The AWS Marketplace contains a vast array of products and services that are easily set up and configured within AWS. Third-party companies publish their products to the AWS Marketplace, which lets users subscribe easily and be billed through their existing AWS billing mechanism. This effectively creates another customer acquisition channel for the vendor as well as an easy means of obtaining products for the consumer. The problem occurs in organizations that have existing vendor agreements and require approval for product usage.
Most companies require that vendors go through an approval process before being introduced to an organization's ecosystem. This process will look at the product through many different lenses. At a minimum, you will want some lawyers to look through the terms of the contract (does the vendor own the data?), the vendor's security practices, service level agreements, etc. But how do we effectively use the AWS Marketplace while still maintaining a governance model?
Enter Private Marketplace
Private Marketplace was announced by AWS in late 2018. You can read the announcement here. Essentially, it gives you a means to filter the products that are available in the AWS Marketplace when a user attempts to subscribe to a product. The user is presented with some customizable text and branding so they know they are dealing with the organization's private marketplace and not the public marketplace. The private marketplace is configured for your AWS Organization, if applicable, so with no additional work it applies to all the accounts in your organization.
If a user would like to subscribe to a product, they navigate to the AWS Marketplace and search for that product. Once they have found the product, it is labeled as approved in the UI if they can launch it. If it has not been approved, they can kick off the approval process, which is managed outside of AWS.
Following is a simple diagram depicting an example approval process. As mentioned previously, the approval process is a workflow that will necessarily need to be managed outside of AWS. Utilize existing approval process tools as necessary.
As depicted in the diagram above, once a user discovers an unapproved product they would like to use, they kick off the approval process. Once the product has been approved through that process, a marketplace manager account can be used to publish the product to the private marketplace. This is just an account within the organization that has the necessary Service Control Policies and IAM roles to perform this action. The user can then be notified that the product has been published and is approved for usage.
A couple of gotchas that I found when working with AWS Private Marketplace are that the customization options were limited, there was no API access for automating publishing, and that it can be a bit slow. As of this writing, the customization gives you colors, a logo, and 255 characters of plain text. It would be nice if there was an easy way to direct the user to the approval process. As of now, the text only shows on the main marketplace screen. If you publish a product and it is not showing up, just wait longer. I didn't do much testing around this, but it seemed to take on the order of hours for customization and approvals to appear on the marketplace.
Its current state is indicative of the early stage of the feature. However, even with the issues, it is still the best way to proactively ensure no unapproved products are launched in your AWS environment.