Sharing a Portfolio - AWS Service Catalog

Sharing a Portfolio

To enable an AWS Service Catalog administrator for another AWS account to distribute your products to end users, share your AWS Service Catalog portfolio with them using either account-to-account sharing or AWS Organizations.

When you share a portfolio using account-to-account sharing or Organizations, you are sharing a reference to that portfolio. The products and constraints in the imported portfolio stay in sync with changes that you make to the shared portfolio, the original portfolio that you shared.

The recipient cannot change the products or constraints, but can add AWS Identity and Access Management access for end users.

Note

You cannot share a shared resource. This includes portfolios that contain a shared product.

Account-to-account sharing

To complete these steps, you must obtain the account ID of the target AWS account. You can find the ID on the My Account page in the AWS Management Console of the target account.

To share a portfolio with an AWS account
  1. Open the Service Catalog console at https://console.aws.amazon.com/servicecatalog/.

  2. In the left navigation menu, choose Portfolios and then select the portfolio you want to share. In the Actions menu, select Share.

  3. In Enter account ID, enter the account ID of the AWS account that you are sharing with. (Optional) Select TagOption Sharing. Then, choose Share.

  4. Send the URL to the AWS Service Catalog administrator of the target account. The URL opens the Import Portfolio page with the ARN of the shared portfolio automatically provided.

Importing a Portfolio

If an AWS Service Catalog administrator for another AWS account shares a portfolio with you, import that portfolio into your account so that you can distribute its products to your end users.

You do not need to import a portfolio if the portfolio was shared through AWS Organizations.

To import the portfolio, you must get the portfolio ID from the administrator.

To view all imported portfolios, open the AWS Service Catalog console at https://console.aws.amazon.com/servicecatalog/. On the Portfolios page, select the Imported tab. Review the Imported Portfolios table.

Sharing with AWS Organizations

You can share AWS Service Catalog portfolios using AWS Organizations.

First, you must decide if you're sharing from the management account or a delegated administrator account. If you don't want to share from your management account, register a delegated admin account that you can use for sharing. For more information, see Register a delegated administrator in the AWS CloudFormation User Guide.

Next, you must decide who to share to. You can share to the following entities:

  • An organization account.

  • An organizational unit (OU).

  • The organization itself. (This shares with every account in the organization.)

Sharing from a management account

You can share a portfolio with an organization either by browsing your organizational structure or by entering the ID of an organizational node.

To share a portfolio with an organization by using the organizational structure
  1. Open the AWS Service Catalog console at https://console.aws.amazon.com/servicecatalog/.

  2. On the Portfolios page, select the portfolio that you want to share. In the Actions menu, select Share.

  3. Select AWS Organizations and filter into your organizational structure.

    You can select the Root node to share the portfolio with your entire organization, a parent Organizational Unit (OU), a child OU, or an AWS account within your organization.

    Sharing to a parent OU shares the portfolio with all accounts and child OUs within that parent OU.

    You can select View AWS accounts only to see a list of all of the AWS accounts in your organization.

To share a portfolio with an organization by entering the ID of the organizational node
  1. Open the AWS Service Catalog console at https://console.aws.amazon.com/servicecatalog/.

  2. On the Portfolios page, select the portfolio that you want to share. In the Actions menu, select Share.

  3. Select Organization Node.

    Select whether you want to share with your entire organization, an AWS account within your organization, or an OU.

    Input the ID of the organizational node you selected, which you can find within the AWS Organizations console at https://console.aws.amazon.com/organizations/.
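The console procedures above (account-to-account sharing, importing, and both Organizations procedures) correspond to the CreatePortfolioShare and AcceptPortfolioShare operations of the AWS Service Catalog API. The following Python script is an added example, not code from this guide or from AWS; it assumes boto3 and the API operation names given, and the portfolio ID, OU ID and account IDs in it are placeholders. The request builders are pure functions, so the script runs offline; only the functions that take a boto3 client call AWS.

```python
"""Create a portfolio share (account-to-account or AWS Organizations) and accept it
on the recipient side through the AWS Service Catalog API (boto3).

Added example, not code from the AWS documentation. The request builders are pure
Python so they run offline; only the functions that take a boto3 client call AWS.
"port-EXAMPLEID", "ou-EXAMPLE" and the account IDs are constructed placeholders.
"""
import re
import time

ACCOUNT_ID_RE = re.compile(r"\d{12}")
ORG_NODE_TYPES = ("ORGANIZATION", "ORGANIZATIONAL_UNIT", "ACCOUNT")


def share_request_errors(account_id=None, org_node_type=None, org_node_value=None,
                         share_principals=False):
    """Return the problems with a requested share target (an empty list means valid)."""
    errors = []
    if (account_id is None) == (org_node_type is None):
        errors.append("choose exactly one target: account_id or an organization node")
    if account_id is not None and not ACCOUNT_ID_RE.fullmatch(account_id):
        errors.append("account ID must be exactly 12 digits")
    if account_id is not None and share_principals:
        errors.append("Principal Name sharing is only available for Organizations shares")
    if org_node_type is not None and org_node_type not in ORG_NODE_TYPES:
        errors.append(f"unknown organization node type {org_node_type!r}")
    if org_node_type is not None and not org_node_value:
        errors.append("organization node ID is required")
    return errors


def build_share_request(portfolio_id, account_id=None, org_node_type=None,
                        org_node_value=None, share_tag_options=False,
                        share_principals=False):
    """Keyword arguments for CreatePortfolioShare targeting one account or one node."""
    errors = share_request_errors(account_id, org_node_type, org_node_value, share_principals)
    if errors:
        raise ValueError("; ".join(errors))
    request = {"PortfolioId": portfolio_id}
    if account_id is not None:
        request["AccountId"] = account_id
    else:
        request["OrganizationNode"] = {"Type": org_node_type, "Value": org_node_value}
    if share_tag_options:
        request["ShareTagOptions"] = True   # also share the portfolio's TagOptions
    if share_principals:
        request["SharePrincipals"] = True   # Organizations shares only
    return request


def create_share(client, wait=True, **kwargs):
    """Create the share from the owning account (for Organizations, from the
    management or delegated administrator account). Organizations shares are
    asynchronous: the response carries a token to poll with
    DescribePortfolioShareStatus until the share leaves NOT_STARTED/IN_PROGRESS."""
    response = client.create_portfolio_share(**build_share_request(**kwargs))
    token = response.get("PortfolioShareToken")
    while wait and token:
        status = client.describe_portfolio_share_status(PortfolioShareToken=token)
        if status["Status"] not in ("NOT_STARTED", "IN_PROGRESS"):
            return status
        time.sleep(5)
    return response


def accept_imported_share(client, portfolio_id):
    """Recipient side of account-to-account sharing: accept the share so the
    portfolio shows up on the Imported tab. Organizations shares need no import."""
    return client.accept_portfolio_share(PortfolioId=portfolio_id,
                                         PortfolioShareType="IMPORTED")


if __name__ == "__main__":
    import boto3  # needed only for the live calls, not for the builders above

    sc = boto3.client("servicecatalog")
    # Account-to-account share with TagOptions, run in the account that owns the portfolio.
    print(create_share(sc, portfolio_id="port-EXAMPLEID", account_id="111122223333",
                       share_tag_options=True))
    # Organizations share to an OU with Principal Names, run in the management or
    # delegated administrator account (EnableAWSOrganizationsAccess must already be on).
    print(create_share(sc, portfolio_id="port-EXAMPLEID",
                       org_node_type="ORGANIZATIONAL_UNIT", org_node_value="ou-EXAMPLE",
                       share_tag_options=True, share_principals=True))
    # In the recipient account of the account-to-account share:
    # accept_imported_share(boto3.client("servicecatalog"), "port-EXAMPLEID")
```

The builder refuses Principal Name sharing on an account-to-account target, mirroring the note later on this page that Principal Name sharing is only available through AWS Organizations, and it rejects malformed account IDs before any API call is made.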

Sharing from a delegated administrator account

The management account of an organization can register and de-register other accounts as delegated administrators for the organization.

A delegated administrator can share AWS Service Catalog resources in their organization the same way a management account can. They are authorized to create, delete, and share portfolios.

To register or de-register a delegated administrator, you must use the API or CLI from the management account. For more information, see RegisterDelegatedAdministrator and DeregisterDelegatedAdministrator in the AWS Organizations API Reference.

Note

Before you can designate a delegate, the administrator must call EnableAWSOrganizationsAccess.

The procedure for sharing a portfolio from a delegated administrator account is the same as sharing from a management account, as seen above in Sharing from a management account.

If a member is de-registered as a delegated administrator, the following occurs:

  • Portfolio shares that were created from that account are removed.

  • They can no longer create new portfolio shares.

Note

If the portfolio and shares created by a delegated administrator do not get removed after the delegated administrator is de-registered, register and de-register the delegated administrator again. This action removes the portfolio and shares created by that account.

Moving accounts within your organization

If you move an account within your organization, the AWS Service Catalog portfolios shared with the account might change.

Accounts only have access to portfolios shared with their destination organization or organizational unit.

Sharing TagOptions when sharing portfolios

As an administrator, you can create a share that includes TagOptions. TagOptions are key-value pairs that enable administrators to:

  • Define and enforce the taxonomy for tags.

  • Define tag options and associate them to products and portfolios.

  • Share tag options associated with portfolios and products with other accounts.

When you add or remove tag options in the main account, the change automatically appears in recipient accounts. In recipient accounts, when an end user provisions a product with TagOptions, they must choose values for tags that become tags on the provisioned product.

In recipient accounts, administrators can associate additional local TagOptions with their imported portfolio to enforce tagging rules that are specific to that account.

Note

To share a portfolio, you need the consumer's AWS account ID. Find the AWS account ID in My Account in the console.

Note

If a TagOption has a single value, AWS automatically enforces that value during the provisioning process.

To share TagOptions when sharing portfolios
  1. In the left navigation menu, choose Portfolios.

  2. In Local portfolios, choose and open a portfolio.

  3. Choose Share from the list above and then choose the Share button.

  4. Choose to share with another AWS account or organization.

  5. Enter the 12-digit account ID number, select Enable, and then choose Share.

    The account you shared with appears in the Accounts shared with section, which indicates whether TagOptions were enabled.

You can also update a portfolio share to include TagOptions. All TagOptions that belong to the portfolio and product now share to this account.

To update a portfolio share to include TagOptions
  1. In the left navigation menu, choose Portfolios.

  2. In Local portfolio, choose and open a portfolio.

  3. Choose Share from the list above.

  4. In Accounts shared with, choose an account ID and then choose Actions.

  5. Select Update unshare or Unshare.

    When you select Update unshare, choose Enable to initiate sharing TagOptions. The account you shared with appears in the Accounts shared with section.

    When you select Unshare, confirm you no longer want to share the account.

Sharing Principal Names when sharing portfolios

As an administrator, you can create a Portfolio share that includes Principal Names. Principal Names are the names of IAM groups, roles, and users that administrators associate with a Portfolio and can then share along with it. When you share the portfolio, AWS Service Catalog checks whether those Principal Names already exist in the recipient account. If they do, AWS Service Catalog automatically associates the matching IAM Principals with the shared Portfolio to grant access to users.

Note

When you associate a principal with a portfolio, a potential privilege escalation path may occur when that portfolio is then shared with other accounts. A user in a recipient account who is not an AWS Service Catalog Admin but still has the ability to create Principals (Users/Roles) could create an IAM Principal whose name matches a principal name association for the portfolio. Although this user may not know which principal names are associated through AWS Service Catalog, they may be able to guess the name. If this potential escalation path is a concern, then AWS Service Catalog recommends using PrincipalType as IAM. With this configuration, the PrincipalARN must already exist in the recipient account before it can be associated.

When you add or remove Principal Names in the main account, AWS Service Catalog automatically applies those changes in the recipient account. Users in the recipient account can then perform tasks based on their role:

  • End users can provision, update, and terminate the portfolio's products.

  • Administrators can associate additional IAM Principals to their imported portfolio to grant access to end users specific to that account.

Note

Principal Name Sharing is only available for AWS Organizations.

To share Principal Names when sharing portfolios
  1. In the left navigation menu, choose Portfolios.

  2. In Local portfolios, choose the portfolio you want to share.

  3. In the Actions menu, choose Share.

  4. Select an organization in AWS Organizations.

  5. Select the entire organization root, an organization unit (OU), or an organization member.

  6. In Share settings, enable the Principal sharing option.

You can also update a portfolio share to include Principal Name sharing. This shares all Principal Names that belong to that portfolio with the recipient account.

To update a portfolio share to enable or disable Principal Names
  1. In the left navigation menu, choose Portfolios.

  2. In Local portfolio, choose the portfolio you want to update.

  3. Choose the Share tab.

  4. Select the share you want to update, and then choose Share.

  5. Choose Update share, and then choose Enable to initiate Principal sharing. AWS Service Catalog then shares Principal Names in recipient accounts.

Disable Principal sharing if you want to stop sharing the Principal Names with recipient accounts.
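The two update procedures (enabling TagOptions on an existing share, and enabling or disabling Principal Name sharing) correspond to the UpdatePortfolioShare operation, and DescribePortfolioShares lists the shares a portfolio already has. The following Python script is an added example, not code from this guide or from AWS; it assumes boto3 and those API operation names. summarize_shares() and build_update_request() are pure and run offline over constructed sample data (SAMPLE_SHARES, shaped like a DescribePortfolioShares response); the portfolio, account and OU IDs are placeholders.

```python
"""List the existing shares of a portfolio and turn TagOptions or Principal Name
sharing on or off for one of them with the AWS Service Catalog API (boto3).

Added example, not code from the AWS documentation. summarize_shares() and
build_update_request() are pure and run offline; list_portfolio_shares() and
apply_update() need a boto3 client. SAMPLE_SHARES is constructed in the shape of a
DescribePortfolioShares response; "port-EXAMPLEID" and the IDs are placeholders.
"""

SHARE_TYPES = ("ACCOUNT", "ORGANIZATION", "ORGANIZATIONAL_UNIT",
               "ORGANIZATION_MEMBER_ACCOUNT")

SAMPLE_SHARES = [  # constructed sample data
    {"PrincipalId": "111122223333", "Type": "ACCOUNT", "Accepted": True,
     "ShareTagOptions": True, "SharePrincipals": False},
    {"PrincipalId": "444455556666", "Type": "ACCOUNT", "Accepted": False,
     "ShareTagOptions": False, "SharePrincipals": False},
    {"PrincipalId": "ou-EXAMPLE", "Type": "ORGANIZATIONAL_UNIT", "Accepted": True,
     "ShareTagOptions": True, "SharePrincipals": True},
]


def list_portfolio_shares(client, portfolio_id):
    """Page through DescribePortfolioShares once per share type."""
    details = []
    for share_type in SHARE_TYPES:
        token = None
        while True:
            kwargs = {"PortfolioId": portfolio_id, "Type": share_type}
            if token:
                kwargs["PageToken"] = token
            resp = client.describe_portfolio_shares(**kwargs)
            details.extend(resp.get("PortfolioShareDetails", []))
            token = resp.get("NextPageToken")
            if not token:
                break
    return details


def summarize_shares(details):
    """Group shares by what they expose. Recipients that receive Principal Names get
    IAM access by name matching, so that list is the one to review first; account
    shares that were never accepted are stale and can simply be unshared."""
    summary = {"principals_shared": [], "tag_options_shared": [], "not_accepted": []}
    for d in details:
        target = f"{d['Type']}:{d['PrincipalId']}"
        if d.get("SharePrincipals"):
            summary["principals_shared"].append(target)
        if d.get("ShareTagOptions"):
            summary["tag_options_shared"].append(target)
        if d["Type"] == "ACCOUNT" and not d.get("Accepted", False):
            summary["not_accepted"].append(target)
    return summary


def build_update_request(portfolio_id, account_id=None, org_node=None,
                         share_tag_options=None, share_principals=None):
    """Keyword arguments for UpdatePortfolioShare. True enables an option, False
    disables it, None leaves it as it is. Principal sharing applies to
    Organizations shares only, so it is refused for an account target."""
    request = {"PortfolioId": portfolio_id}
    if account_id is not None:
        if share_principals is not None:
            raise ValueError("Principal Name sharing is only available for Organizations shares")
        request["AccountId"] = account_id
    elif org_node is not None:
        request["OrganizationNode"] = org_node  # {"Type": ..., "Value": ...}
    else:
        raise ValueError("an account ID or an organization node is required")
    if share_tag_options is not None:
        request["ShareTagOptions"] = share_tag_options
    if share_principals is not None:
        request["SharePrincipals"] = share_principals
    return request


def apply_update(client, **kwargs):
    """Run UpdatePortfolioShare from the account that created the share."""
    return client.update_portfolio_share(**build_update_request(**kwargs))


if __name__ == "__main__":
    print(summarize_shares(SAMPLE_SHARES))
    # Live use, from the sharing account:
    # import boto3
    # sc = boto3.client("servicecatalog")
    # print(summarize_shares(list_portfolio_shares(sc, "port-EXAMPLEID")))
    # apply_update(sc, portfolio_id="port-EXAMPLEID", account_id="111122223333",
    #              share_tag_options=True)
    # apply_update(sc, portfolio_id="port-EXAMPLEID",
    #              org_node={"Type": "ORGANIZATIONAL_UNIT", "Value": "ou-EXAMPLE"},
    #              share_principals=False)   # stop sharing Principal Names
```

Running the summary periodically from the sharing account gives a quick inventory of which recipients currently receive Principal Names, which is the setting the note above flags as a possible escalation path.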

Using wildcards when sharing Principal Names

AWS Service Catalog supports granting portfolio access to IAM principal (user, group, or role) names that contain wildcards, such as "*" or "?". Using wildcard patterns enables you to cover multiple IAM principal names at one time. The ARN path and principal name allow an unlimited number of wildcard characters.

Examples of an acceptable wildcard ARN:

  • arn:aws:iam:::role/ResourceName_*

  • arn:aws:iam:::role/*/ResourceName_?

Examples of an unacceptable wildcard ARN:

  • arn:aws:iam:::*/ResourceName

In the IAM Principal ARN format (arn:partition:iam:::resource-type/resource-path/resource-name), the valid resource-type values are user/, group/, and role/. The "?" and "*" characters are allowed only after the resource-type, in the resource-id segment. You can use special characters anywhere within the resource-id.

The "*" character also matches the "/" character, allowing paths to be formed within the resource-id. For example:

arn:aws:iam:::role/*/ResourceName_? matches both arn:aws:iam:::role/pathA/pathB/ResourceName_1 and arn:aws:iam:::role/pathA/ResourceName_1.
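The matching rules just described, together with the privilege-escalation note in "Sharing Principal Names when sharing portfolios", can be turned into a check that an administrator in a recipient account can run: validate each shared pattern, see which existing principals it grants portfolio access to, and flag patterns that currently match nothing (those are granted to whoever later creates a principal with a matching name). The following Python script is an added example, not code from this guide or from AWS; the validation and matching logic implements the rules stated on this page, the principal lists are constructed, and only list_account_principals() and the commented live call assume boto3 and the ListPrincipalsForPortfolio operation. The IAM_PATTERN value is the PrincipalType used for name-based associations.

```python
"""Validate and evaluate Principal Name wildcard patterns, and audit what they grant
in a recipient account.

Added example, not code from the AWS documentation. It implements the rules stated
on the page: wildcards only after the resource-type (user/, group/, role/),
'?' matches one character, '*' matches any run of characters including '/'.
The principal lists are constructed; only list_account_principals() calls AWS.
"""
import re

RESOURCE_TYPES = ("user", "group", "role")


def validate_principal_pattern(pattern):
    """Return None if the pattern is acceptable, otherwise the reason it is not."""
    parts = pattern.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn" or not parts[1] or parts[2] != "iam" or parts[3]:
        return "not an IAM principal ARN (expected arn:partition:iam:::resource)"
    if any(ch in "*?" for ch in ":".join(parts[:5])):
        return "wildcards are allowed only in the resource-id segment"
    resource_type, sep, resource_id = parts[5].partition("/")
    if resource_type not in RESOURCE_TYPES or not sep:
        return "resource-type must be user/, group/ or role/ and cannot contain wildcards"
    if not resource_id:
        return "resource-id is empty"
    return None


def pattern_to_regex(pattern):
    """Compile the pattern: '*' becomes '.*' (which also crosses '/'), '?' becomes '.'."""
    error = validate_principal_pattern(pattern)
    if error:
        raise ValueError(f"{pattern}: {error}")
    body = "".join({"*": ".*", "?": "."}.get(ch, re.escape(ch)) for ch in pattern)
    return re.compile(body)


def _without_account(arn):
    """Patterns are written as arn:aws:iam:::..., real ARNs carry an account ID;
    blank the account field so the two compare on partition and resource only."""
    parts = arn.split(":", 5)
    if len(parts) == 6:
        parts[4] = ""
    return ":".join(parts)


def principal_matches(pattern, principal_arn):
    """True if the wildcard pattern matches the whole principal ARN."""
    return pattern_to_regex(pattern).fullmatch(_without_account(principal_arn)) is not None


def audit_shared_principals(shared_principals, existing_arns):
    """For every name-based association (PrincipalType IAM_PATTERN) list the existing
    principals it grants portfolio access to. A pattern that matches nothing today is
    still live: an IAM user or role created later with a matching name inherits the
    access. PrincipalType IAM entries are concrete ARNs and are listed as-is."""
    report = {"granted": {}, "unmatched_patterns": [], "iam": []}
    for p in shared_principals:
        arn = p["PrincipalARN"]
        if p.get("PrincipalType") == "IAM":
            report["iam"].append(arn)
            continue
        matched = [e for e in existing_arns if principal_matches(arn, e)]
        if matched:
            report["granted"][arn] = matched
        else:
            report["unmatched_patterns"].append(arn)
    return report


SHARED_PRINCIPALS = [  # constructed, shaped like a ListPrincipalsForPortfolio response
    {"PrincipalARN": "arn:aws:iam:::role/*/ResourceName_?", "PrincipalType": "IAM_PATTERN"},
    {"PrincipalARN": "arn:aws:iam:::role/ResourceName_*", "PrincipalType": "IAM_PATTERN"},
    {"PrincipalARN": "arn:aws:iam:::user/ResourceName_*", "PrincipalType": "IAM_PATTERN"},
]
ACCOUNT_PRINCIPALS = [  # constructed: principals that exist in the recipient account
    "arn:aws:iam::111122223333:role/pathA/pathB/ResourceName_1",
    "arn:aws:iam::111122223333:role/pathA/ResourceName_1",
    "arn:aws:iam::111122223333:role/ResourceName_prod",
    "arn:aws:iam::111122223333:role/Unrelated",
]


def list_account_principals(iam_client):
    """Live replacement for ACCOUNT_PRINCIPALS: every role and user ARN in the account."""
    arns = []
    for page in iam_client.get_paginator("list_roles").paginate():
        arns.extend(r["Arn"] for r in page["Roles"])
    for page in iam_client.get_paginator("list_users").paginate():
        arns.extend(u["Arn"] for u in page["Users"])
    return arns


if __name__ == "__main__":
    print(audit_shared_principals(SHARED_PRINCIPALS, ACCOUNT_PRINCIPALS))
    # Live: sc.list_principals_for_portfolio(PortfolioId="port-EXAMPLEID")["Principals"]
    # supplies the shared list and list_account_principals(boto3.client("iam")) the ARNs.
```

Note that the literal "/" before the name in a pattern such as arn:aws:iam:::role/*/ResourceName_? must still be present in the candidate ARN, so a role with no path (arn:aws:iam:::role/ResourceName_1) does not match it even though "*" can span path components.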