AWS Marketplace

Managing Private Marketplace across multiple AWS Organizations

A multi-account strategy is the Amazon Web Services (AWS) recommended practice for achieving higher isolation of resources in AWS. It also helps you to meet regulatory and compliance needs, track operational costs, and add an extra layer of security by reducing the blast radius of a security incident. AWS Control Tower helps companies set up a multi-account environment using a single organization within AWS Organizations. Many customers (e.g. multinationals, consortia, and government entities) architect their AWS environment using multiple AWS organizations. This matches their structure as a group of individual entities or companies that follow common sets of directives and compliance requirements. Multiple AWS organizations also provide simplified cost allocation and chargebacks.

AWS Marketplace is a digital catalog of third-party software, services, and data that makes it easy to find, buy, deploy, and manage the software you need to build solutions and run your business on AWS. Private Marketplace is a feature built on top of AWS Marketplace that enables administrators to create and customize curated digital catalogs, called experiences, of approved products that conform to in-house policies. Users can only subscribe to approved products, ensuring that all procured products comply with the policies and standards of the organization.

Private Marketplace works within the boundaries of a single organization. In this post, I introduce a distributed serverless solution that enables you to keep Private Marketplace experiences in multiple organizations synchronized and manage them from a central management organization.

These terms are used throughout the blog post:

  1. Experience: A catalog of approved and rejected products
  2. Management organization: The organization that manages all experiences centrally
  3. Member organization: An organization whose experiences are managed from the management organization
  4. Management experience: A catalog of approved and rejected products defined in the management organization that manages one or many member experiences
  5. Member experience: A catalog of approved and rejected products in the member organization that is kept synchronized with its management experience

Prerequisites

  1. Administrator access to the management account of the management organization
  2. Administrator access to a member account of the management organization
  3. Administrator access to the management account of the member organization(s)
  4. Administrator access to a member account of the member organization(s)

Solution overview

This distributed serverless solution provides a centralized way of managing Private Marketplace across multiple organizations. There are two scenarios for the implementation:

  1. A management experience manages all member experiences in a single member organization or in multiple member organizations.
  2. A management experience manages selected member experiences in a single member organization or in multiple member organizations. In this use case, you can also create non-managed member experiences that are managed locally in your member organizations.

The steps below address the first use case, but the solution is flexible enough to address the second scenario as well.

You can create multiple management experiences, so you can manage member organizations independently from each other. In the following diagram, you can see a visual representation of the use cases I have described.

Solution Overview

The solution has two components.

  1. The Private Marketplace cross-organization management component, which gets deployed in the management organization.
  2. The Private Marketplace cross-organization member component, which gets deployed in one or more member organizations.

You must deploy both components in the appropriate AWS organizations for each member organization that you need to centrally manage. The component in the management organization monitors the management experience that you provide as a parameter, and it triggers the second component in the member organizations at an hourly interval. The second component makes sure that the experiences in the member organizations are set up identically to the management experience in the management organization. Once the member experiences are synchronized, the component updates the synchronization timestamp in the management organization. The synchronization timestamp records which experience IDs were synchronized and when. This is done to provide observability.

The following architecture diagram illustrates both components deployed in the management organization and the member organization.

In the management organization:

  1. An Amazon EventBridge rule runs hourly and triggers an AWS Lambda function.
  2. The Lambda function reads the approved and rejected products from the management experience.
  3. The Lambda function writes the approved and rejected products to Amazon DynamoDB.
  4. The Lambda function sends a notification through Amazon Simple Notification Service (Amazon SNS).

In the member organizations:

  1. The notification is received by an Amazon Simple Queue Service (Amazon SQS) queue.
  2. The queue triggers the synchronization Lambda function to read the products from DynamoDB in the management organization.
  3. The Lambda function synchronizes the member experiences.
  4. The Lambda function updates the DynamoDB table in the management organization with the finished synchronization timestamp.

Simplified solution architecture diagram
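The reconciliation that the member component performs, as an added illustration that is not code from the pmp-cross-org-support project: it computes the delta between the products read from the management experience and each live member experience (honouring the comma separated MemberExperienceIds filter used in Step 5, where an empty value means all live experiences) and builds the record written to the SyncTimestamps table. The Private Marketplace API calls that would apply the changes are omitted, and all product and experience IDs are constructed placeholders.

```python
# Added illustration of the member component's reconciliation step; it is not
# code from the pmp-cross-org-support project and omits the Private Marketplace
# API calls that would apply the computed changes.
from datetime import datetime, timezone


def parse_experience_ids(value):
    """Parse the comma separated MemberExperienceIds parameter ('' means all)."""
    return {s.strip() for s in value.split(",") if s.strip()}


def plan_sync(mgmt_approved, mgmt_rejected, member_experiences, only_ids=""):
    """Per live member experience, the product deltas needed to match the
    management experience (mgmt_* are the sets the management component
    wrote to DynamoDB; only_ids is the MemberExperienceIds parameter)."""
    wanted = parse_experience_ids(only_ids)
    plan = {}
    for exp_id, exp in member_experiences.items():
        if exp["status"] != "Live":
            continue  # only live experiences are synchronized
        if wanted and exp_id not in wanted:
            continue  # not centrally managed; left to the member organization
        plan[exp_id] = {
            "approve": sorted(mgmt_approved - exp["approved"]),
            "unapprove": sorted(exp["approved"] - mgmt_approved),
            "reject": sorted(mgmt_rejected - exp["rejected"]),
            "unreject": sorted(exp["rejected"] - mgmt_rejected),
        }
    return plan


def sync_timestamp_item(management_experience_id, plan, now=None):
    """Build the observability record written back to the SyncTimestamps table."""
    now = now or datetime.now(timezone.utc)
    return {
        "ManagementExperienceId": management_experience_id,
        "SyncedExperienceIds": sorted(plan),
        "ChangesApplied": sum(len(v) for p in plan.values() for v in p.values()),
        "SyncedAt": now.isoformat(),
    }


# Constructed sample data; the product and experience IDs are placeholders.
MGMT_APPROVED = {"prod-a", "prod-b", "prod-c"}
MGMT_REJECTED = {"prod-x"}
MEMBER_EXPERIENCES = {
    "exp-live-1": {"status": "Live", "approved": {"prod-a", "prod-old"}, "rejected": set()},
    "exp-live-2": {"status": "Live", "approved": set(), "rejected": {"prod-x", "prod-b"}},
    "exp-draft": {"status": "Draft", "approved": set(), "rejected": set()},
}
```

Running plan_sync over the sample data shows exp-draft skipped, exp-live-1 gaining prod-b and prod-c and losing prod-old, and exp-live-2 having prod-b moved from rejected to approved.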

Solution walkthrough: Managing Private Marketplace across multiple organizations

Step 1: Enable Private Marketplace in every organization and register a delegated administrator

To use Private Marketplace, you first must enable it in each of your organizations.

It is a security best practice to avoid using your management account as much as possible. For that purpose, identify in each organization an account other than your management account in which to activate Private Marketplace delegated administration and deploy the components of this solution. Take note of each of those AWS account IDs because you need them to grant AWS Organizations delegated administration to those accounts.

  1. Sign in as administrator to each management account.
  2. Visit the Private Marketplace.
  3. To access the full functionality of Private Marketplace, acknowledge Enable trusted access across your organization and Enable a private marketplace service-linked role for this account.
  4. Select Enable private marketplace. It takes one minute.
  5. In the Private Marketplace administration, in the left menu, select Settings.
  6. In the Delegated administrator section, select Register a new administrator.
  7. Enter the account ID that you identified to be your delegated administration account and select Register.

Repeat these steps in each organization.

Step 2: Create an experience in each member organization to be managed centrally

In this step, you create the member experiences that will be kept synchronized with the management experience in the management organization. To make this experience govern all accounts in your organization, you must associate the experience with your AWS Organizations root node.

  1. Sign in as administrator to your member organization’s designated administrator account.
  2. Visit the Private Marketplace administration.
  3. From the left menu, select Experiences. On the right menu, choose Create experience.
  4. Enter a name and a description for your experience, and choose Create experience. It takes one minute to create the experience.
  5. Select the experience, and from the tabs on top, choose Associate audience.
  6. Select Add additional audience, mark your organization root node and select Next.
  7. Verify that the Type is Organization and select Associate with experience. It takes one minute to associate the experience.

The solution only synchronizes live experiences, so you must set the experience to live. Keep in mind that at the moment you set the experience to live, all accounts will be governed and will only be able to subscribe to products approved in the experience. Already subscribed products are not affected.

  1. From the left menu, select Experiences.
  2. Select the experience, and from the top tabs, choose Settings.
  3. Change the Experience mode to Live.
  4. Scroll to the bottom and choose Save. It will take a minute for the experience to become live, but you can already move to the next member organization and repeat all the points.

Step 3: Create an experience in the management organization to centrally manage member experiences

You must create an experience in your management organization to manage a single member experience or multiple member experiences. Just as in the member organizations, you sign in to the Private Marketplace delegated administration account that you identified in Step 1 for your management organization.

  1. Sign in as administrator to your management organization’s delegated administrator account.
  2. Visit the Private Marketplace administration.
  3. From the left menu, select Experiences. On the right menu, choose Create experience.
  4. Enter a name and description for your experience. Think about a naming convention to easily identify the managed member organization(s).
  5. Choose Create experience. It takes one minute to create the experience.
  6. You need the experience ID because you will use it to deploy the solution in the next step. To find the ID, select the experience.
  7. After the page reloads, in your browser address bar, copy the last segment of the URL after the last slash. That is the experience ID.

Step 4: Deploy the management component of the solution

In this step, you will deploy the management component in the account you would like to use to manage your management experiences.

  1. Visit the AWS CloudShell console.
  2. On the top right, verify that you are in the AWS Region you would like to use to deploy the solution.
  3. In the terminal, execute the following commands, substituting the <placeholders> with the correct values. Note that the value for MEMBER_ORG_DELEGATED_ACCOUNT_ID is the AWS account ID of the member organization's delegated administrator account, where you will deploy the member component of the solution.
MANAGEMENT_EXPERIENCE_ID=<management_experience_id>
MEMBER_ORG_DELEGATED_ACCOUNT_ID=<member_org_delegated_account_id>
STACK_NAME=<stack_name>
git clone https://github.com/aws-samples/pmp-cross-org-support.git
cd pmp-cross-org-support/management
sam build
sam deploy --stack-name $STACK_NAME --resolve-s3 --capabilities CAPABILITY_NAMED_IAM \
--parameter-overrides \
ParameterKey=ManagementExperienceId,ParameterValue=$MANAGEMENT_EXPERIENCE_ID \
ParameterKey=MemberOrgAccountId,ParameterValue=$MEMBER_ORG_DELEGATED_ACCOUNT_ID  \
ParameterKey=OnlyCrossAccountAccessRole,ParameterValue=no

This will take a couple of minutes to deploy. After the deployment is complete, you will see the outputs. You will need these values to run the deployment of the member component in the next step.

Step 5: Deploy the member component of the solution

Now that you have the output parameters, you can deploy the member component in your member organization.

  1. Sign in as administrator in the member organization’s delegated administrator account you used as <MEMBER_ORG_DELEGATED_ACCOUNT_ID> in the previous step.
  2. Visit the AWS CloudShell console.
  3. On the top right, verify that you are in the AWS Region you would like to use to deploy the solution.
  4. In the terminal, execute the following commands:
git clone https://github.com/aws-samples/pmp-cross-org-support.git
cd pmp-cross-org-support/member
sam build

Before issuing the next command, please substitute the <output_step_4> with the corresponding value you obtained in Step 4.

Note: If you want to restrict the synchronization to only specific member experiences, set those experience IDs as a comma separated list in the MEMBER_EXPERIENCE_IDS variable. Otherwise, all available live experiences will be synchronized.

CROSS_ACCOUNT_ACCESS_ROLE_ARN=<output_step_4>
SNS_TOPIC_ARN=<output_step_4>
APPROVED_TABLE_NAME=<output_step_4>
REJECTED_TABLE_NAME=<output_step_4>
SYNC_TIMESTAMPS_TABLE_NAME=<output_step_4>
MEMBER_EXPERIENCE_IDS=""

sam deploy --stack-name member --resolve-s3 --capabilities CAPABILITY_NAMED_IAM \
--parameter-overrides \
ParameterKey=CrossAccountAccessRoleARN,ParameterValue=$CROSS_ACCOUNT_ACCESS_ROLE_ARN \
ParameterKey=SNSTopicARN,ParameterValue=$SNS_TOPIC_ARN \
ParameterKey=ApprovedTableName,ParameterValue=$APPROVED_TABLE_NAME \
ParameterKey=RejectedTableName,ParameterValue=$REJECTED_TABLE_NAME \
ParameterKey=SyncTimestampsTableName,ParameterValue=$SYNC_TIMESTAMPS_TABLE_NAME \
ParameterKey=MemberExperienceIds,ParameterValue=$MEMBER_EXPERIENCE_IDS

This will take some minutes to deploy.

If you want to govern an additional member organization with the same management experience, you need to repeat Steps 4 and 5. In Step 4, change the value of the OnlyCrossAccountAccessRole to “yes.” Doing this will only deploy the resources necessary for an additional synchronization and not the complete management component. Use the new output values in Step 5.

Step 6: Validate that the solution is working properly

The synchronization gets triggered automatically every hour, but you don’t need to wait for this to be triggered. You can manually trigger the synchronization and validate that the member experience(s) are being updated.

First, add a product to the management experience.

  1. Sign in as administrator in the management organization’s delegated administrator account (the delegated administrator account used in Step 4).
  2. Visit the Private Marketplace administration.
  3. From the left menu, select Experiences.
  4. Choose the management experience.
  5. On the top tabs, select Products.
  6. In the bottom pane, select All AWS Marketplace products.
  7. Check a product, select Add, and confirm by selecting Add product. This will take a minute.

You need to wait until your product has been successfully added. Afterwards, you can trigger the synchronization process manually.

  1. Visit the AWS Lambda console.
  2. On the top right, verify that you are in the AWS Region where you deployed the solution.
  3. Use the filter bar to search for “SyncPMPManagement”.
  4. Select the Lambda function, and on the top right, select Actions -> Test.
  5. Scroll down and add an event name and select Test. You should see a success banner.

Adding and removing products from an experience is a slow and serial process. If you are reusing an existing experience with many products, the first synchronization can take several minutes to finish. Later runs only process the deltas, so those synchronizations should be a lot quicker.

  1. Wait for some minutes and visit the DynamoDB console.
  2. From the left menu, select Explore items.
  3. Search for “SyncTimestamps.”
  4. Select the table and see the entry for the last synchronization.

You can also sign in to a member organization and visit AWS Marketplace. You should be able to see that the Private Marketplace is active and see your product with the Approved Product tag.

This post set up a single management experience. If you want to have more management experiences, repeat the steps for every new management experience. Note that the enabling of Private Marketplace only needs to be done once.

Cleanup

If you decide to deactivate the solution, you will need to delete the resources you created to avoid ongoing charges. You can do this by visiting the CloudFormation console in each account where you deployed the solution and deleting the stacks you created. Start with the member organization(s) and leave the management organization for last. If you want to restore the availability of all products, you need to archive the Private Marketplace experiences you created in Step 2. To do this, follow the instructions in Archiving and reactivating a private marketplace experience.

Conclusion

This is a serverless distributed solution that allows you to govern Private Marketplace experiences across multiple organizations from a central account of your choosing. Private Marketplace offers the delegated administrator functionality, so you can be sure that your member experiences can only be managed by the central management organization or by explicitly assigned delegated administrator accounts in the member organizations. In this way, you can ensure that the products available for procurement are governed from the central location. The solution also offers you visibility into the managed state of every organization. Organizations in highly regulated industries can use this solution to fulfill their requirements and reduce the overhead related to managing and governing their software procurement.

About the author


Oscar Carrasquero is a specialist solution architect based in Germany. He is passionate about technology and enjoys a mixture of business and technology to create solutions that address his customers’ needs.