SaaS product guidelines for AWS Marketplace

AWS Marketplace maintains the following guidelines for all software as a service (SaaS) products and offerings on AWS Marketplace to promote a safe, secure, and trustworthy platform for our customers. The following sections provide guidelines for SaaS products on AWS Marketplace.

All products and their related metadata are reviewed when submitted to ensure that they meet or exceed current AWS Marketplace guidelines. These guidelines are reviewed and adjusted to meet our evolving security requirements. In addition, AWS Marketplace continuously reviews products to verify that they meet any changes to these guidelines. If products fall out of compliance, we might require that you update your product and in some cases your product might temporarily be unavailable to new subscribers until issues are resolved.

Product setup guidelines

All SaaS products must adhere to the following product setup guidelines:

  • Pricing dimensions can't be limited to private offers only. Buyers should be able to subscribe to any of the pricing dimensions on public products.

  • At least one pricing dimension must have a price greater than $0.00.

  • All pricing dimensions must relate to actual software and cannot include any other products or services unrelated to the software.

  • SaaS products offered exclusively in the AWS GovCloud (US) Regions must include GovCloud somewhere in the product title.

Customer information requirements

All SaaS products must adhere to the following customer information requirements:

  • SaaS products must be billed entirely through the listed dimensions on AWS Marketplace.

  • You cannot collect customer payment information for your SaaS product at any time, including credit card and bank account information.

Product usage guidelines

All SaaS products must adhere to the following product usage guidelines:

  • After subscribing to the product in AWS Marketplace, customers should be able to create an account within your SaaS application and gain access to a web console. If the customer cannot gain access to the application immediately, you must provide a message with specific instructions on when they will gain access. When an account has been created, the customer must be sent a notification confirming that their account has been created along with clear next steps.

  • If a customer already has an account in the SaaS application, they must have the ability to log in from the fulfillment landing page.

  • Customers must be able to see the status of their subscription within the SaaS application, including any relevant contract or subscription usage information.

  • Customers must be able to easily get help with issues such as: using the application, troubleshooting, and requesting refunds (if applicable). Support contact options must be specified on the fulfillment landing page.

  • Product software and metadata must not contain language that redirects users to other cloud platforms, additional products, upsell services, or free trial offers that aren't available on AWS Marketplace.

    For information about free trials for SaaS products, see Creating a SaaS free trial offer in AWS Marketplace.

  • If your product is an add-on to another product or another ISV’s product, your product description must indicate that it extends the functionality of the other product and that without it, your product has very limited utility. For example: "This product extends the functionality of <product name> and without it, this product has very limited utility. Please note that <product name> might require its own license for full functionality with this listing."

Architecture guidelines

The following topics list and describe the architecture guidelines for SaaS products.

Guidelines effective May 1, 2025

Note

The following guidelines go into effect on May 1, 2025.

  • You can publish all SaaS architectures. However, for AWS Marketplace to consider your product as deployed on AWS, your SaaS application must conform to one of the AWS hosting patterns listed below. Products that are deployed on AWS receive a special designation in the AWS Marketplace search results, and in their product details pages.

    • The product runs entirely on AWS. This includes both the application and control planes. The application plane can run in the seller's AWS account, the buyer's AWS account, or both. The SaaS application can use content delivery networks (CDNs), domain name systems (DNSs), and corporate identity providers (IdPs) from other providers.

    • The product is designed to replicate data or migrate workloads to AWS only. Except for clients and gateways running outside of AWS, the application and control planes must run on AWS. AWS must be the only available target. If the product also supports replication to environments outside of AWS, you must remove that capability and publish a separate product with that capability. AWS Marketplace won't consider that second product as deployed on AWS.

  • Applications that require resources in the buyer's infrastructure must follow these guidelines:

    • Your control plane—as defined in the SaaS Architecture Fundamentals AWS Whitepaper—must reside in infrastructure that you manage for your product to be considered a SaaS product and not a managed service. For more information, see the SaaS vs. Managed Service Provider whitepaper.

    • In the product description, you must notify customers that if they incur AWS infrastructure charges separate from their AWS Marketplace transaction, they must pay those charges.

    • You must provision resources in a secure way, such as using the AWS Security Token Service (AWS STS) or AWS Identity and Access Management (IAM).

    • You must follow the principle of least privilege when creating usage instructions or deployment templates that grant permissions to your application.

    • You must provide additional documentation that describes all provisioned AWS services, IAM policy statements, and how an IAM role or user is deployed and used in the customer's account.

    • You must provide instructions or deployment templates that enable buyers to deploy the required resources in their AWS accounts.

    • If you provide AWS CloudFormation templates (CFTs) for deploying resources to the buyer's AWS account, they must comply with AWS Marketplace policies for CFTs. You must publish those CFTs as part of your SaaS listing by following the method provided when you enable the SaaS Quick Launch deployment option for your buyers. SaaS Quick Launch makes it easier for your buyers to configure your SaaS solution.

    • If Amazon Machine Images (AMIs) are deployed into the buyer's AWS account, they must comply with AWS Marketplace policies for AMIs. Your AMIs must pass the AMI scanner in the AWS Marketplace Management Portal (seller portal). When requesting your product to be public, you must also contact AWS Marketplace operations and provide proof of scan results.

    • If container images are deployed into a buyer's AWS account, the images must comply with AWS Marketplace policies for containers. Your container images can be hosted outside of AWS, but they must be scanned in Amazon Elastic Container Registry (Amazon ECR) and be free of critical vulnerabilities. When requesting your product to be public, you must also contact AWS Marketplace operations and provide proof that the container passed the scan.

  • Successfully call the AWS Marketplace APIs from the AWS account that registered as a provider and submitted the SaaS publishing request. The SaaS pricing model determines which APIs should be called:

    • SaaS contracts – GetEntitlements in the AWS Marketplace Entitlement Service.

    • SaaS contracts with consumption – GetEntitlements in the AWS Marketplace Entitlement Service and BatchMeterUsage in the AWS Marketplace Metering Service.

    • SaaS subscriptions – BatchMeterUsage in the AWS Marketplace Metering Service.

  • SaaS products offered exclusively in the AWS GovCloud (US) Regions must explain the architectural boundaries between other AWS Regions and the AWS GovCloud (US) Regions, use cases for the product, and the workloads not recommended for the product.

For more information on SaaS architectures, refer to SaaS Architecture Fundamentals.
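The following is an added example, not AWS or AWS Marketplace code, of a pre-publication check a seller could run over the IAM documents it ships for buyer-account resources, covering the least-privilege and AWS STS guidelines above. It assumes access is granted through a cross-account role that the seller assumes with `sts:AssumeRole` and an `sts:ExternalId` condition; the account ID, bucket name, and policies are constructed sample data, and the function names are hypothetical.

```python
# Added example: lint IAM documents shipped for buyer-account access (constructed data).

def _as_list(value):
    """IAM allows a string or a list for Action, Resource and Principal values."""
    return value if isinstance(value, list) else [value]

def lint_permissions(policy):
    """Return findings for Allow statements broader than least privilege."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {i}: Allow with NotAction/NotResource")
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {i}: wildcard action {action}")
        if "*" in _as_list(stmt.get("Resource", [])):
            findings.append(f"statement {i}: Resource is '*'")
    return findings

def lint_trust(policy):
    """Return findings for a cross-account trust policy assumed through AWS STS."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        if "*" in aws:
            findings.append(f"trust {i}: any AWS principal can assume the role")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not ext:
            findings.append(f"trust {i}: no sts:ExternalId condition")
    return findings

SELLER = "arn:aws:iam::111122223333:root"  # constructed seller account
BROAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::example-video-input/*"}]}
TRUST_OPEN = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": SELLER}, "Action": "sts:AssumeRole"}]}
TRUST_OK = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": SELLER}, "Action": "sts:AssumeRole",
     "Condition": {"StringEquals": {"sts:ExternalId": "constructed-buyer-id"}}}]}
for name, result in [("BROAD", lint_permissions(BROAD)), ("TRUST_OPEN", lint_trust(TRUST_OPEN))]:
    print(name, result)
```

The check matches the `StringEquals` operator and the `sts:ExternalId` key with exact casing only, so a template that spells them differently needs normalizing first.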

Architecture diagram

To receive the special designation that your product is deployed on AWS, update your product's architecture details in AWS Marketplace Management Portal. Select a hosting pattern that is deployed on AWS and upload an architecture diagram that will be reviewed by AWS. For hosting patterns that AWS Marketplace considers deployed on AWS, refer to Guidelines effective May 1, 2025, previously in this guide.

Use the following criteria when creating a diagram:

  • Group and label components as part of the application plane or control plane.

  • For any components outside of AWS that are part of the core business logic of your product, group them with the application plane.

  • Components can represent low-level details (for example, compute instances and network subnets), or high-level services (for example, a data analytics platform).

  • Components don’t need to identify the name of the AWS services or non-AWS services used.

  • Place components where they logically run. For example, in the seller's AWS account, the buyer's AWS account, the seller’s non-AWS environment, or another environment.

  • For data replication or workload migration products, include all supported source and target environments.

Level of detail

You can create a high-level diagram that shows main system components, includes basic data flows, and focuses on the application plane and control plane services. Or, you can create a low-level, detailed diagram that breaks down each component, shows specific connections, and includes technical specifications with different levels of detail.

The following diagrams show the architecture of a hypothetical video-analysis SaaS application. Each shows a different level of detail. Both are acceptable. Use them as examples for the level of detail to include in your own diagrams.

The following is an example of a high-level diagram.

An architecture diagram showing the architecture of a hypothetical video-analysis SaaS application with high-level services. The services include machine-learning, storage, web, and billing services grouped and labeled as part of the control plane and application plane.

The following is an example of a low-level, detailed diagram.

An architecture diagram showing the architecture of a hypothetical video-analysis SaaS application with low-level details. The details include AWS service icons for AWS Fargate, virtual private cloud (VPC), and Amazon SageMaker AI that are grouped and labeled as part of the control plane and application plane.

For more information, see What is Architecture Diagramming?. After creating a diagram, update your architecture details in the AWS Marketplace Management Portal (AMMP). For more information, see Update architecture details.

Current guidelines effective until April 30, 2025

All SaaS products must adhere to the following architecture guidelines:

Note

For guidelines after April 30, 2025, refer to Guidelines effective May 1, 2025.

  • A portion of your application must be hosted in an AWS account that you own.

  • All application components should be hosted in infrastructure you manage. Applications that require additional resources in the customer’s infrastructure must follow these guidelines:

    • Provision resources in a secure way, such as using the AWS Security Token Service (AWS STS) or AWS Identity and Access Management (IAM).

    • Provide additional documentation, including a description of all provisioned AWS services, IAM policy statements, and how an IAM role or user is deployed and used in the customer’s account.

    • Include a notification in the product description that explains that if the customer incurs additional AWS infrastructure charges separate from their AWS Marketplace transaction, they're responsible for paying the additional infrastructure charges.

    • If your product deploys an agent, you must provide instructions to the customer that describe how to deploy it in their AWS account.

    • Applications that require resources running in the customer's infrastructure will have an additional review by AWS Marketplace, which can take 2-4 weeks.

  • Successfully call the AWS Marketplace APIs from the AWS account that registered as a provider and submitted the SaaS publishing request. The SaaS pricing model determines which APIs should be called:

    • SaaS contracts – GetEntitlements in the AWS Marketplace Entitlement Service.

    • SaaS contracts with consumption – GetEntitlements in the AWS Marketplace Entitlement Service and BatchMeterUsage in the AWS Marketplace Metering Service.

    • SaaS subscriptions – BatchMeterUsage in the AWS Marketplace Metering Service.

  • SaaS products offered exclusively in the AWS GovCloud (US) Regions must explain the architectural boundaries between other AWS Regions and the AWS GovCloud (US) Regions, use cases for the product, and the workloads not recommended for the product.