Launch. Wait for Status to change from In progress to Succeeded.
  9. Once the product is launched, all the network configuration is listed under outputs.

Expand the username on the top right corner next to the bell icon and select Back to AWSReservedSSO_AWSAdministratorAccess.

Task-2 : Share a non-admin portfolio with selected Organizational Units

In the previous section of this lab, we saw how to share a portfolio across an AWS Organization and deploy services on the child accounts as an Admin user.

In this lab, we will see how to share a set of AWS Service Catalog products across your child accounts on the organizational unit level. We will create a local portfolio in each provisioned account, and add launch constraints on those accounts.

To keep this lab simple, we will use the products available in the Service Catalog in a box portfolio which is included in all AWS accounts by default.

PS: All the steps that we see in this section can be automated using API/CLI. However, for this lab, we will see how to do these activities manually from the AWS Console.

In this section of the lab, we will walk through:

  • How to share a portfolio from Management account to child accounts using AWS Organizational Units sharing.
  • Assign local launch constraints to the shared portfolio
  • Enable self-service for groups, users and roles in the child account

2. Share an AWS Service Catalog Portfolio from Management account

We created an Organizational Unit and provisioned an AWS account in the lab Account Factory. We will use the same resources here in this lab to share the portfolio from Management account. If you are trying this lab directly without going through the lab Account Factory, please go to the lab Account Factory and complete section 1. AWS Control Tower environment setup before proceeding further with this lab.

2.1 Share a portfolio from Management account

2.1.1 Create Launch Constraint Roles on all accounts in the organization

We will use CloudFormation service-managed permissions to create the IAM roles across multiple accounts within the organization.

  1. Go to CloudFormation StackSets Console
  2. If you see a blue banner to enable trusted access, choose Enable trusted access. This will not be shown if the trusted access was enabled on your account already.
  3. Choose Create StackSet
  4. In Choose a template page, under Specify template, Amazon S3 URL, type in
  5. On Specify StackSet details page, fill the following values:
    • StackSet description: Create AWS Service Catalog Launch Constraint Roles across the organization.
    • Under Parameters, change the values if needed. For this lab leave defaults.
  6. Leave the default selection Service managed permissions and choose Next.
  7. In Set deployment options page, select the region you are operating currently and choose Next.
  8. In Review page, select I acknowledge that AWS CloudFormation might create IAM resources with custom names.
  9. Review the options you selected and choose Submit

    Note: The stack instances are not deployed on the Management account when the stack set is deployed with the service-managed permissions option chosen above. Follow the steps below to deploy the stack on the Management account separately.

  10. Click on the Launch Stack button below to create the required roles on the Management account.

  11. Choose Next, Next, Next

  12. In Review page, select I acknowledge that AWS CloudFormation might create IAM resources with custom names.

  13. Choose Create stack.

You have successfully created launch constraint roles on the Management account and on all remaining accounts within the Organization. This allows us to use the AWS Service Catalog local launch constraints feature.
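For readers who want to see what the StackSet step above actually puts in each account, here is an added illustrative CloudFormation template (not the lab's own template, whose URL is not reproduced on this page): the SCLaunchConstraintRole that Service Catalog assumes under the local launch constraint, and the SCEndUserGroup/SCEndUser that hold only AWSServiceCatalogEndUserFullAccess. The policy actions, the SC-* stack ARN scope and the s3 tag condition are assumptions following AWS's documented launch-role pattern; the ec2/s3 scope is sized loosely for the two lab products.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Example launch constraint role and end-user group (not the lab's template)
Parameters:
  SCEndUserPassword:
    Type: String
    NoEcho: true            # keep the initial password out of stack events
    Default: Change@me      # lab default; a reset is forced at first sign-in
Resources:
  # Role assumed by Service Catalog to run the product's CloudFormation stack.
  # End users never hold these permissions; they only need EndUser access.
  SCLaunchConstraintRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: SCLaunchConstraintRole   # name entered in the launch constraint
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: servicecatalog.amazonaws.com   # only the service, no users
            Action: sts:AssumeRole
      Policies:
        - PolicyName: SCLaunchPermissions
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Sid: ManageProvisioningStacks   # Service Catalog names stacks SC-*
                Effect: Allow
                Action:
                  - cloudformation:CreateStack
                  - cloudformation:UpdateStack
                  - cloudformation:DeleteStack
                  - cloudformation:DescribeStacks
                  - cloudformation:DescribeStackEvents
                  - cloudformation:GetTemplateSummary
                  - cloudformation:SetStackPolicy
                  - cloudformation:ValidateTemplate
                Resource: !Sub arn:${AWS::Partition}:cloudformation:*:${AWS::AccountId}:stack/SC-*
              - Sid: ReadProductTemplates       # only objects tagged by Service Catalog
                Effect: Allow
                Action: s3:GetObject
                Resource: '*'
                Condition:
                  StringEquals:
                    s3:ExistingObjectTag/servicecatalog:provisioning: 'true'
              - Sid: ProductResources           # assumed scope for the two lab products;
                Effect: Allow                   # narrow to the exact actions in production
                Action: [ec2:*, s3:*]
                Resource: '*'
  # Group and user that may only browse and launch the products they are granted.
  SCEndUserGroup:
    Type: AWS::IAM::Group
    Properties:
      GroupName: SCEndUserGroup
      ManagedPolicyArns:
        - !Sub arn:${AWS::Partition}:iam::aws:policy/AWSServiceCatalogEndUserFullAccess
  SCEndUser:
    Type: AWS::IAM::User
    Properties:
      UserName: SCEndUser
      Groups: [!Ref SCEndUserGroup]
      LoginProfile:
        Password: !Ref SCEndUserPassword
        PasswordResetRequired: true
```

Because the launch role's trust policy names only servicecatalog.amazonaws.com, the end user cannot assume it directly; the elevated permissions are exercised only inside a product launch that an administrator approved by adding the constraint.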

2.1.2 Collect the Organizational Unit ID

  1. Log in to Management account in Control Tower as an Administrator.
  2. Go to Organizational units page on ControlTower dashboard Console.
  3. Click on the OU where you have the child account. In this case click on DEVENV OU that we created in the lab Account Factory.
  4. Note down the OU-ID under Details. It is in the format ou-zzzz-xxxxxxx.

2.1.3 Create a portfolio on the Management account

  1. Go to Service Catalog Console.
  2. On the left sidebar, choose Launch solutions with the Getting Started library.
  3. Choose Reference Architectures.
  4. Select Amazon EC2 Linux, and choose Copy Product.
  5. Select Amazon S3 Private Encrypted Bucket, and choose Copy Product.
  6. Go back to Portfolios under Administration on the left sidebar.
  7. In the Create Portfolio page, type in the values below:
    • Portfolio name: Portfolio-For-Sandboxes
    • Description - optional: Portfolio to allow organization wide approved products
    • Owner: AWS
  8. Choose Create
  9. You will be directed back to Portfolios page

2.1.4 Add products to the portfolio

  1. On the Portfolios page, select the radio button for Portfolio-For-Sandboxes
  2. Choose Actions and select Add product to portfolio
  3. Select the products you copied earlier, and click on Add Product to Portfolio (one product at a time)

2.1.5 Share the portfolio with AWS Organizational Unit

  1. On the Portfolios page, Click on Portfolio-For-Sandboxes.
  2. Choose Share(0) tab and click on Share with new Account.
  3. On Enter AWS Account ID screen select Organization.
  4. Under Node Type, select Organizational Unit from the drop down.
  5. Under Input Value, paste the Organizational Unit ID that you noted down in step 2.1.2.
  6. Choose Share

2.1.6 Add local launch constraint to your portfolio.

  1. On the Portfolios page, Click on Portfolio-For-Sandboxes.
  2. Choose Constraints (0) tab and click on Create constraint.
  3. In Create constraint page, select Amazon EC2 Linux from the drop down under Product.
  4. Select Launch under Constraint type.
  5. Under Launch constraint section, select Enter role name as Method.
  6. Type in SCLaunchConstraintRole for Role name.
  7. Choose Create.
  8. Repeat steps 3-7 for Amazon S3 Private Encrypted Bucket as well.

So far we have created a portfolio in the Management account, added products from the Getting Started Library to it, shared it with an OU in your environment, and enabled local launch constraints. In the next section, we will see how to enable this portfolio for local users within the AWS account.

3. Enable self-service in child account

By using the AWS Service Catalog local launch constraint feature, you can now directly add users to the imported portfolios to allow them to launch AWS Service Catalog products. There is no need to create local portfolios from the imported portfolios when local launch constraints are used.

3.1 Grant permissions to the users in child account

3.1.1 Add users to access the AWS Service Catalog products.

  1. Log in to the provisioned account as administrator using the information from the lab Account Factory.
  2. Go to Service Catalog Console
  3. On the left sidebar, Under Administration, Choose Portfolios.
  4. Choose Imported tab and select Portfolio-For-Sandboxes from the list.
  5. Choose the Groups, roles and users tab and select Add groups, roles, users.
  6. For this part of the lab, choose Groups, type in SCEndUserGroup and select the group.
  7. Choose Add access to grant permission to the SCEndUserGroup which was created as part of step 2.1.1.

The allowed users in the child account now have a catalog of services ready to consume. You may verify this by logging in to the child account as SCEndUser and trying to access the Service Catalog products. The default password for SCEndUser is Change@me unless you changed the parameter value of SCEndUserPassword in step 2.1.1-5.

Task-3 [Optional] : Grant Catalog access permissions to an AWS SSO User

In Task-2, we saw how to grant access to AWS Service Catalog portfolio/product(s) for the local IAM users in the provisioned AWS account. In this part of the lab, we will see how to create an AWS SSO User/Group and grant access to the AWS Service Catalog portfolio/products. We will use the same portfolio/product(s) that we created in Task-2.

4. Allow AWS SSO User to access Service Catalog Products

We will do following tasks in the lab:

  • Create an SSO User centrally in the Management account, and assign appropriate permissions.
  • Grant access to the Service Catalog for newly created AWS SSO User.

4.1 Create an AWS SSO User, Group and Permission set

4.1.1 Create new permission set

  1. Login to AWS Control Tower Management account with AWSAdministratorAccess role.
  2. Under Find Services search bar type Sign-On and select AWS Single Sign-On.
  3. Select AWS accounts on the left side bar.
  4. In AWS Accounts page, select Permission sets tab, and click Create permission set button.
  5. In Create new permission set page, select Create a custom permission set.
  6. Type DeveloperAccessPermissions for Name and enter a Description for the permission set.
  7. Under What policies do you want to include in your permission set?, select Attach AWS managed policies.
  8. In the Attach AWS Managed policies search bar, type and select AWSServiceCatalogEndUserFullAccess and click on the Create button.

4.1.2 Create an AWS SSO user / group

  1. Select Users from the left sidebar.
  2. Choose Add user button.
  3. Fill in the Email address, confirm the email address, select Generate a one-time password..., and fill in all other required fields.
  4. Choose Next:Groups button, and click on Create group.
  5. Type in DevUserGroup under Group name, with some appropriate description and choose Create.
  6. Select the checkbox for the newly created group and click on the Add User button.
  7. User will be created, click on Copy details and paste the content in some secured place.
  8. Click on Close button to go back to the Directory page

4.1.3 Assign permission set to AWS SSO User/Group

  1. Now click on the AWS accounts on the left sidebar and select the account that you like to grant DeveloperAccessPermissions permissions.
  2. Click on Assign users, and select the Groups tab, and select the checkbox next to DevUserGroup and click Next: Permission sets
  3. In Select permission sets page, select DeveloperAccessPermissions and click on Finish

4.2 Grant permissions to Service Catalog products

4.2.1 Grant Service Catalog access permissions to the AWS SSO User/Group

  1. Now, log in as Administrator to the account to which you granted the permissions in step 4.1.3.
  2. Go to AWS Service Catalog, under Admin, select Portfolio list. Choose Local Portfolio for Shared Portfolio.
  3. Select Users, groups and roles and choose ADD USER, GROUP OR ROLE.
  4. Select the Roles tab search for DeveloperAccessPermissions. Select the checkbox next to the SSO Role and choose ADD ACCESS.

Congratulations, you created a user in AWS SSO and granted that user Service Catalog End User access across child accounts. You may log in to the child account using the AWS SSO user to which you granted permissions in section 4.1.3.

5. Cleanup the lab resources [Required to avoid additional cost]

Resources like the Custom VPC and EC2 instances deployed as part of this lab will add to your cost if left undeleted. We highly recommend cleaning up these resources once you are done with this lab, unless you plan to continue using them.

5.1.1 Cleanup the EC2 and S3 resources on the Child Account if provisioned.

If you have launched any EC2 instance or S3 products as SCEndUser during the Task-2, delete them using below instructions. You may skip this step if you have not provisioned any resources in Task-2.

  1. Log in to the child account as Administrator and navigate to Provisioned Products list.
  2. Under Filter by, select Account from the drop-down.
  3. Choose the Provisioned Product that you created as part of this lab.
  4. Choose Actions and Terminate to delete the provisioned product.
  5. Wait for the TERMINATE_PROVISIONED_PRODUCT status change to Succeeded.

5.1.2 Cleanup the Custom VPC you created on the Child Account.

As part of Task-1, you provisioned a Custom VPC product on the child account. Delete this VPC to avoid additional costs on your account. This stack creates NAT Gateways, which can get expensive if left undeleted. Delete them if you do not plan to use them after this lab.

  1. Log in to the child account as Administrator and navigate to Provisioned Products list.
  2. Under Filter by, select Account from the drop-down.
  3. Choose the Provisioned Product myVPC-1 that you created as part of this lab.
  4. Choose Actions and Terminate to delete the provisioned product.
  5. Wait for the TERMINATE_PROVISIONED_PRODUCT status change to Succeeded.

Optionally, you can clean up the AWS Service Catalog products and portfolios by following the instructions in Deleting Products and Deleting Portfolios. These resources do not add any expense if not used.


Copyright 2020, Amazon Web Services, All Rights Reserved.