Sharing and Importing Portfolios - Amazon Service Catalog
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Sharing and Importing Portfolios

To make your Amazon Service Catalog products available to users who are not in your Amazon Web Services accounts, such as users who belong to other organizations or to other Amazon Web Services accounts in your organization, you share your portfolios with them. You can share in several ways, including account-to-account sharing, organizational sharing, and deploying catalogs using stack sets.

Before you share your products and portfolios to other accounts, you must decide whether you want to share a reference of the catalog or to deploy a copy of the catalog into each recipient account. Note that if you deploy a copy, you must redeploy if there are updates you want to propagate to the recipient accounts.

You can use stack sets to deploy your catalog to many accounts at the same time. If you want to share a reference (an imported version of your portfolio that stays in sync with the original), you can use account-to-account sharing or you can share using Amazon Organizations.

To use stack sets to deploy a copy of your catalog, see How to set up a multi-region, multi-account catalog of company standard Amazon Service Catalog products.

When you share a portfolio using account-to-account sharing or Amazon Organizations, you allow a Amazon Service Catalog administrator of another Amazon account to import your portfolio into their account and distribute the products to end users in that account.

This imported portfolio isn't an independent copy. The products and constraints in the imported portfolio stay in sync with changes that you make to the shared portfolio, the original portfolio that you shared. The recipient administrator, the administrator with whom you share a portfolio, cannot change the products or constraints, but can add Amazon Identity and Access Management (IAM) access for end users. For more information, see Granting Access to Users.

The recipient administrator can distribute the products to end users who belong to their Amazon account in the following ways:

  • By adding users, groups, and roles to the imported portfolio.

  • By adding products from the imported portfolio to a local portfolio, a separate portfolio that the recipient administrator creates and that belongs to their Amazon account. The recipient administrator then adds users, groups, and roles to that local portfolio. Any constraints originally applied to products in the shared portfolio are also present in the local portfolio. The local portfolio recipient administrator can add additional constraints, but cannot remove the constraints that were originally imported from the shared portfolio.

When you add products or constraints to the shared portfolio or remove products or constraints from it, the change propagates to all imported instances of the portfolio. For example, if you remove a product from the shared portfolio, that product is also removed from the imported portfolio. It is also removed from all local portfolios that the imported product was added to. If an end user launched a product before you removed it, the end user's provisioned product continues to run, but the product becomes unavailable for future launches.

If you apply a launch constraint to a product in a shared portfolio, it propagates to all imported instances of the product. To override this launch constraint, the recipient administrator adds the product to a local portfolio and then applies a different launch constraint to it. The launch constraint that is in effect sets a launch role for the product.

A launch role is an IAM role that Amazon Service Catalog uses to provision Amazon resources (such as Amazon EC2 instances or Amazon RDS databases) when an end user launches the product. As an administrator, you can choose to designate a specific launch role ARN or a local role name. If you use the role ARN, the role will be used even if the end user belongs to a different Amazon account than the one that owns the launch role. If you use a local role name, the IAM role with that name in the end user's account is used.

For more information about launch constraints and launch roles, see Amazon Service Catalog Launch Constraints. The Amazon account that owns the launch role provisions the Amazon resources, and this account incurs the usage charges for those resources. For more information, see Amazon Service Catalog Pricing.

This video shows you how to share portfolios across accounts in Amazon Service Catalog.


You cannot re-share products from a portfolio that has been imported or shared.


Portfolio imports must occur in the same region between the management and dependent accounts.

Relationship Between Shared and Imported Portfolios

This table summarizes the relationship between an imported portfolio and a shared portfolio, and the actions that an administrator who imports a portfolio can and can't take with that portfolio and the products in it.

Element of Shared Portfolio Relationship to Imported Portfolio Recipient Administrator Can Recipient Administrator Cannot
Products and product versions


If the portfolio creator adds products to or removes products from the shared portfolio, the change propagates to the imported portfolio.

Add imported products to local portfolios. Products stay in sync with shared portfolio.

Upload or add products to the imported portfolio or remove products from the imported portfolio.

Launch constraints


If the portfolio creator adds launch constraints to or removes launch constraints from a shared product, the change propagates to all imported instances of the product.

If the recipient administrator adds an imported product to their local portfolio, that imported launch constraint is not carried over to the shared portfolio.

In a local portfolio, the administrator can apply launch constraints that affect the local launch of the product.

Add launch constraints to or remove launch constraints from the imported portfolio.

Template constraints


If the portfolio creator adds a template constraint to or removes a template constraints from a shared product, the change propagates to all imported instances of the product.

If the recipient administrator adds an imported product to a local portfolio, the imported template constraints are not carried over to the local portfolio.

In a local portfolio, the administrator can add template constraints that constrain the local product.

Remove the imported template constraints.

Users, groups, and roles Not inherited. Add users, groups, and roles that are in administrator's Amazon account. Not applicable.