AWS Service Catalog Users?

Hi all, I am interested in AWS Service Catalog. Has anyone used it for provisioning production workloads in a large-ish organization? For me, it's always tough giving different teams different IAM access and democratizing IaC. Because, they will ALWAYS hit IAM snags and require more permissions to be added. I first looked into a way to discover what IAM policy a CFN template would need to create least privilege roles in advance, but that capability does not seem to exist. AWS Service Catalog seems to fix this by defining product CFN stacks and giving teams access to those stacks so you don't have to worry about the minutiae of IAM policies and keeping it least privilege.

Some things I worry about with Service Catalog - how flexible are the products? If I have a Lambda API/microservice product (as an example) and I wanted to bolt on an SNS topic, could I do that? Also I never like using the `aws cloudformation deploy` CLI command as it creates a change set and deploys it without giving you a chance to investigate the effects. In CI/CD I always set it up like: create change set, manual approval, execute change set. Is this supported when deploying products and updates to products?

As I'm typing this I'm realizing this should just be an AWS support ticket, lol. Anyways still looking forward to anyone's experience.
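The create / review / execute gate described in the post, written out as an added shell example (this is not the original poster's code). It assumes AWS CLI v2 on PATH, an existing stack being updated, and that the pipeline passes the manual approval decision in as a flag; `AWS_CLI` can be pointed at a stub for offline testing.

```shell
#!/usr/bin/env sh
# Added example: gated CloudFormation deployment as
# create-change-set -> review -> execute-change-set, instead of
# `aws cloudformation deploy`, which creates and executes in one step.
# AWS_CLI defaults to the real CLI; override it with a stub to test the flow offline.
AWS_CLI="${AWS_CLI:-aws}"

# create_change_set STACK TEMPLATE_FILE CHANGE_SET_NAME
# Creates the change set without executing it and waits until it is reviewable.
# Assumes the stack already exists (UPDATE); use CREATE for a brand-new stack.
create_change_set() {
  stack="$1"; template="$2"; name="$3"
  "$AWS_CLI" cloudformation create-change-set \
    --stack-name "$stack" --change-set-name "$name" \
    --template-body "file://$template" \
    --capabilities CAPABILITY_NAMED_IAM \
    --change-set-type UPDATE >/dev/null || return 1
  "$AWS_CLI" cloudformation wait change-set-create-complete \
    --stack-name "$stack" --change-set-name "$name"
}

# review_change_set STACK CHANGE_SET_NAME
# Prints each planned resource change (Add/Modify/Remove, id, type, replacement)
# so the approver can see what the update will actually touch.
review_change_set() {
  "$AWS_CLI" cloudformation describe-change-set \
    --stack-name "$1" --change-set-name "$2" \
    --query 'Changes[].ResourceChange.[Action,LogicalResourceId,ResourceType,Replacement]' \
    --output text
}

# gated_deploy STACK TEMPLATE_FILE CHANGE_SET_NAME APPROVED
# Executes the change set only when APPROVED is "yes"; otherwise the pending
# change set is deleted and the function returns 2 so the pipeline stops.
gated_deploy() {
  stack="$1"; template="$2"; name="$3"; approved="$4"
  create_change_set "$stack" "$template" "$name" || return 1
  review_change_set "$stack" "$name"
  if [ "$approved" = "yes" ]; then
    "$AWS_CLI" cloudformation execute-change-set \
      --stack-name "$stack" --change-set-name "$name"
  else
    echo "not approved: discarding change set $name" >&2
    "$AWS_CLI" cloudformation delete-change-set \
      --stack-name "$stack" --change-set-name "$name"
    return 2
  fi
}
```

In a pipeline the approval stage sets the fourth argument, e.g. `gated_deploy my-stack template.yaml "cs-$BUILD_ID" "$APPROVED"`; a rejected review leaves no pending change set behind.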

