AWS Marketplace

How to improve the security of your product catalog in AWS Marketplace

Improving the resilience of your AWS Marketplace products requires a comprehensive cybersecurity plan that uses all available resources. Just as AWS delivers a secure cloud computing environment to customers, the AWS Marketplace curation process helps you as sellers identify evolving security issues that could affect our shared customers.

The AWS Marketplace scanning process regularly monitors for evolving security issues with your assets, such as Amazon Machine Images (AMIs) and Container images. If AWS Marketplace discovers a security issue with a published product, we work with you to resolve the issue quickly. We then communicate the availability of these new versions to customers through notifications.

If you are unable to fix these issues, then AWS Marketplace temporarily restricts the products from new subscribers and notifies the current subscribers of any mitigating actions they can take. This process requires a shared responsibility between AWS Marketplace and sellers that list products within the catalog.

In this post, Keegan and I will show how you’re informed of security issues found on your products, methods of keeping your products up to date, and best practices when it comes to maintaining and improving the security of your catalog.

Solution walkthrough: How to improve the security of your product catalog in AWS Marketplace

A. Managing your security notifications

AWS Marketplace runs regular security scans to identify any evolving security issues in the products you have listed in our catalog. When an issue has been identified to be potentially customer-impacting, we notify you via two channels and provide a grace period to update your listings and remove any affected versions.

1. Email notification

AWS Marketplace sellers receive an email notification from no-reply-aws@amazon.com to the root email address of your AWS seller account. This notification includes a list of the affected versions and products, provides you with a clear timeline for resolution, and gives you steps for viewing the issue details in your AWS Marketplace Management Portal.

If you don’t actively monitor your AWS root account email, then we advise that you add an additional security contact in your seller portal to receive and act on these notifications in a timely manner. To do that, log in to the AWS Marketplace Management Portal and follow these steps:

    • Navigate to the Seller Settings page.
    • Select the Notifications tab and at the bottom, choose Add email address. From here, you can add up to nine additional email addresses for notifications to be sent to.

2. In the AWS Marketplace Management Portal

Additionally, when you log into your AWS Marketplace Management Portal, you’ll see a banner informing you of any scanning issues with a link to the products where the security issues were detected. The banner appears just under the top navigation in blue.

B. Understanding your security responsibilities

It is the seller’s responsibility to resolve all security issues identified within the time frame provided. If a version of your product has been identified as impacted, refer to the following table to identify the proper action to take.

| Scenario | Action needed | Outcome | If you do not take action within the required time frame |
|---|---|---|---|
| Your product’s latest version has an issue. | 1. Submit a new version that resolves the issue. 2. Restrict the affected version. | 1. New subscribers will use the latest version. 2. Previous subscribers can continue use of the version if they want to. 3. AWS Marketplace will notify subscribers of the new version. | 1. Your product will be temporarily restricted from new subscribers. 2. Current subscribers will be notified of its removal and can continue using it if they want to. |
| Only older versions are affected. | Restrict all affected versions. | 1. New subscribers will only see the latest version. 2. Previous subscribers can continue use of the version if they want to. 3. AWS Marketplace will notify subscribers of the version restriction. | 1. The version affected will be restricted from new subscribers, and current subscribers can continue use if they want to. 2. Current subscribers will be notified of its removal and can continue using it if they want to. |
| Your product has many versions affected including your latest version. | 1. Submit a new version that resolves the issue. 2. Restrict all the affected versions. | 1. New subscribers will only see the latest version. 2. Previous subscribers can continue use of the version(s) if they want to. 3. AWS Marketplace will notify subscribers of the new version and removal of the older versions. | 1. Your product will be temporarily restricted from new subscribers. 2. Current subscribers will be notified of its removal and can continue using it if they want to. |

C. Options for addressing an issue in your product listing

If you don’t understand, need more time to fix, or want to dispute an identified security issue, you can act via your AWS Marketplace Management portal. To do this, follow these steps:

  1. Follow the link provided in the email you received or, in the top corner of the banner notification, choose the Review products button. You’ll see a list of products.
  2. In that product list, note products with a status of Public with Issues. From this list, choose the title of the affected product. This brings up the product details, along with the scanning issues identified per version of that product. The following screenshot shows the product details for one of my products that has a status of Public with issues. It shows the Overview, Product description, Promotional resources, Support information, Region availability, and Versions tab. On the Version tab, under Issue Summary, it shows a blue link labeled Scanning Issues. Under Version Name, it reads V1.0.0.

     List of all affected versions for review

  3. In the Version tab under Issue Type, choose the blue link labeled Scanning issues. This shows you the specific issues identified. From here, you have two options.

    1. Option 1 – I have resolved these scanning issues

       To choose this option, you must first take one of the following actions by following step D.1, D.2, or D.3:

      • If the latest version is affected, remove the vulnerability by adding a new version and removing the vulnerable version (step D.1).
      • If a previous version is affected, restrict the vulnerable version (step D.2).
      • If the latest version is affected, restrict the entire product (step D.3).

    2. Option 2 – I would like to initiate a support request to request an extension or get additional support

       Choose this option if you:

      • Require additional time to solve the problem and have a valid use case for requesting this.
      • Don’t understand the security problems identified and would like additional information.
      • Want to dispute a scan finding.

D. How to add new versions, restrict the entire product, or restrict the affected version

To remedy a scanning issue, refer to the chart in step B, follow steps C.1-3, and then do one or more of the following, as appropriate:

1. How to add a new version

    1. This process applies to AMI products and Container products. Open the AWS Marketplace Management Portal and sign in to your seller account.
    2. Go to the Server products page, on the Current server product tab, then select the product that you want to modify.
    3. From the Request changes dropdown, choose Add new version. The Add a new version form appears, prepopulated with the information from your most recent version.

2. How to restrict an old version

    1. This process applies to AMI and Container products. Open the AWS Marketplace Management Portal and sign in to your seller account.
    2. Go to the Server products page, on the Current server product tab, and then select the product that you want to modify.
    3. From the Request changes dropdown, choose Restrict version.
    4. On the Restrict version page, select the version (or versions) that you want to restrict.
    5. To submit your request for review, select Submit.
    6. Verify that the Requests tab shows the Request status as Under review. When the request completes, the status is Succeeded.

3. How to restrict a product

    1. This process applies to AMI and Container products. Open the AWS Marketplace Management Portal and sign in to your seller account.
    2. Choose the Products tab, and then choose Server.
    3. On your product page, under Server products, locate the product that you want to remove. From the Actions column on the Select action menu, choose Unpublish product.
    4. On the Unpublish Product page, for Request Reason, enter the reason that you’re requesting the product’s removal.
    5. (Optional) Provide a Replacement Product ID, if there is another product that will take the place of the product you are removing.
    6. For Contact Information, enter the email address that AWS can use to contact you with any questions.
    7. Review the information for accuracy, and then choose Submit Sunset Request.

Conclusion

In summary, here are the best practices we recommend for improving the security of your listings:

  • Be proactive and scan your software periodically. If you identify the issue before AWS Marketplace does, submit a new version and restrict your old version. Review the National Vulnerability Database from NIST for the latest information on common vulnerabilities and exposures (CVEs).
  • When you receive a notification that an issue has been detected, take action immediately.
  • If your engineering or security operations team has a different email, add an additional email for these notifications.
  • Practicing good version hygiene is always beneficial to you and your customers. When adding new versions, it is always advised to restrict any older version, even if you’re not vulnerable today. This encourages your buyers to always use the latest versions when launching new instances.
  • When in doubt, reach out via the AWS Marketplace Management Portal using the Contact us webform.
  • To make patching CVEs easier, we recommend having a patching pipeline that will not only speed up CVE fixes, but also help speed up the release of new versions.

In this post, we showed one of the behind-the-scenes security features of AWS Marketplace and your responsibilities in keeping the AWS Marketplace catalog safe for our shared customers. We also walked through the key steps you should take to stay informed of any security issues with your product listings.

If you have any questions, contact us via the AWS Marketplace Management Portal using the Contact us webform.

About the authors

Tuan Vo is a Marketplace Specialist Solutions Architect who focuses on supporting sellers to list their products on AWS Marketplace. He supports large enterprises and public sector customers. Outside of work, Tuan enjoys traveling, trying out new food, and going on walks.

Keegan Ackerman is a Marketplace Security Technical Product Manager who focuses on managing the AWS Marketplace security program and building secure solutions for our customers. Outside of work, Keegan enjoys spending time in the mountains on his bike, watching rugby, and spending time with family and friends.