AWS Marketplace
Streamline Software Procurement Across your Organization with Private Marketplace
Private Marketplace allows customers to curate catalogs of approved products from AWS Marketplace. AWS Marketplace now provides private marketplace support for organizational units (OUs), allowing you to create, manage, and govern private marketplace catalogs for OUs within your AWS Organizations. Previously, you were limited to governing private marketplace catalogs at the AWS account level or for your entire organization. This launch enhances private marketplace functionality, allowing you to scale your software governance across your organization while increasing agility and enabling faster software procurement.
You can now gain a comprehensive view of your organization’s private marketplace structure and governance, enabling you to create unique catalogs for different OUs. This capability supports distinct product catalogs per business unit or development environment, empowering your organization to align software procurement with specific needs. Additionally, you can designate a trusted member account as a delegated administrator for private marketplace administration, reducing the operational burden on the management account administrator. With this launch, organizations can procure more quickly by providing administrators with the agile controls they need to scale their procurement governance across distinct business and user needs.
In this post, we will guide you through the fundamentals of private marketplace and its key personas, and illustrate step by step how to create and manage a private marketplace at scale for your organization. We will also address best practices for private marketplace implementation.
Private Marketplace key personas and permissions
- Management account administrator – Only an administrator persona in the management account can enable a private marketplace for their organization. After enabling the private marketplace, they can delegate private marketplace administration to a delegated member account. The management account administrator has the AWSPrivateMarketplaceAdminFullAccess, AWSOrganizationsFullAccess, and IAMFullAccess policies, which allow them to enable, create, delegate, and manage the private marketplace. Management account administrators can perform private marketplace administrative tasks, such as creating experiences, updating branding settings, associating or disassociating audiences, adding or removing products, and approving or declining product requests.
- Delegated account administrator – The administrator persona in a delegated account can create and manage the private marketplace. This persona has the AWSPrivateMarketplaceAdminFullAccess policy, which grants them the permissions to perform private marketplace administrative tasks. This includes creating experiences, updating branding settings, associating or disassociating audiences, adding or removing products, and approving or declining product requests.
- End user – The end user is the key persona who subscribes to AWS Marketplace products within the private marketplace. End users have the ability to request AWS Marketplace products that may not currently be on their organization’s approved products list. For end users to request products, they must be assigned the AWSPrivateMarketplaceRequests policy. Additionally, to subscribe to AWS Marketplace products, end users require the AWSMarketplaceManageSubscriptions policy.
Solution Walkthrough: Streamline Software Procurement with Private Marketplace
A private marketplace provides you with a broad catalog of products available in AWS Marketplace, along with fine-grained control of those products. With AWS Organizations, you can centralize management of all your accounts, group accounts into OUs, and attach different access policies to each OU. You can create one or more private marketplace experiences that are associated with your entire organization. You can also create one or more OUs or accounts in your organization, each with its own set of approved products. Your AWS administrators can also apply company branding to each private marketplace experience with your company or team’s logo, messaging, and color scheme.
Creating a private marketplace
To set up a private marketplace, ensure the following prerequisites are met:
- Your AWS organization must have all features enabled.
- Your private marketplace administrator should have the AWSPrivateMarketplaceAdminFullAccess, AWSOrganizationsFullAccess, and IAMFullAccess AWS Identity and Access Management (IAM) policies attached to their administrator role in the management account. These policies provide the necessary permissions to create and manage the private marketplace.
Step 1: Enable private marketplace for your organization
- From your AWS management account, navigate to Private Marketplace and choose Getting started with Private Marketplace.
- Next, choose the option to Enable trusted access across organization. Trusted access allows the management account of an organization to provide or revoke access for their AWS Organizations data for an AWS service. Enabling trusted access is critical for the private marketplace to integrate with AWS Organizations and designate the private marketplace as a trusted service in your organization.
- Choose the option to Enable a private marketplace service-linked role for this account. This will create the AWSServiceRoleForPrivateMarketplaceAdmin role in your management account, allowing the private marketplace service to access data from your AWS Organization.
- Choose Enable private marketplace to complete the setup process.
Figure 1 shows enabling trusted access for AWS Organizations to get started with Private Marketplace.
Figure 1. Enable trusted access with Private Marketplace
Step 2: Register a delegated administrator for your private marketplace
Once you have enabled a private marketplace for your organization, you can register a trusted member account to act as a delegated administrator and manage private marketplace experiences for your organization. This minimizes the need to use the management account for security reasons.
To register a delegated administrator for your private marketplace:
- On the private marketplace settings page, choose the option to Register a new administrator.
- Enter the 12-digit AWS account ID of the member account you want to designate as the delegated administrator.
- Once you’ve entered the account ID, choose Register.
Figure 2 shows adding a trusted member account to act as a delegated administrator.
Figure 2. Adding a delegated administrator
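Steps 1 and 2 can also be driven from the management account with the AWS Organizations API. The following is an added example (not code from the post or from AWS): it checks that all features are enabled, enables trusted access, and registers the delegated administrator idempotently. It assumes the Private Marketplace service principal string shown below, and the account ID in the `__main__` block is a placeholder.

```python
"""Enable Private Marketplace trusted access and register a delegated
administrator from the management account (added example, not AWS code).
Assumption: the service principal below is the one Private Marketplace
uses for Organizations trusted access."""
import re

PRIVATE_MARKETPLACE_PRINCIPAL = "private-marketplace.marketplace.amazonaws.com"  # assumed
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")


def check_prerequisites(org):
    """Private Marketplace requires an organization with all features enabled."""
    feature_set = org.describe_organization()["Organization"]["FeatureSet"]
    if feature_set != "ALL":
        raise RuntimeError(f"organization feature set is {feature_set}, need ALL")
    return True


def enable_trusted_access(org):
    """Mark Private Marketplace as a trusted service; no-op if already enabled."""
    resp = org.list_aws_service_access_for_organization()
    enabled = {p["ServicePrincipal"] for p in resp["EnabledServicePrincipals"]}
    if PRIVATE_MARKETPLACE_PRINCIPAL in enabled:
        return False
    org.enable_aws_service_access(ServicePrincipal=PRIVATE_MARKETPLACE_PRINCIPAL)
    return True


def register_delegated_admin(org, account_id):
    """Delegate catalog administration to a trusted member account so routine
    work does not require management-account credentials."""
    if not ACCOUNT_ID_RE.match(account_id):
        raise ValueError("account ID must be exactly 12 digits")
    resp = org.list_delegated_administrators(ServicePrincipal=PRIVATE_MARKETPLACE_PRINCIPAL)
    if account_id in {a["Id"] for a in resp["DelegatedAdministrators"]}:
        return False
    org.register_delegated_administrator(
        AccountId=account_id, ServicePrincipal=PRIVATE_MARKETPLACE_PRINCIPAL)
    return True


def setup_private_marketplace(org, delegated_account_id):
    """Run the whole Step 1 + Step 2 sequence; returns what actually changed."""
    check_prerequisites(org)
    return {"trusted_access_enabled": enable_trusted_access(org),
            "delegated_admin_registered": register_delegated_admin(org, delegated_account_id)}


if __name__ == "__main__":
    import boto3  # credentials must belong to the management account
    print(setup_private_marketplace(boto3.client("organizations"), "111122223333"))  # placeholder ID
```

The service-linked role from Step 1 is created by the Private Marketplace console flow and is not covered here.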
Step 3: Create an experience, curate products, and set the experience to live
Your private marketplace is made up of one or more private marketplace experiences. Experiences are a subset of products and associated branding that can have one or more associated audiences.
Follow these steps to create an experience and associate an audience:
- Navigate to the Experiences tab in your private marketplace and choose Create Experience.
- Configure the experience details – For Experience title, enter a name for the experience. You can also optionally add a description in the Experience description section.
- Choose Create experience. Follow the steps listed in Step 4 to associate an audience with the experience.
- Once the experience is created, choose it and open the Products tab, which lists all AWS Marketplace products. You can use the various search dimensions, such as vendor name, delivery method, or free trial, to find the products you want to add to the experience.
- Select the products you want to add to the experience and choose Add products.
- On the Settings tab, you can change the private marketplace experience status to Live (enabled) to have the accounts in the experience governed by your private marketplace.
You can also add multiple products to multiple experiences at one time by choosing Bulk add/remove products from the left navigation pane.
Step 4: Associate an audience with the experience
An audience is an organization or a group of OUs or accounts that you can associate with a private marketplace experience. You can associate one or more audiences to an experience. When you associate or disassociate an audience, it will change the governing experience of child OUs and accounts.
- Choose the experience and choose View details.
- Choose the Associated audience tab to associate the audience to this experience.
- In the Associate audience section, choose Add additional audience. This will open your AWS Organizations structure. You can choose one or more OUs, nested OUs, individual accounts, or the entire organization to associate with the experience.
- In the Review and associate page, review the selected audience and choose Associate with experience.
The Organization structure page also allows you to view the hierarchical structure of your organization, including the governance applied at each level. Each node in the hierarchy is populated with details such as the governing experience, the relationship (associated or inherited), and the ID of the principal (organization ID, OU ID(s), or account ID(s)). You can select rows with an Associated relationship and choose either Disassociate from experience to remove the association or Edit association to modify it.
This governance model allows you to apply different experiences to various hierarchical units within your organization. The governing experience is determined based on the closest active experience associated to a node. Note that rows with an inherited relationship type are disabled since they inherit permissions from their parent nodes.
Figure 3 shows the governing experience and relationship for each node.
Figure 3. Experience association hierarchy
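The resolution rule just described (closest live associated experience wins, and everything below it shows as Inherited) is easy to get wrong when planning which OU gets which catalog. The following is an added example, not code from the post: it models that rule over a constructed organization tree and a constructed set of associations, including a default experience at the root and an experience that was created but never set to Live.

```python
"""Resolve which Private Marketplace experience governs each OU and account
(added example modelling the rule in the post; not AWS code). The org tree
and associations below are constructed sample data."""

# Constructed sample organization: child principal -> parent principal.
PARENT = {
    "ou-prod": "o-example",
    "ou-dev": "o-example",
    "ou-dev-sandbox": "ou-dev",
    "111111111111": "ou-prod",
    "222222222222": "ou-dev",
    "333333333333": "ou-dev-sandbox",
    "444444444444": "ou-dev-sandbox",
    "555555555555": "o-example",
}

# Constructed associations: principal -> (experience name, is it Live?).
ASSOCIATIONS = {
    "o-example": ("default", True),             # best practice: default at the org root
    "ou-prod": ("prod-approved", True),
    "ou-dev-sandbox": ("sandbox-tools", False),  # created but not yet set to Live
    "444444444444": ("data-science", True),      # per-account override
}


def governing_experience(principal, parent=PARENT, assoc=ASSOCIATIONS):
    """Walk up from the principal; the closest live association wins.
    Returns (experience, relationship, principal it comes from), or
    (None, None, None) when no live experience covers the node."""
    node, hops = principal, 0
    while node is not None:
        exp = assoc.get(node)
        if exp is not None and exp[1]:  # non-live experiences do not govern
            return exp[0], ("Associated" if hops == 0 else "Inherited"), node
        node, hops = parent.get(node), hops + 1
    return None, None, None


def governance_report(parent=PARENT, assoc=ASSOCIATIONS):
    """One row per principal, as the Organization structure page shows it."""
    nodes = set(parent) | set(parent.values())
    return {n: governing_experience(n, parent, assoc) for n in sorted(nodes)}


if __name__ == "__main__":
    for node, (exp, rel, src) in governance_report().items():
        print(f"{node:16} {exp or '-':16} {rel or '-':11} via {src or '-'}")
```

Removing the root association from `ASSOCIATIONS` shows why the default-experience best practice matters: accounts under `ou-dev` then resolve to no experience at all.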
End user view
End users in member accounts that are governed by your private marketplace can access the AWS Management Console and choose the Approved products filter to show only the products approved in their organization.
If an end user tries to subscribe to a product that has not been approved in their private marketplace, they will see a banner stating the product is not approved for procurement by your private marketplace administrator. The end user can create a request for the product to be added to the private marketplace by choosing Create request and providing a reason for the request. The private marketplace administrator will then be able to view this request in their dashboard and decide whether to approve or decline the request.
Best practices
- Create a default experience – Create a default experience and associate it with the entire organization by providing the organization ID as the audience. This practice ensures that any OU or account that does not have an explicitly assigned experience will automatically fall under the governance of this default experience.
- Register a delegated administrator – The management account administrator can register a trusted member account to act as a delegated administrator and to manage private marketplace experiences for your organization. This minimizes the need to use the management account for security reasons.
- Leverage organizational units – For easier maintenance, create experiences at the OU level when applicable. This allows you to apply specific approved product lists to relevant parts of your organization’s hierarchy.
- Customize individual accounts governance – Customize experiences by associating individual accounts to a specific experience if the approved products don’t align with the overarching organization or OU experience. This flexibility ensures tailored governance based on specific account requirements.
- Regularly audit experiences – Conduct regular audits of experiences, their associated audiences, and the list of approved products to prevent outdated products from lingering in the approved list. Periodic reviews help maintain the relevance and security of the private marketplace setup.
Conclusion
In this post, we guided you through the process of creating and managing a private marketplace for your organization at scale, using AWS organizational units and the delegated administrator capability. Administrators can create and customize curated digital catalogs of approved products that align with your in-house policies. Your end users can quickly find, buy, and deploy the AWS Marketplace products they need while you maintain procurement controls and governance.
If you have any questions about implementing the solutions described in this post, we encourage you to start a new thread on the AWS Marketplace Discussion Forum or reach out to AWS Support for further assistance.
Next steps
- Start by signing in to the management account in AWS Organizations and enable the private marketplace feature.
- To learn more, try the AWS Marketplace lab to build a catalog of approved products. For additional information, refer to AWS Marketplace Buyer Guide.
- For information on managed policies for various IAM actions, you can refer to the managed policies documentation in the Buyer Guide.
- For programmatically managing your private marketplace, you can refer to the AWS Marketplace Catalog API.
About the authors
Soumya Vanga is a solutions architect with expertise in designing and implementing scalable solutions for complex business problems. Outside of work, she enjoys audiobooks, building Legos and road trips with her family.
Radhika Vuyyuru is a Senior Product Manager at AWS Marketplace, where she builds and manages products and features that enhance customer purchasing experiences within AWS Marketplace. She is dedicated to launching products that enable customers to govern and personalize their AWS Marketplace journey. Outside of work, Radhika enjoys traveling, cooking, reading, spending time with her family, and exploring new fitness activities.