Controlling access to a well-architected Private Marketplace using IAM and AWS Organizations
At re:Invent 2018, AWS announced Private Marketplace, a feature that helps customers govern third-party software procurement from AWS Marketplace. In this post, I share some best practices that help you follow the principle of least privilege and implement access control using IAM and service control policies (SCPs) in AWS Organizations to set up a well-architected Private Marketplace.
To create a Private Marketplace, you must first enable it for your organization. To do so, log in to your AWS management account. This is the only step in the Private Marketplace setup that requires the management account; you can perform every other action from any AWS account whose principal has the necessary AWS Identity and Access Management (IAM) permissions.
Navigate to the Private Marketplace getting started page. In the middle of the page, choose Create Private Marketplace. If your organization already has a Private Marketplace enabled, you are automatically redirected to the Private Marketplace administrator’s page.
An example of a well-architected Private Marketplace
This post shares an example using AWS Organizations set up with three organizational units (OUs): shared services, workloads, and deployments. The shared services OU contains a shared services account with an IAM role called procurement-manager, which administers the Private Marketplace. The teams under the deployments OU have different requirements and toolkits and need a different set of curated AWS Marketplace products, so the administrator assigns their account group a separate Private Marketplace experience curated for their use.
The following diagram shows the account access relationships for such a well-architected Private Marketplace. It depicts the application of different Private Marketplace experiences in the organization.
Attaching the AWS managed policy AWSPrivateMarketplaceAdminFullAccess to the procurement-manager role gives it the permissions needed to create one or more Private Marketplace experiences, enable or disable an experience, add or remove products in an experience, and change the visual appearance of your company's Private Marketplace page.
Manage multiple Private Marketplace catalogs
AWS Marketplace lets administrators create distinct curated sets of third-party products for different groups of accounts in their organization. This extends Private Marketplace so administrators can scale software governance across diverse teams, which increases agility and shortens the software procurement process for their users.
Because distributed teams have their own AWS Marketplace solution requirements, an administrator can create a separate Private Marketplace experience for each of them. A single experience can govern one or more accounts in your organization. To manage this, you create account groups and associate each group with an experience.
In our example, the organization’s procurement administrator creates two separate Private Marketplace experiences.
The general Private Marketplace experience is associated with an account group containing the organization's root ID. That makes it the default experience for every account in your organization that is not associated with another account group.
The DevOps Tools Marketplace experience contains a list of preapproved products from the AWS Marketplace catalog for the teams under the deployments OU.
This approach helps divide responsibilities between the procurement teams and the builder teams. The procurement team adds or removes products from the Private Marketplace. Developers and operations staff can use the self-service software deployment of approved products. They can also request for new products to be added using the manage user requests functionality.
Applying an SCP
As an additional control, I applied an SCP to all the organizational units in this example organization to restrict Private Marketplace administration access to an IAM role called procurement-manager. This guardrail prevents every other IAM role, user, or group from reaching the Private Marketplace administration page, including administrators in any of the accounts under these OUs. Two caveats apply: SCPs never affect principals in the management account, and the SCP identifies the exempt role by name, so anyone who can create or assume a role named procurement-manager in a member account is exempt as well. Control who can create or assume that role.
The SCP attached to each OU in this example denies the Private Marketplace administration actions unless the calling principal's ARN is the procurement-manager role.
Add an approval workflow for every software purchase from your Private Marketplace
At AWS re:Inforce 2019, we announced the Procurement System Integration. This feature lets you integrate AWS Marketplace with procurement systems through an industry-standard open communication protocol, Commerce XML (cXML). With this feature, builders can find, buy, and deploy from thousands of solutions quickly, and procurement teams can streamline approvals and manage spend directly from their procurement system.
You can configure the integration of AWS Marketplace and your Coupa or SAP Ariba procurement software. You can watch this demo from re:Inforce 2019 to learn how this integration works with Coupa Software.
Restrict every software purchase from your Private Marketplace to a procurement manager
In some rare cases, customers ask whether AWS can restrict the purchase of approved software to the procurement manager as well. This approach can cause developer friction because it removes self-service purchasing. If it is required, you can extend the organizational SCP from the previous section so that it also denies subscribing to products unless the principal is the procurement-manager role.
In this case, your developers can deploy software from AWS Marketplace only when a procurement-manager role purchases the software in the developer’s account.
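The following is an added example, not code from the original post. It writes out the OU-level SCP described in the Applying an SCP section together with the optional purchase-restriction statement from this section, and pairs it with a small evaluator that shows which principals each statement denies. The role name procurement-manager and the account IDs are the post's illustrative values; the Private Marketplace action names are assumed from the aws-marketplace IAM namespace and should be checked against the current AWSPrivateMarketplaceAdminFullAccess policy; the evaluator implements only the IAM semantics this policy needs (Deny statements, Action wildcards, and StringNotLike on aws:PrincipalArn), not the full IAM evaluation logic.

```python
"""Added example (not from the original post): the OU-level SCP as a policy
document, plus a minimal evaluator that shows which principals it denies.

Assumptions: the role name and account IDs are illustrative; the action names
are assumed from the aws-marketplace IAM namespace and should be verified
against the current managed policy; only the IAM semantics this policy uses
are implemented (Deny, Action wildcards, StringNotLike on aws:PrincipalArn)."""
import fnmatch
import json

# Both statements exempt a role named procurement-manager in any account of
# the organization; every other principal calling these actions is denied.
_ONLY_PROCUREMENT_MANAGER = {
    "StringNotLike": {"aws:PrincipalArn": "arn:aws:iam::*:role/procurement-manager"}
}

SCP_DOCUMENT = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {   # Statement from the "Applying an SCP" section.
            "Sid": "DenyPrivateMarketplaceAdminExceptProcurementManager",
            "Effect": "Deny",
            "Action": [
                "aws-marketplace:AssociateProductsWithPrivateMarketplace",
                "aws-marketplace:DisassociateProductsFromPrivateMarketplace",
                "aws-marketplace:StartPrivateMarketplace",
                "aws-marketplace:StopPrivateMarketplace",
                "aws-marketplace:UpdatePrivateMarketplaceSettings",
                "aws-marketplace:DescribePrivateMarketplaceSettings",
            ],
            "Resource": "*",
            "Condition": _ONLY_PROCUREMENT_MANAGER,
        },
        {   # Optional statement from the "Restrict every software purchase" section.
            "Sid": "DenyPurchaseExceptProcurementManager",
            "Effect": "Deny",
            "Action": ["aws-marketplace:Subscribe"],
            "Resource": "*",
            "Condition": _ONLY_PROCUREMENT_MANAGER,
        },
    ],
})


def _matches(pattern, value, ignore_case=False):
    """IAM wildcard match: '*' is any run of characters, '?' one character.
    Action names match case-insensitively; String* conditions are case-sensitive."""
    if ignore_case:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def _string_not_like(patterns, value):
    """StringNotLike is true when the value matches none of the patterns.
    IAM also evaluates a negated operator as true when the key is absent."""
    if value is None:
        return True
    patterns = patterns if isinstance(patterns, list) else [patterns]
    return not any(_matches(p, value) for p in patterns)


def scp_denies(policy_json, action, context):
    """Return the Sid of the first Deny statement that applies, or None.

    An SCP only filters: an applicable Deny overrides any IAM Allow in the
    member account, and a None result still needs an IAM Allow to succeed.
    Only the StringNotLike operator is understood; others are ignored here."""
    ctx = {k.lower(): v for k, v in context.items()}
    for stmt in json.loads(policy_json)["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(_matches(p, action, ignore_case=True) for p in actions):
            continue
        checks = [_string_not_like(pats, ctx.get(key.lower()))
                  for op, pairs in stmt.get("Condition", {}).items()
                  if op == "StringNotLike" for key, pats in pairs.items()]
        if all(checks):
            return stmt["Sid"]
    return None


# Constructed principals: the procurement-manager role, an ordinary account
# administrator, a look-alike role name, and a procurement-manager role
# created under an IAM path (its ARN includes the path, so it is NOT exempt).
PRINCIPALS = {
    "procurement-manager": "arn:aws:iam::111122223333:role/procurement-manager",
    "account-admin": "arn:aws:iam::111122223333:role/OrganizationAccountAccessRole",
    "look-alike": "arn:aws:iam::111122223333:role/procurement-manager-dev",
    "with-path": "arn:aws:iam::444455556666:role/procurement/procurement-manager",
}


def evaluate_examples(action):
    """Map each constructed principal to the Sid that denies it, or None."""
    return {name: scp_denies(SCP_DOCUMENT, action, {"aws:PrincipalArn": arn})
            for name, arn in PRINCIPALS.items()}


if __name__ == "__main__":
    for act in ("aws-marketplace:StartPrivateMarketplace",
                "aws-marketplace:Subscribe",
                "aws-marketplace:ViewSubscriptions"):
        print(act, evaluate_examples(act))
```

Running the block shows that only the procurement-manager role escapes both Deny statements, that a look-alike name such as procurement-manager-dev and a role created under an IAM path are still denied because aws:PrincipalArn must match the whole pattern, and that actions the SCP does not name (such as viewing existing subscriptions) are untouched, which is what keeps the builder teams' self-service deployment working.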
Best practices for managing organizations
The preceding techniques help you build a well-architected Private Marketplace, but make sure to also follow these best practices in your organizations to provide a well-architected setup:
- Monitor activity in the management account using AWS CloudTrail. SCPs do not apply to any principal in the management account, including its root user.
- Do not create roles such as the Private Marketplace administrator in the management account unless necessary, because the SCP guardrails cannot constrain them there.
- Follow the principle of least privilege for all IAM entities.
- Test controls on a single AWS account first.
- Avoid mixing allow and deny SCPs. (I used deny in the preceding example.)
In this post, I showed how to implement a well-architected Private Marketplace to add governance and controls for software procurement in your organization and manage access control using AWS IAM and organizational SCPs.
About the author
Sagar Khasnis is a Partner Solutions Architect focusing on AWS Marketplace, AWS Service Catalog, and AWS Control Tower. He is passionate about building innovative solutions using AWS services to help customers achieve their business objectives.