AWS CloudFormation Stack Management: Centralized Tool for DevOps Team

Manage CloudFormation Stacks with AWS CloudFormation


Question

A big supermarket has maintained lots of applications in AWS developed with CloudFormation stacks.

In the company, there are many development teams with various roles such as Developer, UI, QA, etc.

Different roles should have different access to create, modify and delete those stacks.

The DevOps team needs a centralized AWS tool to manage all these CloudFormation stacks as products.

The team should also be able to manage product provisioning by granting access to IAM users and groups.

Which AWS tool should the team use?

Answers

Explanations


A. B. C. D.

Correct Answer - C.

There are some key concepts in AWS Service Catalog:

1. Portfolio: a collection of products, together with configuration information.

2. Product: a service that users want to make available for deployment on AWS, which is defined by an AWS CloudFormation template.

Details can be found at:

https://docs.aws.amazon.com/servicecatalog/latest/adminguide/what-is_concepts.html

Option A is incorrect because Trusted Advisor cannot manage CloudFormation templates or grant access to IAM users and groups.

Option B is incorrect because Systems Manager mainly manages EC2 instances and does not deal with CloudFormation stacks.

Option C is CORRECT because Service Catalog meets the requirement.

The following is an example of a portfolio. The portfolio contains a product, which can be managed in Service Catalog:

[Screenshot: Service Catalog console showing the portfolio "Team One". Description: "This is a portfolio that has all of the products used by Team One". Owner: theAdmin. Portfolio ID: port-nzkcovhfbcmss. Products list showing 1 product: "Basic LAMP Stack", created Mar 6th 2018 13:43:47 UTC-08..., theAdmin, "This creates a simple LAMP stack."]

Option D is incorrect because CloudFormation can only manage the stacks themselves; it cannot manage access for IAM users or groups.

The AWS tool that the DevOps team should use to manage CloudFormation stacks as products and manage product provisioning by granting access to IAM users and groups is AWS Service Catalog.

AWS Service Catalog allows organizations to create and manage a catalog of IT services that are approved for use on AWS. It provides a centralized location to manage catalogs of services, launch products, and control access. With Service Catalog, administrators can create and manage portfolios of products, which can be CloudFormation stacks, AMIs, and Lambda functions, among others.

In this case, the DevOps team can create a Service Catalog portfolio that contains all the CloudFormation stacks for the various applications that the supermarket has developed. Different access levels can be granted to different roles within the development teams. For example, developers can be granted permission to launch stacks, but only the QA team can modify or delete them. The UI team may be granted permission to view the stacks but not modify them.

By using Service Catalog, the DevOps team can centrally manage and distribute the CloudFormation stacks as products, ensuring that the stacks are consistent and meet the organization's standards. Additionally, it provides an efficient mechanism to manage and provision resources on AWS by controlling access to the Service Catalog portfolio.
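The access model described above can itself be written as a CloudFormation template. The following is an added example, not part of the original page: it recreates the "Team One" portfolio and "Basic LAMP Stack" product from the screenshot and grants one IAM group access to it. The three parameters, the resource names, the version label `v1` and the use of a launch constraint are assumptions made for illustration.

```yaml
Parameters:
  ProductTemplateUrl:   # assumption: S3 URL of the CloudFormation template behind the product
    Type: String
  DeveloperGroupArn:    # assumption: ARN of an existing IAM group for the Developer role
    Type: String
  LaunchRoleArn:        # assumption: ARN of an existing role Service Catalog assumes to provision
    Type: String

Resources:
  TeamOnePortfolio:
    Type: AWS::ServiceCatalog::Portfolio
    Properties:
      DisplayName: Team One
      ProviderName: theAdmin
      Description: Products used by Team One

  LampProduct:
    Type: AWS::ServiceCatalog::CloudFormationProduct
    Properties:
      Name: Basic LAMP Stack
      Owner: theAdmin
      Description: This creates a simple LAMP stack.
      ProvisioningArtifactParameters:
        - Name: v1
          Info:
            LoadTemplateFromURL: !Ref ProductTemplateUrl

  LampInPortfolio:
    Type: AWS::ServiceCatalog::PortfolioProductAssociation
    Properties:
      PortfolioId: !Ref TeamOnePortfolio
      ProductId: !Ref LampProduct

  # Grants this IAM group end-user access to the products in the portfolio.
  DeveloperAccess:
    Type: AWS::ServiceCatalog::PortfolioPrincipalAssociation
    Properties:
      PortfolioId: !Ref TeamOnePortfolio
      PrincipalARN: !Ref DeveloperGroupArn
      PrincipalType: IAM

  # Launches run under this role, so group members do not need IAM permissions
  # for the resources the stack creates.
  LampLaunchRole:
    Type: AWS::ServiceCatalog::LaunchRoleConstraint
    DependsOn: LampInPortfolio
    Properties:
      PortfolioId: !Ref TeamOnePortfolio
      ProductId: !Ref LampProduct
      RoleArn: !Ref LaunchRoleArn
```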

In conclusion, the appropriate AWS tool for the DevOps team to manage CloudFormation stacks as products and manage product provisioning by granting access to IAM users and groups is AWS Service Catalog.