Make your software available for use in AWS GovCloud (US) via AWS Marketplace

AWS Marketplace is a curated digital catalog that makes it easy for customers to find, test, buy, and deploy third-party software, data products, and services. It also enables software providers to shorten sales cycles using several different pricing models to make their software available for AWS users to buy on demand. You can also extend customized private offers directly to specific buyers or sell through one of hundreds of Consulting Partners and Solution Providers participating in AWS Marketplace Channel Programs.

In this post, I will define AWS GovCloud (US) and outline the reasons to make your software application available to users in GovCloud Regions via AWS Marketplace. I will provide reference links to the general how-to guides for the supported product types, AMI, and SaaS. I will also show how to make your applications available in the AWS GovCloud (US) Regions.

I will also provide introductory information regarding Authority to Operate (ATO) on AWS, which supports software providers seeking to achieve authorization for government organizations such as FedRAMP (Federal Risk and Authorization Management Program), FISMA (Federal Information Security Management Act), NIST RMF (National Institute of Standards and Technology Risk Management Framework), and CMMC (Cybersecurity Maturity Model Certification). While these compliance regimes are not prerequisites to make your application available in AWS GovCloud (US) Regions, there are AWS customers who are obligated to comply with these and other regulations. Those customers may need your software to meet these standards in order to procure and deploy your application.

What is AWS GovCloud (US)?

AWS GovCloud (US) gives government customers, their partners, and users in other highly regulated industries the flexibility to architect secure cloud solutions that comply with government policies. Such policies include the FedRAMP High baseline; the DOJ’s Criminal Justice Information Systems (CJIS) Security Policy; US International Traffic in Arms Regulations (ITAR); Export Administration Regulations (EAR); Department of Defense (DoD) Cloud Computing Security Requirements Guide (SRG) for Impact Levels 2, 4, and 5; FIPS 140-2; and IRS-1075.

AWS GovCloud (US) Regions help customers address compliance at every stage of their cloud journey, including:

• Controlled Unclassified Information (CUI)
• Personally Identifiable Information (PII)
• sensitive patient medical records
• financial data
• law enforcement data
• export-controlled data
• other forms of CUI.

Why use AWS Marketplace to distribute software in AWS GovCloud (US) Regions?

The AWS GovCloud (US) Regions represent a highly regulated environment. They are operated by AWS employees who are US citizens on US soil. AWS GovCloud (US) is only accessible to US entities and root account holders who pass a screening process. Customers must confirm that they will only use a US person to manage and access root account keys to these Regions. That person is defined as a green card holder or citizen as defined by the US Department of State.

While not all government customers or their ancillary partners require this level of regulation for all their deployments, there are use cases where it is critical to their compliance and security standards. In those cases, it’s helpful to think of the AWS GovCloud (US) Regions as a specialized tool to be deployed strategically. I highly recommend that  before making the necessary effort to list your application for use in AWS GovCloud (US), you should do preliminary market research to determine if there is a demand for your applications among AWS GovCloud (US) users. For those that conclude that there is a market for your software among AWS GovCloud (US) users, AWS Marketplace represents an opportunity to expedite the procurement process. It can enable users to use their existing AWS accounts and agreements to complete the transaction.

How to make your AMI or SaaS application available to AWS GovCloud (US) via AWS Marketplace

Prerequisites

• If you are not yet registered as an AWS Marketplace seller, begin by reviewing the AWS Marketplace Seller Guide and registering as a seller for AWS Marketplace.
• If you have not yet registered an AWS GovCloud (US) account, do so at AWS GovCloud (US) Sign Up. This account doesn’t have to be associated with your AWS Marketplace seller account. However, if the two accounts are not associated, be sure to include a note in your submission that includes your AWS GovCloud (US) account. This way, the AWS Marketplace Ops team can verify that you meet this prerequisite.

AMI-based applications

Including AWS GovCloud (US) Regions on a new single AMI application

If this is your first AMI product listing with AWS Marketplace, pay close attention to the AMI-based products portion of the AWS Marketplace Seller Guide.

Once you’ve completed the prerequisites, you can use the AWS Marketplace Management Portal to submit your product and include the AWS GovCloud (US) Regions.

Begin by signing in to the AWS Marketplace Management Portal interface. To do that, follow these steps:

1. From the Products dropdown in the upper-left corner of the screen, select Server.
2. Select the pricing model you’ll be using for your product from the Create server product dropdown menu in the upper-right corner.

• • Paid monthly and Paid usage pricing options redirect you to download an Excel document to populate your product’s metadata. If you are using one of these pricing models and submit your product via the Excel spreadsheet, be sure to enter TRUE in the us-gov-west-1 Availability and us-gov-east-1 Availability columns when designating Region availability for your product.
  • The AMI with contract pricing model is not currently supported in in the AWS GovCloud (US) Regions.

3. To create your product listing, enter all required values to the input user interface (UI). You must opt in to make your application available in the AWS GovCloud (US) Regions. To opt in, under the Regions tab in the UI, select the radio buttons next to us–gov-east-1 US-East and us-gov-west-1 US-West.

Adding AWS GovCloud (US) Regions to an existing single AMI application

1. If you are updating an existing product listing rather than creating a brand-new product listing, follow these steps: Sign in to the AWS Marketplace Management Portal. In the upper left corner, choose the Products dropdown and select Server.
2. Select the product title you wish to update from the menu.

• • If you are updating Paid monthly or Paid usage pricing options, you will see a button that prompts you to Download product load form. Download the form and when designating Region availability for your product, enter TRUE in the us-gov-west-1 Availability and us-gov-east-1 Availability
  • The AMI with contract pricing model is not currently supported in in the AWS GovCloud (US) Regions.

3. In the resulting screen, from the Request changes dropdown menu, select Update Regions and pricing.
4. At the top of the page, select Edit Regions. In the resulting screen, to move from the read-only view into an editing view, select the blue Edit Regions button.
5. Select the radio buttons next to us-gov-east-1 US East and us-gov-west-1 US West. In the lower left corner of the screen, select Save.
6. From the menu at the top of the screen, select Notes & Notifications.
7. If your AWS GovCloud (US) account is associated with an AWS account other than your AWS Marketplace seller account, enter that account ID in the notes field. Enter the email address where the Managed Catalog Operations (MCO) team can reach you for questions and notify you when the work is complete.

Your next steps will differ slightly depending on whether your product is a standalone AMI or uses CloudFormation for deployment.

Including AWS GovCloud (US) Regions on new single-AMI with CloudFormation stack and multi-AMI with CloudFormation stack applications

1. If your application uses a CloudFormation template to deploy a stack into the user’s environment, you must download an Excel document to populate your product’s metadata. Within the Excel spreadsheet, when designating Region availability for your product, you must enter TRUE in the columns for the relevant us-gov-west-1 Availability and us-gov-east-1 Availability columns.
2. Your CloudFormation template must also include the AWS GovCloud (US) Regions in the RegionMap for the AWS GovCloud (US) Regions. This is in addition to any other Regions you may choose to support. To do this, edit the RegionMap section of your Cloud Formation Template as in the following example. For more information about Mappings values in Cloud Formation templates, please reference the AWS CloudFormation User Guide.

EXAMPLE

Mappings:
RegionMap:
us-east-1:
ImageId: ami-0123456789abcdef0
us-west-1:
ImageId: ami-xxxxxxxxxxxxxxxxx
eu-west-1:
ImageId: ami-xxxxxxxxxxxxxxxxx
us-gov-west-1:
ImageId: ami-xxxxxxxxxxxxxxxxx
us-gov-east-1:
ImageId: ami-xxxxxxxxxxxxxxxxx

Adding AWS GovCloud (US) Regions to existing Single-AMI with CloudFormation stack and multi-AMI with CloudFormation stack applications

1. If your application uses a CloudFormation template to deploy a stack into the user’s environment, you will be prompted to download product load form. Within the Excel spreadsheet, when designating Region availability for your product, update the us-gov-west-1 Availability and us-gov-east-1 Availability columns to TRUE.
2. You must also update your CloudFormation template to include the AWS GovCloud (US) Regions in the RegionMap for the AWS GovCloud (US) Regions. This is in addition to any other Regions you may choose to support. To do this, edit the RegionMap section of your Cloud Formation template as in the following example. For more information about Mappings values in Cloud Formation templates, please reference the AWS CloudFormation User Guide.

EXAMPLE

Mappings:
RegionMap:
us-east-1:
ImageId: ami-0123456789abcdef0
us-west-1:
ImageId: ami-xxxxxxxxxxxxxxxxx
eu-west-1:
ImageId: ami-xxxxxxxxxxxxxxxxx
us-gov-west-1:
ImageId: ami-xxxxxxxxxxxxxxxxx
us-gov-east-1:
ImageId: ami-xxxxxxxxxxxxxxxxx

This mapping holds true for CloudFormation products that use multiple AMIs. However, the AWS Marketplace Management Portal interface does not currently show multi-AMI product in the products menu. You must maintain the Excel form for this product type independently.

SaaS applications

Additional prerequisites for SaaS products

1. Complete the items listed in the prerequisites section.
2. Additionally, SaaS providers who wish to make their application available to AWS GovCloud (US) users must host the application within one of the two AWS GovCloud (US) To do that, do the following:

• • If your SaaS application is not already hosted in one of these Regions, I recommend you review the list of available Services in AWS GovCloud (US) Regions. Provided the AWS tools your application uses are included in this list, you should be able to replicate your solution stack from a non-GovCloud Region.
  • If this is your first SaaS product listing with AWS Marketplace, pay close attention to the Software as a service (SaaS)–based products portion of the AWS Marketplace Seller Guide. The Best practices guide to successfully list your SaaS contract solution in AWS Marketplace is also helpful.

Once you’ve completed the prerequisites, you are ready to use the AWS Marketplace console to submit your SaaS product for AWS GovCloud (US).

Enabling your product listing exclusively for AWS GovCloud (US) customers

1. Within the AWS Marketplace console, in the upper-right corner Products menu, select SaaS.
2. On the resulting screen, from the Create SaaS product dropdown menu, select the SaaS pricing model you’ll be using, either New SaaS Contract or New SaaS Subscription.
3. In the resulting Onboarding screen, verify that you’ve registered a bank account and the appropriate tax form with AWS Marketplace. Enter all the relevant product metadata. Under the Pricing tab, select the Enable to offer exclusively to AWS GovCloud (US) customers only radio button.

Unlike AMI product listings, a SaaS offering for AWS GovCloud (US) must be exclusive to AWS GovCloud (US). If you would like to offer your product for use in both commercial Regions and AWS GovCloud (US) Regions, you should create two listings: Product Name and Product Name for AWS GovCloud (US).

4. Once you’ve populated all required fields, you are ready to review and submit your new product listing. Select the Notes tab and enter any relevant instruction in the Notes field. Enter the appropriate email contact to receive follow-up questions and notifications. Select Review.

To expedite your product listing, with your initial product submission, copy and paste the following questions and your answers to them into the Notes field.

• • Is a portion of your application hosted in an AWS account you own?
  • Which components are hosted with AWS?
  • What is the AWS account ID that is hosting the application?

5. When you’ve completed your review, select Submit for Review. This opens a case with the AWS Marketplace MCO team. They will follow up with a preview of your product detail page and any questions they may have regarding your submission. They will also support you as you work through the details of accessing the AWS Marketplace Metering and Entitlement Service APIs, which will include use of AWS Marketplace Serverless SaaS Integration if you are using SaaS Contract pricing.

FedRamp, DOD SRG for Impact Levels, and other compliance regimes

While AWS GovCloud (US) is an important tool in providing AWS Marketplace sellers the flexibility to build solutions that adhere to a variety of compliance regimes, the Regions themselves do not impart any authorization to operate within these regimes.

These regimes apply to the environment, not to any one application hosted in that environment. As such, if your product is deployed into the user’s environment via AMI, there is nothing you need to do to seek a specific level of compliance authorization. The responsibility for compliance belongs to the host of the environment.

SaaS providers should consider whether your user base requires a specific level of authorization to use your application. For sellers who do need this authorization, AWS offers the Authority to Operate (ATO) on AWS Program. ATO on AWS supports workloads for government organizations such as FedRAMP, FISMA, the RMF, and CMMC.

Conclusion

In this post, I defined AWS GovCloud (US) and outlined the reasons to make your software available to users in these Regions via AWS Marketplace. I showed how to successfully list your AMI or SaaS solution in AWS Marketplace and offered specific guidance on making applications available in the AWS GovCloud (US) Regions.

I also provided introductory information regarding ATO on AWS for SaaS providers looking for more information on how to achieve authorization for government organizations such as FedRAMP, FISMA, the RMF, and CMMC.

Getting answers

If you have questions on listing and getting started, use the following resources:

• Get registered as a seller. In the management console, use the Contact Us form to request to speak with a member of our AWS Marketplace Business Development team.
• Contact your AWS Account Manager and have them get in contact with the AWS Marketplace Emerging Tech Business Development Team.

About the author

James Kilpatrick is a Customer Advisor with the AWS Marketplace public sector team. His focus is on helping GovTechs transact smoothly via AWS Marketplace. He is also a subject matter expert regarding the intersection of AWS Marketplace and the AWS GovCloud (US) Regions and the AWS Marketplace for the U.S. Intelligence Community (IC). In his previous role as a Technical Business Development Manager, he provided Independent Software Vendors (ISVs) with the best practices to take their current solutions, pricing, and sales motions and build a successful listing in AWS Marketplace targeted at AWS users in the public sector. James is located in Seattle, WA and enjoys spending time with his family and collecting music in any and all physical formats.