Which set up would achieve these goals?

By:
In: SAP-C01
Tagged:
With: 1 Comment
A company has an application that uses Amazon EC2 instances in an Auto Scaling group.The Quality Assurance (QA) department needs to launch a large number of short-lived environments to test the application.The application environments are currently launched by the Manager of the department using an AWSCloudFormation template.To launch the stack, the Manager uses a role with permission to use CloudFormation, EC2, and Auto Scaling APIs.The Manager wants to allow testers to launch their own environments, but does not want to grant broad permissions to each user.

Which set up would achieve these goals?

Upload the AWS CloudFormation template to Amazon S3. Give users in the QA department permission to assume the Manager’s role and add a policy that restricts the permissions to the template and the resources it creates. Train users to launch the template from the CloudFormation console.

Create an AWS Service Catalog product from the environment template. Add a launch constraint to the product with the existing role. Give users in the QA department permission to use AWS Service Catalog APIs only. Train users to launch the templates from the AWS Service Catalog console.

Upload the AWS CloudFormation template to Amazon S3. Give users in the QA department permission to use CloudFormation and S3 APIs, with conditions that restrict the permission to the template and the resources it creates. Train users to launch the template from the CloudFormation console.

Create an AWS Elastic Beanstalk application from the environment template. Give users in the QA department permission to use Elastic Beanstalk permissions only. Train users to launch Elastic Beanstalk environment with the Elastic Beanstalk CLI, passing the existing role to the environment as a service role.

Explanations:

While allowing users to assume the Manager’s role may seem appropriate, it would grant broader permissions than necessary. This option does not effectively restrict the permissions to just the resources needed for the CloudFormation stack, potentially exposing other resources. Moreover, training users to use the CloudFormation console might not be as streamlined as a more controlled service.

Creating an AWS Service Catalog product allows for better management and control over the environments. By adding a launch constraint with the existing role, it limits permissions to only what is necessary for launching the environment. Users would only need permission to use AWS Service Catalog APIs, making it a secure and efficient method for allowing testers to create their own environments.

Although this option gives users access to CloudFormation and S3 APIs, it does not restrict permissions effectively to the necessary resources created by the template. The conditions in IAM policies can be complex and may not cover all use cases, leading to potential security risks. Also, training users to launch via the CloudFormation console does not provide the streamlined experience that Service Catalog offers.

This option involves using AWS Elastic Beanstalk, which is not necessary for the environment deployment described. It requires giving users permission to use Elastic Beanstalk, which might allow access to more resources than intended. Additionally, the environment setup is not optimized for the QA department’s needs as described, as it relies on a CLI and a service role rather than the more user-friendly AWS Service Catalog.

2025-10-21

1 Comment

  1. Judy
    Author

    From my point of view, the answer is:
    Create an AWS Service Catalog product from the environment template. Add a launch constraint to the product with the existing role. Give users in the QA department permission to use AWS Service Catalog APIs only. Train users to launch the templates from the AWS Service Catalog console.

Leave a Reply

Your email address will not be published. Required fields are marked *

four × five =