Streamlining and fast-tracking vendor risk assessments with AWS Marketplace Vendor Insights
Vendor risk assessment for organizations
Organizations, including those in regulated industries or those working with defense and security agencies, must validate that their software supply chains comply with the relevant information security, data privacy, and risk management frameworks. To manage their own software supply chain risk, organizations must assess a software vendor’s risk profile, including security.
During software procurement, to assess the vendor’s risk profile, organizations collect security and other information from a vendor. They continue to monitor that risk profile while using the vendor’s products and services. This process of collecting the vendor risk assessment information is manual, involving spreadsheets and back-and-forth communication between the buyer and the vendor. This can add 8–10 weeks to the procurement process and impacts the speed and agility with which your business units can procure and deploy software products.
A recent Forrester Consulting thought leadership study sponsored by AWS involving a survey of 725 global respondents notes that more than 60 percent of respondents indicated that risk management was still manual. They reported it was difficult to know if the organization was in compliance with policies and regulatory requirements because their organization didn’t have the right tools and technologies. Additionally, 40 percent of the respondents believe that procurement’s processes for evaluating risk and compliance are insufficient.
In this post, I show you how to use AWS Marketplace Vendor Insights to access security profiles associated with vendor products listed in AWS Marketplace. The AWS Marketplace Vendor Insights dashboard presents compliance artifacts and security control information for software products to help buyers complete their vendor risk assessment. You can access the dashboard through the AWS Marketplace Console.
Overview of the AWS Marketplace Vendor Insights dashboard
AWS Marketplace Vendor Insights helps streamline third-party software risk assessments by compiling evidence relevant to a vendor’s security risk in a unified dashboard accessible to buyers on AWS Marketplace. The dashboard reduces your effort to access and update this information while you use the vendor’s products.
The AWS Marketplace Vendor Insights dashboard provides information on 125 security and compliance controls in 10 control categories for software-as-a-service (SaaS) product vendors. These include data privacy, application security, and access control. For further insights into control categories, refer to this control categories documentation. AWS Marketplace compiles the information for each vendor using evidence from up to three sources. These sources include:
- Automated evidence refreshed from the vendor’s production AWS accounts using AWS Config and AWS Audit Manager.
- Third-party assessment reports provided by the vendor that are compliant with industry standard frameworks. These frameworks include the International Organization for Standardization (ISO) Standard for Information Security Management (ISO/IEC 27001) and the American Institute of Certified Public Accountants (AICPA) System and Organization Controls for Service Organizations: Trust Services Criteria (SOC 2).
- Self-attested answers provided by the vendor in response to standardized controls questionnaires.
You can access the AWS Marketplace Vendor Insights dashboard from any product’s AWS Marketplace product detail page. You can use AWS Marketplace Vendor Insights even if you don’t procure the software through AWS Marketplace. You can request access to and view the AWS Marketplace Vendor Insights profile during pre-procurement assessments. To continually monitor changes to security controls, you can also subscribe to email notifications after procurement.
Who can access AWS Marketplace Vendor Insights on the buyer side
AWS recommends that you use AWS Identity and Access Management (IAM) identities and apply AWS managed policies to provide your users permissions to access and manage AWS Marketplace subscriptions. You can also create your own policies with the required permissions. All users who have an IAM identity to access an AWS account can access the AWS Marketplace Vendor Insights dashboard if they have the relevant permissions attached to their IAM identity.
There are no limitations on the number of users who can access AWS Marketplace Vendor Insights. For more information on AWS managed policies for buyers on AWS Marketplace, visit AWS managed policies for AWS Marketplace buyers.
New managed policies
AWS Marketplace is launching two new AWS managed policies specifically for AWS Marketplace Vendor Insights:
- AWSVendorInsightsAssessorFullAccess – This policy grants full access for viewing AWS Marketplace Vendor Insights resources and managing AWS Marketplace Vendor Insights subscriptions.
- AWSVendorInsightsAssessorReadOnly – This policy grants read-only access for viewing entitled AWS Marketplace Vendor Insights resources.
Buyer organizations should use the preceding AWS managed policies in conjunction with the following existing AWS managed policies for buyers:
- AWSMarketplaceFullAccess – This policy grants administrative permissions that allow full access to AWS Marketplace and related services, both as a buyer and a vendor.
- AWSMarketplaceManageSubscriptions – This policy grants permissions that allow subscribing and unsubscribing to AWS Marketplace products.
- AWSMarketplaceRead-only – This policy grants read-only permissions that allow viewing products and subscriptions on AWS Marketplace.
How to apply least privilege to Vendor Insights access
Least privilege is one of many AWS Well-Architected best practices that help you build securely in the cloud. The availability of read-only policies enables you to create segregation of duty through different access privileges. This enables you to provide different access to procurement users who manage product subscriptions and compliance users who manage subscriptions to AWS Marketplace Vendor Insights.
- For example, a procurement user can have the AWSMarketplaceManageSubscriptions and AWSVendorInsightsAssessorReadOnly policies attached to their IAM identity. This enables the procurement user to subscribe to products on AWS Marketplace and view the AWS Marketplace Vendor Insights dashboard information. However, they cannot manage subscriptions on AWS Marketplace Vendors Insights.
- Similarly, a compliance user can have the AWSMarketplaceRead-only and the AWSVendorInsightsAssessorFullAccess policies attached to their IAM identity. This allows compliance users to manage subscriptions on AWS Marketplace Vendor Insights but not manage subscriptions to vendor products in AWS Marketplace.
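The segregation of duty described above can be checked mechanically. The following is an added example (not code from the post or from AWS): it takes the managed policy names attached to an IAM identity, infers which of the two roles it matches, and flags identities that can manage both product subscriptions and Vendor Insights subscriptions or that carry the broad AWSMarketplaceFullAccess policy. The sample identities are constructed; the optional boto3 helper assumes a configured IAM client.

```python
from dataclasses import dataclass, field

# Managed policy names exactly as the post lists them.
VI_FULL = "AWSVendorInsightsAssessorFullAccess"
VI_READ = "AWSVendorInsightsAssessorReadOnly"
MP_FULL = "AWSMarketplaceFullAccess"
MP_MANAGE = "AWSMarketplaceManageSubscriptions"
MP_READ = "AWSMarketplaceRead-only"

MANAGES_PRODUCT_SUBS = {MP_FULL, MP_MANAGE}   # can subscribe to products
MANAGES_VI_SUBS = {VI_FULL}                   # can manage Vendor Insights subscriptions


@dataclass
class Finding:
    identity: str
    role: str                  # procurement | compliance | viewer | none | mixed
    issues: list = field(default_factory=list)


def classify(identity: str, policies: set) -> Finding:
    """Infer the role of one identity and list least-privilege issues."""
    manages_products = bool(policies & MANAGES_PRODUCT_SUBS)
    manages_vi = bool(policies & MANAGES_VI_SUBS)
    issues = []
    if MP_FULL in policies:
        issues.append("AWSMarketplaceFullAccess is buyer+vendor admin; prefer a narrower policy")
    if manages_products and manages_vi:
        role = "mixed"
        issues.append("manages product AND Vendor Insights subscriptions (SoD violation)")
    elif manages_products:
        role = "procurement"
        if VI_READ not in policies:
            issues.append("cannot view Vendor Insights; add AWSVendorInsightsAssessorReadOnly")
    elif manages_vi:
        role = "compliance"
        if MP_READ not in policies:
            issues.append("cannot view Marketplace products; add AWSMarketplaceRead-only")
    elif VI_READ in policies or MP_READ in policies:
        role = "viewer"
    else:
        role = "none"
    return Finding(identity, role, issues)


def attached_policy_names(iam_client, user_name: str) -> set:
    """Collect attached managed-policy names for an IAM user (boto3, paginated)."""
    names = set()
    for page in iam_client.get_paginator("list_attached_user_policies").paginate(UserName=user_name):
        names.update(p["PolicyName"] for p in page["AttachedPolicies"])
    return names


# Constructed sample: the two roles from the post plus an over-privileged admin.
SAMPLE_USERS = {
    "procurement-user": {MP_MANAGE, VI_READ},
    "compliance-user": {MP_READ, VI_FULL},
    "admin-user": {MP_FULL, VI_FULL},
}


def audit(users=SAMPLE_USERS) -> dict:
    return {name: classify(name, pols) for name, pols in users.items()}
```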
How to access the AWS Marketplace Vendor Insights security profile of a vendor
You can discover products with AWS Marketplace Vendor Insights profiles. To do this, follow these steps:
- In the AWS Management Console, navigate to the AWS Marketplace search page.
- Filter by Vendor Insights and Security Profiles. If you want to narrow the search results to products with certifications such as ISO/IEC 27001 or AICPA SOC 2 Type 2, you can further filter by Product Certificates.
- Choose the product that you’re interested in. To navigate to the product details page, choose the product title.
- Go to the AWS Marketplace Vendor Insights profile by choosing View assessment data. Alternatively, you can locate the Vendor Insights section and choose View all profiles for this product.
How to navigate the AWS Marketplace Vendor Insights security profile
The Overview tab
The AWS Marketplace Vendor Insights profile page has a high-level Overview tab that shows the certifications the vendor has received and their expiration dates. The vendors also provide other information that is helpful during the vendor selection process. This may include data residency, a link to their security feed where you can browse the historical security events, and a link to their service availability status.
The Security and compliance tab
The Security and compliance tab contains detailed evidence for 125 security and compliance controls. The summary at the top of the tab provides you with the number of controls that have pre-validated evidence from production workloads running on AWS or from an audit report. It also provides the number of controls with self-reported evidence and whether any controls are noncompliant.
How to subscribe to a product’s security profile
You can view the evidence in the Security and compliance tab after the vendor has approved your access request. To request access to the security profile of a vendor’s product, at the top of the page, choose Request access and submit your contact information.
The vendor will contact you directly to complete a nondisclosure agreement (NDA) and will notify AWS Marketplace when you complete it. At that point, AWS Marketplace will provide you access to the detailed AWS Marketplace Vendor Insights information and will notify you through email that you have subscribed to the security profile.
Controls compliance criteria
Controls compliance is determined by three sources of evidence:
- Workloads on AWS validated by using AWS Config and AWS Audit Manager. These are production workloads and are updated weekly.
- Third-party ISO/IEC 27001 and AICPA SOC 2 Type 2 assessment reports.
- Information from the vendor’s self-assessment.
You can navigate to control groups in each control category and further drill down to the individual controls in each control group. You can review the evidence compiled for each control, the control status, and any annotation on why the control is compliant.
Profile subscriptions and update notifications
With AWS Marketplace Vendor Insights, when you subscribe to a product’s security profile, you can continuously monitor the security profile of that product. When there is a change or update to a vendor’s security profile, AWS Marketplace Vendor Insights automatically notifies you of the changes via email.
You can download the profile information at any time through the Download link on the page in CSV or JSON format and then import the data into your existing vendor risk management tools. Vendors can also securely store and share with you their certifications from accreditation bodies, including their ISO/IEC 27001 and AICPA SOC 2 Type 2 reports, through AWS Artifact third-party reports (Preview).
Unsubscribing from a product’s security profile
If you no longer want access to the security profile for a vendor’s product, you can unsubscribe from the product’s assessment data. To unsubscribe, navigate to the AWS Marketplace Vendor Insights console, choose the relevant product, and then choose Unsubscribe. A success message appears, which indicates that you have unsubscribed from the vendor’s security profile.
In this post, I showed you how to streamline and fast-track your vendor risk assessment process by accessing and navigating the AWS Marketplace Vendor Insights dashboard. After the vendor has granted you access to the detailed profile on completion of their NDA, you can access the dashboard at any time. You can review the vendor evidence directly on the dashboard or download the vendor profile information for further analysis. For continuous monitoring, you can subscribe to the security profile of a vendor’s product for email notifications of profile updates. You can also stop your subscription at any time.
For more information about accessing security profiles of AWS Marketplace vendors using Vendor Insights, check out the video Simplify SaaS Risk Assessment with AWS Marketplace Vendor Insights.
If you need any assistance onboarding AWS Marketplace Vendor Insights as part of your procurement transformation journey, please contact AWS Marketplace at firstname.lastname@example.org.
About the author
Kaushik Raha is a Business Development Manager and AWS Marketplace Customer Advisor. He supports a portfolio of customers, including digitally native businesses, startups, and enterprise companies. He enjoys helping customers strategize and adopt AWS Marketplace to digitally transform their procurement functions. With a background in vendor risk management and compliance, he is excited to help AWS customers fast-track vendor risk assessments through AWS Marketplace Vendor Insights. In his spare time, he enjoys programming and sailing and is a wine aficionado.