AWS Marketplace
Using AWS Private Marketplace to govern access to AWS Marketplace products in AWS GovCloud (US) Regions
Customers in AWS GovCloud (US) Regions often need to control subscriptions and manage access to products available in AWS Marketplace. AWS Private Marketplace enables organizations to build and manage catalogs of approved products in AWS Marketplace that comply with internal policies and requirements in terms of security and compliance. AWS Private Marketplace also provides centralized management of custom catalogs of approved products that can be inherited by AWS GovCloud (US) Region accounts. This gives organizations selection, speed, and agility for simplified purchase and deployment for public sector, government, education, and other regulated customers.
In this post, I show you how to create a Private Marketplace experience in an AWS account in a standard AWS Region. A Private Marketplace experience includes your curated list of approved AWS Marketplace products as well as branding elements, including title, description, color and logo customization. Once you create a Private Marketplace experience, you can use it to govern access to AWS Marketplace products in the associated AWS GovCloud (US) Region account. I will also demonstrate how to deploy approved products from the AWS GovCloud (US) Region account and show how non-approved products will fail.
Solution walkthrough: Using AWS Private Marketplace to govern access to AWS Marketplace products in AWS GovCloud (US) Regions
This solution walks through the following steps:
- Create a Private Marketplace experience in an account in a standard Region.
- Find and add a product available for the AWS GovCloud (US) Regions.
- Customize and enable the Private Marketplace experience.
- Deploy an approved product from the associated AWS GovCloud (US) Region account.
- Deploy a non-approved product from the associated AWS GovCloud (US) Region account.
Prerequisites
For this walkthrough, you need the following prerequisites:
Every account in the AWS GovCloud (US) Region has an associated account in the standard Region where billing occurs for both accounts. The marketplace restrictions placed on this standard AWS region account will be enforced on the associated AWS GovCloud (US) region account.
Step 1: Create a Private Marketplace experience
To create a Private Marketplace experience, you must log in to an account in a standard AWS Region. This account must be associated with the AWS GovCloud (US) Region account that you want to govern access to AWS Marketplace products. If your account is part of an AWS Organizations account structure, you must create the first Private Marketplace experience from the management account. You do not have to enable this Private Marketplace experience; you must only create it.
A. Create the Private Marketplace experience
To create your Private Marketplace experience, do the following:
- Log in to the account in the standard Region with a Private Marketplace administrator role.
- Navigate to Private Marketplace administrator’s page.
- In the navigation pane, choose Experiences.
- On the Experiences page, choose Create experience.
- Enter a title and description for the experience.
- Choose Create experience. The following screenshot shows the Experiences page with a new Experience called Private Marketplace Experience.
B. Create an account group for the Private Marketplace experience
To create an account group for your new Private Marketplace experience, do the following:
- In the navigation pane, choose Account groups.
- On the Account groups page, choose Create account group.
- Enter a title and description for the account group.
- Under Associate AWS account, enter the account number for the account in the standard Region (in Prerequisites) and choose Add.
- Under Associate experience, use the search bar to select the experience that you just created.
- Choose Create account group.
Step 2: Find and add the product available for the AWS GovCloud (US) Regions
To add products to your Private Marketplace experience, you must search for and add AWS Marketplace products available in AWS GovCloud (US) Regions. This enables users in the specified account group to subscribe to and deploy those products.
A. Find a product
- In the navigation pane, choose Experiences.
- On the Experiences page, choose the experience that you created in step 1A.
- On the experience details page, choose Products and then choose All AWS Marketplace products.
- Search for a product of interest. For example, in the search bar, enter CentOS 7 (x86_64) – with Updates HVM By Centos.org. The following screenshot shows six products that result from this search.
- Choose the product. This opens the product overview page in a new browser window or tab.
B. Verify the product’s availability in AWS GovCloud (US) Regions and add it to the experience
To verify the product’s availability in Aws GovCloud (US) Regions and add it to your experience, do the following:
- In the new browser window or tab, under Pricing, select the Region radio button. It should list AWS GovCloud (US) East, AWS GovCloud (US) West, or both.
- In the original browser window or tab, choose the product.
- Choose Add.
To verify that the product was added to the experience, on the experience details page, choose Approved products. The added product is listed there.
Step 3: Customize and enable the Private Marketplace experience
You can configure the Private Marketplace’s branding settings such as your organization logo, title, and color scheme. Then you can enable the Private Marketplace experience to go live.
A. Customize the experience
- In the navigation pane, choose Experiences.
- On the Experiences page, choose the experience that you created.
- On the experience details page, choose Settings.
- Under Profile settings, configure Logo, Name and Description, and Theme Color.
- Choose Update and wait until the customization completes. The status appears at the top of the page.
B. Enable the experience
- Under Status and requests, toggle the slider to enable or disable Software requests. This setting allows users in to create requests for software.
- Once all customization is complete, toggle the Experience status to Live (enabled). This might take a minute to complete.
- To disable the Private Marketplace, toggle the status to Not Live.
The following screenshot shows the Settings page of my sample experience, with my logo file uploaded, my name and description entered, and my theme color selected. I’ve also toggled Experience status to Live and Software requests to Requests on.
Step 4: Launch the approved product from the associated AWS GovCloud (US) Region account
Now you can test deployment of the approved CentOS 7 (x86_64) – with Updates HVM product. To do this, do the following:
- Log in to the associated AWS GovCloud (US) Region account as an end user.
- Open the Amazon EC2 console.
- Choose Launch instance.
- Under Choose an Amazon Machine Image (AMI), select AWS Marketplace.
- For Search AWS Marketplace Products, enter CentOS 7 (x86_64) – with Updates HVM By Centos.org.
- Select the product and choose Continue.
- Choose Review and Launch.
This subscribes the product and deploys it. This might take a minute to complete. After the product is deployed, you can confirm the subscription in the account in the standard Region under Manage Subscriptions.
Step 5: Verify that a product not listed in the Private Marketplace doesn’t deploy
To verify that a product not listed in the Private Marketplace experience fails to deploy, do the following:
- On the Amazon EC2 console, choose Launch instance.
- Under Choose an Amazon Machine Image (AMI), select AWS Marketplace.
- For Search AWS Marketplace Products, enter Kali Linux.
- Select the product and choose Continue.
- Choose Review and Launch. You should receive the Launch Failed message This product isn’t currently available for Private Marketplace. Refer to the following screenshot.
Cleaning up
To avoid incurring future charges, delete the resources that you created in this walkthrough.
A. Terminate the approved product’s EC2 instance
- Navigate to the Amazon EC2 console.
- Choose the Running Instance ID that is associated with CentOS 7 (x86_64) – with Updates HVM By Centos.org.
- Choose Instance state and then choose Terminate instance.
B. Remove the approved product from the AWS Marketplace subscriptions
- Log in to the account in the standard Region with an administrator role.
- Navigate to AWS Marketplace Subscriptions page.
- In the navigation pane, choose Manage Subscriptions.
- Choose Manage CentOS 7 (x86_64) – with Updates HVM By Centos.org.
- Choose Actions and then choose Cancel subscription.
- Select the I understand that I will continue to be charged for all running instances even after canceling my subscription.
- Choose Yes, cancel subscription.
C. Disable the Private Marketplace experience
- Navigate to Private Marketplace administrator’s page.
- In the navigation pane, choose Experiences.
- On the Experiences page, choose the experience that you created.
- On the experience details page, choose Settings.
- Under Status and requests, toggle the Experience status to Not Live (enabled). This might take a minute to complete.
Conclusion
In this post, I showed you how to use AWS Private Marketplace to create a catalog of approved products in an account in a standard Region. I showed how to use this Private Marketplace to govern access to AWS Marketplace products in the associated AWS GovCloud (US) Region account. Then I demonstrated how to deploy the approved products and how non-approved products fail during the deployment process. To learn more about Private Marketplace, visit the Private Marketplace documentation here.
About the authors
Ji Jung is a Solutions Architect whose areas of expertise include AWS Marketplace. He’s passionate about cloud technologies and building innovative solutions to help customers. When not working, he enjoys spending time with his family and playing sports.
Adam Hesch is a Solutions Architect on the Amazon Web Services Federal Systems Integrator team. He works with AWS customers to provide guidance on architecture and best practices for operating Federal information systems in the cloud. When he’s not working with customers, he enjoys spending time with this family and working on his house.