Security Best Practices for Amazon Service Catalog - Amazon Service Catalog
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Security Best Practices for Amazon Service Catalog

Amazon Service Catalog provides a number of security features to consider as you develop and implement your own security policies. The following best practices are general guidelines and don’t represent a complete security solution. Because these best practices might not be appropriate or sufficient for your environment, treat them as helpful considerations rather than prescriptions.

You can define rules that limit the parameter values that a user enters when launching a product. These rules are called template constraints because they constrain how the Amazon CloudFormation template for the product is deployed. You use a simple editor to create template constraints, and you apply them to individual products.

Amazon Service Catalog applies constraints when provisioning a new product or updating a product that is already in use. It always applies the most restrictive constraint among all constraints applied to the portfolio and the product. For example, consider a scenario where the product allows all Amazon EC2 instances to be launched and the portfolio has two constraints: one that allows all non-GPU type EC2 instances to be launched and one that allows only t1.micro and m1.small EC2 instances to be launched. For this example, Amazon Service Catalog applies the second, more restrictive constraint (t1.micro and m1.small).
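The following added example (not Service Catalog's own evaluation code) shows why the outcome above is "the most restrictive constraint wins": a launch passes only if every assertion in every template constraint passes. Both constraints are written in the CloudFormation Rules syntax that template constraints use; the instance-type lists, rule names and assertion descriptions are constructed for this example.

```python
import json

# Constructed constraints: the first stands in for "non-GPU instance types only",
# the second for "only t1.micro and m1.small" from the scenario in the text.
NON_GPU_CONSTRAINT = json.loads("""{
  "Rules": {"NonGpuOnly": {"Assertions": [{
    "Assert": {"Fn::Contains": [["t1.micro", "m1.small", "m1.medium", "c1.medium"],
                                {"Ref": "InstanceType"}]},
    "AssertDescription": "GPU instance types are not permitted"}]}}}""")

SMALL_ONLY_CONSTRAINT = json.loads("""{
  "Rules": {"SmallOnly": {"Assertions": [{
    "Assert": {"Fn::Contains": [["t1.micro", "m1.small"], {"Ref": "InstanceType"}]},
    "AssertDescription": "Only t1.micro and m1.small are permitted"}]}}}""")


def evaluate(expr, params):
    """Evaluate a subset of the rule intrinsic functions against launch parameters."""
    if isinstance(expr, dict) and len(expr) == 1:
        (fn, arg), = expr.items()
        if fn == "Ref":
            return params[arg]  # missing parameter raises KeyError: treat as a failed launch
        if fn == "Fn::Contains":
            return evaluate(arg[1], params) in [evaluate(v, params) for v in arg[0]]
        if fn == "Fn::Equals":
            return evaluate(arg[0], params) == evaluate(arg[1], params)
        if fn == "Fn::Not":
            return not evaluate(arg[0], params)
        if fn == "Fn::And":
            return all(evaluate(a, params) for a in arg)
        if fn == "Fn::Or":
            return any(evaluate(a, params) for a in arg)
        raise ValueError(f"unsupported function: {fn}")
    return expr  # literal string value


def check_constraints(constraints, params):
    """Return the AssertDescription of every failing assertion across all constraints.
    The launch is allowed only when the list is empty, so the tightest constraint
    is always the one that decides the outcome."""
    failures = []
    for constraint in constraints:
        for rule in constraint["Rules"].values():
            for assertion in rule["Assertions"]:
                if not evaluate(assertion["Assert"], params):
                    failures.append(assertion["AssertDescription"])
    return failures


if __name__ == "__main__":
    for itype in ["t1.micro", "m1.medium", "p2.xlarge"]:
        print(itype, check_constraints([NON_GPU_CONSTRAINT, SMALL_ONLY_CONSTRAINT],
                                       {"InstanceType": itype}))
```

m1.medium is allowed by the first constraint but rejected by the second, which is exactly the behaviour the scenario describes.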

You can limit the access that end users have to Amazon resources by attaching an IAM policy to a launch role. You then create a launch constraint in Amazon Service Catalog so that the product is launched with that role rather than with the end user's own permissions.

To learn more about managed policies for Amazon Service Catalog, see Amazon Managed Policies for Amazon Service Catalog.