How AWS Marketplace features help you govern and manage software purchases for your organization
With the launch of Managed entitlements and multiple Private Marketplace catalogs, AWS Marketplace administrators can improve their procurement governance and license tracking. In this blog post, Murphy and I discuss how you can use Private Marketplace and Managed entitlements together to centralize your purchasing and license distribution in AWS Marketplace.
Private Marketplace provides granular governance by enabling administrators to create unique sets of approved products available in AWS Marketplace. Administrators can approve products to purchase for different AWS accounts in their AWS Organizations. Users can find and deploy products that have been approved for their use. For products not approved, users can submit requests directly in AWS Marketplace. Those requests ask their administrator to add the product to their list of approved products for subscription. Private Marketplace can be managed from the AWS Marketplace website or via APIs.
Managed entitlements for AWS Marketplace help buyers automatically create licenses corresponding to product subscriptions across the AWS Marketplace catalog of more than 8,000 offerings. This gives buyers account-level visibility into their licenses procured in AWS Marketplace. It also provides the ability to manage and distribute access rights or entitlements to Amazon Machine Images (AMIs), containers, and machine learning (ML) licenses. Customers can manage their license entitlements in the Granted Licenses section of the AWS License Manager console or via APIs.
Using Private Marketplace and Managed entitlements together provides organizations the flexibility to layer control and governance in AWS Marketplace. You can use the features to govern subscriptions and distribute entitlements resulting from the subscription to align to your organization’s policies and structure. Whether you’re an organization with a centralized cloud governance team or have a distributed governance model across your business units or teams, you can separate duties across your organization’s users. This flexibility in governance removes the need for blanket permissions and policies to approve and subscribe in AWS Marketplace. It empowers users to act within their responsibilities in AWS Marketplace.
This solution walks you through how to use Private Marketplace and Managed entitlements together to meet your organization’s software governance needs. We provide a detailed example of a fictitious organization to describe how to use these features in practice in centralized and distributed governance models.
The following list describes the user roles in the example. In your organization, an individual might be responsible for one or more of these roles.
- Private Marketplace administrator – Creates and curates Private Marketplace catalogs, including adding and removing approved products from the AWS Marketplace catalog. For more information, see Creating a private marketplace administrator in the AWS Marketplace Buyer Guide.
- AWS Marketplace purchaser – Subscribes in AWS Marketplace to create and complete a subscription of a product. When making the subscription, the AWS Marketplace purchaser is agreeing to the provider’s terms (the end user license agreement or EULA) and pricing. An AMI, container, ML, or SaaS product subscription automatically creates a license. A license represents your subscription and entitlement (right to use a product) to an AWS Marketplace product in AWS License Manager after subscribing. For more information, see Controlling access to AWS Marketplace subscriptions in the AWS Marketplace Buyer Guide.
- License grantor – Manages, tracks, and enables access to AMIs, containers, and ML products for end users. A license grantor creates a grant by sharing license entitlement access to other accounts in their AWS Organization. This gives other accounts the ability to activate and use the license. This user operates in the account that receives a license from the corresponding subscription and can subsequently grant entitlements to that license to other accounts in their AWS Organization. For more information, see Sharing subscriptions in an organization in the AWS Marketplace Buyer Guide.
- End user – Requests an AWS Marketplace product within Private Marketplace to build and innovate on behalf of their organization. For more information, see Actions, resources, and condition keys for AWS Private Marketplace in the Service Authorization Reference.
You can manage user and account access through a set of IAM permissions as well as service control policies (SCPs). To learn more about using SCPs in Private Marketplace, see Controlling access to a well-architected Private Marketplace using IAM and AWS Organizations on the AWS Marketplace blog.
Using these controls, users’ permissions are tailored to their specific needs. We recommend using the AWS management account to subscribe and grant entitlements to access additional governance features enabled for entitlement distribution.
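One way to check that role policies keep these duties separate, as an added example that is not from the original post or from AWS. The IAM action names are real; the mapping of actions to duties, the role names, and the sample policies are assumptions constructed for illustration, and the check looks only at Allow statements, not at Deny statements, conditions, or SCPs.

```python
import fnmatch

# Duty -> IAM actions that confer it. The grouping is this example's
# assumption, mirroring the roles listed above.
DUTIES = {
    "private_marketplace_admin":
        {"aws-marketplace:AssociateProductsWithPrivateMarketplace"},
    "purchaser": {"aws-marketplace:Subscribe"},
    "license_grantor": {"license-manager:CreateGrant"},
    "end_user": {"aws-marketplace:CreatePrivateMarketplaceRequests"},
}

def as_list(value):
    return value if isinstance(value, list) else [value]

def allowed_patterns(policy):
    """Lower-cased Action patterns from Allow statements (Deny/conditions ignored)."""
    return [action.lower()
            for stmt in as_list(policy.get("Statement", []))
            if stmt.get("Effect") == "Allow"
            for action in as_list(stmt.get("Action", []))]

def duties_held(policy):
    """Duties a policy confers (action names are case-insensitive, * matches)."""
    patterns = allowed_patterns(policy)
    return {duty for duty, actions in DUTIES.items()
            if any(fnmatch.fnmatchcase(a.lower(), p)
                   for a in actions for p in patterns)}

def audit(policies, expected):
    """Map each role to the duties it holds beyond those expected of it."""
    findings = {}
    for role, policy in policies.items():
        extra = duties_held(policy) - set(expected.get(role, ()))
        if extra:
            findings[role] = sorted(extra)
    return findings

# Constructed sample policies; role names are hypothetical.
POLICIES = {
    "pmp-admin": {"Statement": [{"Effect": "Allow", "Resource": "*", "Action":
        "aws-marketplace:AssociateProductsWithPrivateMarketplace"}]},
    "license-grantor": {"Statement": [{"Effect": "Allow", "Resource": "*",
                                       "Action": "license-manager:*"}]},
    "prod-end-user": {"Statement": {"Effect": "Allow", "Resource": "*",
                                    "Action": ["aws-marketplace:*"]}},
}
EXPECTED = {"pmp-admin": ["private_marketplace_admin"],
            "license-grantor": ["license_grantor"],
            "prod-end-user": ["end_user"]}
```

Calling `audit(POLICIES, EXPECTED)` reports only `prod-end-user`, whose blanket `aws-marketplace:*` grant also confers the purchaser and Private Marketplace administrator duties.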
With Private Marketplace and Managed entitlements, you have the flexibility to tailor these features to the governance needs of your organization. The following chart shows the permissions associated with each role, with the roles on the y axis and the permissions on the x axis. The chart shows the following:
- Creates Private Marketplace – A Private Marketplace administrator can manage one or more Private Marketplace catalogs, each with the ability to be tailored with sets of approved products specific to the needs of the associated AWS accounts.
- Requests software for approval – End users using Private Marketplace can easily find the products approved for their use and request AWS Marketplace products to be approved in their Private Marketplace catalog.
- Approves software and adds product to Private Marketplace – A Private Marketplace administrator approves the requested product, adding it to the Private Marketplace catalog.
- Accepts terms and makes purchases – An AWS Marketplace purchaser, who can also be the end user, depending on IAM permissions, subscribes to the approved product.
- Grants license to end user – Once an AWS Marketplace subscription occurs, License grantors can manage license access (via UI or API) by granting entitlements to end user accounts. They can also view and track licenses across those granted accounts based on activation status.
- Product enabled for use – End user accounts who receive a granted license can launch software without the need for additional subscription and approvals.
In this section, we show how you can use Private Marketplace and Managed entitlements to meet an organization’s software governance needs.
In our example, the organization manages software and infrastructure by using a structure of development, test, and production accounts. The software procurement and governance postures vary based on the intended environments. The development and test environments have fewer limitations, approvals, or constraints, allowing for more experimentation with free trials and proof of concepts. The software procurement and deployments in a production environment require strict governance and approvals.
Step 1: Identify your Private Marketplace administrator
In this example, product approval is managed centrally by the Private Marketplace administrator, who ensures that the products approved in each environment’s Private Marketplace adhere to the organization’s policies. This Private Marketplace administrator can be an individual in your procurement, sourcing, cloud center of excellence, or another governing team. Our Private Marketplace administrator for this scenario is Priya. Here’s how to create a Private Marketplace administrator.
Step 2: Have your Private Marketplace administrator set up multiple Private Marketplaces
Each Private Marketplace contains approved products specific to your development, test, and production environments. For example, your development and test Private Marketplace catalogs might contain a larger list of approved products compared to your production Private Marketplace, which contains a smaller subset of the approved products that have been vetted and approved for the production environment. Here’s how to create and manage your Private Marketplaces.
In our scenario, Priya set up Private Marketplace catalogs for her development and test environments. They each contain free, free trial, and bring your own license (BYOL) products. The Private Marketplace catalog for Priya’s production environment contains the approved products vetted in the development and test environments. This includes paid products that might contain a private offer that includes the organization’s custom terms and pricing.
Step 3: Identify your AWS Marketplace purchaser or purchasers
An AWS Marketplace purchaser has permissions to subscribe to products that are made available through your Private Marketplaces. You can define a single AWS Marketplace purchaser across all environments or allow individual purchasers to subscribe as needed across environments. Here’s how to create permissions and control access to your Private Marketplaces.
In our scenario, Priya gave end users working in the development and test environments permission to subscribe to the products approved in their governing Private Marketplace catalogs. In the production environment, Priya limited the AWS Marketplace purchaser role to just four individuals: Lily, Ken, Fatima, and Abe. In our scenario, these four purchasers in production are procurement managers who act as officers of the organization, authorized to transact and accept legal terms on its behalf.
Using this model, Priya’s end users gain autonomy to use products approved in their Private Marketplace while her central governing team maintains control over AWS Marketplace purchases.
Step 4: Identify your license grantor
License grantors can create grants for AMIs, containers, and ML products to end-user accounts across development, test, and production environments. A license grantor typically resides on the central IT team and is responsible for account and infrastructure management. Here’s how to share and grant licenses to end-user accounts.
A license grantor grants necessary base AWS Marketplace products such as operating systems and security firewalls across all accounts in development, test, and production. This ensures that every account has been centrally set up and provisioned with the appropriate software. Then the license grantor can work alongside the AWS Marketplace purchaser in the production environment to track, manage, and govern who gets access to additional licenses across their production accounts. Managed entitlements simplify the processes by offering a set of APIs that enable programmatic license access and provisioning. In our scenario, Chris is the license grantor from IT.
Using this model, license grantors can maintain governance and management over the repeatable software deployed across all accounts.
Step 5: Manage end-user software requests
Using the Private Marketplace software request functionality, end users in each environment can request software to be added to the Private Marketplace catalog governing the specific environment that they’re working in. In our scenario, Priya receives the request in the Private Marketplace administrator portal. She can provide access in one of two ways:
- The product requested is new, and the vendor or product needs to be approved. In our scenario, Priya adds it to the Private Marketplace. Lily, Ken, Fatima, or Abe can then proceed with the software subscription.
- The product requested is already procured, and Chris can simply grant the license to the requesting account.
Priya benefits from directing the end user to the correct testing process. In our scenario, an end user requests a product to be added to her Private Marketplace in the production environment. Priya can direct the end user to vet the product in the development and test environment first. She gives the end user permission to subscribe in the development environment. When the product is vetted for production, Lily, Ken, Fatima, or Abe can subscribe on behalf of the organization.
Step 6: Layer purchasing permissions
You could add an additional layer of purchasing control by using a single Private Marketplace to create a curated catalog for all AWS Marketplace subscriptions. You could enable three AWS Marketplace purchasers to make purchases on behalf of each environment. Then, using Managed entitlements, a license grantor distributes licenses across the accounts within each environment. This model adds a layer of purchasing controls while also empowering distributed teams to own purchasing and distribution of AWS Marketplace products for their specific environments.
As shown in the scenario, we used Private Marketplace and Managed entitlements to ensure governance of AWS Marketplace purchases while also empowering end users to obtain products to innovate. Each feature provides flexibility in controls. For example, if you don’t have a centralized governance team, such as a procurement department, or want to distribute product approval throughout your business units, you can set up multiple Private Marketplace administrators to govern their specific area of responsibility.
Using our APIs for programmatic approvals
Additionally, both Private Marketplace and Managed entitlements offer APIs for programmatic approval and license distribution. Using the APIs, you can connect to your existing approval or ticketing systems to enable greater visibility of approved products to end users and streamline new requests and approvals using your system of choice. Using the managed entitlement APIs, you can automate distribution of entitlements. For example, upon account creation, linked accounts can automatically be granted AWS Marketplace entitlements, reducing the wait time and increasing agility for end users.
AWS Marketplace continues to innovate to help you govern and manage access to your product purchases. Whether your organization is working in a centralized or distributed governance model or a combination of both, you can optimize flexibility and control using Private Marketplace and Managed entitlements for your various users. Those users include the Private Marketplace administrator, AWS Marketplace purchaser, license grantor, and end users. The Private Marketplace administrator, AWS Marketplace purchaser, and license grantor can work together to define their governance strategy and implement the strategy for their accounts and end users. This way, you can flexibly implement these governance controls across your organization while allowing end users to get access to software more quickly and efficiently.
About the authors
Shu He, Senior Product Manager – Tech, AWS Marketplace
Shu He is a product manager based in Seattle, WA. She works with customers to design and develop products and features that make AWS Marketplace their ‘go-to’ place to find, test, buy, and use software, services, and data products. Outside of work she enjoys traveling, hiking and DIY craft/home improvement projects.
Murphy Tiggelaar, Senior Product Manager – Tech, AWS Marketplace
Murphy Tiggelaar builds and manages products and features that help customers purchase in AWS Marketplace. She loves building and launching products that enable customers to govern and customize their experience in AWS Marketplace. Murphy is located in Austin, TX, and enjoys traveling, cooking, and exploring all the great food, music, and nature that Austin has to offer.