AWS Marketplace

Best practices for receiving, accepting, and distributing Private Offers in AWS Marketplace

The AWS Marketplace seller private offer feature enables customers to receive product pricing and end user license agreement (EULA) terms that aren’t publicly available from a seller or channel partner. You negotiate pricing and terms with the seller, and the seller creates a private offer for your AWS account. Private offers enable you to foster and maintain relationships with your preferred Independent Software Vendors (ISV) or sellers. Private offers have pricing and licensing terms tailored to your organization, so you can negotiate custom terms of use for a specific price and duration. The ability to view and accept private offers is governed by your AWS Identity and Access Management (IAM) permissions.

In this blog post, I will show how to search for and select products available in AWS Marketplace. I will also show how to receive and accept private offers and how to scale your private offers using managed entitlements for AWS Marketplace through AWS License Manager. I also show how to enhance security using a delegated administrator account rather than a management account to distribute license entitlements to users in your organization.

A. Searching for and selecting products

To search for products that suit your business needs, in the AWS Marketplace main search bar, enter the seller or product name in the search field. Below the search bar, you can also filter products by category, delivery method, and pricing plans. The AWS Marketplace catalog offers products with different delivery methods, such as Amazon Machine Images (AMIs), container-based, Software as a Service (SaaS), professional services, machine learning, and data products. Alternatively, you can use the top navigation in the upper left to browse categories, delivery methods, or solutions.

A few tips when discovering and selecting products:

  • AMI, container, and data products For AMI, container, and data products, you must identify the accounts where the product will be deployed.
  • SaaS products For SaaS products, you will be granted access to the software in the seller’s AWS environment.
  • Pricing For all products, you can find the pricing dimensions and fees in the listing’s Pricing tab.
  • EULA You can find the end users license agreement (EULA) for all products in the listing on the Usage Information tab.

B. Receiving, accepting, and scaling private offers

1. Receiving private offers

Before you ask a seller for a private offer, consider the following.

Private offers to management accounts are visible to all member accounts. With certain IAM permissions, multiple member accounts can subscribe to a management account’s private offers. Each member account that accepts the private offer results in a charge of the upfront cost associated with the private offer. To avoid duplicate charges, target your private offer accordingly.

  1. Custom payment schedule If you plan to use a custom payment schedule, your AWS account must be in invoicing terms with AWS. You can get more details on switching your account to invoicing terms from this tutorial video, How do I switch a customer to invoicing terms?
  2. Know how many accounts you plan to deploy to For AMI, container-based, and data products, your ask of the seller will vary based on how many accounts you plan to deploy the product into.
    • Multiple accounts in one organization If you plan to deploy the products into multiple accounts in one organization, ask the seller to extend the private offer to a member account, which will act as delegated administrator for AWS License Manager. To set up delegated administrator, follow step C. You can then distribute license entitlements to your member accounts within your organization.
    • Multiple accounts in more than one organization If you want to deploy to accounts in more than one organization, extend the private offer to the delegated administrator account for AWS License Manager from each of the organizations. You will be billed for every private offer acceptance.
    • Single member account If you plan to deploy a product only to a member account, ask the seller to target the private offer to that member account.
  1. For SaaS products For SaaS products, you can target a member account, since entitlements are not distributed.

2. Accepting private offers

To accept private offers, do the following:

  1. Set up IAM permissions
    IAM permissions govern the acceptance of and subscription to private offers of products available in AWS Marketplace. You have two options for IAM permissions that allow you to accept private offers.
    • AWS managed policies If you are using AWS managed policies to manage subscriptions, use AWSMarketplaceManageSubscriptions. You can find out more about AWS managed policies in the reference guide.
    • Individual IAM actions If you prefer to use individual IAM actions, associate aws-marketplace:ViewSubscriptions and aws-marketplace:ListPrivateListings to view and aws-marketplace:Subscribe to subscribe to private offers.
  1. Viewing and accepting private offers
    • To view your private offer, once you have one of the permissions listed in step 1, log in to your AWS account where you received the private offer. Navigate to AWS Marketplace and then from the left sidebar, choose Private offers. This takes you to your Private offers page.
    • To access a private offer’s details, choose the Offer ID. Review the product terms and conditions, pricing, payment schedule, and other details. To accept the offer, configure the contract, if applicable, and choose Create Contract (depending on the type of product and offer, this button may be labeled Accept Contract, Accept Terms, or Subscribe). Once you accept the offer, the offer becomes an agreement.
    • To view your agreements, navigate to the Private offers page by going to the left sidebar and choosing Private offers. On the top of the center pane, choose the Accepted and expired offers tab.

3. Scaling private offers: enable managed entitlements for AWS Marketplace

For AMI, container, and data products, each AWS Marketplace subscription creates a license in AWS License Manager. If you are using AWS License Manager for the first time, you will be prompted to configure permissions for AWS License Manager. You can read more about enabling the AWS Marketplace and AWS License Manager integration in the documentation.

To view your license details, log in to your AWS account you accepted private offer in and navigate to AWS License Manager. To see your list of granted licenses, in the left sidebar, choose Granted licenses. In the center pane under the License summary tab, scroll down to the Products section.

You can then distribute these license grants to individual accounts in AWS Organizations, to your organizational units (OUs), or to your entire AWS organization. This can be done using the Managed Entitlements feature.

Managed entitlements for AWS Marketplace enables you to distribute and activate software license entitlements acquired in AWS Marketplace through AWS License Manager. Administrators can use AWS License Manager to automate the distribution and activation of software entitlements to end users and workloads across accounts in AWS Organizations. Managed entitlements makes it easier to ensure licenses are being used effectively across the organization. Further, if a license grant was distributed to an AWS organization or an organizational unit, as account(s) join (or leave) the AWS organization and organizational unit, accounts automatically gain or lose access to the product.

To enable this feature, do the following:

  1. Log into your AWS Organizations management (payer) account.
  2. Navigate to the AWS Marketplace console Settings page.
  3. On the top right, select Configure integration for AWS Organizations integration.
  4. Check the box next to Enable trusted access across your organization and AWS Marketplace license management service-lined role for this account. In the lower right, choose Create integration.

This integration creates a trust between AWS Organizations and AWS License Manager to AWS Marketplace to distribute licenses for your subscriptions across all accounts in your organization.

C. To distribute licenses from member account, enable Delegated Administrator feature

Delegated Administrator is a feature that enables license administrators to manage and distribute licenses across AWS accounts, organization, or organizational units from a delegated member account in the organization. Enabling this also enhances security by minimizing use of your management account. For those reasons, I recommend using delegated administrator for AWS License Manager.

To enable delegated administrator, do the following:

  1. Log into your AWS Organizations management account.
  2. Navigate to the AWS License Manager Settings page.
  3. On the top right, select Register delegated administrator.
  4. For Account ID, choose the member account you want act as delegated administrator. Check the box next to I grant AWS License Manager permissions to enable service across in AWS Organizations.
  5. In the lower right, choose Register.

You can now manage, activate, and distribute license entitlements through your member account rather than your management account.

D. Distributing license entitlements

To distribute, activate software license entitlements in an organization, do the following:

  1. Log in to your delegated administrator member account. Navigate to the Granted licenses page in AWS License Manager.
  2. In the center pane under the License summary tab, scroll to the Products section. Choose the Product SKU line item for which you want to distribute licenses.
  3. From the Aggregated licenses tab, choose the License ID.
  4. In the lower right, choose Create grant.
  5. Enter name of grant and choose a member AWS account ID, an AWS Organizations ID, or an AWS organizational Unit.
  6. Choose Create grant.

Once you distribute an entitlement to an account, the product description page shows a banner that a license entitlement has been shared to that account. The following screenshot shows an entitlement banner indicating that the account has access to a product. It also has links for the user to view their subscriptions and share access to it through AWS License Manager.

You have now successfully shared license entitlement to AWS account(s) and users with right IAM permission can continue to subscribe and configure the product.

Conclusion

In this blog post, I showed how to search for and select products available in AWS Marketplace and how to receive and accept private offers. I also showed how to scale your private offers using managed entitlements and how to enhance security using a delegated administrator account to distribute license entitlements.

Next steps

To learn more about product offer upgrades, renewals and, modifying exiting private offers you can refer to the AWS Marketplace Buyers guide.

To associate a purchase order to ensure your AWS invoices for AWS Marketplace purchases reflect the proper purchase, you can use purchase order features. Learn about enabling and using the feature in this Managing your AWS Marketplace spend with purchase order features blog post.

About the author

soumya-vangaSoumya Vanga is a Specialist Solutions Architect focusing on AWS Marketplace helping customers govern their cloud environments. Outside of work, she enjoys building Legos and cycling with her kids.