AWS Marketplace

How to provision software available in AWS Marketplace in AWS GovCloud

Public sector customers who are looking to meet compliance mandates, such as agencies with International Traffic in Arms Regulations (ITAR) requirements or have Federal Information Processing Standards (FIPs) compliance, often choose GovCloud (US) Regions on AWS. In this post, I will give an introduction to AWS GovCloud (US), why and how to use AWS Marketplace to make your software purchases, and the benefits that come with it. In addition, I will show you how to subscribe to software available in AWS Marketplace as well as how to use AWS Marketplace in the GovCloud Regions to meet your business needs. I will also explain how managed entitlements and private offers work in AWS GovCloud (US) Regions.

About AWS GovCloud (US)

AWS GovCloud (US) are isolated AWS Regions designed to give US government customers and their partners the flexibility to architect secure cloud solutions with sensitive workloads. These Regions support the management of regulated data by restricting physical and logical administrative access and providing FIPS 140-2 endpoints. AWS GovCloud (US-East) and (US-West) Regions are operated by employees who are U.S. citizens on U.S. soil. AWS GovCloud (US) is only accessible to US entities and root account holders who pass a screening process. Customers must confirm that you will only use a U.S. user, defined as a green card holder or citizen as defined by the U.S. Department of State, to manage and access root account keys to these Regions. The AWS GovCloud (US) regions comply with the:

  • FedRAMP High baseline
  • DOJ’s Criminal Justice Information Systems (CJIS) Security Policy
  • U.S. International Traffic in Arms Regulations (ITAR)
  • Export Administration Regulations (EAR)
  • Department of Defense (DoD) Cloud Computing Security Requirements Guide (SRG) for Impact Levels 2, 4 and 5
  • FIPS 140-2
  • IRS-1075

For a list of AWS services that are available in AWS GovCloud (US), visit:

About AWS Marketplace

AWS Marketplace is a curated digital catalog that customers can use to find, buy, deploy, and manage third-party software, data, and services to build solutions. AWS Marketplace simplifies procurement, provisioning, and governance of third-party software, services, and data. Over 7,500 government agencies use AWS today. AWS Marketplace service has been available in AWS GovCloud (East) since 2016 and in AWS GovCloud (West) since 2019 to help builders access commercial software in the AWS GovCloud (US) Regions. Not all products in the AWS catalog will be available in the GovCloud (US) Regions for use. There is currently support for Amazon Machine Image (AMI) and SaaS based products in the GovCloud regions.

Solution walkthrough: How to use AWS Marketplace to purchase products for use in AWS GovCloud

AWS GovCloud customers (US) are able to launch hourly pay-as-you-go, Bring your own license (BYOL), and contract products available in AWS Marketplace via the AWS GovCloud EC2 Console. Many AWS Marketplace customers prefer to use AWS Marketplace Private Offers, Consulting Partner Private Offers, and features like AWS Managed Entitlements. These offers and features are accessed from the standard AWS account linked to your AWS GovCloud account.

Background

AWS Marketplace subscriptions are managed in the standard AWS account linked to your AWS GovCloud account. To launch AWS Marketplace products in GovCloud, you must first subscribe to the product in the standard account.

When using AWS Marketplace, AWS GovCloud is viewed as two additional Regions where you can deploy your subscribed products to; it is not a separate marketplace. It’s important to understand that GovCloud accounts are always paired to a standard AWS account and that you can only subscribe to products available in AWS Marketplace from the standard account.

To begin buying and deploying products available in AWS Marketplace to GovCloud, do the following:

A. Create an AWS GovCloud account from your standard AWS account

  1. In the AWS Management Console, sign into your standard AWS account using your root credentials.
  2. To sign up for AWS GovCloud (US), follow the steps outlined in this documentation.
    If you get the following message:
    Access to the AWS GovCloud (US) Region has been denied because you did not meet one or more of the prerequisites. Please contact AWS Customer Support if you believe you received this message in error, submit a ticket with AWS customer support so your request can be reviewed.
  3. Follow the prompts to submit your request for access. You will receive an email confirmation when AWS gets your request.
  4. When approved, you will receive another email with a link and instructions to set your Administrator password.
  5. Once completed, your new GovCloud account will be linked to your standard AWS account. There can only be one GovCloud account per standard AWS account.

B. Find and subscribe to products in AWS Marketplace

  1. In the AWS Management Console, log in to your standard AWS account and navigate to AWS Marketplace.
  2. Search for products you want to deploy into the GovCloud Regions. To do this, in the search bar, enter a keyword or product name.
    1. For AMI products, to see if the AWS GovCloud (US) Regions are available, go to the product’s Pricing tab and choose the Region dropdown. Available GovCloud Regions appear at the bottom of the list. Choose the AWS GovCloud Region you prefer.
    2. You can also filter the results for products that have the AWS GovCloud (US) Regions available. To do that, in the left navigation under Refine Results, scroll down to the Region filter. If GovCloud Regions aren’t visible and there is text indicating more Regions are available, choose the blue text Show (X) more. Select the check boxes next to either (or both) AWS GovCloud (US-West) or AWS GovCloud (US-East) Regions.
  3. Review the product’s terms and conditions. To subscribe to the product, in the upper right, choose Continue to subscribe. Complete the subscription wizard.

C. Deploy your new products in AWS GovCloud (US) Regions

You can now deploy the product to your GovCloud account in two ways:

  1. If you have access to your standard AWS account, deploy using the integrated AWS Marketplace experience (easiest way).
  2. If you only have access to your GovCloud account, launch through the EC2 console.

1. If you have access to your standard AWS account, launch the product from your standard account through the AWS Marketplace Subscription service. This redirects you to log in to your GovCloud account. To deploy using this method, do the following:

  1. In the AWS Management Console, navigate to the AWS Marketplace Subscription service. To do that, in the AWS Management Console service search box, enter AWS Marketplace Subscriptions.
  2. From your list of AWS Marketplace subscriptions, select a product to deploy to a GovCloud Region. I’m choosing F5 BIIG-IP Virtual Edition.
  3. In the upper right, choose Launch new instance.
  4. On the Configure this software page, verify the delivery method, software version and deployment Region. For Delivery method, I chose 64-bit (x86) Amazon Machine Image. For Software version, I chose 17.1.0.1-0.0.4 (Apr 21, 2023). For Region, I chose us-gov-east-1. The following screenshot shows the Launch new instance page with my Configure this software choices entered.

Launching product to GovCloud region from AWS console in standard account

  1. In the lower right, choose Continue to launch through EC2. When a new tab appears, log in to your linked GovCloud account.
  2. In the EC2 launch instance wizard, configure and launch your instance.

2. For users with access only to the GovCloud account, find, configure, and launch the product in the EC2 console.

  1. Ask your admin with access to the commercial account to provide you with the name of the product or its AMI ID. You will need the exact name of the product.
  2. In the AWS Management Console, log in to your GovCloud account. Navigate to the EC2 console. In the upper right, choose Launch instances.
  3. In the left sidebar, select the AWS Marketplace tab. For Step 1: Choose an Amazon Machine Image (AMI), in the search box, enter in the product’s name or ID from step C.2.a.
  4. To select the product, to the right of the product, choose the blue Select button. In the EC2 launch instance wizard, configure and launch your instance.

How to manage entitlements in GovCloud

Managed entitlements enable you to govern, track, and distribute entitlements from a software license. You can track and manage all of your AWS Marketplace procured products within AWS License Manager. Administrators can use AWS License Manager to automate the distribution and activation of software entitlements to end users and workloads across accounts in their AWS organization.

Entitlements cannot be shared directly with your GovCloud account. Governance and entitlements are managed from your standard AWS account and are propagated to your linked GovCloud account. Managed entitlements can help distribute subscriptions to member accounts of an AWS organization that are paired to GovCloud accounts. The linked GovCloud accounts will also have access to the product. To understand more about how to use managed entitlements for AWS Marketplace with your standard AWS account, read How to use Managed Entitlements for AWS Marketplace.

How Private Offers work in GovCloud

Private offers are a purchasing program that enables sellers and buyers to negotiate custom prices and end user licensing agreement (EULA) terms for software purchases in AWS Marketplace.

Private offers and are implemented in your standard AWS account, and your linked GovCloud account inherits the entitlements and subscriptions. If you subscribe to a private offer on your standard AWS account, you will automatically receive the agreed upon pricing in your GovCloud account. To learn more, read about AWS Marketplace Private Offers.

Conclusion

In this post, I showed you how to use AWS Marketplace to purchase products to use in AWS GovCloud, both through standard account access and through GovCloud-only account access. I also explained how to manage both Private Offers and Managed Entitlements in GovCloud. To get started, subscribe to products from AWS Marketplace and deploy them in your GovCloud account. By following this tutorial, you can enjoy the benefits of AWS Marketplace while maintaining specific regulatory and compliance requirements.

About the author

Tuan Vo is a Marketplace Specialist Solutions Architect who focuses on supporting sellers to list their products on AWS Marketplace. He supports large enterprises and public sector customers. Outside of work, Tuan enjoys traveling, trying out new food, and going on walks.