Fatskills
Practice. Master. Repeat.
Study Guide: TECH **AWS Service Catalog & License Manager: Zero-Fluff Study Guide**
Source: https://www.fatskills.com/aws-certified-solutions-architect-associate/chapter/tech-aws-service-catalog-license-manager-zero-fluff-study-guide

TECH **AWS Service Catalog & License Manager: Zero-Fluff Study Guide**

By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.

⏱️ ~9 min read

AWS Service Catalog & License Manager: Zero-Fluff Study Guide

For AWS Solutions Architect – Associate (SAA-C03) and Real-World Deployments


1. What This Is & Why It Matters

You’re a cloud engineer at a mid-sized company. Your CIO just mandated: - No more "shadow IT" – developers can’t spin up random EC2 instances or RDS databases without approval.
- Compliance audits are coming – you must prove every AWS resource follows corporate security policies.
- License costs are out of control – someone deployed 50 Windows Server VMs with SQL Server Enterprise, but only 10 licenses were purchased.

AWS Service Catalog lets you create pre-approved, templated cloud resources (like "golden AMIs" or "secure RDS clusters") that teams can deploy without needing deep AWS expertise. Think of it like a corporate app store for cloud infrastructure – users get self-service access, but you control what’s available and how it’s configured.

AWS License Manager tracks software licenses (Windows, SQL Server, Oracle, etc.) across your AWS and on-premises environments. It prevents over-provisioning (saving $$$) and ensures compliance (avoiding audit fines). Without it, you’re flying blind on license usage.

Why this matters in production:
- Without Service Catalog: Teams waste time manually configuring resources, security policies are inconsistent, and costs spiral from unapproved deployments.
- Without License Manager: You risk license violations (e.g., deploying 100 SQL Server instances when you only own 50 licenses) or overpaying for unused licenses.
- With both: You enforce governance, reduce operational overhead, and pass compliance audits with minimal effort.


2. Core Concepts & Components


AWS Service Catalog

  • ? Product
    A deployable resource (e.g., an EC2 instance, RDS cluster, or Lambda function) defined by a CloudFormation template or Terraform template.
    Production insight: If your template doesn’t include mandatory tags (e.g., CostCenter, Owner), you’ll lose track of who deployed what.

  • ? Portfolio
    A collection of Products grouped for a specific team or use case (e.g., "Dev Team Portfolio" or "Finance Department Portfolio").
    Production insight: Portfolios can be shared across AWS accounts (e.g., central IT shares a "Security-Compliant Portfolio" with all departments).

  • ? Constraints
    Rules that limit how a Product can be deployed (e.g., "Only allow t3.medium instances" or "Require encryption for all EBS volumes").
    Production insight: Without constraints, users might deploy p4d.24xlarge instances and bankrupt your cloud budget.

  • ? Launch Role
    An IAM role that Service Catalog assumes to deploy resources on behalf of users.
    Production insight: If the role lacks permissions (e.g., no ec2:RunInstances), deployments will fail silently.

  • ? Provisioned Product
    An actual deployed instance of a Product (e.g., a running EC2 instance created from a Service Catalog template).
    Production insight: Use CloudFormation stack names to track provisioned products (e.g., sc-1234567890abcdef0).

  • ? Service Catalog API
    Programmatic access to deploy/manage products (e.g., CreateProvisionedProduct, DescribeProduct).
    Production insight: Automate deployments via CI/CD pipelines (e.g., GitHub Actions deploys a Service Catalog product after approval).


AWS License Manager

  • ? License Configuration
    A rule set defining how a license is consumed (e.g., "1 vCPU = 1 SQL Server license" or "1 physical core = 2 Oracle licenses").
    Production insight: Misconfigured rules can lead to under-licensing (compliance risk) or over-licensing (wasted money).

  • ? License Tracking
    Monitors license usage across AWS and on-premises (via AWS Systems Manager or AWS Config).
    Production insight: Without tracking, you won’t know if you’re compliant until an audit happens.

  • ? License Enforcement
    Automatically stops non-compliant deployments (e.g., "Block EC2 launch if it would exceed SQL Server license count").
    Production insight: Enforcement is not retroactive – it only applies to new deployments.

  • ? License Reporting
    Generates reports for audits (e.g., "Show all Windows Server 2022 instances and their license status").
    Production insight: Reports can be exported to S3 or AWS Security Hub for compliance dashboards.

  • ? AWS Organizations Integration
    Centralizes license management across multiple AWS accounts.
    Production insight: Without this, you’ll manually track licenses in spreadsheets (error-prone and time-consuming).


3. Step-by-Step Hands-On: Deploy a Service Catalog Product + Track Licenses


Prerequisites

  • AWS account with admin IAM permissions (or at least ServiceCatalogAdminFullAccess and LicenseManagerMaster).
  • AWS CLI installed and configured (aws configure).
  • A CloudFormation template for a simple EC2 instance (example below).


Step 1: Create a Service Catalog Product (EC2 with License Tracking)

1.1 Write a CloudFormation Template

Save this as ec2-with-license.yaml:


AWSTemplateFormatVersion: '2010-09-09'
Description: 'EC2 instance with Windows Server 2022 and SQL Server Standard'
Parameters:
  InstanceType:
Type: String
Default: t3.medium
AllowedValues: [t3.medium, t3.large] Resources: EC2Instance:
Type: AWS::EC2::Instance
Properties:
ImageId: ami-0abcdef1234567890 # Replace with latest Windows Server 2022 AMI in your region
InstanceType: !Ref InstanceType
Tags:
- Key: Name
Value: ServiceCatalog-Windows-SQL
- Key: License
Value: SQLServerStandard

1.2 Create a Service Catalog Product

# Create a product in Service Catalog
aws servicecatalog create-product \
  --name "Windows-SQL-Server" \
  --owner "IT-Team" \
  --description "Windows Server 2022 with SQL Server Standard" \
  --product-type "CLOUD_FORMATION_TEMPLATE" \
  --provisioning-artifact-parameters \
Name="v1.0",Info={LoadTemplateFromURL=https://s3.amazonaws.com/your-bucket/ec2-with-license.yaml},Type=CLOUD_FORMATION_TEMPLATE

Expected output:


{
  "ProductViewDetail": {
"ProductViewSummary": {
"ProductId": "prod-1234567890abc",
"Name": "Windows-SQL-Server"
} } }

1.3 Create a Portfolio and Add the Product

# Create a portfolio
aws servicecatalog create-portfolio \
  --display-name "IT-Approved-Resources" \
  --description "Pre-approved resources for internal teams"

# Associate the product with the portfolio
aws servicecatalog associate-product-with-portfolio \
  --product-id prod-1234567890abc \
  --portfolio-id port-1234567890abc

1.4 Add a Launch Constraint (IAM Role)

# Create an IAM role for Service Catalog
aws iam create-role \
  --role-name ServiceCatalogLaunchRole \
  --assume-role-policy-document '{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": {"Service": "servicecatalog.amazonaws.com"},
"Action": "sts:AssumeRole"
}] }' # Attach permissions (adjust as needed) aws iam attach-role-policy \ --role-name ServiceCatalogLaunchRole \ --policy-arn arn:aws:iam::aws:policy/AmazonEC2FullAccess # Add the constraint to the portfolio aws servicecatalog create-constraint \ --portfolio-id port-1234567890abc \ --product-id prod-1234567890abc \ --parameters '{
"RoleArn": "arn:aws:iam::123456789012:role/ServiceCatalogLaunchRole" }' \ --type LAUNCH


Step 2: Deploy the Product (Self-Service)

2.1 Grant User Access

# Create an IAM policy for users
aws iam create-policy \
  --policy-name ServiceCatalogUserAccess \
  --policy-document '{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": [
"servicecatalog:ListPortfolios",
"servicecatalog:DescribeProduct",
"servicecatalog:ProvisionProduct"
],
"Resource": "*"
}] }' # Attach the policy to a user/group aws iam attach-user-policy \ --user-name dev-user \ --policy-arn arn:aws:iam::123456789012:policy/ServiceCatalogUserAccess

2.2 Deploy the Product (via CLI)

aws servicecatalog provision-product \
  --product-id prod-1234567890abc \
  --provisioning-artifact-id artifact-1234567890abc \
  --provisioned-product-name "Dev-Windows-SQL-01" \
  --provisioning-parameters Key=InstanceType,Value=t3.medium

Expected output:


{
  "RecordDetail": {
"ProvisionedProductId": "pp-1234567890abc",
"Status": "UNDER_CHANGE" } }

2.3 Verify Deployment

# List provisioned products
aws servicecatalog list-provisioned-products

# Check CloudFormation stack (created by Service Catalog)
aws cloudformation describe-stacks \
  --stack-name "sc-1234567890abc"


Step 3: Track Licenses with License Manager

3.1 Create a License Configuration

aws license-manager create-license-configuration \
  --name "SQL-Server-Standard" \
  --description "Tracks SQL Server Standard licenses" \
  --license-counting-type vCPU \
  --license-count 10  # You own 10 licenses

Expected output:


{
  "LicenseConfigurationArn": "arn:aws:license-manager:us-east-1:123456789012:license-configuration:lic-1234567890abc"
}

3.2 Associate the License with the EC2 Instance

# Tag the EC2 instance (created by Service Catalog)
aws ec2 create-tags \
  --resources i-1234567890abcdef0 \
  --tags Key=License,Value=SQL-Server-Standard

# Associate the license configuration with the instance
aws license-manager associate-license-configuration \
  --license-configuration-arn arn:aws:license-manager:us-east-1:123456789012:license-configuration:lic-1234567890abc \
  --resource-arn arn:aws:ec2:us-east-1:123456789012:instance/i-1234567890abcdef0

3.3 Check License Usage

aws license-manager list-usage-for-license-configuration \
  --license-configuration-arn arn:aws:license-manager:us-east-1:123456789012:license-configuration:lic-1234567890abc

Expected output:


{
  "LicenseConfigurationUsageList": [
{
"ResourceArn": "arn:aws:ec2:us-east-1:123456789012:instance/i-1234567890abcdef0",
"ConsumedLicenses": 2 # t3.medium = 2 vCPUs
} ], "TotalConsumedLicenses": 2, "TotalAvailableLicenses": 8 # 10 total - 2 used }


4. ? Production-Ready Best Practices


Security

  • Least privilege for launch roles: Only grant the minimum permissions needed (e.g., ec2:RunInstances but not iam:CreateRole).
  • Tag everything: Enforce tags like CostCenter, Owner, and Environment in Service Catalog templates.
  • Encrypt secrets: Use AWS Secrets Manager or Parameter Store for database passwords in templates.

Cost Optimization

  • Use constraints to limit instance sizes (e.g., block p4d.24xlarge).
  • Set budgets on portfolios to alert when usage exceeds thresholds.
  • Use License Manager to avoid over-provisioning (e.g., block deployments if license count is exceeded).

Reliability & Maintainability

  • Version your products: Use CreateProvisioningArtifact to update templates without breaking existing deployments.
  • Automate updates: Use AWS CodePipeline to deploy new product versions when templates change.
  • Tag provisioned products with ServiceCatalog:ProvisionedProductId for easy tracking.

Observability

  • Monitor Service Catalog API calls with AWS CloudTrail.
  • Set up CloudWatch alarms for failed deployments.
  • Export License Manager reports to S3 for long-term compliance tracking.


5. ⚠️ Common Mistakes & Traps

Mistake Symptom Fix/Prevention
No launch constraints Users deploy p4d.24xlarge instances, blowing up costs. Add a LAUNCH constraint with an IAM role that restricts instance types.
Missing tags in templates Can’t track who deployed what or why. Enforce mandatory tags (e.g., CostCenter) in all templates.
License Manager not integrated with Service Catalog Deployments succeed even when licenses are exhausted. Use License Manager enforcement to block non-compliant deployments.
No versioning for products Updating a template breaks existing deployments. Use CreateProvisioningArtifact to version products.
Launch role lacks permissions Deployments fail with AccessDenied. Test the role with aws sts assume-role before attaching it.


6. ? Exam/Certification Focus (SAA-C03)


Typical Question Patterns

  1. "How do you enforce governance for developers deploying EC2 instances?"
  2. Answer: Use Service Catalog with constraints (e.g., allowed instance types) and IAM launch roles.
  3. Trap: "Just use IAM policies" – this doesn’t provide self-service or pre-approved templates.

  4. "How do you prevent over-provisioning of SQL Server licenses?"

  5. Answer: Use License Manager with enforcement to block deployments when licenses are exhausted.
  6. Trap: "Use AWS Config" – Config can track but not enforce.

  7. "How do you share a Service Catalog portfolio across accounts?"

  8. Answer: Use AWS Organizations or SharePortfolio API.
  9. Trap: "Just copy the template" – this doesn’t maintain a single source of truth.

Key Distinctions

  • Service Catalog vs. AWS Marketplace:
  • Service Catalog = Internal corporate app store (your own templates).
  • Marketplace = Public AWS-approved vendor products (e.g., Datadog, Splunk).
  • License Manager vs. AWS Config:
  • License Manager = Tracks and enforces license usage.
  • AWS Config = Tracks resource configurations (but doesn’t enforce licenses).


7. ? Hands-On Challenge

Challenge:
Deploy a Service Catalog product that launches a t3.micro EC2 instance with Amazon Linux 2, but block deployments if the user tries to use a t3.large. Use a constraint to enforce this.

Solution:


# Create a constraint to limit instance types
aws servicecatalog create-constraint \
  --portfolio-id port-1234567890abc \
  --product-id prod-1234567890abc \
  --parameters '{
"Rules": "{\"Rule1\":{\"Assertions\":[{\"Assert\":{\"Fn::Contains\":[{\"Fn::GetAtt\":[\"EC2Instance\",\"InstanceType\"]},[\"t3.micro\"]]},\"AssertDescription\":\"Only t3.micro allowed\"}]}}" }' \ --type TEMPLATE

Why it works:
The TEMPLATE constraint uses a CloudFormation rule to validate the InstanceType parameter before deployment.


8. ? Rapid-Reference Crib Sheet


Service Catalog

Command/Concept Notes
aws servicecatalog create-product Creates a deployable resource (CloudFormation/Terraform).
aws servicecatalog create-portfolio Groups products for a team/use case.
aws servicecatalog associate-product-with-portfolio Links a product to a portfolio.
aws servicecatalog create-constraint --type LAUNCH Restricts deployments via IAM role.
aws servicecatalog create-constraint --type TEMPLATE Validates CloudFormation parameters.
Default launch role permissions None – you must attach policies manually.
⚠️ Exam trap: "Service Catalog replaces IAM" No – it uses IAM roles for deployments.

License Manager

Command/Concept Notes
aws license-manager create-license-configuration Defines license rules (e.g., "1 vCPU = 1 license").
aws license-manager associate-license-configuration Links a license to a resource (EC2, RDS, etc.).
aws license-manager list-usage-for-license-configuration Shows current license usage.
Default enforcement Disabled – you must enable it.
⚠️ Exam trap: "License Manager works for all software" No – only AWS-provided licenses (e.g., Windows, SQL Server) or BYOL.


9. ? Where to Go Next

  1. AWS Service Catalog Documentation
  2. AWS License Manager Documentation
  3. AWS Service Catalog Workshop (Hands-on lab)
  4. AWS Well-Architected Framework – Governance Pillar (Best practices for compliance)


ADVERTISEMENT