Open ThibaultBC opened 1 year ago
To disable the public AWS Marketplace and restrict access to only approved products in your organization using the AWS Landing Zone Accelerator (LZA), you can implement the following approach:
Enable the AWS Private Marketplace feature for your organization. This redirects users to your curated private Marketplace instead of the public one[2].
Create and apply SCPs to restrict access to the public Marketplace. Here's an example SCP you can use:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RestrictPublicMarketplace",
      "Effect": "Deny",
      "Action": [
        "aws-marketplace:Subscribe",
        "aws-marketplace:Unsubscribe",
        "aws-marketplace:CreatePrivateMarketplace",
        "aws-marketplace:AssociateProductsWithPrivateMarketplace",
        "aws-marketplace:DisassociateProductsFromPrivateMarketplace"
      ],
      "Resource": "*",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalArn": [
            "arn:aws:iam::*:role/YourApprovedAdminRole"
          ]
        }
      }
    }
  ]
}
```
This SCP denies access to key Marketplace actions for all users except those assuming the specified admin role[6].
In your LZA configuration files, add the SCP to the appropriate organizational units (OUs) or accounts[1]. For example:
```yaml
# organization-config.yaml
serviceControlPolicies:
  - name: RestrictPublicMarketplace
    policy: service-control-policies/restrict-public-marketplace.json
    type: customerManaged
    deploymentTargets:
      organizationalUnits:
        - YourOU
```
As an administrator, carefully select and approve the products you want to make available in your Private Marketplace[2].
Ensure that users have the necessary permissions to access the Private Marketplace. You can use the AWS managed policy AWSPrivateMarketplaceRequests or create a custom IAM policy[2].
Inform your organization about the transition to Private Marketplace and provide guidance on how to request new products if needed[2].
By implementing these steps within your LZA configuration and organizational policies, you can effectively disable access to the public AWS Marketplace while providing a controlled environment for approved products through the Private Marketplace.
Citations:
[1] https://github.com/awslabs/landing-zone-accelerator-on-aws
[2] https://www.tecracer.com/blog/2023/04/restrict-aws-marketplace-offerings-with-private-marketplace.html
[3] https://aws.amazon.com/blogs/mt/migrate-aws-landing-zone-solution-to-aws-control-tower/
[4] https://www.reddit.com/r/aws/comments/191jb9z/is_it_ever_practical_to_disable_useast1_via/
[5] https://aws.amazon.com/solutions/implementations/landing-zone-accelerator-on-aws/
[6] https://docs.aws.amazon.com/marketplace/latest/userguide/marketplace-management-portal-user-access.html
[7] https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples.html
Describe the Issue
We are not allowed to purchase services on AWS Marketplace. Yet, it is still technically possible to purchase them, and we don't have much control over this.
Additional Context
By restricting we mean having product teams come through us to complete the purchase. If the service is free, we will allow the purchase right away; if the service is paid, we will check that a) the team completed competitive procurement and b) we have sufficient funds in our account with SSC to cover this unplanned expense.
Acceptance Criteria
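The SCP in the issue body relies on a negated condition to carve out one admin role from a blanket Deny. The condition operator matters: `StringNotEquals` compares exactly and treats `*` in `arn:aws:iam::*:role/...` as a literal character, so a wildcard account ID never matches and the admin role is denied along with everyone else, whereas `ArnNotLike` expands the wildcard. The following added example (not code from the issue, the LZA project, or AWS) is a deliberately small model of that subset of IAM condition semantics, enough to show the difference before the policy is deployed; the account ID and role names in it are made up.

```python
"""Model of how an SCP Deny with a principal-ARN exception evaluates.

Added example, not from the original issue or the LZA project. It models only
the subset of IAM condition semantics needed here: StringEquals/StringNotEquals
are exact comparisons, while ArnLike/ArnNotLike/StringLike/StringNotLike treat
'*' and '?' as wildcards. Account IDs and role names below are constructed.
"""
import fnmatch
from typing import Dict, List

MARKETPLACE_ACTIONS = [
    "aws-marketplace:Subscribe",
    "aws-marketplace:Unsubscribe",
    "aws-marketplace:CreatePrivateMarketplace",
    "aws-marketplace:AssociateProductsWithPrivateMarketplace",
    "aws-marketplace:DisassociateProductsFromPrivateMarketplace",
]

# Hypothetical exception role; the account ID is wildcarded as in the issue's SCP.
ADMIN_ROLE_PATTERN = "arn:aws:iam::*:role/YourApprovedAdminRole"


def make_scp(operator: str) -> dict:
    """Build the issue's SCP using `operator` as the negated condition operator."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "RestrictPublicMarketplace",
                "Effect": "Deny",
                "Action": MARKETPLACE_ACTIONS,
                "Resource": "*",
                "Condition": {operator: {"aws:PrincipalArn": [ADMIN_ROLE_PATTERN]}},
            }
        ],
    }


def _positive_match(operator: str, value: str, patterns: List[str]) -> bool:
    """Non-negated match for the operator family (negation is applied by the caller)."""
    if operator in ("StringEquals", "StringNotEquals"):
        return value in patterns  # exact: '*' is just another character
    if operator in ("ArnLike", "ArnNotLike", "StringLike", "StringNotLike"):
        return any(fnmatch.fnmatchcase(value, p) for p in patterns)
    raise ValueError(f"unsupported operator in this model: {operator}")


def condition_holds(condition: dict, context: Dict[str, str]) -> bool:
    """All condition operators/keys must be satisfied for the statement to apply."""
    for operator, key_values in condition.items():
        for key, patterns in key_values.items():
            matched = _positive_match(operator, context[key], patterns)
            if operator.startswith(("StringNot", "ArnNot")):
                matched = not matched
            if not matched:
                return False
    return True


def scp_denies(scp: dict, action: str, principal_arn: str) -> bool:
    """True if any Deny statement in the SCP applies to this action and principal."""
    context = {"aws:PrincipalArn": principal_arn}
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny" or action not in stmt["Action"]:
            continue
        if condition_holds(stmt.get("Condition", {}), context):
            return True
    return False


if __name__ == "__main__":
    admin = "arn:aws:iam::123456789012:role/YourApprovedAdminRole"  # constructed
    dev = "arn:aws:iam::123456789012:role/Developer"                # constructed
    for op in ("StringNotEquals", "ArnNotLike"):
        scp = make_scp(op)
        print(op, "denies admin:", scp_denies(scp, "aws-marketplace:Subscribe", admin),
              "denies developer:", scp_denies(scp, "aws-marketplace:Subscribe", dev))
```

With `StringNotEquals` the admin role is denied too, which is the failure mode to check for before attaching the policy; with `ArnNotLike` only principals outside the exception are denied, and actions not listed in the statement (for example `aws-marketplace:ViewSubscriptions`) are left alone. Note that `aws:PrincipalArn` for a session of an assumed role is the role's ARN, not the assumed-role session ARN, which is why matching on `:role/` works.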