Building VPC, S3, EC2, and RDS Products with AWS Service Catalog

1m setup · 120m access · 120m completion

Warning: Do not transmit data into the AWS Console that is not related to Qwiklabs or the lab you are taking.


SPL-176 - Version 1.2.1

© 2018 Amazon Web Services, Inc. and its affiliates. All rights reserved. This work may not be reproduced or redistributed, in whole or in part, without prior written permission from Amazon Web Services, Inc. Commercial copying, lending, or selling is prohibited.


In this lab, you will use AWS Service Catalog to build a development VPC product and add EC2, RDS, and S3 products into that VPC.

You will start by creating an AWS Service Catalog ("SC") portfolio that contains four products. Each SC product is backed by an AWS CloudFormation template, which is supplied as part of the lab. The first product is a VPC environment for end-user development, which will be the destination you build your other products into. The second product is an EC2 Linux instance. The third product is an RDS MySQL database deployment. Lastly, you will build an S3 product that is restricted by IAM user and by the IP address range of your VPC.

As an AWS Service Catalog Administrator, you will create and assign Template and Launch constraints for the SC products that you create. You will set tags for both the products and the portfolio that you create, and assign AWS IAM (Identity and Access Management) users so that they can use the newly created portfolio.

You will be assigned two IAM users. The first IAM user (referred to as the admin user) will be assigned the role of an AWS Service Catalog admin (not an AWS admin), which only has the ability to create portfolios and products in AWS Service Catalog and has no direct access to other services. The second IAM user (referred to as the developer user) will mimic an end-user experience and will only have the ability to launch AWS Service Catalog products.

You will use four IAM roles throughout the lab: SC-VPC-ROLE for VPC, SC-EC2-ROLE for EC2, SC-RDS-ROLE for RDS, and SC-S3-ROLE for S3. Each role has its trusted entity set to the Service Catalog service, which allows Service Catalog to launch AWS services such as VPC, EC2, RDS and S3 in the environment. This mechanism is used instead of granting the end user (the developer in this lab) direct access to AWS services, while still giving them the ability to launch those services in a defined, governed and pre-approved way.
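
The trust relationship described above can be checked mechanically. As an added example (not part of the lab's materials), this Python function audits a launch role's trust policy and reports any principal other than the Service Catalog service; the function names, both sample policies and the account ID are constructed for illustration.

```python
SC_PRINCIPAL = "servicecatalog.amazonaws.com"
ASSUME = {"sts:assumerole", "sts:*", "*"}  # actions that grant role assumption

def _as_list(value):
    # IAM accepts either a single string or a list in these fields.
    return value if isinstance(value, list) else [value]

def audit_launch_role_trust(trust_policy):
    """Return findings for a launch role's trust policy (empty list = OK)."""
    findings, sc_trusted = [], False
    for stmt in _as_list(trust_policy.get("Statement", [])):
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if stmt.get("Effect") != "Allow" or not actions & ASSUME:
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            findings.append("any principal can assume the role")
            continue
        for kind, values in principal.items():
            for value in _as_list(values):
                if kind == "Service" and value == SC_PRINCIPAL:
                    sc_trusted = True
                else:
                    findings.append(f"extra trusted principal: {kind} {value}")
    if not sc_trusted:
        findings.append(f"{SC_PRINCIPAL} cannot assume this role")
    return findings

# Constructed sample: the trust a role such as SC-EC2-ROLE is described as having.
GOOD_TRUST = {
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "servicecatalog.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}
# Constructed sample: an account principal (placeholder ID) is trusted as well.
BAD_TRUST = {
    "Statement": [{
        "Effect": "Allow",
        "Principal": {
            "Service": ["servicecatalog.amazonaws.com"],
            "AWS": "arn:aws:iam::111122223333:root",
        },
        "Action": "sts:AssumeRole",
    }],
}
if __name__ == "__main__":
    for name, doc in (("GOOD_TRUST", GOOD_TRUST), ("BAD_TRUST", BAD_TRUST)):
        print(name, audit_launch_role_trust(doc) or "OK")
```

An extra trusted principal matters here because anyone who can assume a launch role gets its service permissions directly, outside the governed Service Catalog path.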

In a typical deployment scenario, the admin user will be an automation or deployments team, or a business unit AWS admin, who does not have control of the entire AWS environment. The developer user will be a developer, a business owner or an operations team member who is not concerned with the underlying AWS infrastructure and is more of a consumer of the final AWS services. We call this model the Consumer, Creator process.

Topics covered

By the end of this lab, you will be able to:

  • Create a Service Catalog Portfolio
  • Create a Service Catalog VPC Product
  • Create a Service Catalog EC2 Product
  • Create a Service Catalog RDS Product
  • Create a Service Catalog S3 Product
  • Create Service Catalog Launch Constraints
  • Create Service Catalog Template Constraints
  • Launch your newly created Service Catalog VPC Product
  • Launch your newly created EC2, RDS, and S3 Products within your VPC Product

Start Lab

Notice the lab properties below the lab title:

  • setup - The estimated time to set up the lab environment.
  • access - The time the lab will run before automatically shutting down.
  • completion - The estimated time the lab should take to complete.

  1. Click START LAB to launch your lab. If you are prompted for a token, use the one distributed to you (or credits you've purchased).

    A status bar shows the progress of the lab environment creation process (the AWS Management Console is accessible during lab resource creation, but your AWS resources may not be fully available until the process is complete).

  2. Click OPEN CONSOLE, which will automatically log you in to the AWS Console.

Please do not change the Region unless instructed.

Common login errors

Error: Federated login credentials

If you see this message:

  • Close the browser tab to return to your initial lab window
  • Wait a few seconds
  • Click Open Console again

You should now be able to access the AWS Management Console.

Error: You must first log out

If you see this message:

  • Click To logout, click here
  • Close the browser tab to return to your initial Qwiklabs window
  • Click Open Console again
