AWS Marketplace maintains the following policies for all Amazon Machine Image (AMI) products and offerings. The policies in this section are intended to provide customers with a safe, secure, and trustworthy compute platform.
All products and their related metadata are reviewed when submitted to ensure they meet or exceed current AWS Marketplace policies. These policies are regularly updated to align with evolving security guidelines. AWS Marketplace continuously scans products to verify that existing listings continue to meet any changes to these requirements. If a product falls out of compliance, AWS Marketplace will contact the seller to update their product to meet new standards. In some cases, products might be temporarily made unavailable to new subscribers until issues are resolved. This process helps maintain the security and trustworthiness of the AWS Marketplace platform for all users.
Before submitting your product, we strongly recommend using the Test 'Add Version'
AMI product seller policies
All AMIs must adhere to the following seller policies:
- By default, AWS Marketplace sellers are limited to a maximum of 75 public AMI product listings. All sellers above their limit are subject to periodic performance review and may be required to restrict underperforming listings. AWS Marketplace may grant and revoke increases to this limit at its sole discretion.
Security policies
General policies
All AMIs must comply with the following policies:
- AMIs must pass all security checks performed by the AWS Marketplace AMI scanning tool, showing no known vulnerabilities or malware.
- AMIs must use currently supported operating systems and software. Operating systems and software that have reached their end of life are not allowed.
- Password-based authentication for instance services is prohibited. This applies even if the password is generated, reset, or defined by the user at launch. Null and blank passwords are not allowed.
  Exceptions:
  - Administrator passwords generated by EC2Config/EC2Launch on Windows instances.
  - Non-administrative access to host services (for example, web applications) in the absence of other authentication methods. If strong passwords are used, they must be randomly generated for each instance, used once by the service administrator for initial authentication, and changed immediately after first login.
- AMIs must not contain hardcoded secrets such as system user and service passwords (including hashed passwords), private keys, or credentials.
- AMIs must not request AWS credentials to access AWS services. If your product requires access to AWS services, the instance should be assigned a minimally privileged AWS Identity and Access Management (IAM) role. Users can create roles manually or by using an AWS CloudFormation template. When single-AMI launch is enabled for products with a CloudFormation delivery method, the usage instructions must include clear guidance for creating minimally privileged IAM roles. For more information, see Delivering your AMI-based product using AWS CloudFormation.
- A seller must not have access to instances run by a customer. If such access is required for support or another purpose, the customer can be instructed to explicitly enable it.
SSH (Secure Shell) access policies
In addition to general policies, AMIs providing SSH (Secure Shell) access must comply with the following security policies:
- AMIs must not allow password-based authentication using SSH. To ensure this, in your sshd_config file, set PasswordAuthentication to no.
- AMIs must disable password-based remote logins for superuser accounts (in sshd_config, PermitRootLogin set to prohibit-password or no). For more information, refer to Disable password-based remote logins for the root user.
- AMIs must not contain authorized public keys for SSH access.
- SSH on AMIs must be accessible to AWS Marketplace internal vetting procedures.
- The SSH service must listen on the TCP port specified for AMI scanning. For more information, refer to Add a new version.
- SSH must be accessible from subnets 10.0.0.0/16 and 10.2.0.0/16 on the IP address assigned by Amazon Elastic Compute Cloud (Amazon EC2) at instance launch.
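The script below is an added example, not the AWS Marketplace scanner or any AWS tooling. It implements pre-submission checks for the SSH policies in this section and for the hardcoded-secrets policy in the general list (no password hashes or blank passwords in /etc/shadow, no authorized_keys files), run against files copied or mounted from the AMI's root filesystem. The sshd_config, shadow and authorized_keys inputs it creates under a temporary directory are constructed for illustration. It assumes the usual "Keyword value" sshd_config syntax, applies sshd's first-match rule for top-level keywords, and does not evaluate Match conditions the way `sshd -T -C` does; the WARN on keyboard-interactive authentication is this example's own caveat (PAM keyboard-interactive still prompts for the account password), not something the page says the scanner checks.

```shell
#!/bin/sh
# Added example (not AWS Marketplace tooling): checks for the SSH and
# hardcoded-secret policies, run against files taken from the AMI's root
# filesystem. All sample inputs created below are constructed.

# sshd_get KEYWORD FILE: print a keyword's effective value, lowercased.
# Like sshd, the first occurrence wins; parsing stops at the first "Match"
# block because directives there are conditional. Assumes "Keyword value"
# syntax (the "Keyword=value" form is not handled).
sshd_get() {
    awk -v key="$1" '
        $1 ~ /^#/ || NF < 2         { next }
        tolower($1) == "match"      { exit }
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$2"
}

# ssh_policy_check FILE: return 0 if the config satisfies the policy,
# 1 otherwise, printing one FAIL/WARN/INFO line per finding.
ssh_policy_check() {
    cfg="$1"; rc=0
    pa=$(sshd_get PasswordAuthentication "$cfg")
    # An unset keyword means sshd's built-in default, which is "yes".
    if [ "${pa:-yes}" != "no" ]; then
        echo "FAIL $cfg: PasswordAuthentication is '${pa:-unset (defaults to yes)}'; must be 'no'"
        rc=1
    fi
    # Also catch "yes" inside Match blocks, which the first-match lookup skips.
    if grep -Eiq '^[[:space:]]*PasswordAuthentication[[:space:]]+yes' "$cfg"; then
        echo "FAIL $cfg: 'PasswordAuthentication yes' present (possibly inside a Match block)"
        rc=1
    fi
    prl=$(sshd_get PermitRootLogin "$cfg")
    case "$prl" in
        no|prohibit-password|without-password|forced-commands-only) ;;
        *) echo "FAIL $cfg: PermitRootLogin is '${prl:-unset}'; set 'prohibit-password' or 'no'"
           rc=1 ;;
    esac
    # Keyboard-interactive auth via PAM still prompts for the account password
    # (older OpenSSH names this ChallengeResponseAuthentication).
    kbd=$(sshd_get KbdInteractiveAuthentication "$cfg")
    [ -n "$kbd" ] || kbd=$(sshd_get ChallengeResponseAuthentication "$cfg")
    if [ "${kbd:-yes}" != "no" ]; then
        echo "WARN $cfg: keyboard-interactive authentication is '${kbd:-unset}'; consider 'no'"
    fi
    port=$(sshd_get Port "$cfg")
    echo "INFO $cfg: sshd listens on TCP port ${port:-22}; declare the same port for AMI scanning"
    return $rc
}

# shadow_password_accounts FILE: print accounts in an /etc/shadow copy whose
# password field is not just a lock marker ("*", "!", "!!"), i.e. accounts
# with a stored hash (even a locked one) or a blank password.
shadow_password_accounts() {
    awk -F: '$2 !~ /^[!*]+$/ { print $1 }' "$1"
}

# find_authorized_keys ROOT: print non-empty authorized_keys files under the
# mounted AMI root, for root and every home directory.
find_authorized_keys() {
    find "$1/root/.ssh" "$1/home" -type f -name authorized_keys -size +0 2>/dev/null || true
}

# ---- constructed sample inputs ----------------------------------------------
WORK=$(mktemp -d)
cat > "$WORK/weak_sshd_config" <<'EOF'
# Global setting looks fine, but root login and a Match block violate the policy
Port 22
PermitRootLogin yes
PasswordAuthentication no
ChallengeResponseAuthentication no
Match User support
    PasswordAuthentication yes
EOF
cat > "$WORK/hardened_sshd_config" <<'EOF'
Port 2222
PermitRootLogin prohibit-password
PasswordAuthentication no
KbdInteractiveAuthentication no
EOF
cat > "$WORK/shadow" <<'EOF'
root:*:19700:0:99999:7:::
ec2-user:!!:19700:0:99999:7:::
appadmin:$6$saltsalt$notarealhash:19700:0:99999:7:::
legacy::19700:0:99999:7:::
EOF
mkdir -p "$WORK/dirty/home/ubuntu/.ssh" "$WORK/clean/home/ubuntu/.ssh"
echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterial build@vendor" \
    > "$WORK/dirty/home/ubuntu/.ssh/authorized_keys"

for cfg in "$WORK/weak_sshd_config" "$WORK/hardened_sshd_config"; do
    if ssh_policy_check "$cfg"; then echo "PASS $cfg"; fi
done
echo "accounts with a hash or blank password: $(shadow_password_accounts "$WORK/shadow" | tr '\n' ' ')"
echo "authorized_keys files found: $(find_authorized_keys "$WORK/dirty" | tr '\n' ' ')"
```

On a real build, point the functions at a mounted snapshot of the image (or run `sshd -T` inside a test instance for the effective configuration); the weak sample fails on PermitRootLogin and on the Match block even though its top-level PasswordAuthentication is "no", which is exactly the case a grep for a single line would miss.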
Policies for AMIs based on Linux and other Unix-like operating systems
In addition to general policies, AMIs based on Linux and other Unix-like operating systems must comply with the following security policies:
- AMIs must allow users to get fully privileged access (for example, by allowing sudo access).
Policies for Windows-based AMIs
In addition to general policies, Windows-based AMIs must comply with the following security policies:
- AMIs must not contain guest accounts.
- Only administrator accounts may be granted remote desktop access to an instance.
- Windows AMIs must generate administrator passwords by enabling these options in EC2Launch (or EC2Config on Windows Server 2012 R2 and earlier):
  - Ec2SetPassword
  - Ec2WindowsActivate
  - Ec2HandleUserData
- AMIs must be available to automated vetting. At least one of the following requirements must be implemented:
  - (Recommended option) The SSM Agent is installed, has administrative permissions, and has outbound network access.
  - The Windows Remote Management (WinRM) service is enabled, listens on TCP port 5985, and is accessible from subnets 10.0.0.0/16 and 10.2.0.0/16 on the IP address assigned by Amazon Elastic Compute Cloud (Amazon EC2) at instance launch.
  - The Microsoft Server Message Block (SMB) Protocol and Common Internet File System (CIFS) Protocol service is enabled, listens on TCP ports 139 and 445, and is accessible from subnets 10.0.0.0/16 and 10.2.0.0/16 on the IP address assigned by Amazon EC2 at instance launch.
Architecture policies
All AMIs must adhere to the following architecture policies:
- Source AMIs for AWS Marketplace must be provided in the US East (N. Virginia) Region.
- AMIs must use HVM virtualization.
- AMIs must use the x86-64 or 64-bit ARM architecture.
- AMIs must be backed by Amazon Elastic Block Store (Amazon EBS). AMIs backed by Amazon Simple Storage Service (Amazon S3) aren't supported.
- AMIs must not use encrypted EBS snapshots.
- AMIs must not use encrypted file systems.
- AMIs must be built so that they can run in all AWS Regions and are Region-agnostic. AMIs built differently for different Regions aren't allowed.
AMI product usage instructions
When creating usage instructions for your AMI product, please follow the steps and guidance located in Creating AMI and container product usage instructions for AWS Marketplace.
AMI product version policies
AWS Marketplace automates the version management experience for AWS customers and sellers using single-AMI, AMI with CloudFormation template, and container products. With automated version archival, any product version that has been restricted by a seller for longer than two years is automatically archived. Archived versions are no longer available to launch from AWS Marketplace for new customers; however, existing users can continue to use an archived version through launch templates and Amazon EC2 Auto Scaling groups by specifying the AMI ID. Any archived version that has not been used to launch a new instance in the past 13 months is deleted. Once an archived version is deleted, it is no longer available to launch for new or existing users.
Customer information policies
All AMIs must adhere to the following customer information policies:
- Software must not collect or export customer data without the customer's knowledge and express consent, except as required by BYOL (Bring Your Own License). Applications that collect or export customer data must follow these guidelines:
  - The collection of the customer data must be self-service, automated, and secure. Buyers must not have to wait for seller approval to deploy the software.
  - The requirements for customer data must be clearly stated in the description or the usage instructions of the listing. This includes what is collected, where the customer data will be stored, and how it will be used. For example: This product collects your name and email address. This information is sent to and stored by <company name>. This information will only be used to contact the buyer in regards to <product name>.
  - Payment information must not be collected.
Product usage policies
All AMIs must adhere to the following product usage policies:
- Products must not restrict access to the product or product functionality by time, number of users, or other restrictions. Beta and prerelease products, or products whose sole purpose is to offer trial or evaluation functionality, are not supported. Developer, Community, and BYOL editions of commercial software are supported, provided an equivalent paid version is also available in AWS Marketplace.
- All AMIs must be compatible with either the Launch from Website experience or AMI-based delivery through AWS CloudFormation. For Launch from Website, the AMI can't require customer or user data at instance creation to function correctly.
- AMIs and their software must be deployable in a self-service manner and must not require additional payment methods or costs. Applications that require external dependencies on deployment must follow these guidelines:
  - The requirement must be disclosed in the description or the usage instructions of the listing. For example: This product requires an internet connection to deploy properly. The following packages are downloaded on deployment: <list of packages>.
  - Sellers are responsible for the use of, and for ensuring the availability and security of, all external dependencies.
  - If the external dependencies are no longer available, the product must be removed from AWS Marketplace as well.
  - The external dependencies must not require additional payment methods or costs.
- AMIs that require an ongoing connection to external resources not under the direct control of the buyer (for example, external APIs or AWS services managed by the seller or a third party) must follow these guidelines:
  - The requirement must be disclosed in the description or the usage instructions of the listing. For example: This product requires an ongoing internet connection. The following ongoing external services are required to function properly: <list of resources>.
  - Sellers are responsible for the use of, and for ensuring the availability and security of, all external resources.
  - If the external resources are no longer available, the product must be removed from AWS Marketplace as well.
  - The external resources must not require additional payment methods or costs, and the setup of the connection must be automated.
- Product software and metadata must not contain language that redirects users to other cloud platforms, additional products, or upsell services that aren't available in AWS Marketplace.
- If your product is an add-on to another product or another ISV's product, your product description must indicate that it extends the functionality of the other product and that without it, your product has very limited utility. For example: This product extends the functionality of <product name> and without it, this product has very limited utility. Please note that <product name> might require its own license for full functionality with this listing.