Controlling access to AWS Marketplace subscriptions
AWS IAM Identity Center helps you securely create or connect your workforce identities and manage their access centrally across AWS accounts and applications. IAM Identity Center is the recommended approach for workforce authentication and authorization in AWS for organizations of any size and type. For additional configuration guidance, review the AWS Security Reference Architecture.
IAM Identity Center provides a user portal where your users can find and access their assigned AWS accounts, roles, cloud applications, and custom applications in one place. IAM Identity Center assigns single sign-on access to users and groups in your connected directory and uses permission sets to determine their level of access. Because users assume roles through these permission sets instead of using long-term keys, access is granted with temporary security credentials. You can define a user's level of access by assigning specific AWS managed roles for AWS Marketplace access, which lets you delegate the management of AWS Marketplace subscriptions across your AWS organization.
For example, Customer A assumes a role through federation with the ManagedMarketplace_ViewOnly policy attached to the role. This means Customer A can only view subscriptions in AWS Marketplace. You can create an IAM role with permissions to view subscriptions and grant permission to Customer A to assume this role.
Creating IAM roles for AWS Marketplace access
You can use IAM roles to delegate access to your AWS resources.
To create IAM roles for assigning AWS Marketplace permissions
- Open the IAM Console.
- In the left navigation pane, choose Roles and then choose Create role.
- Choose your AWS account.
- From Add permissions, select one of the following policies:
  - To allow permissions only to view subscriptions, but not change them, choose AWSMarketplaceRead-only.
  - To allow permissions to subscribe and unsubscribe, choose AWSMarketplaceManageSubscriptions.
  - To allow complete control of your subscriptions, choose AWSMarketplaceFullAccess.
- Choose Next.
- For Role name, enter a name for the role. For example, MarketplaceReadOnly or MarketplaceFullAccess. Then choose Create role. For more information, see Creating IAM roles.
Note
The administrator of the specified account can grant permission to assume this role to any user in that account.
Repeat the preceding steps to create more roles with different permission sets so that each user persona can use the IAM role with customized permissions.
You're not limited to the permissions in the AWS managed policies that are described here. You can use IAM to create policies with custom permissions and then add those policies to IAM roles. For more information, see Managing IAM policies and Adding IAM identity permissions in the IAM User Guide.
AWS managed policies for AWS Marketplace
You can use AWS managed policies to provide basic AWS Marketplace permissions. Then, for any unique scenarios, you can create your own policies and apply them to the roles with the specific requirements for your scenario. The following basic AWS Marketplace managed policies are available to you to control who has which permissions.
The following links take you to the AWS Managed Policy Reference.
AWS Marketplace also provides specialized managed policies for specific scenarios. For a full list of AWS managed policies for AWS Marketplace buyers, as well as descriptions of what permissions they provide, see AWS managed policies for AWS Marketplace buyers in this section.
Permissions for working with License Manager
AWS Marketplace integrates with AWS License Manager to manage and share licenses for products that you subscribe to between accounts in your organization. To view the full details of your subscriptions in AWS Marketplace, a user must be able to list license information from AWS License Manager.
To make sure that your users have the permissions they need to see all the data about their AWS Marketplace products and subscriptions, add the following permission:
- license-manager:ListReceivedLicenses
For more information about setting permissions, see Managing IAM policies in the IAM User Guide.
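The following Python example (added here; it is not part of the AWS documentation) assembles one persona role as described in the procedure above: a trust policy scoped to a single account, exactly one of the three AWS Marketplace managed policies, and an inline policy carrying the license-manager:ListReceivedLicenses permission from this section. It then audits the result for the drifts a reviewer would look for (an open trust policy, a missing or duplicated Marketplace tier, a missing License Manager permission, wildcard actions). The account ID 111122223333 and the inline policy name LicenseManagerRead are constructed placeholders.

```python
# AWS managed policy ARNs for the three AWS Marketplace buyer tiers named on this page.
MARKETPLACE_TIERS = {
    "view": "arn:aws:iam::aws:policy/AWSMarketplaceRead-only",
    "manage": "arn:aws:iam::aws:policy/AWSMarketplaceManageSubscriptions",
    "full": "arn:aws:iam::aws:policy/AWSMarketplaceFullAccess",
}
LICENSE_ACTION = "license-manager:ListReceivedLicenses"

def trust_policy(account_id):
    """Trust policy: only principals in one account may assume the role, so that
    account's administrator decides who gets it (the page's Note)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
        "Action": "sts:AssumeRole"}]}

def license_manager_policy():
    """Inline policy with the single License Manager read action the page requires."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": [LICENSE_ACTION], "Resource": "*"}]}

def marketplace_role(name, tier, account_id):
    """One persona role: trust policy, exactly one managed tier, inline License Manager
    policy. The dict mirrors the inputs to iam create-role / attach-role-policy /
    put-role-policy; the inline policy name is a constructed placeholder."""
    return {"RoleName": name,
            "AssumeRolePolicyDocument": trust_policy(account_id),
            "ManagedPolicyArns": [MARKETPLACE_TIERS[tier]],
            "InlinePolicies": {"LicenseManagerRead": license_manager_policy()}}

def audit_role(role):
    """Return findings where a role drifts from this page's guidance; [] means compliant."""
    findings = []
    principals = [s.get("Principal") for s in role["AssumeRolePolicyDocument"]["Statement"]]
    if any(p in ("*", {"AWS": "*"}) for p in principals):
        findings.append("trust policy allows any principal to assume the role")
    tiers = [a for a in role["ManagedPolicyArns"] if a in MARKETPLACE_TIERS.values()]
    if len(tiers) != 1:
        findings.append(f"expected exactly one AWS Marketplace tier, found {len(tiers)}")
    # Flatten inline statement actions; "Action" may be a string or a list.
    actions = [a for doc in role["InlinePolicies"].values() for s in doc["Statement"]
               for a in ([s["Action"]] if isinstance(s["Action"], str) else s["Action"])]
    if LICENSE_ACTION not in actions:
        findings.append(f"missing {LICENSE_ACTION}; subscription details will be incomplete")
    if any(a == "*" or a.endswith(":*") for a in actions):
        findings.append("inline policy grants a wildcard action")
    return findings
```

Call marketplace_role("MarketplaceReadOnly", "view", "111122223333") for the view-only persona; a clean role returns no findings from audit_role.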
Additional resources
For more information about managing IAM roles, see IAM Identities (users, user groups, and roles) in the IAM User Guide.
For more information about managing IAM permissions and policies, see Controlling access to AWS resources using policies in the IAM User Guide.
For more information about managing IAM permissions and policies for data products in AWS Data Exchange, see Identity and access management in AWS Data Exchange in the AWS Data Exchange User Guide.