Are your DevOps teams focused on delivering innovation faster, continually spinning up new services that drive the proliferation of (sometimes) unneeded cloud instances? Do your AWS resources stay active after the project is done, with the meter still running? Do you lack visibility into who, what, and why resources are provisioned? Is all of this driving up your AWS costs? If so, this blog is for you.
A study [1] by 451 Research indicates that, while cloud unit costs may remain low, total cloud costs typically increase for two reasons:
- Cloud is inexpensive and easily accessible.
- Ease of access and lower costs drive developers and administrators to consume more, thereby spending more, and forgetting to control or limit consumption.
In this blog post, we’ll talk about AWS Service Catalog – what it is, how it can help you centrally manage commonly deployed AWS services and provisioned software products, and support consistent governance and compliance while optimizing costs.
We’ll describe a use case, where one of our clients trimmed 20% of their AWS costs by implementing Service Catalog. (Your mileage may vary based on the extent to which your cloud consumption needs more or less governance.)
What is AWS Service Catalog?
With AWS Service Catalog, you can create and manage catalogs of IT services that are approved for use on AWS – virtual machine images, servers, software, and databases. In practice, Service Catalog enables end users to request infrastructure and resources that are preconfigured and preapproved by the organization. The organization can grant access to a specific type of resource for a particular type of user, limit resource types and specifications, and control updates to the resources being requested.
Components of the AWS Service Catalog
What’s under the hood?
- Product: A service or application for end users. It can be made up of one or more AWS resources, and it can belong to multiple portfolios. Each product is an AWS CloudFormation script that can provision anything from a single resource to an entire infrastructure.
- Portfolio: A collection of products (up to 25 products per portfolio) that can be created, viewed, and updated in the AWS Service Catalog administrator console. A portfolio includes configuration information on:
  - Which users and groups can access the portfolio at an AWS Identity and Access Management (IAM) user, IAM group, or IAM role level.
  - How they can use those products.
- Catalog: A collection of products that the administrator creates by importing AWS CloudFormation templates.
- Constraints: Rules that limit how the AWS CloudFormation template for a product is deployed.
- Controls provisioning of AWS resources:
  - Provides access control through AWS IAM users and groups.
  - Ensures that users are launching products that are correctly configured for the organization’s needs, based on portfolio constraints and resource tags.
- Reduces AWS costs:
  - Automatically shuts down rogue resources.
  - Reduces idle resource uptime. Client-approved preconfigured products eliminate unnecessary resource provisioning.
- Provides self-service to end users, allowing them to provision preapproved resources defined for their use and eliminate:
  - The hassle of users going through approvals and requests or asking on-call support to create resources for them.
  - The possibility of human error, since the CloudFormation script is preapproved with only the parameters the client requires.
- Promotes resource standardization, compliance, and consistent service offerings across your environment by launching resources through a predefined product.
- Only provisions what your organization deems necessary.
- Portfolio can be distributed across many accounts in many Regions.
- Enhances security by implementing:
  - Constraints on which IAM role should be used to provision resources.
  - CloudFormation-specific IAM conditions.
  - CloudFormation stack policies that protect all or specific resources in your stacks from being unintentionally updated or deleted during the update process.
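How a portfolio, a product, end-user access, and a launch-role constraint fit together in one CloudFormation template. This is an added example, not the client's or the author's template; the three parameters and the portfolio and owner names are assumptions.

```yaml
# Added example: portfolio wiring for one product with a launch-role constraint.
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  ProductTemplateUrl:   # assumption: S3 URL of the preapproved product template
    Type: String
  EndUserRoleArn:       # assumption: IAM role your developers already use
    Type: String
  LaunchRoleArn:        # assumption: role trusted by servicecatalog.amazonaws.com,
    Type: String        # holding only the permissions the product needs
Resources:
  Portfolio:
    Type: AWS::ServiceCatalog::Portfolio
    Properties:
      DisplayName: ec2-provisioning   # hypothetical name
      ProviderName: platform-team     # hypothetical name
  OnDemandEc2:
    Type: AWS::ServiceCatalog::CloudFormationProduct
    Properties:
      Name: OnDemandEc2
      Owner: platform-team
      ProvisioningArtifactParameters:
        - Name: v1                    # add further versions as the script changes
          Info:
            LoadTemplateFromURL: !Ref ProductTemplateUrl
  ProductInPortfolio:
    Type: AWS::ServiceCatalog::PortfolioProductAssociation
    Properties:
      PortfolioId: !Ref Portfolio
      ProductId: !Ref OnDemandEc2
  EndUserAccess:                      # who may see and launch the portfolio
    Type: AWS::ServiceCatalog::PortfolioPrincipalAssociation
    Properties:
      PortfolioId: !Ref Portfolio
      PrincipalARN: !Ref EndUserRoleArn
      PrincipalType: IAM
  LaunchConstraint:                   # provisioning runs as LaunchRoleArn,
    Type: AWS::ServiceCatalog::LaunchRoleConstraint
    DependsOn: ProductInPortfolio     # not with the end user's own permissions
    Properties:
      PortfolioId: !Ref Portfolio
      ProductId: !Ref OnDemandEc2
      RoleArn: !Ref LaunchRoleArn
```

With the launch constraint in place, end users need Service Catalog end-user permissions only; they do not need direct EC2 or CloudFormation permissions to provision the product.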
Our client wanted to reduce costs, improve control, simplify provisioning, and accelerate code deployments and product delivery. Their former process to provision resources for Amazon Elastic Compute Cloud (EC2) instances was to make a request in Slack or via a ticket created in Jira, which then went to their on-call support team. The support team had to get approval, after which the resource was created manually through the EC2 console.
To accelerate resource provisioning, we created a portfolio for provisioning EC2 instances.
Using AWS CloudFormation scripts, we created two products in the portfolio: OnDemandEc2 and SpotFleetEc2.
Each product is backed by a script, and you can create new versions of the product that include updates to the script.
AWS CloudFormation provides control by defining:
- What gets provisioned.
- Specifications for the resources.
- Constraints required for the resource, to apply limits to products for governance or cost control.
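A product template along these lines shows all three points in one place: what gets provisioned, its specifications, and the limits placed on the user's choices. This is an added example, not the client's OnDemandEc2 script; the approved instance sizes, the AMI parameter path, the volume size, and the tag names are assumptions.

```yaml
# Added example: an illustrative product template for an on-demand EC2 instance.
AWSTemplateFormatVersion: '2010-09-09'
Description: OnDemandEc2 (illustrative)
Parameters:
  InstanceType:               # limit on specifications: approved sizes only
    Type: String
    Default: t3.micro
    AllowedValues: [t3.micro, t3.small, t3.medium]   # assumption
  SubnetId:                   # validated as an existing subnet in the account
    Type: AWS::EC2::Subnet::Id
  ImageId:                    # Amazon Linux 2 via a public SSM parameter; the
    Type: AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>   # launch role needs
    Default: /aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2  # ssm:GetParameters
  Owner:                      # who requested the instance
    Type: String
    MinLength: 3
  Project:                    # why it exists; used for cost reports
    Type: String
    MinLength: 3
Resources:
  Instance:                   # what gets provisioned: one instance, nothing else
    Type: AWS::EC2::Instance
    Properties:
      InstanceType: !Ref InstanceType
      ImageId: !Ref ImageId
      SubnetId: !Ref SubnetId
      BlockDeviceMappings:
        - DeviceName: /dev/xvda
          Ebs:
            VolumeSize: 20    # assumption: fixed root volume size in GiB
            Encrypted: true
      Tags:
        - Key: Owner
          Value: !Ref Owner
        - Key: Project
          Value: !Ref Project
Outputs:
  InstanceId:
    Value: !Ref Instance
```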
Now, with AWS Service Catalog, since the products are already created, once the client adds the required resource values it only takes minutes to provision the complete stack. With this in place, the client decided to broaden the catalogs to provision other resources, e.g., Amazon Simple Storage Service (Amazon S3) and Amazon DynamoDB.
If your business requires rapid innovation, like most of our clients, then you can help your teams go faster while also providing governance. Use AWS Service Catalog as your central management hub. It can simplify access and provisioning of preapproved resources while giving you improved control over your AWS environment (e.g., resource provisioning, cost optimization, compliance, and security).
1. Rogers, Owen and William Fellows. “The cloud transformation journey: Great expectations lead to a brave new world.” 451 Research, https://go.451research.com/The-cloud-transformation-journey.html?&utm_campaign=2018_market_insight&utm_source=website_blog&utm_medium=website&utm_content=apply_for_trial&utm_term=cloud_price_index. Accessed 26 April 2019.
Need help with AWS Service Catalog? The nClouds team is here to help with that and all your AWS infrastructure requirements.