AWS Marketplace

Setting up fine-grained permission access for AWS Marketplace sellers

AWS Marketplace now enables sellers to use fine-grained permissions within the AWS Marketplace Management Portal (AMMP). This lets AWS Marketplace sellers, including Independent Software Vendors (ISVs) and channel partners, precisely control access to features such as Settings, Contact Us, File Upload and Insights in AMMP. This blog tutorial helps sellers migrate to the new AWS Identity and Access Management (IAM) permissions model. As part of this update, 17 new AWS Marketplace IAM permissions are introduced and two legacy permissions will be deprecated. In this blog post, we show how to adopt granular IAM control using the new permissions, and we announce the deprecation of the following legacy permissions:

aws-marketplace-management:uploadFiles

aws-marketplace-management:viewSettings

You can find more information on the IAM policies discussed in this blog in the AWS Marketplace detailed management documentation.

AWS Marketplace has several managed policies you can use with the AWS Marketplace Management Portal. In addition, you can use individual permissions to create your own AWS Marketplace IAM policy. Using fine-grained access, you can create customer managed policies to do the following:

  • Grant other people permission to administer and use resources in your AWS account without sharing your password or access key.
  • Grant granular permissions to multiple people for various resources. For example, you might allow some users only to view the Settings tab in the AWS Marketplace Management Portal, while allowing other users to edit both Settings and Contact Us.

About the new AWS IAM permissions

AWS Marketplace launched fine-grained IAM permissions to enable AWS Marketplace sellers to precisely control access to various features in AWS Marketplace Management Portal. These new permissions were introduced in May 2023, and the legacy permissions will be deprecated eventually.

AWS Marketplace sellers’ IT administration teams can write IAM policies that control access at the granularity of individual actions in AMMP. Sellers using the AWS Marketplace managed policies do not need to take any action, because those policies are updated automatically. If you use your own customer managed policies instead, you need to add the new permissions (and replace the legacy ones) to benefit from this granular access.

Our goal is to demonstrate how granular permissions let sellers create policies based on a user’s function within the organization. The personas covered in the walkthrough are the tax account user, the bank account user, the Know Your Customer (KYC) user, secondary users, users who manage notification email contacts, and users who handle pending tasks and support cases.

Prerequisites

This blog post provides IAM policies. You can evaluate each permission by following the IAM guidance on defining IAM identities and attaching policies to users or roles. To implement the new permissions, you need the following prerequisites:

  • An AWS account
  • Access to the AWS Marketplace Management Portal
  • An identity provider that gives your users federated access to AWS accounts by assuming roles, which provide temporary credentials
  • A way to assume those roles: you can temporarily assume an IAM role in the AWS Management Console by switching roles, or assume a role by calling an AWS CLI or AWS API operation or by using a custom URL. For more information about methods for using roles, see Using IAM roles.

The following sections each show an IAM policy based on allowed user actions.

Solution overview: new permissions for AWS Marketplace sellers

The new AWS Marketplace IAM permissions covered in this blog post are:

  1. aws-marketplace-management:PutSellerVerificationDetails
  2. aws-marketplace-management:GetSellerVerificationDetails
  3. aws-marketplace-management:PutBankAccountVerificationDetails
  4. aws-marketplace-management:GetBankAccountVerificationDetails
  5. aws-marketplace-management:PutSecondaryUserVerificationDetails
  6. aws-marketplace-management:GetSecondaryUserVerificationDetails
  7. aws-marketplace-management:GetAdditionalSellerNotificationRecipients
  8. aws-marketplace-management:PutAdditionalSellerNotificationRecipients
  9. tax:PutTaxInterview
  10. tax:GetTaxInterview
  11. payments:CreatePaymentInstrument
  12. payments:GetPaymentInstrument
  13. aws-marketplace:ListTasks
  14. aws-marketplace:DescribeTask
  15. aws-marketplace:UpdateTask
  16. aws-marketplace:CompleteTask
  17. support:CreateCase

Solution walkthrough: Setting up fine-grained permission access for AWS Marketplace sellers

A. Deprecation of legacy permissions and what to use instead

The two legacy permissions, aws-marketplace-management:uploadFiles and aws-marketplace-management:viewSettings, grant access to the product upload and account settings menus of the AWS Marketplace Management Portal, respectively. Both will be deprecated. The permissions explained in the following sections replace them.

1. Product upload

The product load form (PLF) lets a seller request a new product, or an update to an existing product, in AWS Marketplace. The PLF must include all the details of the change you want to make. In lieu of aws-marketplace-management:uploadFiles, the granular permissions that grant access to this task are:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "aws-marketplace:ListEntities",
                "aws-marketplace:DescribeEntity",
                "aws-marketplace:StartChangeSet"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

2. Account settings

The account settings console lets sellers create and manage the settings for their seller account in AWS Marketplace, including the public profile, payment information (banking and tax information), notification information, and account status/summary. The following policy replaces aws-marketplace-management:viewSettings. Replace {region} and {account-id} in the Resource ARN with your own values before attaching the policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "aws-marketplace:ListEntities",
                "aws-marketplace:DescribeEntity",
                "aws-marketplace:StartChangeSet",
                "aws-marketplace:DescribeChangeSet",
                "aws-marketplace:ListChangeSets"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:aws-marketplace:{region}:{account-id}:AWSMarketplace/Seller/*"
        }
    ]
}
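The migration in A.1 and A.2 is mechanical enough to script across a fleet of customer managed policies. The following Python is an added example for this post, not AWS code: it scans a policy document for the two legacy actions and returns a copy in which each is replaced by the action set shown above, keeping the statement’s Effect, Resource and Condition exactly as they were so the administrator still decides the scoping. The sample policy is constructed for the example. Note that both replacement sets include aws-marketplace:StartChangeSet, which is a write action on the catalog, so the rewritten statement is a good moment to narrow a Resource of "*" to the seller ARN form shown in A.2.

```python
"""Rewrite IAM policy documents that still grant the two legacy AMMP actions.

Added example for this post (not AWS code). The replacement action sets are the
ones listed in sections A.1 and A.2; SAMPLE_POLICY below is constructed.
"""
import copy

LEGACY_REPLACEMENTS = {
    "aws-marketplace-management:uploadFiles": [
        "aws-marketplace:ListEntities",
        "aws-marketplace:DescribeEntity",
        "aws-marketplace:StartChangeSet",
    ],
    "aws-marketplace-management:viewSettings": [
        "aws-marketplace:ListEntities",
        "aws-marketplace:DescribeEntity",
        "aws-marketplace:StartChangeSet",
        "aws-marketplace:DescribeChangeSet",
        "aws-marketplace:ListChangeSets",
    ],
}
# IAM action names are matched case-insensitively, so index them by lower-case form.
_LEGACY_BY_LOWER = {k.lower(): k for k in LEGACY_REPLACEMENTS}

# Constructed sample: one statement still using both legacy actions, plus a
# NotAction guardrail statement that the rewriter must leave alone.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "aws-marketplace-management:uploadFiles",
                "aws-marketplace-management:viewSettings",
                "aws-marketplace:ListEntities",
            ],
            "Resource": "*",
        },
        {
            "Effect": "Deny",
            "NotAction": ["aws-marketplace:*", "aws-marketplace-management:*",
                          "tax:*", "payments:*", "support:*"],
            "Resource": "*",
        },
    ],
}


def _as_list(value):
    """IAM allows Statement/Action/Resource to be a single value or a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def find_legacy_actions(policy):
    """Return (statement index, legacy action) pairs present in the policy."""
    hits = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        for action in _as_list(stmt.get("Action")):
            if action.lower() in _LEGACY_BY_LOWER:
                hits.append((i, action))
    return hits


def migrate_legacy_actions(policy):
    """Return (rewritten copy, indexes of skipped statements).

    Legacy actions are swapped for their replacement sets; everything else in the
    statement (Effect, Resource, Condition) is preserved. Statements that use
    NotAction are skipped and reported, because editing an exclusion list would
    change its meaning rather than migrate it.
    """
    new_policy = copy.deepcopy(policy)
    statements = _as_list(new_policy.get("Statement"))
    new_policy["Statement"] = statements
    skipped = []
    for i, stmt in enumerate(statements):
        if "NotAction" in stmt:
            skipped.append(i)
            continue
        if "Action" not in stmt:
            continue
        rewritten = []
        for action in _as_list(stmt["Action"]):
            canonical = _LEGACY_BY_LOWER.get(action.lower())
            rewritten.extend(LEGACY_REPLACEMENTS[canonical] if canonical else [action])
        seen = set()  # de-duplicate while keeping the original order
        stmt["Action"] = [a for a in rewritten if not (a in seen or seen.add(a))]
    return new_policy, skipped


if __name__ == "__main__":
    import json
    migrated, skipped = migrate_legacy_actions(SAMPLE_POLICY)
    print("legacy actions found:", find_legacy_actions(SAMPLE_POLICY))
    print("skipped statements:", skipped)
    print(json.dumps(migrated, indent=2))
```

Run it against each customer managed policy exported with the IAM API (or from your infrastructure-as-code repository) and review the diff before applying it; the skipped list tells you which statements need a human decision.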

B. New permissions

These 17 new AWS Marketplace IAM permissions let you create fine-grained access controls for individual users, limiting each user to only the tax, banking, or Know Your Customer (KYC) consoles they need in AMMP.

1. Tax account user

You can use tax:GetTaxInterview and tax:PutTaxInterview to grant permission to view and modify tax information. The following IAM policy grants a user access to the seller’s tax information dashboard in the AMMP console:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditorTax",
            "Effect": "Allow",
            "Action": [
                "tax:GetTaxInterview",
                "tax:PutTaxInterview",
                "aws-marketplace:ListEntities",
                "aws-marketplace:DescribeEntity",
                "aws-marketplace:StartChangeSet"
            ],
            "Resource": "*"
        }
    ]
}

Attaching this policy to the AWS Marketplace user grants access to the Tax information section of the Payment information page under AMMP Settings. The following screenshot shows the AWS Marketplace Management Portal Payment Settings page and Payment information tab. Under Payment information are two warnings: Tax information has not been provided yet, and To sell professional services, provide additional information.

The Tax information field is editable by the user account.

The user cannot view other sections of the AMMP console unless the required permissions for those sections are granted.

2. Bank account user

To allow users to modify banking information, you can use the following permissions:

aws-marketplace-management:PutBankAccountVerificationDetails

aws-marketplace-management:GetBankAccountVerificationDetails

payments:CreatePaymentInstrument

payments:GetPaymentInstrument

These permissions also allow a user to direct how the seller receives disbursements from Amazon Payments. Refer to the following example, replacing {region} and {account-id} in the Resource ARN with your own values:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Action": [
                "aws-marketplace-management:PutBankAccountVerificationDetails",
                "aws-marketplace-management:GetBankAccountVerificationDetails",
                "payments:CreatePaymentInstrument",
                "payments:GetPaymentInstrument",
                "aws-marketplace:DescribeEntity",
                "aws-marketplace:StartChangeSet",
                "aws-marketplace:ListEntities"
            ],
            "Resource": "arn:aws:aws-marketplace:{region}:{account-id}:AWSMarketplace/Seller/*"
        }
    ]
}

A bank account user granted these permissions cannot access the tax information covered in section B.1.

The following screenshot shows the AWS Marketplace Management Portal Payment Settings page and Payment information tab. Under Tax information is the notice You don’t have permission to view tax information. Contact your AWS Identity and Access Management (IAM) administrator to grant you the required permission.

AMMP console when signed in as the bank account user.

You can add the tax:GetTaxInterview and tax:PutTaxInterview permissions to the bank account user’s policy statement to grant access to tax information as well. This example demonstrates the fine-grained control the new AWS Marketplace IAM permissions provide.
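Before attaching persona policies, it is worth confirming offline that they really are disjoint in the way sections B.1 and B.2 describe, rather than relying on the console to tell you after the fact. The Python below is an added example for this post, not AWS code or the IAM policy simulator: it implements just enough of IAM evaluation (explicit Deny beats Allow, case-insensitive wildcard matching on Action, wildcard matching on Resource, implicit deny otherwise) to ask which of the 17 new permissions each persona policy grants. Condition blocks, permissions boundaries and SCPs are not modelled, and statements using NotAction or NotResource raise rather than return a wrong answer. The policies are copied from B.1 and B.2; the seller ARN and account IDs are constructed placeholders.

```python
"""Minimal offline IAM evaluator for checking persona separation (added example).

Models: explicit Deny wins, Allow required, '*'/'?' wildcards, case-insensitive
actions, case-sensitive resources. Not modelled: Condition, NotAction/NotResource
(raise), permissions boundaries, SCPs. ARNs below are constructed placeholders.
"""
import copy
import re

# Constructed stand-in for the {region}/{account-id} placeholders used in the post.
SELLER_ARN = "arn:aws:aws-marketplace:us-east-1:123456789012:AWSMarketplace/Seller/example"

# The 17 new permissions from the solution overview.
NEW_PERMISSIONS = [
    "aws-marketplace-management:PutSellerVerificationDetails",
    "aws-marketplace-management:GetSellerVerificationDetails",
    "aws-marketplace-management:PutBankAccountVerificationDetails",
    "aws-marketplace-management:GetBankAccountVerificationDetails",
    "aws-marketplace-management:PutSecondaryUserVerificationDetails",
    "aws-marketplace-management:GetSecondaryUserVerificationDetails",
    "aws-marketplace-management:GetAdditionalSellerNotificationRecipients",
    "aws-marketplace-management:PutAdditionalSellerNotificationRecipients",
    "tax:PutTaxInterview", "tax:GetTaxInterview",
    "payments:CreatePaymentInstrument", "payments:GetPaymentInstrument",
    "aws-marketplace:ListTasks", "aws-marketplace:DescribeTask",
    "aws-marketplace:UpdateTask", "aws-marketplace:CompleteTask",
    "support:CreateCase",
]

# Tax account user policy (section B.1).
TAX_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VisualEditorTax", "Effect": "Allow",
        "Action": ["tax:GetTaxInterview", "tax:PutTaxInterview",
                   "aws-marketplace:ListEntities", "aws-marketplace:DescribeEntity",
                   "aws-marketplace:StartChangeSet"],
        "Resource": "*",
    }],
}

# Bank account user policy (section B.2) with the placeholders filled in.
BANK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Statement1", "Effect": "Allow",
        "Action": ["aws-marketplace-management:PutBankAccountVerificationDetails",
                   "aws-marketplace-management:GetBankAccountVerificationDetails",
                   "payments:CreatePaymentInstrument", "payments:GetPaymentInstrument",
                   "aws-marketplace:DescribeEntity", "aws-marketplace:StartChangeSet",
                   "aws-marketplace:ListEntities"],
        "Resource": "arn:aws:aws-marketplace:us-east-1:123456789012:AWSMarketplace/Seller/*",
    }],
}


def _as_list(value):
    """Statement/Action/Resource may be a single value or a list; normalise to a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def _glob_match(pattern, value, ignore_case=False):
    """IAM-style matching: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def evaluate(policy, action, resource):
    """Return "Allow", "Deny" (explicit) or "ImplicitDeny" for one action on one ARN."""
    decision = "ImplicitDeny"
    for stmt in _as_list(policy.get("Statement")):
        if "NotAction" in stmt or "NotResource" in stmt:
            raise ValueError("NotAction/NotResource are not modelled by this example")
        action_hit = any(_glob_match(p, action, True) for p in _as_list(stmt.get("Action")))
        resource_hit = any(_glob_match(p, resource) for p in _as_list(stmt.get("Resource")))
        if not (action_hit and resource_hit):
            continue
        if stmt.get("Effect") == "Deny":
            return "Deny"  # an explicit deny cannot be overridden by any Allow
        if stmt.get("Effect") == "Allow":
            decision = "Allow"
    return decision


def allowed_actions(policy, candidate_actions, resource=SELLER_ARN):
    """Sorted subset of candidate_actions that the policy allows on the resource."""
    return sorted(a for a in candidate_actions if evaluate(policy, a, resource) == "Allow")


def with_actions(policy, extra_actions):
    """Copy of policy with extra_actions appended to its first Allow statement,
    which is how the post suggests adding the tax actions to the bank policy."""
    new_policy = copy.deepcopy(policy)
    for stmt in _as_list(new_policy.get("Statement")):
        if stmt.get("Effect") == "Allow":
            stmt["Action"] = _as_list(stmt.get("Action")) + list(extra_actions)
            return new_policy
    raise ValueError("policy has no Allow statement")


if __name__ == "__main__":
    for name, policy in (("tax", TAX_POLICY), ("bank", BANK_POLICY)):
        print(name, "->", allowed_actions(policy, NEW_PERMISSIONS))
```

The same allowed_actions call run over every persona policy gives you a quick matrix of who can reach which of the new permissions, which is the artefact a reviewer wants to see before the policies are attached. For the authoritative answer, including Conditions and SCPs, use the IAM policy simulator.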

3. Know Your Customer (KYC) user

Know Your Customer (KYC) is a compliance process used by financial institutions and online businesses to verify the identity of their customers; for AWS Marketplace it applies to sellers in EMEA (Europe, Middle East and Africa). The KYC information is completed as part of the seller registration process, after the tax and banking information is provided in AMMP.

AWS Marketplace sellers from the EMEA region are required to complete the KYC process. This process involves providing additional information about your company, key points of contact, beneficial ownership, and supporting documentation. To let users enter this information through the AMMP console while restricting access to other sensitive areas of the console, you can use the following permissions:

aws-marketplace-management:PutSellerVerificationDetails

aws-marketplace-management:GetSellerVerificationDetails

aws-marketplace-management:PutBankAccountVerificationDetails

aws-marketplace-management:GetBankAccountVerificationDetails

aws-marketplace-management:PutSecondaryUserVerificationDetails

aws-marketplace-management:GetSecondaryUserVerificationDetails

aws-marketplace-management:GetAdditionalSellerNotificationRecipients

aws-marketplace-management:PutAdditionalSellerNotificationRecipients

Refer to the following example:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Action": [
                "aws-marketplace-management:GetBankAccountVerificationDetails",
                "aws-marketplace-management:PutBankAccountVerificationDetails",
                "aws-marketplace-management:GetSecondaryUserVerificationDetails",
                "aws-marketplace-management:PutSecondaryUserVerificationDetails",
                "aws-marketplace-management:GetAdditionalSellerNotificationRecipients",
                "aws-marketplace-management:PutAdditionalSellerNotificationRecipients",
                "aws-marketplace-management:GetSellerVerificationDetails",
                "aws-marketplace-management:PutSellerVerificationDetails",
                "aws-marketplace:DescribeEntity",
                "aws-marketplace:StartChangeSet",
                "aws-marketplace:ListEntities"
            ],
            "Resource": "*"
        }
    ]
}

4. Permissions for secondary users

Secondary users are individuals who can amend KYC information, control the flow of funds or refunds, and change financial information such as bank account details. Only secondary users who have been KYC verified can make these updates, and they are subject to the same ongoing screening controls as the administrator user. You can enable these access controls using the following permissions:

aws-marketplace-management:PutSecondaryUserVerificationDetails

aws-marketplace-management:GetSecondaryUserVerificationDetails

Refer to the following example:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Action": [
                "aws-marketplace-management:PutSecondaryUserVerificationDetails",
                "aws-marketplace-management:GetSecondaryUserVerificationDetails"
            ],
            "Resource": "*"
        }
    ]
}

5. Access to AWS Marketplace email contacts

Some users require permission to view and update the email contacts subscribed to AWS Marketplace notifications. You can grant that using the following permissions:

aws-marketplace-management:GetAdditionalSellerNotificationRecipients

aws-marketplace-management:PutAdditionalSellerNotificationRecipients

Refer to the following example:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Action": [
                "aws-marketplace-management:GetAdditionalSellerNotificationRecipients",
                "aws-marketplace-management:PutAdditionalSellerNotificationRecipients",
                "aws-marketplace:ListEntities",
                "aws-marketplace:DescribeEntity",
                "aws-marketplace:StartChangeSet"
            ],
            "Resource": "*"
        }
    ]
}

6. Access to pending tasks and support tickets

You can grant users who need to create, edit, update, or view pending seller actions, and to open support cases, access to the necessary AMMP consoles using the following permissions. Note that support:CreateCase is not limited to AWS Marketplace cases; it lets the user open AWS Support cases for the account in general, so grant it only to users who should be able to do that:

aws-marketplace:ListTasks

aws-marketplace:DescribeTask

aws-marketplace:UpdateTask

aws-marketplace:CompleteTask

support:CreateCase

Refer to the following example:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Action": [
                "aws-marketplace:ListTasks",
                "aws-marketplace:DescribeTask",
                "aws-marketplace:UpdateTask",
                "aws-marketplace:CompleteTask",
                "support:CreateCase"
            ],
            "Resource": "*"
        }
    ]
}

Cleanup

To clean up the IAM resources created in this tutorial, follow these steps. You must be signed in as an administrator of the AWS account in which the user was created.

  1. Remove the IAM user that the permission policy was attached to (deleting the user also detaches its policies):
    • Navigate to IAM in the AWS Management Console.
    • Select Access Management and then select Users.
    • Select the user to remove.
    • Choose the Delete button and confirm deletion of the user.
  2. Remove the IAM policy created for providing granular permissions:
    • Navigate to IAM in the AWS Management Console.
    • Select Access Management and then select Policies.
    • Select the policy.
    • Choose the Delete button and confirm deletion of the policy.

Conclusion

In this blog post, we showed you how to adopt granular IAM control using AWS Marketplace fine-grained permissions. We also showed how to use policies to set up permissions for tax officers, banking officers, and Know Your Customer users. Additionally, we showed which permissions to use in place of the two deprecated permissions.

About the authors

Marco Masciola is a Senior Partner Solutions Architect and technical lead for the Global Sustainability Partner Segment at Amazon Web Services. He works as an industry specialist helping partners tackle climate, energy and ESG challenges through technology. In this role, Marco helps AWS partners deliver their sustainability solutions through the AWS cloud.
Chandrashekar Vishweshwara is a Specialist Solutions Architect with AWS Marketplace. In this role, Chandrashekar helps sellers with onboarding products to AWS Marketplace.