AWS Service Catalog: What It Is and When to Use It
Definition
AWS Service Catalog allows organizations to create and manage catalogs of IT services that are approved for use on AWS. It solves the problem of balancing developer agility with corporate governance by providing a self-service portal for users to provision resources from pre-approved, standardized templates, ensuring compliance and controlling costs.
How It Works
AWS Service Catalog acts as a governance and provisioning layer on top of Infrastructure as Code (IaC) tools like AWS CloudFormation and HashiCorp Terraform. The workflow involves two primary roles: administrators and end users.
Administrators (typically central IT or platform engineering teams) are responsible for defining the catalog.
- Create a Product: A product is a blueprint for an IT service. The administrator creates a product by defining it with an IaC template, such as an AWS CloudFormation template or a Terraform configuration. This template specifies the AWS resources to be deployed (e.g., an EC2 instance with a specific Amazon Machine Image, or a multi-tier web application).
- Organize into Portfolios: A portfolio is a collection of products, along with configuration information. Administrators group related products into portfolios, often tailored to specific teams or user types (e.g., a "Developer Sandbox" portfolio or a "Data Science Environment" portfolio).
- Apply Constraints: Constraints are a critical governance feature. They control how products can be deployed. For example, a Launch Constraint specifies an AWS Identity and Access Management (IAM) role that Service Catalog must use to provision the product's resources. This allows end users to provision resources they don't have direct IAM permissions to create, enforcing the principle of least privilege. Other constraints can enforce tagging policies or restrict available instance types.
- Grant Access: The administrator grants IAM users, groups, or roles access to specific portfolios.
End Users (such as developers, data scientists, or engineers) interact with the catalog to deploy services.
- Browse and Launch: The end user logs into the AWS console and sees a simple, curated list of products they are authorized to use.
- Provision Product: The user selects a product, provides any necessary launch parameters (e.g., project name, instance size from an allowed list), and launches it. Service Catalog then provisions the underlying AWS CloudFormation stack or Terraform resources, which is called a Provisioned Product.
This process allows end users to get the resources they need quickly and independently, while administrators maintain central control over architecture, security, and costs.
Key Features and Limits
- Infrastructure as Code (IaC) Support: Natively supports AWS CloudFormation and integrates with HashiCorp Terraform (both Community Edition and Cloud).
- Portfolios and Products: Organizes IaC templates into version-controlled products and groups them into portfolios for different user personas.
- Constraints: Enforces governance through launch constraints (for IAM roles), template constraints (to restrict user parameters), and tagging constraints.
- Self-Service Portal: Provides a simplified interface for end users to discover and provision approved resources without needing deep AWS expertise or broad IAM permissions.
- Multi-Account Sharing: Portfolios can be shared from a central hub account to thousands of spoke accounts across an AWS Organization, enabling centralized governance at scale.
- Service Actions: Allows administrators to define custom operational tasks (like reboots or snapshotting) that end users can perform on their provisioned products via AWS Systems Manager Automation documents.
- AppRegistry: Provides a central repository to define and manage your applications and their metadata, helping to track resources and costs associated with specific applications.
Service Quotas (as of 2026):
- Portfolios per region: 100
- Products per portfolio: 100
- Versions per product: 50
- Constraints per product per portfolio: 100
- Service actions per region: 200 These are default quotas and may be adjustable upon request.
Common Use Cases
- Enforcing Governance and Compliance: Organizations in regulated industries use Service Catalog to ensure that all deployed infrastructure (e.g., databases, servers) adheres to strict security and compliance standards (e.g., specific encryption settings, VPC subnets, and IAM roles).
- Developer Self-Service: A platform team can create a portfolio of approved architectures—such as a standard three-tier web application, a serverless API, or a containerized microservice on Amazon ECS—allowing development teams to provision environments on-demand without waiting for central IT.
- Multi-Account Vending and Standardization: In a large enterprise with hundreds of AWS accounts, a central IT team can use the hub-and-spoke model to share a single, standardized portfolio of core services (e.g., networking, logging, security agents) to all member accounts, ensuring consistency across the organization.
- Cost Control: By using template constraints, administrators can limit the instance types and sizes that users can select, preventing the accidental provisioning of expensive resources and helping to manage budgets.
- Managed Service Provider (MSP) and SaaS Offerings: MSPs can use Service Catalog to provide their customers with a curated catalog of approved services and solutions, simplifying environment provisioning and management.
Pricing Model
AWS Service Catalog has a free tier and a pay-as-you-go model with no minimum fees or upfront commitments.
- Free Tier: The first 1,000 API calls per account per region each month are free. Additionally, all API calls related to the AppRegistry feature (creating applications, associating resources, managing tags) are always free.
- Pay-per-use: After the free tier is exhausted, you are charged per API call made to the Service Catalog service. The price per API call varies by region.
It's important to note that you pay for the AWS resources (like EC2 instances, RDS databases, etc.) that are provisioned by Service Catalog, just as you would if you created them manually. The Service Catalog pricing is for the management and governance layer it provides.
Pros and Cons
Pros:
- Improved Governance: Centralizes control and enforces compliance, security, and tagging standards across the organization.
- Increased Agility: Empowers end users with self-service capabilities, reducing their dependence on central IT and accelerating deployment times.
- Consistency and Standardization: Ensures that resources are deployed using well-architected, pre-approved templates, reducing configuration drift and operational errors.
- Least Privilege Access: Enables users to provision complex infrastructure without granting them extensive underlying IAM permissions.
- Scalability: Effectively manages deployments across hundreds or thousands of AWS accounts using portfolio sharing.
Cons:
- Administrative Overhead: Requires a dedicated effort from a platform or cloud center of excellence (CCoE) team to create, manage, and version the products and portfolios.
- Complexity: Introduces another layer of abstraction. Administrators need proficiency in an IaC language (CloudFormation or Terraform) to define products.
- Less Flexibility for Developers: By design, it restricts what developers can provision. If the catalog is not comprehensive, it can become a bottleneck rather than an accelerator.
- Potential for Catalog Sprawl: Without proper management, the number of products and versions can become difficult to maintain.
Comparison with Alternatives
-
AWS Service Catalog vs. Direct AWS CloudFormation: AWS CloudFormation is an IaC service for provisioning resources, while Service Catalog is a management and governance layer that uses CloudFormation templates. Using CloudFormation directly gives developers maximum flexibility but lacks the centralized control, governance guardrails, and self-service portal that Service Catalog provides. Service Catalog is for organizations that need to govern how CloudFormation is used by end users.
-
AWS Service Catalog vs. AWS Control Tower: These services are complementary. AWS Control Tower provides a high-level, automated way to set up a secure, multi-account AWS environment (a "landing zone") with best-practice guardrails. Control Tower actually uses AWS Service Catalog for its "Account Factory" feature, which provisions new, compliant AWS accounts based on a standardized template. Control Tower sets up the foundational environment; Service Catalog governs the ongoing deployment of services within that environment.
-
AWS Service Catalog vs. Terraform Cloud/Enterprise: Terraform Cloud also provides a way to manage and govern infrastructure as code with features like a private module registry and policy as code (Sentinel). The key differentiator for Service Catalog is its deep, native integration with the AWS ecosystem, particularly AWS IAM for launch constraints and AWS Organizations for multi-account sharing. Service Catalog now also directly supports Terraform configurations, allowing organizations to use it as a single pane of glass for both CloudFormation and Terraform-based products.
Exam Relevance
AWS Service Catalog is a key governance service and frequently appears on several AWS certification exams, particularly those focused on architecture, operations, and governance.
- AWS Certified Solutions Architect - Associate (SAA-C03) & Professional (SAP-C02): Candidates should understand Service Catalog's core purpose: enabling self-service while enforcing organizational standards. Key concepts to know are the relationship between Products, Portfolios, and Constraints, and its role in a multi-account strategy.
- AWS Certified DevOps Engineer - Professional (DOP-C02): This exam may test on how Service Catalog can be used to standardize deployment pipelines and environments for development teams.
- AWS Certified SysOps Administrator - Associate (SOA-C02): Focuses on the operational aspects, such as how to manage portfolios, grant user access, and troubleshoot provisioned products.
For all exams, it is crucial to understand that Service Catalog provides a layer of governance on top of CloudFormation or Terraform and is not simply a repository for templates.
Frequently Asked Questions
Q: What is the difference between a Product and a Portfolio in AWS Service Catalog?
A: A Product is a single, version-controlled blueprint for deploying a set of AWS resources, defined by an IaC template like CloudFormation or Terraform. A Portfolio is a collection of one or more products that you manage and distribute to end users. You grant user access at the portfolio level, not the individual product level. This allows you to create curated collections of services for different teams or roles.
Q: Can I use Terraform with AWS Service Catalog?
A: Yes. AWS Service Catalog supports both HashiCorp Terraform Community Edition and Terraform Cloud. Administrators can create products based on their existing Terraform configurations and make them available to end users through the Service Catalog portal. This allows organizations to use Service Catalog as a single tool to govern both CloudFormation and Terraform deployments.
Q: Does AWS Service Catalog cost anything to use?
A: AWS Service Catalog has a free tier that includes 1,000 API calls per month, per region. Beyond the free tier, you pay a small fee for each API call made to the service. You are also responsible for the full cost of the underlying AWS resources (e.g., EC2 instances, S3 buckets) that are provisioned through the catalog.
This article reflects AWS features and pricing as of 2026. AWS services evolve rapidly — always verify against the official AWS documentation before making production decisions.