AWS Marketplace

Creating a curated digital catalog of AWS Marketplace products in a secured multi-account environment

The enterprise customers I work with use AWS Control Tower to set up and govern their secure multi-account AWS environments. They want to enable their technology users to find, buy, and immediately start using software from AWS Marketplace to run on their environments. At the same time, they also want to restrict AWS Marketplace purchases to only allow software approved by their legal, procurement, and security teams. The Private Marketplace enables administrators to specify which AWS Marketplace software products technology users are allowed to subscribe to.

The administrator of a Private Marketplace can centrally manage this private digital catalog from their master account in AWS Control Tower. Any accounts within the Control Tower environment inherit your Private Marketplace. Your end users can only subscribe to products that have been preapproved by the administrator.

In this blog post, I walk you through the steps to create your own Private Marketplace in an AWS Control Tower environment. I show how you can enable a curated digital catalog in your secure, multi-account AWS environment built using AWS Control Tower. The curated digital catalog includes approved software products from AWS Marketplace. I also show how to grant permissions to an existing end user to subscribe to a product from a list of approved software products. If you want details on how to set up AWS Control Tower or access the multi-account environment, refer to AWS Control Tower – Set up and Govern a Multi-Account AWS Environment.

With AWS Control Tower, you can enable federated access to the accounts using AWS Single Sign-On (AWS SSO). During AWS Control Tower setup, AWS SSO is configured automatically. You create a new user, group, and permission sets in AWS SSO. This allows the administrator to manage your Private Marketplace and the end user to subscribe to and use approved software.

Additional terminology used:

  • AWS Organizations helps you centrally govern your environment as you grow and scale your workloads on AWS.
  • An Organizational Unit (OU) is a container for a set of AWS accounts.
  • The Master Account, also called Root of the Organizations, is the account that creates the organization. It is responsible for paying all the charges accrued by the member accounts.
  • The Child Account, also called a “member account,” belongs to an organization.
  • AWS Single Sign-On (SSO) is a cloud SSO service that makes it easy to centrally manage SSO access to multiple AWS accounts and business applications.


  • An AWS Control Tower Administrator is responsible for setup and governance of a secure multi-account environment. This includes the creation of federated users with proper access controls.
  • An AWS Private Marketplace Administrator is responsible for creation and maintenance of the Private Marketplace. This administrator also manages the approved list of software products for subscription across the organization.
  • The end user finds, buys, and uses software products in their individual accounts.

Solution overview:

Step 1 – Create your Private Marketplace: The AWS Control Tower Administrator uses AWS SSO to create an AWS Private Marketplace Administrator. Using this Administrator account, you can select products to be added to your Private Marketplace. Finally, you can grant permissions to end users to find, buy, and use the products from your Private Marketplace.

Step 2 – Enable your Private Marketplace: The AWS Private Marketplace Administrator enables Private Marketplace and curates the digital catalog for the rest of their organization.

Step 3 – Use your Private Marketplace: A technology or end user can find, buy, and use software products from the allowed list.

Step 1: Configure users in AWS SSO

AWS Control Tower enables federated access to the AWS accounts in your organization using AWS SSO.

In this section, you create an administrator group to manage your organization’s Private Marketplace settings. You also grant permissions to end users to subscribe to and unsubscribe from the approved list of AWS Marketplace software products.

Create an administrator group to manage Private Marketplace

Creating an AWS SSO user and granting appropriate permissions to that user involves the following three steps:

  1. Configure a permission set with required policies attached.
  2. Create an AWS SSO user and a group.
  3. Assign the permission set to the user or group.

Following are the step-by-step instructions.

1. Configure a permission set to manage Private Marketplace

  • Log in to your master account as AWS Control Tower Administrator and select the Region in which you launched the AWS Control Tower. Under Find Services, search for SSO and select AWS Single Sign-On.
  • On the left sidebar, select AWS accounts, select the Permission sets tab, and choose Create permission set.
  • Under How do you want to create your permission set? section, select Create a custom permission set.
  • Type in PrivateMarketplaceAdmin for Name, AWS Private Marketplace Administrator Role for Description.
  • Leave default Session duration of 1 hour. Under Relay state, type in The relay state redirects the user directly to Private Marketplace when they log in to the account.
  • Under What policies do you want to include in your permission set?, choose Attach AWS managed policies.
  • Scroll down to Attach AWS managed policies section. In the Search bar, type in PrivateMarketplace, select AWSPrivateMarketplaceAdminFullAccess, and select Create.

2. Create an AWS SSO user/group

  • On the left sidebar, select Directory, and select the Groups tab.
  • Choose Create group. Under Group Name, type in PrivateMarketplaceAdminGroup and under Description, type in Admin rights to Private Marketplace.
  • Select the Users tab and choose Add user to create a new user.
  • Fill out the form as needed and choose Next: Groups.
  • Check the newly created Group PrivateMarketplaceAdminGroup and select Add user.
  • Depending on the options selected, the login details, including the temporary password, are displayed on the screen or sent to the user’s registered email address. Write down this information for future reference.

3. Assign the permission set to a group

  • On the left sidebar, select AWS accounts.
  • In the AWS organization tab, choose Root, select the AWS Control Tower administrator, and select Assign users.
  • In the Select users or groups screen, select the Groups tab, select PrivateMarketplaceAdminGroup, and choose Next: Permission sets.
  • In the Select permission sets screen, select PrivateMarketplaceAdmin and choose Finish to complete the operation.

You successfully created an AWS SSO user, group, and permission set. Also, you assigned appropriate permissions for the AWS SSO user to create and manage your Private Marketplace.

Grant permissions to end users

In this section, you grant permissions to an existing AWS SSO user to subscribe, unsubscribe, or view the subscriptions. Creating an AWS SSO user group and permission set is out of scope for this blog. Please refer to How to create and manage users within AWS Single Sign-On to create a user group and permission set called AWSMarketplaceUsers. Refer to How to create and manage users within AWS Single Sign-On for additional help with creating users.

  • While you are still logged in to AWS SSO Console as AWS Control Tower Administrator, on the left side bar, choose AWS accounts.
  • In the AWS Accounts screen, select Permission sets tab and choose the permission set that you want to grant permissions to. In this case, I am using AWSMarketplaceUsers.
  • Under the Permissions tab, select Attached managed policies.
  • In the Search bar of the Attach AWS managed policies screen, type AWSMarketplaceManageSubscriptions.
  • Select the listed policy and choose Attach policies.
  • Select AWS Account to select all listed AWS Accounts, click on Reprovision, and wait for the Complete screen to appear.

You successfully granted permissions to an existing AWS SSO user. That user can now subscribe, unsubscribe, or view subscriptions from your approved list of AWS Marketplace products. The user now has these permissions to all the AWS accounts they access through this permission set.
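A check on the result of Step 1, as an added example that is not part of the original post: it reads every permission set through the AWS SSO admin API and reports any place where the split between catalog administration and subscription management differs from what the steps above configure. The function names are illustrative, and the AWS SSO instance ARN is an input you supply.

```python
ADMIN_POLICY = "AWSPrivateMarketplaceAdminFullAccess"  # catalog administration
USER_POLICY = "AWSMarketplaceManageSubscriptions"      # subscribe / unsubscribe
ADMIN_SET = "PrivateMarketplaceAdmin"                  # permission set names from this post
USER_SET = "AWSMarketplaceUsers"


def _paged(call, key, **kwargs):
    """Yield items from a NextToken-paginated sso-admin list call."""
    while True:
        page = call(**kwargs)
        yield from page.get(key, [])
        if not page.get("NextToken"):
            return
        kwargs["NextToken"] = page["NextToken"]


def permission_set_policies(sso_admin, instance_arn):
    """Map each permission set name to its attached AWS managed policy names."""
    result = {}
    for arn in _paged(sso_admin.list_permission_sets, "PermissionSets",
                      InstanceArn=instance_arn):
        ids = {"InstanceArn": instance_arn, "PermissionSetArn": arn}
        name = sso_admin.describe_permission_set(**ids)["PermissionSet"]["Name"]
        result[name] = {p["Name"] for p in _paged(
            sso_admin.list_managed_policies_in_permission_set,
            "AttachedManagedPolicies", **ids)}
    return result


def audit(policies_by_set):
    """Return findings where the admin/subscriber split from Step 1 is broken."""
    findings = []
    for name, policies in sorted(policies_by_set.items()):
        if ADMIN_POLICY in policies and name != ADMIN_SET:
            findings.append(f"{name}: unexpected {ADMIN_POLICY}")
    if ADMIN_POLICY not in policies_by_set.get(ADMIN_SET, set()):
        findings.append(f"{ADMIN_SET}: missing {ADMIN_POLICY}")
    if USER_POLICY not in policies_by_set.get(USER_SET, set()):
        findings.append(f"{USER_SET}: missing {USER_POLICY}")
    return findings


if __name__ == "__main__":
    import sys
    import boto3  # run with credentials for the master account
    # argv[1]: your AWS SSO instance ARN (not given in the post)
    client = boto3.client("sso-admin")
    print("\n".join(audit(permission_set_policies(client, sys.argv[1]))) or "OK")
```

Run it again after any later change to permission sets; an empty result means only PrivateMarketplaceAdmin can curate the catalog and AWSMarketplaceUsers can manage subscriptions.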

Step 2: Enable Private Marketplace and select products

In this section, you create, enable, and configure your Private Marketplace.

Log in as Private Marketplace Administrator and enable Private Marketplace.

  • Log in to the AWS environment as Private Marketplace Administrator using the information you noted down in Step 1 under the Create an AWS SSO user/group section. Reset the password if prompted.
  • On the AWS SSO home page, select AWS Account(1) and then select <AWS-ACCOUNT-ID>(Master) to expand the options available.
  • Next to PrivateMarketplaceAdmin, select Management Console. This opens a new browser tab and redirects to the Private Marketplace home page.
  • Select the orange Create a Private Marketplace button below the description of Private Marketplace, as shown in the following screenshot.
  • On the right side of the Private Marketplace home page, toggle the switch on Private Marketplace status from Not live to Live, as shown in the following screenshot.

  • Wait for the green banner with the message Congratulations! Your Private Marketplace is now live for your organization to appear.

All your accounts in your AWS Organization now see Private Marketplace when they navigate to AWS Marketplace.

Configure your Private Marketplace

  • On the Private Marketplace home page, under Your Private Marketplace products section, select Get Started.
  • In the Search bar, type the name of an AWS Marketplace product you’d like to add to your Private Marketplace. As an example, type in CIS Benchmarking to list all available AWS Marketplace offerings.
  • Select the products you want to add. For this demo, I selected two products: CIS Windows Server 2012 Benchmark - Level 1 and Level 2. Then choose Add to Private Marketplace.
  • Adding selected products to Private Marketplace could take a few minutes. If you choose more products, it could take longer.

Step 3: Find, buy, and use an approved product as an end user

In this section, you can see how the end user can find products from the approved list of products in your Private Marketplace.

  • Log in to one of the end-user accounts using AWS SSO. Use the credentials you granted in Step 1 under the Grant permissions to end users section.
  • Type in in your browser.
  • Choose Explore your Private Marketplace.
  • On the left side bar, under Filters, Procurement, the Approved products option is selected by default. You will see only the list of approved products.
  • The approved products are marked as Approved for procurement to the right of the product description. The following example screenshot shows how approved products appear.

  • Subscribe and start using the product.

Follow the instructions in the AWS Marketplace Getting Started documentation for additional information on how to find, subscribe to, and launch products from AWS Marketplace.


In this post, I showed how to enable a Private Marketplace in a secure, multi-account AWS environment built using AWS Control Tower. I showed how to create your own Private Marketplace with a list of products that comply with your organization’s legal, procurement, and security policies. I also showed how to configure AWS SSO, which is preconfigured with AWS Control Tower, to enable a user or group to manage the catalog and subscriptions. And I showed how your end users subscribe to products in your Private Marketplace.

About the author


Kishore Vinjam is a Partner Solutions Architect focusing on AWS Marketplace, AWS Control Tower, and AWS Service Catalog. He is passionate about working in cloud technologies and working with and building solutions for customers. While not working, he likes spending time with family, hiking, playing volleyball, and playing ping-pong.