You can block the purchase of specific products from AWS Marketplace using IAM policies with a deny-based approach. While you mentioned that 'aws-marketplace:ProductId' isn't valid, the correct condition key to use is actually 'aws-marketplace:ProductId'.
Here's how you can implement a deny policy to restrict access to specific AWS Marketplace products:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "DenyAcceptingSpecificModelEULAs",
          "Effect": "Deny",
          "Action": [
            "aws-marketplace:Subscribe"
          ],
          "Resource": "*",
          "Condition": {
            "ForAnyValue:StringEquals": {
              "aws-marketplace:ProductId": [
                "product-id-to-block-1",
                "product-id-to-block-2"
              ]
            }
          }
        },
        {
          "Sid": "DenyUnsubscribingSpecificModels",
          "Effect": "Deny",
          "Action": [
            "aws-marketplace:Unsubscribe",
            "aws-marketplace:ViewSubscriptions"
          ],
          "Resource": "*",
          "Condition": {
            "ForAnyValue:StringEquals": {
              "aws-marketplace:ProductId": [
                "product-id-to-block-1",
                "product-id-to-block-2"
              ]
            }
          }
        }
      ]
    }
This policy denies the ability to subscribe to, unsubscribe from, or view subscriptions for the specified product IDs. You would need to replace "product-id-to-block-1" and "product-id-to-block-2" with the actual product IDs you want to block.
You can implement this as a Service Control Policy (SCP) at the organization level to enforce these restrictions across your AWS organization.
Alternatively, if you want to allow only specific products and deny all others, you can use a similar approach but with "ForAnyValue:StringNotEquals" in the condition, which would deny access to all products except those explicitly listed.
Sources
Implementing least privilege access for Amazon Bedrock | AWS Security Blog
Rather than using an IAM policy, I recommend setting up a Private Marketplace for your organization: https://aws.amazon.com/marketplace/features/privatemarketplace This feature was designed to address this specific use case. The other option is to set up a Marketplace Service Catalog: https://aws.amazon.com/servicecatalog/ This allows separation between procurement and deployment. It also provides the ability to enforce your org's deployment configurations and controls.
Hi,
I reviewed the policy you attempted, and I can confirm that the condition key aws-marketplace:ProductId only applies to AWS Marketplace Red Hat OpenShift products purchased through the Red Hat console. It does not restrict access to other AWS Marketplace products. This is why your SCP did not work as expected. More details are available in the documentation here [1].
Moreover, looking through the Marketplace documentation (https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsmarketplace.html) and the list of AWS services that work with IAM (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html#all_svcs), the service "AWS Marketplace" does not support resource-level permissions.
Unfortunately, there isn't any other condition that meets the use case. This leaves you with the solution of giving only the authorized users/roles/groups the permission "aws-marketplace:Subscribe" to AWS Marketplace products; other users can send a request for your team to do it on their behalf.
Having said that, I was able to find an existing feature request that expands on the functionality of this condition key. I have added your case to it so that it helps prioritize the implementation of the feature. Since product roadmaps are not shared with Support Engineering, I cannot provide you with an ETA on when this feature might be released, as we have no visibility over that process. All of our new announcements and releases can be found on our What's New page [2] and our official blog [3].
I will also reach out to the internal team regarding the information provided on the document and its correction [1]. Please accept my sincere apologies for the inconvenience caused.
To conclude, the action 'Subscribe' isn't supported with resource-level permissions to restrict it, nor does the condition key 'productid' cover all products so that it could be used in the policy as a filter. As of now, Product ID only works to filter 'RedHat OpenShift products'. There exists a feature request to have this condition key supported for all product IDs. As previously mentioned, I have added your voice to it.
I sincerely regret any inconvenience this lack of features has caused you. I hope you find the above information helpful. In case you need any further clarification or have more questions/concerns, please feel free to reply, and I will be happy to assist you.
Have a nice day, and stay safe!
References:
- [1] Control model access permissions - https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsmarketplace.html#awsmarketplace-policy-keys
- [2] What's New with AWS? - https://aws.amazon.com/new/
- [3] AWS News Blog - https://aws.amazon.com/blogs/aws/
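To make the point of the two answers above concrete (the first answer's Deny policy keyed on aws-marketplace:ProductId, and the support reply explaining that the key is only populated for the products the documentation lists), here is an added example that is not code from either answer or from AWS. It is a deliberately small policy evaluator in Python that models one IAM rule: a non-negated condition on a key that is absent from the request context is false, so a Deny that relies on such a key never fires. Everything here is constructed; only StringEquals (with the ForAnyValue/ForAllValues set prefixes) is modelled, and the product IDs are the same placeholders as in the policy above.

```python
# Added example (not from the re:Post answers or AWS): a toy evaluator for the
# Deny statement above. It shows why a Deny conditioned on a request-context
# key the service never supplies (aws-marketplace:ProductId for products other
# than those the documentation lists) silently blocks nothing.
import json
from fnmatch import fnmatch

# The Subscribe statement from the first answer, placeholder product IDs kept.
DENY_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAcceptingSpecificModelEULAs",
      "Effect": "Deny",
      "Action": ["aws-marketplace:Subscribe"],
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws-marketplace:ProductId": ["product-id-to-block-1", "product-id-to-block-2"]
        }
      }
    }
  ]
}
""")


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def condition_matches(condition, context):
    """Evaluate a Condition block against a request-context dict.

    Only StringEquals is modelled, optionally prefixed with ForAnyValue or
    ForAllValues. Follows the IAM rule that a non-negated condition on a key
    that is absent from the request context evaluates to false.
    (Assumption: negated and ...IfExists operators are out of scope.)
    """
    for operator, key_values in condition.items():
        set_prefix, _, base_op = operator.rpartition(":")
        if base_op != "StringEquals":
            raise NotImplementedError(f"operator {operator!r} not modelled")
        for key, allowed in key_values.items():
            allowed = _as_list(allowed)
            if key not in context:
                return False          # key never supplied -> condition false
            present = _as_list(context[key])
            if set_prefix == "ForAnyValue":
                ok = any(v in allowed for v in present)
            elif set_prefix == "ForAllValues":
                ok = all(v in allowed for v in present)
            else:                     # single-valued key, no set prefix
                ok = len(present) == 1 and present[0] in allowed
            if not ok:
                return False
    return True


def is_explicitly_denied(policy, action, context):
    """True if some Deny statement names the action and its conditions hold."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if not any(fnmatch(action, pat) for pat in _as_list(stmt["Action"])):
            continue
        if condition_matches(stmt.get("Condition", {}), context):
            return True
    return False


def demo():
    """Three constructed Subscribe requests: blocked ID present, another ID
    present, and the key absent (how the thread says most products behave)."""
    action = "aws-marketplace:Subscribe"
    return {
        "blocked_id_present": is_explicitly_denied(
            DENY_POLICY, action, {"aws-marketplace:ProductId": "product-id-to-block-1"}),
        "other_id_present": is_explicitly_denied(
            DENY_POLICY, action, {"aws-marketplace:ProductId": "some-other-product"}),
        "key_absent": is_explicitly_denied(DENY_POLICY, action, {}),
    }


if __name__ == "__main__":
    for case, denied in demo().items():
        print(f"{case:20s} denied={denied}")
```

The third case is the one that matters for this thread: with the key absent, the Deny is never matched and the Subscribe request falls through to whatever Allow the principal already has. The toy models explicit Deny only, which is enough to see that gap; to validate a real policy against AWS's own evaluation logic, use the IAM policy simulator (for example boto3's `simulate_custom_policy` with `ContextEntries`) and compare results with and without the `aws-marketplace:ProductId` entry.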

I already tried to use the condition key 'aws-marketplace:ProductId'. But as mentioned in the documentation (https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsmarketplace.html), this key is only valid for the Bedrock and Red Hat marketplaces, not the Amazon one.