AWS Cloud Operations Blog

Procuring software on AWS Marketplace for customers in regulated spaces

Customers operating in highly-regulated spaces often tell us about the compliance challenges that they face when procuring commercial software in the cloud. This is especially true for federal customers subject to the GSA Schedule, or state and local customers operating under NASPO ValuePoint. Procurements in this space often require negotiated purchasing agreements and custom terms between the vendor and buyer. For these customers, it’s paramount that purchasing agreements are made by a central governing group to minimize the risk of noncompliant agreements. To solve this challenge for customers, we’ve created a centralized software procurement and distribution solution using AWS Marketplace Private Offers, AWS License Manager, and AWS Identity and Access Management (IAM) that gives customers the flexibility to procure using custom purchasing agreements while maintaining complete governance.

In this post, we present a method for centralizing the procurement and distribution of AWS Marketplace software that is intended to get customers in highly-regulated environments up and running with AWS Marketplace. We use IAM roles to govern who has access to the AWS Marketplace subscribe and license distribution actions. Then, we set up AWS License Manager for the distribution of AWS Marketplace software licenses from a central account. After setting up the solution, we demonstrate its use through the experiences of three personas, defined as follows:

  • Procurement Manager – This persona is responsible for negotiating terms and conditions with the AWS Marketplace software vendor. This persona has the permission to accept AWS Marketplace offers.
  • Software Manager – This persona is responsible for distributing access to the procured software using license grants in License Manager. This persona has permission to distribute and activate licenses, but it can’t accept AWS Marketplace offers.
  • End User – This persona is a consumer of the procured software. This persona can’t accept AWS Marketplace offers. This persona can only accept software licenses that have been sent to them by the Software Manager.

We’ll be using the following AWS services to create and demonstrate the solution:

  • AWS Marketplace, including Private Offers
  • AWS License Manager
  • AWS Identity and Access Management (IAM)
  • AWS CloudFormation, including StackSets
  • AWS Organizations

This solution supports the distribution of Amazon Machine Image (AMI), Container, machine learning (ML), and AWS Data Exchange products on AWS Marketplace. Governance for AWS GovCloud regions isn’t covered in this post and will be addressed in future posts. Software license distribution for AWS Marketplace SaaS products is not currently supported by License Manager. For SaaS, we suggest an alternate approach that allows the Procurement Manager to subscribe to SaaS products on behalf of the End User. This is covered in the section titled Consideration for SaaS products, below.

We’ll be using AWS Marketplace Private Offers in the demonstration. However, this solution works for public AWS Marketplace offers as well. More information on Private Offers is available on the Private offers section of the AWS Marketplace Buyer Guide.

Implementing the solution

There are two parts to our solution. First, we create the necessary IAM roles and policies needed to appropriately authorize the three personas that will be using the solution. This solution includes CloudFormation templates to simplify role creation. Second, we’ll use the console to enable License Manager for use with AWS Marketplace. License Manager will serve as the mechanism for software license distribution.

Prerequisites

License Manager distributes license grants within a multi-account environment and supports both AWS Organizations and AWS Control Tower. We’ll be using the organization’s management account for procurement and distribution of software to the member accounts. The End User persona will accept and launch distributed software in the member accounts. You can learn more about multi-account environments in the AWS Organizations User Guide or AWS Control Tower User Guide.

You’ll need admin access to the management account to set up License Manager and create the necessary IAM roles.

1. Creating the IAM policies and roles with CloudFormation

In this section, we use AWS CloudFormation stacks and StackSets to create IAM roles and base policies for the Procurement Manager, Software Manager, and End User personas.

  • MPProcurementManager – This role has full access to AWS Marketplace and allows users assuming it to subscribe to AWS Marketplace product terms and conditions. This role is used by the Procurement Manager to accept Marketplace offers. This role is required in the management account and is optional in the member accounts (see the Consideration for SaaS products section).
  • MPSoftwareManager – This role has full access to License Manager and allows users assuming it to distribute license grants to member accounts. This role doesn’t allow the user to accept AWS Marketplace offers. This role is required in the management account.
  • MPEndUser – This role has access to License Manager and allows users assuming it to accept grants distributed to the member account. This role doesn’t allow the user to accept AWS Marketplace offers. In this example, we’ve attached an Amazon EC2 access policy that allows users assuming the role to launch AWS Marketplace products that have been distributed to the account.

Download and review the templates

We’ve provided CloudFormation templates that you can use to automatically create each role. We suggest downloading the templates and reviewing the IAM permissions for each role before deploying them, paying particular attention to each role’s trust policy: the whole control rests on only the designated Procurement Manager being able to assume MPProcurementManager, so its trust policy should name that principal and nothing broader. You can learn more about CloudFormation and StackSets in the AWS CloudFormation User Guide. The templates are examples only; refer to the IAM policy documentation when adding or removing policies to fit your own requirements.
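As an added illustration (this is not the template set that ships with the post), the following CloudFormation template defines the three persona roles in one file. The trust principal is supplied through a hypothetical TrustedPrincipalArn parameter; the AWS managed policies AWSMarketplaceFullAccess and AmazonEC2FullAccess are real; the inline license-manager and aws-marketplace actions are an assumed minimum for the console steps later in the post, so verify them against the IAM action reference for your environment. The post deploys MPEndUser separately through a StackSet; to mirror that, move the MPEndUser resource into its own template.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Example persona roles for centrally governed AWS Marketplace procurement (illustration, not the post's templates).

Parameters:
  TrustedPrincipalArn:
    Type: String
    Description: Assumed value - the only principal allowed to assume these roles (for example a federated role). Narrow it per persona before deploying.

Resources:
  # Procurement Manager: the only persona allowed to accept Marketplace offers.
  MPProcurementManager:
    Type: AWS::IAM::Role
    Properties:
      RoleName: MPProcurementManager
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Ref TrustedPrincipalArn
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AWSMarketplaceFullAccess

  # Software Manager: distributes and activates grants. The explicit Deny keeps
  # later policy attachments from quietly turning this persona into a purchaser.
  MPSoftwareManager:
    Type: AWS::IAM::Role
    Properties:
      RoleName: MPSoftwareManager
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Ref TrustedPrincipalArn
            Action: sts:AssumeRole
      Policies:
        - PolicyName: LicenseDistribution
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Sid: ManageLicenseGrants
                Effect: Allow
                Action:
                  - license-manager:*
                  - aws-marketplace:ViewSubscriptions
                Resource: '*'
              - Sid: NeverSubscribe
                Effect: Deny
                Action:
                  - aws-marketplace:Subscribe
                  - aws-marketplace:Unsubscribe
                Resource: '*'

  # End User: accepts grants delivered to the member account and launches the
  # product on EC2. In the post this role is deployed to member accounts by a StackSet.
  MPEndUser:
    Type: AWS::IAM::Role
    Properties:
      RoleName: MPEndUser
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Ref TrustedPrincipalArn
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonEC2FullAccess
      Policies:
        - PolicyName: ConsumeGrantedLicenses
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Sid: UseDistributedGrants   # assumed minimum for the End User steps
                Effect: Allow
                Action:
                  - license-manager:ListReceivedGrants
                  - license-manager:ListReceivedLicenses
                  - license-manager:GetGrant
                  - license-manager:GetLicense
                  - license-manager:AcceptGrant
                  - license-manager:CheckoutLicense
                  - aws-marketplace:ViewSubscriptions
                Resource: '*'
              - Sid: NeverSubscribe
                Effect: Deny
                Action:
                  - aws-marketplace:Subscribe
                  - aws-marketplace:Unsubscribe
                Resource: '*'
```

The explicit Deny statements on aws-marketplace:Subscribe and aws-marketplace:Unsubscribe are the check that matters for governance: an explicit Deny overrides any Allow attached to the role later, so neither the Software Manager nor the End User can be turned into a purchaser by a well-meaning policy change. The same template, with TrustedPrincipalArn pointing at the management-account procurement principal, also produces the member-account copy of MPProcurementManager that the SaaS consideration later in the post calls for.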

Creating the MPProcurementManager and MPSoftwareManager roles

  1. Access the CloudFormation Console as an Admin in the management account.
  2. From the left sidebar, choose Stacks.
  3. Select Create stack and select the new resources option.
  4. Select upload template file and upload the MPProcurementManager template you downloaded earlier. Select Next.
  5. Follow the on-screen instructions to configure the Stack to your satisfaction.
  6. Complete the IAM creation acknowledgment and select Create stack.
  7. Repeat the process above using the MPSoftwareManager template.

Now you have both the MPProcurementManager and MPSoftwareManager roles created in the management account.

Creating the MPEndUser roles on the member accounts

CloudFormation StackSets simplify the creation of the MPEndUser roles in all of the member accounts at once. You can learn more about StackSets in the AWS CloudFormation User Guide.

  1. Access the CloudFormation Console as an Admin in the management account.
  2. From the left sidebar, choose StackSets and select Create StackSet.
  3. Select Service-managed permissions to deploy the MPEndUser role to your whole organization or to selected organizational units through AWS Organizations, or select Self-managed permissions to specify which accounts receive the role.
  4. Upload the MPEndUser template, and select Next.
  5. Follow the on-screen instructions to configure the StackSet to your satisfaction.
  6. Complete the IAM creation acknowledgment, and select Submit.

Now you have the MPEndUser role created in the specified member accounts.

2. Setting up License Manager

License Manager integration with AWS Marketplace requires several service-linked roles. All of these roles can be created using the console.

Create the AWSServiceRoleForMarketplaceLicenseManagement service-linked role

This role allows AWS Marketplace to create and modify license grants in License Manager.

  1. Access the AWS Marketplace Console as an Admin in the management account.
  2. From the left sidebar, choose Settings.
  3. Choose Configure Integration.
  4. Choose the check box next to “Enable Trusted access across your organization”.
  5. Choose Create integration.

Create the AWSServiceRoleForAWSLicenseManagerRole service-linked role

This role allows License Manager to create and modify license grants across the organization.

  1. Access the License manager console as an Admin in the management account.
  2. Select the Create customer managed license button.
  3. You’ll be prompted to create the required permissions to manage licenses. Select I grant AWS License Manager the required permissions, and select Grant permissions.

Link Organizations accounts

This step creates the AWSServiceRoleForAWSLicenseManagerRole service-linked roles in the member accounts and enables auto-acceptance of distributed grants. This action can’t be reversed. If you don’t wish to link your accounts, then you must create the AWSServiceRoleForAWSLicenseManagerRole service-linked role in each member account yourself.

  1. Access the License manager console as an Admin in the management account.
  2. From the left sidebar, choose Settings.
  3. Select Link AWS Organization accounts and follow the prompts to link the accounts.

We’ve now completed the setup for License Manager and are ready to start using the solution. In the next section, we’ll step through an example procurement workflow.

Using the solution

In this section, we walk through a typical procurement and distribution workflow for an AWS Marketplace product. We’ll explore the user experience for each persona by assuming the roles that we created and stepping through the actions that each persona would be expected to perform.

Procurement Manager experience

The Procurement Manager negotiates a private offer. They then accept the offer through AWS Marketplace. A granted license is then created in License Manager.

Figure 1: Procurement Manager Workflow

The Procurement Manager engages with the AWS Marketplace solution provider and negotiates terms and conditions for an AWS Marketplace private offer. Upon agreement, the solution provider creates the private offer and shares a link to the offer with the Procurement Manager.

  1. The Procurement Manager assumes the MPProcurementManager role within the management account.
  2. The Procurement Manager opens the private offer link, reviews the terms of the offer, and accepts the offer.

Figure 2: Private Offer detail page

In the background, AWS Marketplace creates an entitlement for the private offer. This entitlement is registered with License Manager as a Granted license. This happens on the management account only. The license must be distributed to end users by the Software Manager.

Software Manager experience

The Software Manager creates and activates a grant for distribution using AWS License Manager. The grant is distributed throughout the organization.

Figure 3: Software Manager Workflow

Once the license grant is registered on the management account, the Software Manager uses License Manager to distribute the license to either an individual member account or throughout the organization.

  1. The Software Manager assumes the MPSoftwareManager role within the management account.
  2. The Software Manager accesses the License Manager console and navigates to the Granted licenses pane.
  3. The Software Manager selects the license associated with the procured software and offer, and selects View.
  4. The Software Manager selects Create grant and provides the account IDs that need access to the software. The Software Manager has the option of distributing to individual accounts or to the whole organization by including the Organization ID.

The Create grant form presents input fields for the new grant name and the AWS account IDs to receive the grant.

  5. The Software Manager selects Create grant. License Manager will create the license grant in the member account.
  6. Under the Grant section, the Software Manager selects the newly-created grant.
  7. The Software Manager selects Activate and follows the directions to activate the grant. The product is now ready for use by the member account.

The newly created grant appears with an option to Activate the grant.

End User experience

The End User launches the granted products without ever having to subscribe to a Marketplace offer.

Figure 4: End User Workflow

The End User can now immediately start using the newly-granted product without having to accept any terms or conditions.

  1. The End User assumes the MPEndUser role within the member account.
  2. The End User accesses the AWS Marketplace Subscriptions console and sees that a new subscription was created for the member account. The End User selects Manage.
  3. The End User can now select Launch new instance and follow the launch wizard to deploy the software onto Amazon EC2.

Experience summary

In this workflow, we assumed the role of a Procurement Manager and accepted an AWS Marketplace private offer, which then created a granted license for the product. Next, we assumed the Software Manager role and distributed and activated the grant to a member account within the organization. Then, we assumed the End User role within the member account and confirmed the ability to launch the product. Consistent with standard procurement policy, only the authorized Procurement Manager accepted terms and conditions.

Consideration for SaaS products

Distribution of SaaS subscriptions isn’t currently supported by License Manager. For this product type, the subscription must be activated from the accounts that will be using the product. To enable these products while still maintaining central governing authority, you can create the MPProcurementManager role within the member account. Then, the authorized Procurement Manager can assume the role from the member account and subscribe, thereby enabling the product for End Users in the account. Because this places a subscribe-capable role inside the member account, scope its trust policy to the central Procurement Manager principal only, so that no other user in the member account can assume it and accept offers.

Cleanup

Cleanup consists of removing the IAM roles created for each persona, removing the service-linked roles created when setting up License Manager, and disabling License Manager and AWS Marketplace trusted access with AWS Organizations.

  1. Delete the individual IAM roles by following the IAM User Guide.
  2. Delete entire CloudFormation StackSets by following the AWS CloudFormation User Guide.
  3. Disable trust relationships.
  4. Remove service-linked roles.
  5. Unsubscribe from AWS Marketplace products.
  6. Terminate any running instances of AWS Marketplace products.

Conclusion

License Manager in combination with IAM can be used to create a centrally-governed approach for purchasing and distributing AWS Marketplace software in just a few simple steps. By using IAM to restrict subscription permissions, customers can prevent unauthorized agreements on AWS Marketplace. Enabling the distribution of AWS Marketplace licenses via License Manager then allows for the scalable distribution of pre-authorized software to End Users on member accounts. With this approach, customers operating in highly regulated spaces will find AWS Marketplace to be an integral component in properly-governed software acquisition and distribution.

Authors:

Leno Piperi

Leno Piperi is a Solutions Architect who specializes in supporting public sector customers on AWS Marketplace. His professional interests include cloud governance and serverless computing on AWS. When he’s not in the office delighting customers, you’ll find him skiing or camping in the Cascades.

Swaminathan Jayaraman

Swaminathan Jayaraman is a Solutions Architect with AWS Marketplace. He supports buyers on procuring third party products via AWS Marketplace and sellers on listing their products successfully in AWS Marketplace. He has over 14 years of industry experience in developing and managing large scale applications, deploying SaaS solutions and supporting cloud migrations. He loves problem solving and always enjoys a good technical conversation.

Kenneth Walsh

Kenneth Walsh is a New York-based Solutions Architect focusing on AWS Marketplace. Kenneth is passionate about cloud computing and loves being a trusted advisor for his customers. When he’s not working with customers on their journey to the cloud, he enjoys cooking, audio books, movies, and spending time with his family and dog.