Profile Applicability:
Level 1
Description:
AWS Service Catalog allows organizations to create, manage, and distribute catalogs of IT services that are approved for use on AWS. Portfolios in Service Catalog allow you to organize collections of products and grant access to specific users and groups.
When creating or managing portfolios in AWS Service Catalog, it is essential to ensure that these portfolios are only shared within your AWS Organization. Sharing portfolios outside your AWS Organization can result in security risks and unauthorized access to your products and services.
This SOP ensures that Service Catalog portfolios are shared within the AWS Organization only, which limits access to approved users and accounts, ensuring tighter control over the usage of AWS resources.
Rationale:
Sharing Service Catalog portfolios outside the organization exposes sensitive IT services and configurations to unauthorized or untrusted external accounts. By restricting portfolio sharing to within the AWS Organization:
Security: Limits access to only those users or accounts within your AWS Organization, preventing the potential misuse of resources by unauthorized external parties.
Control: Ensures that your organization retains complete control over which accounts or users have access to the portfolios.
Compliance: Meets various industry compliance and regulatory requirements that mandate data segregation and restricted access to sensitive resources.
Auditing: Easier to audit and track who has access to your resources, ensuring that only authorized personnel can modify or consume services from your portfolio.
Impact:
Pros:
Enhanced Security: Limits access to portfolios within the organization, reducing the risk of unauthorized access.
Compliance: Ensures compliance with best practices for cloud resource management.
Simplified Management: Provides clearer and more straightforward access control, reducing the complexity of managing external access.
Reduced Risk of Data Exposure: By restricting access to the internal organization, sensitive information is better protected.
Cons:
Limited Flexibility: Restricting portfolio sharing within the organization may limit flexibility for collaboration with external stakeholders.
Administrative Effort: May require additional configuration to ensure that the sharing settings are correctly applied and managed.
Default Value:
By default, a newly created AWS Service Catalog portfolio is not shared with any other account, inside or outside the AWS Organization. However, an administrator can later add an account-level share to an account outside the Organization, so sharing settings must be reviewed and configured deliberately.
Pre-requisite:
AWS IAM Permissions:
servicecatalog:ListPortfolios
servicecatalog:DescribePortfolio
servicecatalog:DescribePortfolioShares
servicecatalog:CreatePortfolioShare
servicecatalog:DeletePortfolioShare
servicecatalog:UpdatePortfolio
servicecatalog:AssociatePrincipalWithPortfolio
organizations:ListAccounts (to confirm which account IDs are members of the Organization)
AWS CLI installed and configured.
AWS Organizations must be set up with the relevant accounts as members, and Service Catalog must have organization access enabled (aws servicecatalog enable-aws-organizations-access, run from the management account) before a portfolio can be shared with the Organization or its OUs.
Remediation:
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to AWS Service Catalog under Services.
In the Service Catalog Dashboard, select Portfolios.
Check the sharing settings for each portfolio:
For each portfolio, click on the portfolio name.
Under the Share Portfolio section, ensure that portfolio sharing is only enabled for the AWS Organization.
If a portfolio is shared outside the organization, modify the sharing settings to restrict it to within the organization:
In the Share Portfolio settings, remove any external account IDs that may be listed and ensure that only the AWS Organization is selected.
Save the changes and verify that the portfolio is no longer shared with external accounts.
Using AWS CLI:
To list the portfolios whose sharing needs to be checked, run:
aws servicecatalog list-portfolios --query 'PortfolioDetails[*].Id'
To see the accounts a specific portfolio is shared with, run:
aws servicecatalog describe-portfolio-shares --portfolio-id <portfolio-id> --type ACCOUNT
Each entry in PortfolioShareDetails is an account-level share, with the 12-digit account ID in PrincipalId. Every such ID must belong to a member account of your AWS Organization (compare against the output of aws organizations list-accounts); shares of --type ORGANIZATION or ORGANIZATIONAL_UNIT are within the Organization by definition. If an account outside the Organization is listed, remove that share:
aws servicecatalog delete-portfolio-share --portfolio-id <portfolio-id> --account-id <external-account-id>
Implementation Steps:
Using AWS Console:
Sign in to the AWS Management Console and navigate to AWS Service Catalog.
In the Service Catalog Dashboard, click on Portfolios.
Select the portfolio you want to review or modify.
Under the Share Portfolio section, review the shared accounts.
Ensure that the portfolio is only shared with the AWS Organization.
To restrict the sharing to only within the AWS Organization, modify the sharing settings by removing any external accounts and selecting only the AWS Organization.
Click Save to apply the changes.
Using AWS CLI:
To list the portfolios, run:
aws servicecatalog list-portfolios --query 'PortfolioDetails[*].Id'
To list the account-level shares of a portfolio:
aws servicecatalog describe-portfolio-shares --portfolio-id <portfolio-id> --type ACCOUNT
If any PrincipalId is an account outside the Organization, remove that share:
aws servicecatalog delete-portfolio-share --portfolio-id <portfolio-id> --account-id <external-account-id>
Verify that only Organization member accounts (or an ORGANIZATION / ORGANIZATIONAL_UNIT share) remain:
aws servicecatalog describe-portfolio-shares --portfolio-id <portfolio-id> --type ACCOUNT
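The membership check described above, automated. This is an added example in Python with boto3, not part of this SOP or of AWS tooling: it lists the ACCOUNT-type shares of every portfolio and reports those whose account is not an Organization member. The function names and the SAMPLE_* data are constructed for this example.

```python
def find_external_shares(share_details, org_account_ids):
    """Return sorted IDs of ACCOUNT-type shares whose PrincipalId is not an
    Organization member.  share_details is the 'PortfolioShareDetails' list
    from DescribePortfolioShares (Type=ACCOUNT).  ORGANIZATION and OU shares
    are inside the Organization by construction, so only ACCOUNT shares matter."""
    members = set(org_account_ids)
    return sorted(
        s["PrincipalId"]
        for s in share_details
        if s.get("Type") == "ACCOUNT" and s["PrincipalId"] not in members
    )


def audit_portfolio_shares(region_name=None):
    """Live check -> {portfolio_id: [external account IDs]}.  Run it from the
    management or delegated-admin account so organizations:ListAccounts works."""
    import boto3  # imported lazily so find_external_shares() runs offline
    sc = boto3.client("servicecatalog", region_name=region_name)
    org = boto3.client("organizations")
    org_ids = [a["Id"] for page in org.get_paginator("list_accounts").paginate()
               for a in page["Accounts"]]
    findings = {}
    for page in sc.get_paginator("list_portfolios").paginate():
        for p in page["PortfolioDetails"]:
            shares, token = [], None
            while True:  # DescribePortfolioShares pages via PageToken
                kw = {"PortfolioId": p["Id"], "Type": "ACCOUNT"}
                if token:
                    kw["PageToken"] = token
                resp = sc.describe_portfolio_shares(**kw)
                shares += resp.get("PortfolioShareDetails", [])
                token = resp.get("NextPageToken")
                if not token:
                    break
            external = find_external_shares(shares, org_ids)
            if external:
                findings[p["Id"]] = external
    return findings


# Constructed sample: two member accounts; one share points outside the Org.
SAMPLE_ORG_ACCOUNTS = ["111111111111", "222222222222"]
SAMPLE_SHARES = [
    {"PrincipalId": "222222222222", "Type": "ACCOUNT", "Accepted": True},
    {"PrincipalId": "333333333333", "Type": "ACCOUNT", "Accepted": False},
    {"PrincipalId": "o-exampleorgid", "Type": "ORGANIZATION", "Accepted": True},
]

if __name__ == "__main__":
    print(find_external_shares(SAMPLE_SHARES, SAMPLE_ORG_ACCOUNTS))  # ['333333333333']
```

Any portfolio ID returned by audit_portfolio_shares() is a candidate for the delete-portfolio-share step above; a share that is not yet Accepted by the recipient still counts, since it grants access as soon as it is accepted.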
Backout Plan:
Console Process:
Go to AWS Service Catalog:
Open the AWS Service Catalog in the Management Console.
Share Portfolio:
Select the portfolio you want to share.
Use the Share option to share the portfolio.
Choose Organization or Organizational Units (OUs) to restrict sharing within your AWS organization.
CLI Process:
Share Portfolio (the Organization ID, o-xxxxxxxxxx, comes from aws organizations describe-organization):
aws servicecatalog create-portfolio-share \
  --portfolio-id <portfolio-id> \
  --organization-node Type=ORGANIZATION,Value=<organization-id>
Verify Sharing:
aws servicecatalog describe-portfolio-shares --portfolio-id <portfolio-id> --type ORGANIZATION
Note:
Automation: To simplify the management of portfolio sharing settings, consider using AWS Config to monitor and ensure that Service Catalog portfolios remain only shared within the organization.
Alerting: Set up CloudWatch Alarms (driven by CloudTrail CreatePortfolioShare events) to notify you whenever a portfolio share is created, so that a share to an account outside the Organization is caught promptly.