
Controlling access to a well-architected Private Marketplace using IAM and AWS Organizations

At re:Invent 2018, AWS announced Private Marketplace, a feature that helps customers govern third-party software procurement from AWS Marketplace. In this post, I share some best practices that help you follow the principle of least privilege and implement access control using IAM and service control policies (SCPs) in AWS Organizations to set up a well-architected Private Marketplace.

To create a Private Marketplace, you must enable AWS Organizations with all features. After you set up your Private Marketplace, all the accounts in your organizations redirect to your Private Marketplace when they visit the AWS Marketplace page.

An example of a well-architected Private Marketplace

This post shares an example using AWS Organizations set up with three organizational units for shared services, retail, and technology. Each organizational unit contains a shared services account with an IAM role called procurement-manager, which administers the company’s Private Marketplace. The following diagram shows the account access relationships for such a well-architected Private Marketplace.

This IAM managed policy setup attaches the AWSPrivateMarketplaceAdminFullAccess managed policy to the procurement-manager role, which allows it to perform functions such as enabling or disabling the Private Marketplace, adding or removing products in Private Marketplace, and changing the visual appearance of the Private Marketplace page for your company.

Applying an SCP

As an additional control, I applied an SCP to all the organizational units in this example organization to restrict Private Marketplace administration access to an IAM role called procurement-manager. This prevents other IAM roles, users, or groups from accessing the Private Marketplace administration page, even administrators in any of these organizational units’ accounts.

The following sample SCP applies to each organizational unit in this example to restrict Private Marketplace administration access:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ProcurementPolicy",
      "Effect": "Deny",
      "Action": [
        "aws-marketplace:CreatePrivateMarketplace",
        "aws-marketplace:AssociateProductsWithPrivateMarketplace",
        "aws-marketplace:CreatePrivateMarketplaceProfile",
        "aws-marketplace:DescribePrivateMarketplaceProducts",
        "aws-marketplace:DescribePrivateMarketplaceProfile",
        "aws-marketplace:DescribePrivateMarketplaceStatus",
        "aws-marketplace:DisassociateProductsFromPrivateMarketplace",
        "aws-marketplace:ListPrivateMarketplaceProducts",
        "aws-marketplace:StartPrivateMarketplace",
        "aws-marketplace:StopPrivateMarketplace",
        "aws-marketplace:UpdatePrivateMarketplaceProfile"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "StringNotLike": {
          "aws:PrincipalARN": "arn:aws:iam::*:role/procurement-manager"
        }
      }
    }
  ]
}

This approach helps divide duties between the procurement teams and the developer teams. The procurement team adds or removes products from Private Marketplace. Developers can use the self-service software deployment of approved products.

Add an approval workflow for every software purchase from your Private Marketplace

At AWS re:Inforce 2019, we announced the Procurement System Integration. This feature lets you integrate AWS Marketplace with procurement systems through an industry-standard open communication protocol, Commerce XML (cXML). With this feature, builders can find, buy, and deploy from thousands of solutions quickly, and procurement teams can streamline approvals and manage spend directly from their procurement system.

You can watch this demo from re:Inforce 2019 to learn how this integration works with Coupa Software.

Restrict every software purchase from your Private Marketplace to a procurement manager

In some rare cases, customers ask if AWS can restrict the purchases of approved software to the procurement manager as well. This approach can lead to developer friction due to the limits on self-service. However, if required, you can add the following actions to the Deny statement of the organizational SCP from the previous section:

  • aws-marketplace:subscribe
  • aws-marketplace:unsubscribe

In this case, your developers can deploy software from AWS Marketplace only when a procurement-manager role purchases the software in the developer’s account.
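Before attaching the Deny SCP from this post (with or without the optional subscribe/unsubscribe actions) to an organizational unit, it helps to check offline which principals it would block. The following Python evaluator is an added example, not code from the post or from AWS: it embeds the post's SCP as a constructed sample and evaluates only its Deny statement, assuming the default FullAWSAccess allow SCP is still attached; the account IDs used in the test are made up.

```python
import re

# Constructed sample: the Deny SCP from the post, with the optional
# subscribe/unsubscribe actions from the later section appended.
ADMIN_ACTIONS = ["aws-marketplace:" + a for a in (
    "CreatePrivateMarketplace AssociateProductsWithPrivateMarketplace "
    "CreatePrivateMarketplaceProfile DescribePrivateMarketplaceProducts "
    "DescribePrivateMarketplaceProfile DescribePrivateMarketplaceStatus "
    "DisassociateProductsFromPrivateMarketplace ListPrivateMarketplaceProducts "
    "StartPrivateMarketplace StopPrivateMarketplace UpdatePrivateMarketplaceProfile "
    "subscribe unsubscribe").split()]
SCP = {"Version": "2012-10-17", "Statement": [{
    "Sid": "ProcurementPolicy", "Effect": "Deny", "Action": ADMIN_ACTIONS,
    "Resource": ["*"],
    "Condition": {"StringNotLike": {
        "aws:PrincipalARN": "arn:aws:iam::*:role/procurement-manager"}}}]}


def iam_like(pattern: str, value: str) -> bool:
    """IAM wildcard match: '*' is any run of characters, '?' one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value) is not None


def scp_denies(scp, principal_arn, action, management_account=None):
    """True if a Deny in `scp` blocks `action` for `principal_arn`.
    Assumes the default FullAWSAccess allow is still attached, so only the
    explicit Deny statements matter; for an assumed role aws:PrincipalARN is
    the role ARN, so the pattern above matches role sessions too."""
    # SCPs never restrict principals in the organization's management account.
    if management_account and principal_arn.split(":")[4] == management_account:
        return False
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        acts = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        # Action names are case-insensitive (subscribe == Subscribe).
        if not any(iam_like(a.lower(), action.lower()) for a in acts):
            continue
        arns = stmt.get("Condition", {}).get("StringNotLike", {}).get("aws:PrincipalARN")
        if arns is None:          # unconditional Deny
            return True
        arns = arns if isinstance(arns, list) else [arns]
        # StringNotLike is case-sensitive and true only when no pattern matches.
        if not any(iam_like(p, principal_arn) for p in arns):
            return True
    return False


def denied_actions(scp, principal_arn, actions):
    """The subset of `actions` this SCP would block for the principal."""
    return [a for a in actions if scp_denies(scp, principal_arn, a)]
```

The check ignores the Resource element (it is "*" here) and any other SCPs in the OU hierarchy, so treat it as a pre-flight review, not a substitute for testing in a single account as recommended below.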

Best practices for managing organizations

The preceding techniques help you build a well-architected Private Marketplace, but make sure to also follow these best practices in your organizations to provide a well-architected setup:

  • Monitor activity of the master account using AWS CloudTrail. The root user of the master account is immune to SCPs.
  • Do not add roles such as Private Marketplace administrator in the master account unless necessary.
  • Follow the principle of least privilege for all IAM entities.
  • Test controls on a single AWS account first.
  • Avoid mixing allow and deny SCPs. (I used deny in the preceding example.)

Conclusion

In this post, I showed how to implement a well-architected Private Marketplace to add governance and controls for software procurement in your organization and manage access control using AWS IAM and organizational SCPs.

If you have questions about implementing any of the solutions described in this post, start a new thread on the AWS Marketplace Discussion Forum or contact AWS Support.

About the author

Sagar Khasnis is a Partner Solutions Architect focusing on AWS Marketplace, AWS Service Catalog, and AWS Control Tower. He is passionate about building innovative solutions using AWS services to help customers achieve their business objectives.