
Marketplace Subscriptions Deny

Policy Overview

This AWS Service Control Policy (SCP) is designed to govern who can make marketplace subscriptions and manage private marketplace actions. The AWS Marketplace allows local account administrators to bypass enterprise procurement and third-party risk management processes by engaging and paying for services directly through their AWS bill. This SCP ensures that only specific IAM roles, such as those in the Cloud Engineering or Organizational Management Account, can perform these actions. This policy should be applied to the Root OU to ensure consistent governance across all accounts.

Policy JSON

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "MarketplaceWriteActions",
      "Effect": "Deny",
      "Action": [
        "aws-marketplace:AcceptAgreementApprovalRequest",
        "aws-marketplace:CancelAgreementRequest",
        "aws-marketplace:RejectAgreementApprovalRequest",
        "aws-marketplace:Subscribe",
        "aws-marketplace:Unsubscribe",
        "aws-marketplace:UpdateAgreementApprovalRequest"
      ],
      "Resource": ["*"],
      "Condition": {
        "StringNotLike": {
          "aws:PrincipalArn": [
            "arn:*:iam::*:role/NAME_OF_YOUR_CLOUD_ENGINEERING_ROLE",
            "arn:*:iam::*:role/OrganizationAccountAccessRole"
          ]
        }
      }
    },
    {
      "Sid": "DenyAllPrivateMarketplaceActions",
      "Effect": "Deny",
      "Action": [
        "aws-marketplace:CreatePrivateMarketplace",
        "aws-marketplace:StartPrivateMarketplace",
        "aws-marketplace:StopPrivateMarketplace",
        "aws-marketplace:DescribePrivateMarketplaceStatus",
        "aws-marketplace:AssociateProductsWithPrivateMarketplace",
        "aws-marketplace:DisassociateProductsFromPrivateMarketplace",
        "aws-marketplace:ListPrivateMarketplaceProducts",
        "aws-marketplace:DescribePrivateMarketplaceProducts",
        "aws-marketplace:ListPrivateMarketplaceRequests",
        "aws-marketplace:DescribePrivateMarketplaceRequests",
        "aws-marketplace:UpdatePrivateMarketplaceSettings",
        "aws-marketplace:DescribePrivateMarketplaceSettings",
        "aws-marketplace:CreatePrivateMarketplaceProfile",
        "aws-marketplace:UpdatePrivateMarketplaceProfile",
        "aws-marketplace:DescribePrivateMarketplaceProfile"
      ],
      "Resource": ["*"],
      "Condition": {
        "StringNotLike": {
          "aws:PrincipalArn": [
            "arn:*:iam::*:role/NAME_OF_YOUR_CLOUD_ENGINEERING_ROLE",
            "arn:*:iam::*:role/OrganizationAccountAccessRole"
          ]
        }
      }
    }
  ]
}

Explanation

Policy Elements

  • Version: Specifies the version of the policy language.
  • Statement: Contains the individual statements that define the policy.

Statement 1: Marketplace Write Actions

  • Sid: MarketplaceWriteActions
    • A unique identifier for this statement.
  • Effect: Deny
    • This statement denies the listed actions.
  • Action:
    • A list of AWS Marketplace actions that allow subscription management and agreement handling.
  • Resource: ["*"]
    • The policy applies to all resources.
  • Condition:
    • StringNotLike: Denies the actions unless the principal ARN matches one of the specified IAM role patterns.
    • aws:PrincipalArn: Lists the IAM roles allowed to perform the actions.

Statement 2: Deny All Private Marketplace Actions

  • Sid: DenyAllPrivateMarketplaceActions
    • A unique identifier for this statement.
  • Effect: Deny
    • This statement denies all private marketplace management actions.
  • Action:
    • A list of actions related to the management of AWS Private Marketplace.
  • Resource: ["*"]
    • The policy applies to all resources.
  • Condition:
    • StringNotLike: Denies the actions unless the principal ARN matches one of the specified IAM role patterns.
    • aws:PrincipalArn: Lists the IAM roles allowed to perform the actions.

Conditions and Exceptions

  • The StringNotLike condition allows exceptions for the specified IAM roles, ensuring that only authorized roles can perform the restricted actions.
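The StringNotLike exemption is easiest to reason about by evaluating it. The following is an added example, not part of this page or any AWS tooling: it models the two Deny statements in memory and reports which principal ARNs each one blocks, including a role created under an IAM path, which the patterns do not exempt. The account ids and principal names used in the checks are constructed.

```python
import re

# Constructed copy of the page's SCP (example code, not the page's own tooling).
EXEMPT = ["arn:*:iam::*:role/NAME_OF_YOUR_CLOUD_ENGINEERING_ROLE",
          "arn:*:iam::*:role/OrganizationAccountAccessRole"]
SCP = {"Version": "2012-10-17", "Statement": [
    {"Sid": "MarketplaceWriteActions", "Effect": "Deny", "Resource": ["*"],
     "Action": ["aws-marketplace:" + a for a in (
         "AcceptAgreementApprovalRequest", "CancelAgreementRequest",
         "RejectAgreementApprovalRequest", "Subscribe", "Unsubscribe",
         "UpdateAgreementApprovalRequest")],
     "Condition": {"StringNotLike": {"aws:PrincipalArn": EXEMPT}}},
    {"Sid": "DenyAllPrivateMarketplaceActions", "Effect": "Deny", "Resource": ["*"],
     "Action": ["aws-marketplace:" + a for a in (
         "CreatePrivateMarketplace", "StartPrivateMarketplace",
         "StopPrivateMarketplace", "DescribePrivateMarketplaceStatus",
         "AssociateProductsWithPrivateMarketplace",
         "DisassociateProductsFromPrivateMarketplace",
         "ListPrivateMarketplaceProducts", "DescribePrivateMarketplaceProducts",
         "ListPrivateMarketplaceRequests", "DescribePrivateMarketplaceRequests",
         "UpdatePrivateMarketplaceSettings", "DescribePrivateMarketplaceSettings",
         "CreatePrivateMarketplaceProfile", "UpdatePrivateMarketplaceProfile",
         "DescribePrivateMarketplaceProfile")],
     "Condition": {"StringNotLike": {"aws:PrincipalArn": EXEMPT}}},
]}

def iam_match(pattern, value):
    """IAM-style wildcard match: '*' spans any run, '?' one char; case-sensitive."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value) is not None

def scp_denies(policy, action, principal_arn):
    """Sid of the first Deny statement that blocks the call, else None.
    Models only what this SCP uses: Deny + Action list + Resource "*" +
    StringNotLike on aws:PrincipalArn. For a role session that key carries the
    IAM role ARN (arn:aws:iam::<acct>:role/<name>), not the STS assumed-role
    ARN, so the role patterns above also cover sessions assumed from them."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not any(iam_match(a, action) for a in stmt["Action"]):
            continue
        exempt = stmt.get("Condition", {}).get("StringNotLike", {}).get("aws:PrincipalArn", [])
        # StringNotLike holds, so the Deny applies, only if no exempt pattern matches.
        if any(iam_match(p, principal_arn) for p in exempt):
            continue
        return stmt["Sid"]
    return None
```

SCPs never apply to the organization's management account, so the OrganizationAccountAccessRole exemption only matters in member accounts. A role with the right name but an IAM path (role/some-path/OrganizationAccountAccessRole) is still denied, because the pattern's literal `:role/` must immediately precede the role name.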

When to Use This Policy

  • Use Case: Apply this policy to prevent local account administrators from making unauthorized marketplace subscriptions and managing private marketplace actions, ensuring proper enterprise procurement and third-party risk management.
  • Ideal For: Organizations that need to enforce strict control over marketplace subscriptions and private marketplace management to prevent bypassing enterprise policies.

Benefits

  • Enhanced Security: Prevents unauthorized marketplace actions that could lead to unapproved expenditures or security risks.
  • Improved Governance: Ensures that all marketplace interactions are handled through designated roles, promoting better oversight.
  • Cost Management: Reduces the risk of unexpected costs by controlling who can make marketplace purchases and manage subscriptions.

Potential Drawbacks

  • Operational Delays: Requiring specific roles for marketplace actions might introduce delays if the authorized personnel are unavailable.
  • Management Complexity: Keeping the list of authorized roles up-to-date requires careful management to ensure the right balance between security and operational efficiency.

Conclusion

Implementing this Service Control Policy enhances control over AWS Marketplace subscriptions and private marketplace actions. It ensures that only designated IAM roles can perform these actions, promoting better governance and security. Regular review and updates of the IAM roles specified in the policy are recommended to adapt to the evolving needs and structure of the organization.
