Governance with Service Catalog
At the beginning of this chapter, we looked at identity-based policies that permit actions for individual entities. We unpacked how permissions work through authentication and authorization. Then, we looked at permission boundaries, primarily in the form of SCPs that are applied to an AWS account or multiple AWS accounts via an OU. These SCPs define the permission boundaries that impact all users and roles associated with the AWS account, the OU, and perhaps the entire AWS Organization.
Another way of governing access to AWS resources is by providing a pre-approved list of resources that users can launch with AWS Service Catalog. You can think of Service Catalog as a vending machine of goods – users choose which resource they want to consume. And since you’re the one placing the items in the machine for users to vend, as long as you know the items that you place are secured, compliant, and approved for use, you can operate with the assurance...
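As an added illustration of the "vending machine" model (example CloudFormation, not from the original text or from AWS documentation): a portfolio holding one pre-approved product, shared with a consumer role, with a launch role constraint so that the end user never needs permissions on the underlying resources. The template URL, the consumer role ARN and the portfolio and product names are placeholders you would replace.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Constructed example - portfolio with one pre-approved Service Catalog product
Parameters:
  ProductTemplateUrl:
    Type: String            # placeholder: S3 URL of the reviewed template that defines the product
  ConsumerRoleArn:
    Type: String            # placeholder: IAM role of the end users allowed to launch the product
Resources:
  # The launch role holds the permissions needed to create the product's resources.
  # Service Catalog assumes it on the user's behalf, so users only need catalog access.
  LaunchRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: { Service: servicecatalog.amazonaws.com }
            Action: sts:AssumeRole
      Policies:
        - PolicyName: ProvisionApprovedProduct
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow        # CloudFormation calls Service Catalog makes with this role
                Action: [cloudformation:CreateStack, cloudformation:DeleteStack, cloudformation:UpdateStack,
                         cloudformation:DescribeStacks, cloudformation:DescribeStackEvents,
                         cloudformation:GetTemplateSummary, cloudformation:ValidateTemplate, s3:GetObject]
                Resource: '*'
              - Effect: Allow        # scoped to what the approved product actually creates (assumed: one S3 bucket)
                Action: [s3:CreateBucket, s3:DeleteBucket, s3:PutEncryptionConfiguration, s3:PutBucketPublicAccessBlock]
                Resource: '*'
  Portfolio:
    Type: AWS::ServiceCatalog::Portfolio
    Properties: { DisplayName: Approved-Storage, ProviderName: Security Team }
  ApprovedBucket:
    Type: AWS::ServiceCatalog::CloudFormationProduct
    Properties:
      Name: Encrypted S3 bucket
      Owner: Security Team
      ProvisioningArtifactParameters:
        - Name: v1
          Info: { LoadTemplateFromURL: !Ref ProductTemplateUrl }
  ProductInPortfolio:
    Type: AWS::ServiceCatalog::PortfolioProductAssociation
    Properties: { PortfolioId: !Ref Portfolio, ProductId: !Ref ApprovedBucket }
  ConsumerAccess:
    Type: AWS::ServiceCatalog::PortfolioPrincipalAssociation
    Properties: { PortfolioId: !Ref Portfolio, PrincipalARN: !Ref ConsumerRoleArn, PrincipalType: IAM }
  LaunchConstraint:   # binds the launch role to this product; must follow the product association
    Type: AWS::ServiceCatalog::LaunchRoleConstraint
    DependsOn: ProductInPortfolio
    Properties: { PortfolioId: !Ref Portfolio, ProductId: !Ref ApprovedBucket, RoleArn: !GetAtt LaunchRole.Arn }
```

The consumer role itself only needs Service Catalog end-user permissions (for example the AWS managed AWSServiceCatalogEndUserFullAccess policy), not s3:CreateBucket, which is the point of the constraint.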