Update (April 20, 2020): AWS Marketplace introduced Private Marketplace, which lets administrators curate the set of products that users in their organization are allowed to purchase; see the documentation and the related blog posts for details. Update (January 20, 2021): AWS announced managed entitlements, a feature of AWS License Manager that distributes licenses across an AWS Organization and tracks software deployments from a single account. Previously, each account had to accept licensing terms and manage its own subscriptions, which does not scale as a business grows. AWS License Manager now automates the distribution of license entitlements for Amazon Machine Images (AMIs), containers, and machine learning products purchased in AWS Marketplace.
Many of the customers I work with manage large catalogs of paid software from AWS Marketplace, typically a mix of AWS Marketplace SaaS contracts, hourly, monthly, or annual AMIs, and products bought through Seller Private Offers. A question I hear often is how to secure access to these paid products. In this article I describe how to protect paid AMIs and subscriptions in AWS Marketplace using the principle of least privilege: grant each user only the permissions needed to complete their task.
AWS Security Best Practices
AWS Security Best Practices extend to AWS Marketplace as well. The principle of least privilege is crucial for securing your AWS account, AMIs, and subscriptions. Here are three fundamental rules to enhance security around your paid software products:
- Rule 1: Only users authorized to accept an End-User License Agreement (EULA) on behalf of your organization should be permitted to procure (or subscribe to) products in AWS Marketplace.
- Rule 2: Once the software product is procured, unauthorized users should not be able to launch the paid software.
- Rule 3: Distribute your paid products exclusively to authorized users. It’s essential to embed governance into this process.
Rule 3 also applies to other IT services. For instance, AWS Service Catalog can be utilized to empower users while maintaining consistent governance.
Important Note:
This article does not cover securing the Amazon EC2 instances that run paid software; the IAM permissions and techniques used to secure instances that do not run paid software apply equally to those that do. I do cover IAM permissions that prevent copying paid AMIs. Note also that IAM policies are scoped to a single AWS account: if you manage several accounts, apply these controls in each of them.
Rule 1:
Only users authorized to accept a EULA on behalf of your organization should be able to procure (subscribe to) a product in AWS Marketplace. To implement this, grant AWS Marketplace subscription permissions only to a small, named group of people. Accepting a EULA for a subscription or software product has legal consequences, so the members of this group must actually hold the authority to do so. A centralized software procurement team that oversees purchases and consults legal counsel before committing to an acquisition is the recommended way to run this.
Every other user in your organization should be explicitly denied AWS Marketplace subscription access, so that they can neither subscribe to nor cancel a paid product.
Tip: If you’re procuring a software product in AWS Marketplace, check if your purchase qualifies for Seller Private Offers for potential volume discounts.
Granting AWS Marketplace Permissions to Your Procurement Team
If you do not already have a central procurement team, create one. Create an IAM user group for the team (or, if your users sign in through federation, use their IAM roles instead) and attach the following policy to it to let its members procure software products in AWS Marketplace.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"aws-marketplace:ViewSubscriptions",
"aws-marketplace:Subscribe",
"aws-marketplace:Unsubscribe",
"ec2:DescribeInstances",
"ec2:DescribeAccountAttributes"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
Important Note:
Unsubscribing from a product fails while instances of that product are still running, so terminate them first; the ec2:DescribeInstances permission in the policy above is what lets the procurement team list those instances before they unsubscribe. For guidance on creating and attaching IAM policies, see the documentation on Creating IAM Policies and Attaching IAM Policies.
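As an added example that is not part of the original article, the following function implements the pre-flight check the note above calls for. The EC2 DescribeInstances response lists each instance's Marketplace product codes under ProductCodes, which is what the ec2:DescribeInstances permission in the procurement policy exposes, so the team can enumerate instances of a product before calling Unsubscribe. The response, the instance IDs, and the product code exampleprodcode12345 below are constructed for this example and are not real identifiers.

```python
# Constructed sample in the shape of an EC2 DescribeInstances response
# (only the fields this check reads are included).  The instance IDs and
# the product code are made up for this example.
PRODUCT_CODE = "exampleprodcode12345"   # hypothetical Marketplace product code

SAMPLE_RESPONSE = {
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0a1b2c3d4e5f60001",
             "State": {"Name": "running"},
             "ProductCodes": [{"ProductCodeId": PRODUCT_CODE, "ProductCodeType": "marketplace"}]},
            {"InstanceId": "i-0a1b2c3d4e5f60002",
             "State": {"Name": "stopped"},
             "ProductCodes": [{"ProductCodeId": PRODUCT_CODE, "ProductCodeType": "marketplace"}]},
            {"InstanceId": "i-0a1b2c3d4e5f60003",
             "State": {"Name": "terminated"},
             "ProductCodes": [{"ProductCodeId": PRODUCT_CODE, "ProductCodeType": "marketplace"}]},
            {"InstanceId": "i-0a1b2c3d4e5f60004",
             "State": {"Name": "running"},
             "ProductCodes": []},   # launched from a non-Marketplace AMI: not relevant
        ]},
    ]
}

# EC2 instance states in which an instance of the product still exists.
# 'terminated' (and 'shutting-down', which ends there) no longer count.
ACTIVE_STATES = {"pending", "running", "stopping", "stopped"}


def instances_of_product(response, product_code):
    """Group instance IDs by state for every instance launched from an AMI
    that carries the given Marketplace product code."""
    by_state = {}
    for reservation in response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            codes = {pc.get("ProductCodeId") for pc in inst.get("ProductCodes", [])}
            if product_code in codes:
                by_state.setdefault(inst["State"]["Name"], []).append(inst["InstanceId"])
    return by_state


def unsubscribe_blockers(response, product_code):
    """Instance IDs to review before Unsubscribe: running instances block the
    call, and stopped or pending ones are listed too so the team decides
    about them before the subscription goes away."""
    by_state = instances_of_product(response, product_code)
    return sorted(i for state, ids in by_state.items() if state in ACTIVE_STATES for i in ids)


def safe_to_unsubscribe(response, product_code):
    """True only when no non-terminated instance of the product remains."""
    return not unsubscribe_blockers(response, product_code)


if __name__ == "__main__":
    # With real credentials the response would come from
    #   boto3.client("ec2").describe_instances()
    # called by a principal holding the procurement policy above.
    print("terminate before unsubscribing:", unsubscribe_blockers(SAMPLE_RESPONSE, PRODUCT_CODE))
```

DescribeInstances is per Region and paginated, so in practice run the check in every Region where the product was launched and iterate over all pages before trusting an empty result.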
Some of my customers split their procurement team into two groups: one that makes purchasing decisions and one that manages billing. The decision-making group needs the policy above; the billing group usually only needs to view subscriptions. Attach the following policy to the billing group:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"aws-marketplace:ViewSubscriptions"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"aws-marketplace:Subscribe",
"aws-marketplace:Unsubscribe"
],
"Effect": "Deny",
"Resource": "*"
}
]
}
Consider also giving the billing group permission to view bills and use AWS Cost Explorer; the AWS documentation provides recommended IAM policies for these needs.
Revoking AWS Marketplace Permissions from Your IAM Users
With the procurement team's permissions in place, remove AWS Marketplace permissions from the remaining IAM users in your organization and explicitly deny them the ability to subscribe to or unsubscribe from paid products. Attach the following policy to the relevant IAM user groups or federated roles. Because an explicit Deny overrides any Allow in IAM's evaluation, this policy holds even for users who also have a broadly permissive policy attached; note that it also denies viewing subscriptions. If your accounts are in an AWS Organization, the same Deny statement in a service control policy enforces the restriction in every member account where nobody should be subscribing, rather than relying on each account's IAM policies.
{
"Version": "2012-10-17",
"Statement": [{
"Sid": "DenyAWSMarketplaceAccess",
"Effect": "Deny",
"Action": ["aws-marketplace:*"],
"Resource": "*"
}]
}
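The following script is an added example, not code from the original article. It embeds the three policy documents above and evaluates them the way IAM does for the elements they use: an explicit Deny in any attached policy overrides an Allow in any other, anything not allowed is implicitly denied, and Action patterns are wildcard-matched case-insensitively. Run it to see which Marketplace calls a principal holding a given combination of these policies can make before you attach them. It models only Action, Effect, and Resource "*" and refuses any other statement element rather than guessing at its effect.

```python
import fnmatch
import json

# The three policy documents from the article, embedded so this runs offline.
PROCUREMENT_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Action": ["aws-marketplace:ViewSubscriptions", "aws-marketplace:Subscribe",
               "aws-marketplace:Unsubscribe", "ec2:DescribeInstances",
               "ec2:DescribeAccountAttributes"],
    "Effect": "Allow", "Resource": "*"
  }]
}""")

BILLING_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Action": ["aws-marketplace:ViewSubscriptions"], "Effect": "Allow", "Resource": "*"},
    {"Action": ["aws-marketplace:Subscribe", "aws-marketplace:Unsubscribe"],
     "Effect": "Deny", "Resource": "*"}
  ]
}""")

DENY_ALL_MARKETPLACE = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "DenyAWSMarketplaceAccess", "Effect": "Deny",
                 "Action": ["aws-marketplace:*"], "Resource": "*"}]
}""")

# Only the elements used by the policies on this page are modelled.  Anything
# else (NotAction, Condition, a scoped Resource, ...) changes the outcome in
# ways this small evaluator does not reproduce, so it refuses instead.
SUPPORTED_KEYS = {"Sid", "Effect", "Action", "Resource"}


def _as_list(value):
    # IAM accepts either a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # IAM matches action names case-insensitively; '*' and '?' are wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def evaluate(policies, action):
    """Decide one action across all attached identity policies.

    Returns 'explicit_deny', 'allow' or 'implicit_deny', mirroring IAM's
    order: a matching Deny anywhere wins, then any matching Allow, and
    otherwise the request is denied by default.
    """
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if set(stmt) - SUPPORTED_KEYS or _as_list(stmt["Resource"]) != ["*"]:
                raise ValueError(f"unsupported statement for this evaluator: {stmt}")
            if any(_action_matches(p, action) for p in _as_list(stmt["Action"])):
                if stmt["Effect"] == "Deny":
                    return "explicit_deny"
                allowed = True
    return "allow" if allowed else "implicit_deny"


MARKETPLACE_ACTIONS = [
    "aws-marketplace:ViewSubscriptions",
    "aws-marketplace:Subscribe",
    "aws-marketplace:Unsubscribe",
    "ec2:DescribeInstances",
]


def report(policies, actions=MARKETPLACE_ACTIONS):
    """Map each action to its decision for a principal holding these policies."""
    return {action: evaluate(policies, action) for action in actions}


def can_subscribe(policies):
    """The check that matters for Rule 1: can this principal accept a EULA?"""
    return evaluate(policies, "aws-marketplace:Subscribe") == "allow"


if __name__ == "__main__":
    for name, attached in [
        ("procurement team", [PROCUREMENT_POLICY]),
        ("billing team", [BILLING_POLICY]),
        ("everyone else, even with the procurement allow attached",
         [PROCUREMENT_POLICY, DENY_ALL_MARKETPLACE]),
    ]:
        print(f"{name}: {report(attached)}")
```

The third case is the one worth noticing: a user who somehow ends up with both the procurement policy and the deny policy still cannot subscribe, while their ec2:DescribeInstances permission survives because the Deny is scoped to the aws-marketplace namespace.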
In summary, applying these controls restricts the procurement and management of paid AWS Marketplace products to authorized personnel, so that only they can subscribe to, unsubscribe from, or view your paid software.