For a major tech conference, I was tasked with designing and building a self-service tool that allowed attendees to provision their own secure, customized EC2 instances for Machine Learning and AI workloads. The goal was to eliminate manual setup and provide a consistent, powerful environment for every user, regardless of their prior AWS experience. As the sole engineer on this project, I was responsible for the entire lifecycle, from architecture design to final implementation.
The core of the solution is an AWS Service Catalog product based on a single, powerful CloudFormation template. This approach provides a simple, wizard-like interface for users while handling all the complex orchestration in the background.
The provisioning workflow is fully automated:
1. User-Friendly Customization: Through the Service Catalog interface, users select their desired instance size (g4dn.4xlarge or g4dn.12xlarge) and choose from a curated list of popular ML/AI frameworks, libraries (e.g., for NLP, data analysis, visualization), and IDEs.
2. Dynamic Configuration: A Python-based Lambda function, triggered as a CloudFormation Custom Resource, dynamically finds the subnet with the most available IP addresses to ensure resilient deployments. It also automatically fetches the latest Ubuntu 24.04 AMI ID.
3. Automated Software Installation: The same Lambda function aggregates all of the user's software selections and compiles them into a single installation script. This script is passed to the EC2 instance via UserData.
4. Secure Credential Management: A new KMS key and a Secret in AWS Secrets Manager are created for each deployment. The EC2 instance is granted permission to retrieve its own credentials from Secrets Manager via an instance profile, ensuring the password is never exposed.
5. Instance Provisioning: The EC2 instance is launched with a bootstrap script (ConfigSets) that handles prerequisite installations such as the Ubuntu Desktop environment, xRDP, and NVIDIA drivers. It then executes the custom installation script generated in step 3.
6. Automated Tagging & Governance: A final Lambda function updates the EC2 instance's tags to reflect the owner's email address, simplifying tracking and cost allocation. This operates within a strict Service Control Policy (SCP) that limits user access to only the necessary services (Service Catalog and their own EC2 resources), securing the environment.
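As an added illustration of the Dynamic Configuration step (example code written for this write-up, not the project's own Lambda), the sketch below shows the custom-resource handler shape: pure helpers pick the subnet with the most free addresses and the newest matching AMI, and the handler wires them to boto3 and to CloudFormation's ResponseURL callback. It assumes the template passes VpcId in ResourceProperties, that Canonical's public AMI account and the noble naming pattern are used for the lookup, and the sample subnet/image records are constructed.

```python
import json
import urllib.request
# Constructed example, not the project's code: assumes the template passes VpcId
# in ResourceProperties and reads SubnetId/ImageId back with Fn::GetAtt.
UBUNTU_OWNER_ID = "099720109477"  # Canonical's public AMI account
UBUNTU_2404_NAME = "ubuntu/images/hvm-ssd-gp3/ubuntu-noble-24.04-amd64-server-*"
# Constructed sample inputs, shaped like describe_subnets / describe_images output.
SAMPLE_SUBNETS = [{"SubnetId": "subnet-a", "AvailableIpAddressCount": 12},
                  {"SubnetId": "subnet-b", "AvailableIpAddressCount": 250}]
SAMPLE_IMAGES = [{"ImageId": "ami-old", "CreationDate": "2024-04-23T10:00:00.000Z"},
                 {"ImageId": "ami-new", "CreationDate": "2024-09-01T08:30:00.000Z"}]

def pick_subnet(subnets):
    """SubnetId with the most free addresses; the first one wins a tie."""
    if not subnets:
        raise ValueError("no candidate subnets in VPC")
    return max(subnets, key=lambda s: s["AvailableIpAddressCount"])["SubnetId"]

def newest_image(images):
    """ImageId with the latest CreationDate (ISO 8601 strings sort correctly)."""
    if not images:
        raise ValueError("no AMI matched the name filter")
    return max(images, key=lambda i: i["CreationDate"])["ImageId"]

def send_response(event, status, data, reason="see CloudWatch Logs"):
    """PUT the result to the pre-signed URL CloudFormation placed in the event."""
    body = json.dumps({
        "Status": status, "Reason": reason, "Data": data,
        "PhysicalResourceId": event.get("PhysicalResourceId", event["LogicalResourceId"]),
        "StackId": event["StackId"], "RequestId": event["RequestId"],
        "LogicalResourceId": event["LogicalResourceId"]}).encode()
    req = urllib.request.Request(event["ResponseURL"], data=body, method="PUT",
                                 headers={"Content-Type": ""})
    urllib.request.urlopen(req)

def handler(event, context):
    import boto3  # imported here so the helpers above stay importable offline
    if event["RequestType"] == "Delete":  # a lookup has nothing to tear down
        return send_response(event, "SUCCESS", {})
    try:
        ec2 = boto3.client("ec2")
        vpc = event["ResourceProperties"]["VpcId"]
        subnets = ec2.describe_subnets(Filters=[{"Name": "vpc-id", "Values": [vpc]}])["Subnets"]
        images = ec2.describe_images(Owners=[UBUNTU_OWNER_ID], Filters=[
            {"Name": "name", "Values": [UBUNTU_2404_NAME]},
            {"Name": "state", "Values": ["available"]}])["Images"]
        send_response(event, "SUCCESS",
                      {"SubnetId": pick_subnet(subnets), "ImageId": newest_image(images)})
    except Exception as exc:  # report failure, or the stack waits for its timeout
        send_response(event, "FAILED", {}, reason=str(exc))
```

Always answering the ResponseURL, including on failure, is what keeps a broken lookup from leaving the Service Catalog launch hanging until the custom-resource timeout.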
The primary technical challenge was the dynamic installation of a wide variety of software packages. My initial approach—using a single Lambda function to generate a complex shell script—proved difficult to maintain as the number of libraries grew. The script became brittle, and debugging installation failures was time-consuming.
If I were to re-architect this, I would use EC2 Image Builder to create a “golden AMI” that already includes the most common frameworks and drivers. The UserData script would then only need to install the smaller, user-selected libraries, leading to faster provisioning times and a more reliable, scalable solution.
Hi, I’m Sam! Welcome to my portfolio. I created this site to document and showcase my journey in AWS by building practical, hands-on solutions.