Identity-based policy examples for Amazon Service Catalog
Topics
Console access for end users
The AWSServiceCatalogEndUserFullAccess and
AWSServiceCatalogEndUserReadOnlyAccess policies grant access to the Amazon Service Catalog
end user console view. When a user who has either of these policies chooses Amazon Service Catalog in
the Amazon Web Services Management Console, the end user console view displays the products they have permission
to launch.
Before end users can successfully launch a product from Amazon Service Catalog to which you give access, you must provide them additional IAM permissions to allow them to use each of the underlying Amazon resources in a product's Amazon CloudFormation template. For example, if a product template includes Amazon Relational Database Service (Amazon RDS), you must grant the users Amazon RDS permissions to launch the product.
To learn about how to enable end users to launch products while enforcing least-access permissions to Amazon resources, see Using Amazon Service Catalog Constraints.
If you apply the AWSServiceCatalogEndUserReadOnlyAccess policy, your users have
access to the end user console, but they won't have the permissions that they need
to launch products and manage provisioned products. You can grant these permissions
directly to an end user using IAM, but if you want to limit the access that end
users have to Amazon resources, you should attach the policy to a launch role. You then
use Amazon Service Catalog to apply the launch role to a launch constraint for the product. For more
information about applying a launch role, launch role limitations, and a sample
launch role, see Amazon Service Catalog Launch Constraints.
Note
If you grant users IAM permissions for Amazon Service Catalog administrators, the administrator console view displays instead. Don't grant end users these permissions unless you want them to have access to the administrator console view.
Product access for end users
Before end users can use a product to which you give access, you must provide them additional IAM permissions to allow them to use each of the underlying Amazon resources in a product's Amazon CloudFormation template. For example, if a product template includes Amazon Relational Database Service (Amazon RDS), you must grant the users Amazon RDS permissions to launch the product.
If you apply the AWSServiceCatalogEndUserReadOnlyAccess
policy, your users have access to the end user console view, but they won't have the
permissions that they need to launch products and manage provisioned products. You
can grant these permissions directly to an end user in IAM, but if you want to
limit the access that end users have to Amazon resources, you should attach the
policy to a launch role. You then use Amazon Service Catalog to apply the launch role to a launch
constraint for the product. For more information about applying a launch role,
launch role limitations, and a sample launch role, see Amazon Service Catalog Launch Constraints.
Example policies for managing provisioned products
You can create custom policies to help meet the security requirements of your
organization. The following examples describe how to customize the access level for
each action with support for user, role, and account levels. You can grant users
access to view, update, terminate, and manage provisioned products created only by
that user or created by others also under their role or the account to which they
are logged in. This access is hierarchical — granting account level access
also grants role level access and user level access, while adding role level access
also grants user level access but not account level access. You can specify these in
the policy JSON using a Condition block as accountLevel,
roleLevel, or userLevel.
These examples also apply to access levels for Amazon Service Catalog API write
operations: UpdateProvisionedProduct and
TerminateProvisionedProduct, and read operations:
DescribeRecord, ScanProvisionedProducts, and
ListRecordHistory. The ScanProvisionedProducts and
ListRecordHistory API operations use
AccessLevelFilterKey as input, and that key's values correspond to
the Condition block levels discussed here (accountLevel is
equivalent to an AccessLevelFilterKey value of "Account",
roleLevel to "Role", and userLevel to "User"). For
more information, see the Service Catalog Developer Guide.
Examples
Full admin access to provisioned products
The following policy allows full read and write access to provisioned products and records within the catalog at the account level.
{ "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":[ "servicecatalog:*" ], "Resource":"*", "Condition": { "StringEquals": { "servicecatalog:accountLevel": "self" } } } ] }
This policy is functionally equivalent to the following policy:
{ "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":[ "servicecatalog:*" ], "Resource":"*" } ] }
Not specifying a Condition block
in any policy for Amazon Service Catalog is treated as the same as specifying
"servicecatalog:accountLevel" access. Note that
accountLevel access includes roleLevel and
userLevel access.
End-user access to provisioned products
The following policy restricts access to read and write operations to only the provisioned products or associated records that the current user created.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "servicecatalog:DescribeProduct", "servicecatalog:DescribeProductView", "servicecatalog:DescribeProvisioningParameters", "servicecatalog:DescribeRecord", "servicecatalog:ListLaunchPaths", "servicecatalog:ListRecordHistory", "servicecatalog:ProvisionProduct", "servicecatalog:ScanProvisionedProducts", "servicecatalog:SearchProducts", "servicecatalog:TerminateProvisionedProduct", "servicecatalog:UpdateProvisionedProduct" ], "Resource": "*", "Condition": { "StringEquals": { "servicecatalog:userLevel": "self" } } } ] }
Partial admin access to provisioned products
The two policies below, if both applied to the same user, allow what might be called a type of "partial admin access" by providing full read-only access and limited write access. This means the user can see any provisioned product or associated record within the catalog's account but cannot perform any actions on any provisioned products or records that aren't owned by that user.
The first policy allows the user access to write operations on the provisioned products that the current user created, but no provisioned products created by others. The second policy adds full access to read operations on provisioned products created by all (user, role, or account).
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "servicecatalog:DescribeProduct", "servicecatalog:DescribeProductView", "servicecatalog:DescribeProvisioningParameters", "servicecatalog:ListLaunchPaths", "servicecatalog:ProvisionProduct", "servicecatalog:SearchProducts", "servicecatalog:TerminateProvisionedProduct", "servicecatalog:UpdateProvisionedProduct" ], "Resource": "*", "Condition": { "StringEquals": { "servicecatalog:userLevel": "self" } } } ] }
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "servicecatalog:DescribeRecord", "servicecatalog:ListRecordHistory", "servicecatalog:ScanProvisionedProducts" ], "Resource": "*", "Condition": { "StringEquals": { "servicecatalog:accountLevel": "self" } } } ] }