Tutorial: Identifying User Resource Allocation - Amazon Service Catalog
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Tutorial: Identifying User Resource Allocation

You can identify the user who provisioned a product and resources associated with the product using the Amazon Service Catalog console. This tutorial helps translate this example to your own specific provisioned products.

To manage all provisioned products for the account, you need AWSServiceCatalogAdminFullAccess or equivalent access to the provisioned product write operations. For more information, see Identity and Access Management in the Amazon Service Catalog Administrator Guide.

To identify the user who provisioned a product and the associated resources

  1. Open https://console.amazonaws.cn/servicecatalog.

  2. In the left navigation menu, choose Provisioned product.

  3. In the Access Filter dropdown menu, choose Account.

  4. In the Account view, choose and open a provisioned product to display its details.

    You can see the details of the provisioned product.

  5. Scroll down to expand the Events section. Note the Provisioned product ID and CloudformationStackARN values.

  6. Use the provisioned product ID to identify the Amazon CloudTrail record that corresponds to this launch and identify the requesting user (typically, you enter an email address during federation). In this example, it is "steve".

    {
  "eventVersion":"1.03","userIdentity":
  {
    "type":"AssumedRole",
    "principalId":"[id]:steve",
    "arn":"arn:aws:sts::[account number]:assumed-role/SC-usertest/steve",
    "accountId":[account number],
    "accessKeyId":[access key],
    "sessionContext":
    {
      "attributes":
      {
        "mfaAuthenticated":[boolean],
        "creationDate":[timestamp]
      },
      "sessionIssuer":
      {
        "type":"Role",
        "principalId":"AROAJEXAMPLELH3QXY",
        "arn":"arn:aws:iam::[account number]:role/[name]",
        "accountId":[account number],
        "userName":[username]
      }
    }
  },
  "eventTime":"2016-08-17T19:20:58Z","eventSource":"servicecatalog.amazonaws.com",
  "eventName":"ProvisionProduct",
  "awsRegion":"us-west-2",
  "sourceIPAddress":[ip address],
  "userAgent":"Coral/Netty",
  "requestParameters":
  {
    "provisioningArtifactId":[id],
    "productId":[id],
    "provisioningParameters":[Shows all the parameters that the end user entered],
    "provisionToken":[token],
    "pathId":[id],
    "provisionedProductName":[name],
    "tags":[],
    "notificationArns":[]
  },
  "responseElements":
  {
    "recordDetail":
    {
      "provisioningArtifactId":[id],
      "status":"IN_PROGRESS",
      "recordId":[id],
      "createdTime":"Aug 17, 2016 7:20:58 PM",
      "recordTags":[],
      "recordType":"PROVISION_PRODUCT",
      "provisionedProductType":"CFN_STACK",
      "pathId":[id],
      "productId":[id],
      "provisionedProductName":"testSCproduct",
      "recordErrors":[],
      "provisionedProductId":[id]
    }
  },
  "requestID":[id],
  "eventID":[id],
  "eventType":"AwsApiCall",
  "recipientAccountId":[account number]
}

  7. Use the CloudformationStackARN value to identify Amazon CloudFormation events to find information about the created resources. You can also use the Amazon CloudFormation API to obtain this information. For more information, see Amazon CloudFormation API Reference.

You can perform steps 1 through 4 using the Amazon Service Catalog API. For more information, see Amazon Service Catalog Developer Guide.