AWS Marketplace

Simplifying buyer procurement workflow integration with AWS Marketplace

Organizations often configure workflows to establish who can procure products and when, what, and how they can manage their procure-to-pay processes. As organizations grow, so does the complexity of processes, people, and systems. Controls are necessary to establish governance around procurement processes for cost management and capacity utilization and to reduce organizational risk.

In this post, we share an approach using selected AWS features that help govern how buyers use your organization’s procurement workflows for their AWS Marketplace subscriptions. We show you how to integrate these features into your procurement workflow with AWS Marketplace subscriptions with minimal effort.

Prerequisites

We assume that an organization implementing the suggested approach will adhere to the following tenets:

  1. Your organization has separation of duties to differentiate between personnel who negotiate and approve procurement contracts, and those who use the products and services subscribed to through AWS Marketplace.
  2. Procurement contracts with significant operational, financial, or legal risk are approved using standardized workflows before subscribing through AWS Marketplace.
  3. The organization permits limited self-service subscription capabilities on specified products in AWS Marketplace to non-procurement AWS users, such as engineers or developers.

Solution walkthrough: Simplifying buyer procurement workflow integration with AWS Marketplace

Step 1: Assign IAM policies to personnel authorized to contract through AWS Marketplace

In this step, assign AWS Identity and Access Management (IAM) policies to the procurement and finance personnel who accept seller contracts for products and services through AWS Marketplace. AWSMarketplaceManageSubscriptions is an AWS managed policy that grants permissions to subscribe to and unsubscribe from AWS Marketplace products.

Following the principle of least privilege, you can assign the AWSMarketplaceRead-only AWS managed policy to your legal, finance, IT, and line-of-business teams. This lets them view products, private offers, and subscriptions in AWS Marketplace without having subscription permissions.

For AWS Organizations, associate these IAM policies with identities at the management account level and any other AWS member accounts where AWS Marketplace subscriptions reside.

You can create an IAM role called procurement-manager and attach the subscription permissions to it so that multiple procurement users can assume this role instead of holding the permissions individually. For federated access to the AWS accounts in your organization, use AWS IAM Identity Center (successor to AWS Single Sign-On) permission sets to grant these policies to federated users and groups.

Step 2: Set up a private marketplace to create a catalog of approved products

AWS Marketplace Private Marketplace lets you control which products and IAM identities in your AWS account can procure from AWS Marketplace. It is a feature of AWS Marketplace that lets private marketplace administrators create curated digital catalogs of products that conform to your procurement workflows. You can create one or more private marketplaces in your organization with approved products.

You will create a pmp-administrator IAM role for private marketplace administrators and attach the AWS managed policy named AWSPrivateMarketplaceAdminFullAccess. You can also create custom policies for private marketplace administrators to limit each administrator to a subset of tasks. The configuration of the IAM roles and associated IAM policies should be reviewed with the IT security team to validate compliance with the organization's access and security policies.

If your AWS account is part of AWS Organizations, then your private marketplace administrator must create the first private marketplace from the management (payer) account. You can learn more about private marketplace creation from Creating and managing a private marketplace in the AWS Marketplace Buyer Guide.

Prior to creation, your private marketplace administrator must complete two other activities:

  • Identify and add existing products that are in use to the relevant private marketplace to minimize disruption.
  • Attach AWSPrivateMarketplaceRequests IAM policy to user identities if you would like to allow them to request a product be added to the private marketplace.

Step 3: Create a control step in your procurement workflow to authorize your private marketplace administrator to add a product to a private marketplace

This is a business process step that your procurement team must implement to let your private marketplace administrator maintain the private marketplace. This integrates your procurement approval workflow with the process of accepting seller contracts through AWS Marketplace. You will create a control step for your private marketplace administrator to determine how a product is authorized to be added to the relevant private marketplace. A decision tree will help identify if the product requested is to be contracted through a self-service public offer or through a private offer.

a. Self-service public offers

Self-service offers require you to subscribe to a product at the public prices and terms available to any AWS Marketplace buyer, without any modifications or negotiations. For self-service public offers, the private marketplace administrator can directly add the product to the relevant private marketplace.

b. Seller private offers

The AWS Marketplace seller private offer feature lets you receive product pricing and agreement terms that aren’t publicly available from a seller. You negotiate pricing and terms with the seller, and the seller creates a private offer for the AWS account that you designate. For private offers, the private marketplace administrator must determine whether the requester has obtained the relevant approvals following your procurement workflow before adding the product.

Once a private marketplace administrator has added a product to a private marketplace, the product requester can subscribe to the relevant offer if they have AWS Marketplace subscription permissions. Otherwise, the private marketplace administrator must accept the relevant offer.

Step 4: Enable organization-level restrictions to prevent unauthorized users from adding a product to a private marketplace

Steps 1 through 3 do not limit the ability of users with the AdministratorAccess IAM policy attached to their identities to circumvent the controls created above. For example, several administrators in an account that hosts private marketplace administration can add products to a private marketplace even if only one of them is authorized to perform AWS Marketplace transactions. You can restrict this in member accounts by implementing a service control policy (SCP). SCPs are available only in an organization that has all features enabled.

In this case, you will create the SCP in the management account and attach it to the organization root or to the organizational units that contain the accounts where private marketplace administration takes place. It denies the private marketplace association actions to every principal that is not the pmp-administrator IAM role, so an AdministratorAccess user in those accounts can no longer add or remove products. Note that SCPs never restrict principals in the management account itself: an administrator who manages the private marketplace from the management (payer) account is not affected by this SCP, so in that account you must keep the number of administrator identities small and rely on IAM identity policies or a permissions boundary instead. Here is a sample SCP to restrict access:

{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Sid": "ProcurementPolicy",
         "Effect": "Deny",
         "Action": [
            "aws-marketplace:AssociateProductsWithPrivateMarketplace",
            "aws-marketplace:DisassociateProductsFromPrivateMarketplace"
         ],
         "Resource": [
            "*"
         ],
         "Condition": {
            "StringNotLike": {
               "aws:PrincipalArn": "arn:aws:iam::*:role/pmp-administrator"
            }
         }
      }
   ]
}
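Before attaching an SCP to the organization root, it pays to confirm that the document is valid and that the Deny really exempts only the intended role. The following script is an added example, not code from the original post or from AWS: it lints the SCP document (JSON validity, policy Version, no Principal element) and evaluates the explicit Deny locally against sample principal ARNs, implementing only the slice of IAM evaluation this policy depends on (action and resource wildcards, String* conditions on aws:PrincipalArn, and the rule that SCPs do not apply to the management account). The account ID 111122223333 and the principal names are constructed placeholders. Nothing here calls AWS; it complements, rather than replaces, the IAM policy simulator.

```python
"""Local lint and Deny evaluation for the private marketplace SCP (added example)."""
import fnmatch
import json

# The SCP from the post, with a valid policy-language Version and no trailing comma.
SCP_TEXT = r'''
{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Sid": "ProcurementPolicy",
         "Effect": "Deny",
         "Action": [
            "aws-marketplace:AssociateProductsWithPrivateMarketplace",
            "aws-marketplace:DisassociateProductsFromPrivateMarketplace"
         ],
         "Resource": ["*"],
         "Condition": {
            "StringNotLike": {"aws:PrincipalArn": "arn:aws:iam::*:role/pmp-administrator"}
         }
      }
   ]
}
'''
ASSOCIATE = "aws-marketplace:AssociateProductsWithPrivateMarketplace"


def lint_scp(text):
    """Return a list of problems with an SCP document; an empty list means it passed."""
    try:
        doc = json.loads(text)  # rejects trailing commas, which IAM also rejects
    except json.JSONDecodeError as err:
        return [f"invalid JSON: {err.msg} at line {err.lineno}"]
    problems = []
    if doc.get("Version") != "2012-10-17":
        problems.append(f"Version {doc.get('Version')!r} is not valid; use 2012-10-17")
    for i, stmt in enumerate(doc.get("Statement", [])):
        if stmt.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"statement {i}: Effect must be Allow or Deny")
        if "Principal" in stmt or "NotPrincipal" in stmt:
            problems.append(f"statement {i}: SCPs cannot contain a Principal element")
    return problems


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _like(value, pattern):
    """IAM StringLike semantics: case-sensitive, only '*' and '?' are wildcards."""
    return fnmatch.fnmatchcase(value, pattern.replace("[", "[[]"))


def _condition_holds(condition, context):
    """Every operator/key pair in a Condition block must match (logical AND)."""
    ctx = {k.lower(): v for k, v in context.items()}  # key names are case-insensitive
    for operator, keys in condition.items():
        negated = operator.startswith("StringNot")
        for key, patterns in keys.items():
            value = ctx.get(key.lower())
            if value is None:  # missing key fails positive operators, satisfies negated ones
                if not negated:
                    return False
                continue
            if operator in ("StringLike", "StringNotLike"):
                hit = any(_like(value, p) for p in _as_list(patterns))
            elif operator in ("StringEquals", "StringNotEquals"):
                hit = value in _as_list(patterns)
            else:
                raise ValueError(f"operator {operator} is not supported by this evaluator")
            if hit == negated:
                return False
    return True


def scp_denies(policy_text, action, principal_arn, resource="*"):
    """True if the SCP carries an applicable explicit Deny for this action and principal."""
    for stmt in json.loads(policy_text)["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        # Action names match case-insensitively; resource ARNs are case-sensitive.
        if not any(_like(action.lower(), a.lower()) for a in _as_list(stmt["Action"])):
            continue
        if not any(_like(resource, r) for r in _as_list(stmt.get("Resource", "*"))):
            continue
        if _condition_holds(stmt.get("Condition", {}), {"aws:PrincipalArn": principal_arn}):
            return True
    return False


def scp_blocks(policy_text, action, principal_arn, in_management_account=False):
    """What the caller experiences: SCPs never apply to principals in the management account."""
    return False if in_management_account else scp_denies(policy_text, action, principal_arn)


if __name__ == "__main__":
    for arn in ("arn:aws:iam::111122223333:role/pmp-administrator",
                "arn:aws:iam::111122223333:role/pmp-administrator-backup",
                "arn:aws:iam::111122223333:user/admin-alice"):
        print(f"{arn}: denied={scp_denies(SCP_TEXT, ASSOCIATE, arn)}")
```

Two results are worth noting. A role named pmp-administrator-backup is denied, because StringNotLike matches the whole ARN and the pattern carries no trailing wildcard; that is the behaviour you want, since a looser pattern such as role/pmp-administrator* would silently widen the exemption. And any principal evaluated with in_management_account=True is never blocked, which is why the management account needs IAM-side controls in addition to this SCP.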

Ongoing maintenance

An important aspect of implementing this approach is the continued review and maintenance of the catalog for products approved for the private marketplace. The private marketplace administrator should have a documented process to review and remove previously authorized products in a private marketplace catalog. We also recommend that the scope of IAM identities included in the procurement-manager and pmp-administrator IAM roles be periodically reviewed for least privilege access.

Public offer products not used within a defined time period (for example, 6 months) should be removed by the marketplace administrator and the procurement team notified. Private offer products should be reviewed periodically by a marketplace administrator to identify which products have expiring subscriptions. For subscriptions that are within 3 months from the date of expiry, the private marketplace administrator should remove the product from the catalog to prevent renewal without proper approval. Once the approvals are obtained, the procurement team can request the private marketplace administrator to add the product back to the private marketplace catalog.

Conclusion

In this blog post, Soumya and I showed how to use IAM policies, private marketplace, and SCPs to integrate your procurement workflow with product subscription in AWS Marketplace. This helps reduce operational workload and conflict between your procurement workflow and AWS Marketplace processes. It also reduces the risk that unauthorized users may contract for products through AWS Marketplace without proper approval from your procurement organization.

For more information about AWS Marketplace and demonstrations on implementing this approach, contact your AWS account team for a meeting with your AWS Marketplace customer advisor.

About Authors

Kaushik Raha

Kaushik is a Business Development Manager and AWS Marketplace Customer Advisor. He supports a portfolio of customers, including digital native businesses, startups, and enterprise companies. He enjoys helping customers strategize and adopt AWS Marketplace to digitally transform their procurement functions. In his spare time, he enjoys programming, sailing, and is a wine aficionado.

Soumya Vanga

Soumya is a Specialist Solutions Architect supporting AWS Marketplace. She helps sellers list their products in AWS Marketplace and customers with the governance of their cloud environments. Outside of work, she enjoys building Legos and cycling with her kids.