AWS Partner Network (APN) Blog
From Idea to Market: AWS Marketplace Vendor Insights for Secure SaaS
By Jenn Reed, Principal Partner Solutions Architect – AWS
By Tim Honychurch, Principal Tech BD – AWS
Organizations have limited security and engineering resources and must balance getting to market fast while earning trust with customers. So how can you provide evidence that you’re implementing security best practices?
As a former CISO (Jenn) and cloud operations leader for a software-as-a-service security organization (Tim), we have found that implementing security controls from the beginning not only reduces technical debt but also makes it easier to obtain a Service Organization Control Type 2 (SOC 2) audit and/or International Organization for Standardization (ISO) 27001 certification.
Amazon Web Services (AWS) puts security first and actively maintains 140+ security and compliance standards, providing a secure base to allow companies of any size to move quickly to market with their applications that run on AWS. In researching how to get started, we found no clear roadmap to help security-minded developers go from idea to launch.
If you want to ensure compliance, do you need to buy compliance software before creating your own software? Are there other ways to determine whether you meet security and compliance standards? One answer to these questions is AWS Marketplace Vendor Insights, which was designed to demonstrate a strong security and compliance posture by gathering security and compliance data from software vendors and making it accessible in AWS Marketplace.
In addition, AWS Marketplace Vendor Insights provides the capability to keep the security and compliance information gathered from AWS-hosted SaaS applications up-to-date via an automated process. The capabilities provided by AWS Marketplace Vendor Insights earn customer trust and simplify the vendor risk assessment process, reducing the time it takes to acquire and begin using SaaS offerings.
A challenge is knowing where and how to begin. In this post, we will provide you with a step-by-step guide on how to navigate and leverage the AWS Partner Network (APN) and AWS Marketplace, depending on where you are in your development journey. We’ll then demonstrate how your security and engineering teams can integrate continuous compliance controls and how to add compliance reports and certifications to your product profile as you obtain them.
As a final step, we’ll show the AWS customer’s experience of obtaining access to your product’s security information.
Solution Architecture
The architecture diagram in Figure 1 illustrates deployment stages that support user workflows:
- Deployment of SaaS application.
- Deployment of AWS Marketplace integration.
- Creation of the AWS Marketplace Vendor Insights profile.
- AWS Marketplace Vendor Insights access process for the customer.
Figure 1 – Solution architecture.
Prerequisites
This guide requires registration as a seller on AWS Marketplace. If you have not registered as a seller, please follow the steps to register.
As a SaaS provider, you will have received a product code and Amazon Simple Notification Service (SNS) topics for both subscriptions and entitlements from the AWS Marketplace team. You’ll need these when you are ready to execute the AWS Marketplace integration.
Step 1: SaaS Application Development
First, build your SaaS application. By designing a secure multi-tenant application from the start, you can increase profitability through tenant density and resource utilization, decreasing your operational costs when acquiring additional customers.
Knowing how to get started can often be a challenge. This is where the APN provides guidance by connecting you with a Partner Development Manager (PDM) and Partner Solutions Architect (PSA). If your team already has experience building SaaS applications but would like to have a best practice framework, your PSA can guide you through an AWS Well-Architected Review using the Well-Architected Framework’s SaaS Lens.
For a deeper dive, your PDM can also connect you with experts from the AWS SaaS Factory program.
The foundational example application deployed in this step-by-step guide is provided by AWS SaaS Factory and the AWS Serverless SaaS Workshop. It’s provided as a guide to build your prototype SaaS application using the following AWS services: Amazon API Gateway, Amazon Cognito, Amazon DynamoDB, AWS Cloud Development Kit (AWS CDK), AWS Cloud9, AWS CodePipeline, AWS Lambda, and AWS Serverless Application Model (AWS SAM).
Once you have finished developing your prototype SaaS application with tenant isolation, throttling/quotas, and a cost attribution model, you are ready to proceed with AWS Marketplace integration.
Step 2: AWS Marketplace Integration
One of the simplest ways to integrate your AWS-hosted application into AWS Marketplace is to use the AWS Partner Solutions quick start reference deployment, AWS Marketplace Serverless SaaS Integration on AWS.
It will configure the following AWS services: Amazon API Gateway, Amazon CloudFront, Lambda@Edge, Amazon DynamoDB, Amazon Simple Storage Service (Amazon S3), Amazon SNS, Amazon Simple Queue Service (SQS), AWS Lambda, and AWS Marketplace.
- For governance and tracking, clone a copy of the AWS CloudFormation template into your deployment repository.
- Log in to the AWS Management Console in the AWS region where you deployed your application. In the search bar, type AWS CloudFormation and select the service you want to configure.
- On the CloudFormation page, click Create stack, keep the default setting for the template URL, and input the following for URL: https://aws-quickstart.s3.us-east-1.amazonaws.com/cloudformation-aws-marketplace-saas/templates/cloudformation-aws-marketplace-saas.template.yaml
- On the Specify stack details page, provide a stack name. When you registered, the AWS Marketplace team provided you with your 25-character product code and the Subscription and Entitlement SNS Amazon Resource Name (ARN). Those in the figure below are for demonstration purposes only.
Figure 2 – AWS Marketplace integration stack details.
- On the Configure stack options page, specify tags for resources and set advanced options.
- On the Review page, review and confirm the template settings. Under Capabilities, select both check boxes.
Figure 3 – AWS Marketplace integration stack review.
- Choose Create stack to deploy.
- Monitor the status of the stack. When the status is CREATE_COMPLETE, the deployment is ready.
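The console steps above can also be scripted. The following is an added example, not code from the post or the quick start: it validates the seller-provided inputs and creates the same stack from the template URL given above. The parameter keys (ProductCode, SubscriptionSNSTopic, EntitlementSNSTopic) are assumed to match the quick start template; confirm them against the template before use.

```python
"""Scripted equivalent of the Step 2 console walkthrough (added example)."""
import re

# Template URL as given in the walkthrough above.
TEMPLATE_URL = ("https://aws-quickstart.s3.us-east-1.amazonaws.com/"
                "cloudformation-aws-marketplace-saas/templates/"
                "cloudformation-aws-marketplace-saas.template.yaml")
# Shape of the SNS topic ARNs the Marketplace team provides: arn:aws:sns:<region>:<account>:<name>
SNS_ARN_RE = re.compile(r"^arn:aws:sns:[a-z0-9-]+:\d{12}:[A-Za-z0-9_-]+$")


def build_parameters(product_code, subscription_arn, entitlement_arn):
    """Validate the seller inputs and shape them for CloudFormation create_stack.

    Parameter keys are an assumption about the quick start template.
    """
    if len(product_code) != 25 or not product_code.isalnum():
        raise ValueError("product code must be the 25-character code issued by AWS Marketplace")
    for label, arn in (("subscription", subscription_arn), ("entitlement", entitlement_arn)):
        if not SNS_ARN_RE.match(arn):
            raise ValueError(f"{label} SNS topic ARN is malformed: {arn}")
    return [
        {"ParameterKey": "ProductCode", "ParameterValue": product_code},
        {"ParameterKey": "SubscriptionSNSTopic", "ParameterValue": subscription_arn},
        {"ParameterKey": "EntitlementSNSTopic", "ParameterValue": entitlement_arn},
    ]


def deploy(stack_name, product_code, subscription_arn, entitlement_arn, region):
    """Create the integration stack and block until CREATE_COMPLETE (needs AWS credentials)."""
    import boto3  # imported here so build_parameters() is usable without AWS access
    cfn = boto3.client("cloudformation", region_name=region)
    cfn.create_stack(
        StackName=stack_name,
        TemplateURL=TEMPLATE_URL,
        Parameters=build_parameters(product_code, subscription_arn, entitlement_arn),
        # The Review page's Capabilities check boxes map to these; granting all three is harmless.
        Capabilities=["CAPABILITY_IAM", "CAPABILITY_NAMED_IAM", "CAPABILITY_AUTO_EXPAND"],
    )
    cfn.get_waiter("stack_create_complete").wait(StackName=stack_name)
    return cfn.describe_stacks(StackName=stack_name)["Stacks"][0]["StackStatus"]
```

Run `deploy()` from the seller account in the region where the SaaS application is deployed; it returns the final stack status.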
When the integration is complete, you will be able to see your product listing within the AWS Marketplace Management Portal (AMMP) under SaaS products. The “Limited” status allows you to test and configure the listing before you go live. When you click on your product, you’ll see the information you entered during registration.
Figure 4 – AWS Marketplace Seller Portal SaaS product page.
Step 3: AWS Marketplace Vendor Insights Integration
Now that you have built your SaaS application and integrated it within AWS Marketplace, you’re ready to integrate with AWS Marketplace Vendor Insights.
There are two required steps and one optional step when configuring AWS Marketplace Vendor Insights. The first step is to navigate to the AWS Marketplace Management Portal and select your SaaS listing. In the Vendor Insights tab, complete the Contact Support for adding security profile form. The recipients identified on the form will be contacted once the AWS Marketplace Seller Operations team has created the security profile.
Next, download and complete the Vendor Insights Security Self-Assessment form, or you can upload a completed Consensus Assessment Initiative Questionnaire (CAIQ).
Along with the self-assessments, you can upload security and compliance certifications. AWS Marketplace Vendor Insights supports SOC2, ISO-27001, Federal Risk and Authorization Management Program (FedRAMP), Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry Data Security Standard (PCI-DSS), and the General Data Protection Regulation (GDPR).
With the self-assessment and product certifications, you have now created a baseline AWS Marketplace Vendor Insights profile that’s discoverable for your customers.
Optionally, you’re also able to configure the continuous-compliance capability within AWS Marketplace Vendor Insights. To do that, we’ll integrate AWS Config rules and AWS Audit Manager leveraging two CloudFormation stacks.
The first stack set creates the AWS Identity and Access Management (IAM) roles that will be used when deploying the second stack set. The second stack set configures AWS Config and AWS Audit Manager for both self-assessment and automated assessment, and creates Amazon S3 buckets to store AWS Audit Manager artifacts, third-party audit reports, and certificates.
- For governance and tracking, clone a copy of the CloudFormation template into your deployment repository.
- Within the AWS console, log in to the AWS Seller account and AWS region where you deployed your SaaS application. In the search bar, type AWS CloudFormation and select the service you want to configure.
- On the CloudFormation page, select Create a Stack Set, keep the default setting for the template URL, and input the following for URL: https://aws-vendor-insights.s3.amazonaws.com/vendor-onboarding-templates/v0/VendorInsightsPrerequisiteCFT.yaml
- Specify the stack name and select Next.
- On the Configure stack options page, specify tags for resources in your stack and set advanced options.
- On the Review page, review and confirm the template settings. Under Capabilities, select the check box to acknowledge the template creates IAM resources.
- Choose Create stack to deploy.
- Monitor the status of the stack. When the status is CREATE_COMPLETE, the deployment is ready.
- Once complete, you’ll deploy the second stack set; input the following for URL: https://aws-vendor-insights.s3.amazonaws.com/vendor-onboarding-templates/v0/VendorInsightsOnboardingCFT.yaml
- Enter the following on Specify stack details:
Figure 5 – AWS Marketplace Vendor Insights onboarding stack details.
- On the Configure stack options page, you can specify tags (key-value pairs) for resources in your stack and set advanced options.
- On the Review page, under Capabilities, select both check boxes before submission, since this stack set run creates additional IAM roles.
- Once execution completes, a new S3 bucket is created in your account (vendor-insights-audit-reports-bucket-{account number}) where you’ll store your certifications. Another S3 bucket (vendor-insights-stack-set-output-bucket-{account number}) contains output files that are used by the Vendor Insights support team to complete onboarding your product.
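Because the audit-reports bucket will hold your certifications and the output bucket is read by the support team, it is worth confirming their configuration after the stack set finishes. The following is an added example, not code from the post or the onboarding template: it derives the two bucket names from the pattern above and reports any bucket that does not block public access or lacks default encryption. Those hardening expectations are this example's own checks, not requirements stated in the post.

```python
"""Post-deployment check of the two Vendor Insights buckets (added example)."""

# Bucket name patterns as given in the walkthrough above.
VI_BUCKETS = ("vendor-insights-audit-reports-bucket-{}",
              "vendor-insights-stack-set-output-bucket-{}")
PUBLIC_ACCESS_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
                       "BlockPublicPolicy", "RestrictPublicBuckets")


def bucket_names(account_id):
    """Return the two bucket names for a 12-digit AWS account id."""
    if len(account_id) != 12 or not account_id.isdigit():
        raise ValueError("expected a 12-digit AWS account id")
    return [pattern.format(account_id) for pattern in VI_BUCKETS]


def evaluate(public_access_block, encryption_rules):
    """Return findings for one bucket given its PublicAccessBlock and SSE rules.

    Both arguments have the shape returned by the S3 API; empty values mean
    the corresponding configuration is absent.
    """
    findings = [f"{flag} is not enabled"
                for flag in PUBLIC_ACCESS_FLAGS if not public_access_block.get(flag)]
    algorithms = {rule["ApplyServerSideEncryptionByDefault"]["SSEAlgorithm"]
                  for rule in encryption_rules}
    if not algorithms:
        findings.append("no default encryption configured")
    return findings


def audit(account_id, region):
    """Fetch the live configuration of both buckets (needs AWS credentials)."""
    import boto3  # imported here so evaluate() is usable without AWS access
    from botocore.exceptions import ClientError
    s3 = boto3.client("s3", region_name=region)
    report = {}
    for name in bucket_names(account_id):
        try:
            pab = s3.get_public_access_block(Bucket=name)["PublicAccessBlockConfiguration"]
        except ClientError:  # no PublicAccessBlock configured on the bucket
            pab = {}
        try:
            rules = s3.get_bucket_encryption(Bucket=name)["ServerSideEncryptionConfiguration"]["Rules"]
        except ClientError:  # no default encryption configured on the bucket
            rules = []
        report[name] = evaluate(pab, rules)
    return report
```

An empty list of findings for both buckets means they block public access and encrypt objects at rest by default.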
The completion of the integration into AWS Marketplace Vendor Insights triggers a notification to the Vendor Insights support team to validate and complete onboarding. Once this is done, the support team will notify you via email.
The security profile created by the second CloudFormation script applies security framework best practices to this application within the Seller account and primary region. This profile allows you to configure your security snapshot, which is a moment-in-time assessment of the 125 security controls. You can schedule when the snapshot is taken, how frequently it is taken, and how long it’s staged before it’s made public to your customers.
It also provides links to AWS Audit Manager for the automated self-assessment. The automated assessment is populated by AWS Config controls based on industry best practices. Your team maps controls to the AWS resources and regions within scope, assigns appropriate audit owners, provides evidence, and tracks the evidence that you can make available to customers.
Figure 6 – AWS Audit Manager self-assessment.
Step 4: SaaS Customer Experience
Regardless of software category, buyers need to have a risk assessment performed, causing delays in the buying process. The work you have done by choosing to integrate within AWS Marketplace Vendor Insights makes it easy for security-minded buyers to find your listing by filtering on Vendor Insights.
Additionally, they can filter for their desired compliance certifications. Security teams are freed to focus on security of the product instead of fulfilling assessment requests. All the customer needs to do is click on the View assessment data button on the upper right corner of the Marketplace listing.
This will take them to the Vendor Insights dashboard, which displays any current security certifications you hold along with their expiration dates. If the customer would like to view the details of those certifications, they can click the Request Access button, which allows your team to ensure an NDA is in place with the requestor.
Once granted, the prospective customer will have 60 days of access to certifications, self-assessments, and the 125 security controls. When they purchase the product through AWS Marketplace, they’ll retain access to all of the information associated with your profile for the duration of their contract.
Figure 7 – AWS Marketplace Vendor Insights overview.
Conclusion
In this post, we have provided a step-by-step guide to navigate the AWS Partner Network and AWS Marketplace to build a secure, multi-tenant SaaS application. By leaning into security, you can stand out by establishing an AWS Marketplace Vendor Insights profile.
Earning customer trust means shifting security and compliance left with automation to operate at the speed of development. Together with AWS, you can demonstrate security first while enabling a more efficient sales process.
If you’re interested in getting started, connect with your AWS Partner Development Manager and Partner Solutions Architect.