

# AWS Marketplace security
<a name="security"></a>

Cloud security at AWS is the highest priority. As an AWS customer, you benefit from a data center and network architecture that is built to meet the requirements of the most security-sensitive organizations.

Security is a shared responsibility between AWS and you. The [shared responsibility model](https://aws.amazon.com/compliance/shared-responsibility-model/) describes this as security *of* the cloud and security *in* the cloud:
+ **Security of the cloud** – AWS is responsible for protecting the infrastructure that runs AWS services in the AWS Cloud. AWS also provides you with services that you can use securely. The effectiveness of our security is regularly tested and verified by third-party auditors as part of the [AWS compliance programs](https://aws.amazon.com/compliance/programs/). To learn about the compliance programs that apply to AWS Marketplace, see [AWS Services in Scope by Compliance Program](https://aws.amazon.com/compliance/services-in-scope/).
+ **Security in the cloud** – Your responsibility is determined by the AWS service that you use. You're also responsible for other factors including the sensitivity of your data, your organization’s requirements, and applicable laws and regulations. 

This documentation helps you understand how to apply the shared responsibility model when using AWS Marketplace. The following topics show you how to configure AWS Identity and Access Management to manage access to AWS Marketplace in order to meet your security and compliance objectives. You can also learn how to use other AWS services that can help you to monitor and secure your AWS Marketplace resources.

To learn more about security and other policies regarding the products that you offer in AWS Marketplace, see the following topics:
+ [AMI-based product requirements for AWS Marketplace](product-and-ami-policies.md) 
+ [Container-based product requirements for AWS Marketplace](container-product-policies.md) 
+ [Requirements and best practices for creating machine learning products](ml-listing-requirements-and-best-practices.md)
+ [SaaS product guidelines for AWS Marketplace](saas-guidelines.md) 
+ [Requirements for professional services products on AWS Marketplace](proserv-product-guidelines.md) 

**Note**  
To learn about security on AWS Data Exchange for data products, see [Security](https://docs.aws.amazon.com/data-exchange/latest/userguide/security.html) in the *AWS Data Exchange User Guide*.  
To learn about security for buyers in AWS Marketplace, see [Security on AWS Marketplace](https://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-security.html) in the *AWS Marketplace Buyer Guide*.

**Topics**
+ [Controlling access to AWS Marketplace Management Portal](marketplace-management-portal-user-access.md)
+ [Policies and permissions for AWS Marketplace sellers](detailed-management-portal-permissions.md)
+ [AWS managed policies for AWS Marketplace sellers](security-iam-awsmanpol.md)
+ [AWS Marketplace Commerce Analytics Service account permissions](set-aws-iam-cas-permissions.md)
+ [Amazon SQS permissions](set-aws-iam-sqs-permissions.md)
+ [AWS Marketplace metering and entitlement API permissions](iam-user-policy-for-aws-marketplace-actions.md)
+ [Using service-linked roles for Resale Authorization with AWS Marketplace](using-roles-for-resale-authorization.md)
+ [Logging AWS Marketplace API calls with AWS CloudTrail](cloudtrail-logging.md)

# Controlling access to AWS Marketplace Management Portal
<a name="marketplace-management-portal-user-access"></a>

AWS Identity and Access Management (IAM) is an AWS service that helps you control access to AWS resources. If you are an administrator, you control who can be *authenticated* (signed in) and *authorized* (have permissions) to use AWS Marketplace resources. IAM is an AWS service that you can use with no additional charge. 

The recommended way to control who can do what in AWS Marketplace Management Portal is to use IAM to create users and groups. Then you add the users to the groups, and manage the groups. For example, if John should be allowed to view your products, create a user for him and add his user to a group you create for read-only access. You can assign a policy or permissions to the group that provide read-only permissions. If you have other users that need read-only access, you can add them to the group you created rather than adding permissions to the user. If John's role changes and he no longer needs read-only access, you can remove John from the group. 

A *policy* is a document that defines the permissions that apply to a user, group, or role. In turn, the permissions determine what users can do in AWS. A policy typically allows access to specific actions, and can optionally grant that the actions are allowed for specific resources, like Amazon EC2 instances, Amazon S3 buckets, and so on. Policies can also explicitly deny access. A *permission* is a statement within a policy that allows or denies access to a particular resource. You can state any permission like this: "A has permission to do B to C." For example, Jane (A) has permission to read messages (B) from John's Amazon Simple Queue Service queue (C). Whenever Jane sends a request to Amazon SQS to use John's queue, the service checks to see if she has permission. It further checks to see if the request satisfies the conditions John specified in the permission. 

**Important**  
All of the users that you create authenticate by using their credentials. However, they use the same AWS account. Any change that a user makes can impact the whole account. 

AWS Marketplace has permissions defined to control the actions that someone with those permissions can take in AWS Marketplace Management Portal. There are also policies that AWS Marketplace created and manages that combine several permissions.

 The following resources provide more information about getting started and using IAM. 
+  [Create an administrative user](https://docs.aws.amazon.com/IAM/latest/UserGuide/getting-started_create-admin-group.html) 
+  [Security best practices in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html) 
+  [Managing IAM policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-using.html#create-managed-policy-console) 
+  [Attaching a policy to an IAM user group](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups_manage_attach-policy.html) 
+  [IAM Identities (users, groups, and roles)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id.html) 
+  [Controlling access to AWS resources using policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_permissions.html) 

The following topics provide some high-level guidance for creating users and groups, and signing in as a user.

**Topics**
+ [Creating users](#creating-iam-users)
+ [Creating or using groups](#creating-iam-groups)
+ [Signing in as a user](#signing-in-using-iam-user)

## Creating users
<a name="creating-iam-users"></a>

To allow people in your company to sign in to the AWS Marketplace Management Portal, create a user for each person who needs access.

**To create users**

1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. In the navigation pane, under **Access management**, choose **Users**, then choose **Create user**.

1. In the numbered text boxes, enter a name for each user that you want to create.

1. Clear the **Generate an access key for each user** check box and then choose **Create**.

**To assign a password to each user that you just created**

1. In the list of users, choose the name of a new user.

1. Choose the **Security Credentials** tab and then choose **Manage Password**.

1. Choose an option for either an auto-generated password or a custom password. Optionally, to require the user to choose a new password at the next sign-in, select the box for **Require user to create a new password at next sign-in**. Choose **Apply**.

1. Choose **Download Credentials** to save the sign-in credentials and account-specific sign-in URL to a comma-separated values (CSV) file on your computer. Then choose **Close**.

**Note**  
To sign in with the sign-in credentials that you just created, users must navigate to your account-specific sign-in URL. This URL is in the credentials file that you just downloaded and is also available on the IAM console. For more information, see [How IAM users sign in to your AWS account](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_sign-in.html) in the *IAM User Guide*.

**Tip**  
Create sign-in credentials for yourself as well, even though you're the AWS account owner. It's a recommended best practice for everyone to work in AWS Marketplace as a user, even the account owner. For instructions on how to create a user for yourself that has administrative permissions, see [Create an administrative user](https://docs.aws.amazon.com/IAM/latest/UserGuide/getting-started_create-admin-group.html) in the *IAM User Guide*.

## Creating or using groups
<a name="creating-iam-groups"></a>

 After you create users, create groups, create permissions to access the pages in the AWS Marketplace Management Portal, add those permissions to the groups, and then add users to the groups. 

 When you assign permissions to a group, you allow any member of that group to perform specific actions. When you add a new user to the group, that user automatically gains the permissions that are assigned to the group. A group can have permissions for more than one action. We recommend using an [AWS Marketplace managed policy](https://docs.aws.amazon.com/marketplace/latest/userguide/security-iam-awsmanpol.html) rather than creating your own policy.

**To assign a managed policy for AWS Marketplace to a group**

1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. In the navigation pane, choose **Groups**, and then choose the group that you want to attach a policy to.

1. On the summary page for the group, under the **Permissions** tab, choose **Attach Policy**. 

1. On the **Attach Policy** page, next to **Filter:** enter **awsmarketplace**. 

1. Choose the policy or policies that you want to attach, and then choose **Attach Policy**.

**To create a policy with AWS Marketplace Management Portal permissions**

1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. In the navigation pane, choose **Policies** and then choose **Create Policy**.

1. Next to **Policy Generator**, choose **Select**. 

1. On the **Edit Permissions** page, do the following:

   1. For **Effect**, choose **Allow**.

   1. For **AWS Service**, choose **AWS Marketplace Management Portal**.

   1. For **Actions**, select the permission or permissions to allow.

   1. Choose **Add Statement**. 

   1. Choose **Next Step**. 

1. On the **Review Policy** page, do the following:

   1. For **Policy Name**, enter a name for this policy. Take note of the policy name because you need it for a later step.

   1. (Optional) For **Description**, enter a description for this policy. 

   1. Choose **Create Policy**. 

**To create an IAM group with appropriate permissions and add users to the group**

1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. In the navigation pane, choose **Groups** and then choose **Create New Group**. 

1. For **Group Name:**, type a name for the group. Then choose **Next Step**.

1. On the **Attach Policy** page, do the following:

   1. For **Filter:**, choose **Customer Managed Policies**.

   1. Select the check box next to the name of the policy that you want to attach to this group. This is typically the policy that you just created. 

   1. Choose **Next Step**. 

1. Choose **Create Group**. 

1. Find your new group in the **Groups** list and then select the check box next to it. Choose **Group Actions** and then **Add Users to Group**.

1. Select the check box next to each user to add to the group and then choose **Add Users**.

## Signing in as a user
<a name="signing-in-using-iam-user"></a>

After you have created users in IAM, users can sign in with their own sign-in credentials. To do so, they need to use the unique URL that is associated with your AWS account. You can get and distribute the sign-in URL to your users.

**To get your account's unique sign-in URL**

1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. In the navigation pane, choose **Dashboard**.

1. Near the top of the content pane, find **IAM users sign-in link:** and take note of the sign-in link, which has a format like this:

   ```
   https://AWS_account_ID.signin.aws.amazon.com/console/
   ```

   **Note**  
   If you want the URL for your sign-in page to contain your company name (or other friendly identifier) instead of your AWS account ID, you can create an alias for your account by choosing **Customize**. For more information, see [Your AWS Account ID and Its Alias](https://docs.aws.amazon.com/IAM/latest/UserGuide/console_account-alias.html) in the *IAM User Guide*.

1. Distribute this URL to the people at your company who can work with AWS Marketplace, along with the sign-in credentials that you created for each. Instruct them to use your account's unique sign-in URL to sign in before they access AWS Marketplace. 

# Policies and permissions for AWS Marketplace sellers
<a name="detailed-management-portal-permissions"></a>

 AWS Marketplace provides a set of managed policies for use with the AWS Marketplace Management Portal. In addition, you can use individual permissions to create your own AWS Identity and Access Management (IAM) policy.

You can also provide fine-grained access to the AWS Marketplace Management Portal for the **Settings**, **Contact Us**, **File Upload**, and **Insights** tabs. Fine-grained access enables you to do the following:
+ Grant other people permission to administer and use resources in your AWS account without sharing your password or access key.
+ Grant granular permissions to multiple people for various resources. For example, you might allow some users access to view the **Settings** tab in the AWS Marketplace Management Portal. For other users, you might allow access to edit in the **Settings** and **Contact Us** tabs.

**Note**  
For more information about policies and permissions in AWS Data Exchange for data products, see [Identity and Access Management in AWS Data Exchange](https://docs.aws.amazon.com/data-exchange/latest/userguide/auth-access.html) in the *AWS Data Exchange User Guide*.  
For more information about policies and permissions for AWS Marketplace buyers, see [Controlling access to AWS Marketplace subscriptions](https://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-iam-users-groups-policies.html) in the *AWS Marketplace Buyer Guide*.

## Policies for AWS Marketplace sellers
<a name="seller-managed-policies"></a>

You can use the following managed policies to provide users with controlled access to the AWS Marketplace Management Portal:

**`AWSMarketplaceSellerFullAccess`**  
Allows full access to all of the pages in the AWS Marketplace Management Portal and other AWS services, such as Amazon Machine Image (AMI) management.

**`AWSMarketplaceSellerProductsFullAccess`**  
Allows full access to the [Products](https://aws.amazon.com/marketplace/management/products/) pages in the AWS Marketplace Management Portal.

**`AWSMarketplaceSellerProductsReadOnly`**  
Allows read-only access to the [Products](https://aws.amazon.com/marketplace/management/products/) pages in the AWS Marketplace Management Portal.

**Important**  
AWS Marketplace buyers can use managed policies to manage the subscriptions they purchase. The names of the managed policies that you use with AWS Marketplace Management Portal start with `AWSMarketplaceSeller`. When you search for policies in IAM, make sure to search for policy names that start with `AWSMarketplaceSeller`. For more information about those policies, see the *AWS Managed Policy Reference*.

AWS Marketplace also provides specialized managed policies for specific scenarios. For a full list of AWS managed policies for AWS Marketplace sellers and descriptions of what permissions they provide, see [AWS managed policies for AWS Marketplace sellers](security-iam-awsmanpol.md).

## Permissions for AWS Marketplace sellers
<a name="seller-ammp-permissions"></a>

You can use the following permissions in IAM policies for the AWS Marketplace Management Portal:

**`aws-marketplace-management:PutSellerVerificationDetails`**  
Allows access to start the Know Your Customer (KYC) process.

**`aws-marketplace-management:GetSellerVerificationDetails`**  
Allows access to view the KYC status in the AWS Marketplace Management Portal.

**`aws-marketplace-management:PutBankAccountVerificationDetails`**  
Allows access to start the [bank account verification](https://docs.aws.amazon.com/marketplace/latest/userguide/registration-process.html#completing-bank-account-verification) process.

**`aws-marketplace-management:GetBankAccountVerificationDetails`**  
Allows access to view the bank account verification status in the AWS Marketplace Management Portal.

**`aws-marketplace-management:PutSecondaryUserVerificationDetails`**  
Allows access to add secondary users in the AWS Marketplace Management Portal.

**`aws-marketplace-management:GetSecondaryUserVerificationDetails`**  
Allows access to view the secondary user status in the AWS Marketplace Management Portal.

**`aws-marketplace-management:GetAdditionalSellerNotificationRecipients`**  
Allows access to view email contacts for AWS Marketplace notifications.

**`aws-marketplace-management:PutAdditionalSellerNotificationRecipients`**  
Allows access to update email contacts for AWS Marketplace notifications.

**`tax:PutTaxInterview`**  
Allows access to take the [tax interview](https://docs.aws.amazon.com/marketplace/latest/userguide/registration-process.html#tax-info-for-sellers) in the AWS Marketplace Management Portal.

**`tax:GetTaxInterview`**  
Allows access to view the tax interview status in the AWS Marketplace Management Portal.

**`tax:GetTaxInfoReportingDocument`**  
Allows AWS Marketplace sellers to view and download tax documents (for example, 1099-K forms) from the Tax dashboard.

**`payments:CreatePaymentInstrument`**  
Allows access to add a bank account to the AWS Marketplace Management Portal.

**`payments:GetPaymentInstrument`**  
Allows access to view existing bank accounts in the AWS Marketplace Management Portal.

**`support:CreateCase`**  
Allows access to create an AWS Marketplace case within the AWS Marketplace Management Portal.

**`aws-marketplace-management:viewSupport`**  
Allows access to the [Customer Support Eligibility](https://aws.amazon.com/marketplace/management/support/) page in the AWS Marketplace Management Portal.

**`aws-marketplace-management:viewReports`**  
Allows access to the [Reports](https://aws.amazon.com/marketplace/management/reports/) page in the AWS Marketplace Management Portal.

**`aws-marketplace:ListEntities`**  
Allows access to list objects in AWS Marketplace Management Portal. Required to access the [File Upload](https://aws.amazon.com/marketplace/management/product-load/), [Offers](https://aws.amazon.com/marketplace/management/offers) and [Partners](https://aws.amazon.com/marketplace/management/partners) pages in the AWS Marketplace Management Portal.   
To allow access to view the **Settings** tab, you can use this permission, the `ListEntity` permission, and the following Amazon Resource Name (ARN): `arn:{partition}:{aws-marketplace}:{region}:{account-id}:AWSMarketplace/Seller/{entity-id}`.

**`aws-marketplace:DescribeEntity`**  
Allows access to view details of objects in AWS Marketplace Management Portal. Required to access the [File Upload](https://aws.amazon.com/marketplace/management/product-load/), [Offers](https://aws.amazon.com/marketplace/management/offers), [Partners](https://aws.amazon.com/marketplace/management/partners), and [Agreements](https://aws.amazon.com/marketplace/management/agreements) pages in the AWS Marketplace Management Portal.   
To allow access to view the **Settings** tab, you can use this permission, the `DescribeEntity` permission, and the following ARN: `arn:{partition}:{aws-marketplace}:{region}:{account-id}:AWSMarketplace/Seller/*`.

**`aws-marketplace:StartChangeSet`**  
Allows access to create product changes in AWS Marketplace Management Portal. Required to make changes in the [File Upload](https://aws.amazon.com/marketplace/management/product-load/), [Offers](https://aws.amazon.com/marketplace/management/offers), [Partners](https://aws.amazon.com/marketplace/management/partners), and [**Agreements**](private-offers-upgrades-and-renewals.md) pages in the AWS Marketplace Management Portal.   
To allow access to register as a seller in AWS Marketplace, you can use this permission, the `catalog:ChangeType: "CreateSeller"` condition key, and the following ARN: `arn:{partition}:{aws-marketplace}:{region}:{account-id}:AWSMarketplace/Seller/{entity-id}`.  
To allow access to update the seller profile in AWS Marketplace, you can use this permission, the `catalog:ChangeType: "UpdateInformation"` condition key, and the following ARN: `arn:{partition}:{aws-marketplace}:{region}:{account-id}:AWSMarketplace/Seller/{entity-id}`.  
To allow access to update disbursement preferences for Amazon Web Services, you can use this permission, the `catalog:ChangeType: "UpdateDisbursementPreferences"` condition key, and the following ARN: `arn:{partition}:{aws-marketplace}:{region}:{account-id}:AWSMarketplace/Seller/{entity-id}`.

**`aws-marketplace:SearchAgreements`**  
Allows viewing the high-level list of agreements on the [**Agreements**](private-offers-upgrades-and-renewals.md) page, and opportunities between ISVs and channel partners on the [**Partners**](channel-partner-offers.md) page.

**`aws-marketplace:DescribeAgreement`**  
Allows viewing of high-level agreement details on the **Agreements** page, and opportunities between ISVs and channel partners on the **Partners** page.

**`aws-marketplace:GetAgreementTerms`**  
Allows viewing all agreement term details on the **Agreements** page, and opportunities between ISVs and channel partners on the **Partners** page.

**`aws-marketplace:GetSellerDashboard`**  
Allows access to the dashboards on the **Insights** page in the AWS Marketplace Management Portal.

**`aws-marketplace:ListAssessments`**  
Allows access to view a list of assessments pending seller action.

**`aws-marketplace:DescribeAssessment`**  
Allows access to view the details of assessments pending seller action.

**Note**  
 To enable a user to access the [Manage Products](https://aws.amazon.com/marketplace/management/products/) page, you must use either the `AWSMarketplaceSellerProductsFullAccess` or `AWSMarketplaceSellerProductsReadOnly` managed permissions. 

You can combine the preceding permissions into a single IAM policy to grant the permissions that you want. See the following examples.

## Example 1: Permissions to view the KYC status
<a name="seller-ammp-permissions-example1"></a>

To grant permissions to view the KYC status in the AWS Marketplace Management Portal, use a policy similar to the following example.

```
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "aws-marketplace-management:GetSellerVerificationDetails"
    ],
    "Resource": ["*"]
  }]
}
```

## Example 2: Permissions to create upgrades and renewals for private offers
<a name="seller-ammp-permissions-example2"></a>

To grant permissions to view and use the **Agreements** page to create upgrades and renewals for private offers, use a policy similar to the following example.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "aws-marketplace:SearchAgreements",
                "aws-marketplace:DescribeAgreement",
                "aws-marketplace:GetAgreementTerms",
                "aws-marketplace:DescribeEntity",
                "aws-marketplace:StartChangeSet"
            ],
            "Effect": "Allow",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws-marketplace:PartyType": "Proposer"
                },
                "ForAllValues:StringEquals": {
                    "aws-marketplace:AgreementType": [
                        "PurchaseAgreement"
                    ]
                }
            }
        }
    ]
}
```

## Example 3: Permissions to access the Offers page and create new private offers
<a name="seller-ammp-permissions-example3"></a>

To grant permissions to view and use the **Offers** page to view existing private offers and create private offers, use a policy similar to the following example.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "aws-marketplace:ListEntities",
                "aws-marketplace:DescribeEntity",
                "aws-marketplace:StartChangeSet"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
```

## Example 4: Permissions to access the Settings page
<a name="example-settings-page"></a>

To grant permissions to view and use the **Settings** page, use a policy similar to the following example.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "aws-marketplace:ListEntities",
                "aws-marketplace:DescribeEntity",
                "aws-marketplace:StartChangeSet"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:aws-marketplace:us-east-1:111122223333:AWSMarketplace/Seller/*"
        }
    ]
}
```

## Example 5: Permissions to access the File Upload page
<a name="example-5-file-upload"></a>

To grant permissions to view and use the **File Upload** page, use a policy similar to the following example.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "aws-marketplace:ListEntities",
                "aws-marketplace:DescribeEntity",
                "aws-marketplace:StartChangeSet"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
```

## Using IAM groups
<a name="seller-ammp-permissions-iam-groups"></a>

Alternatively, you can create separate IAM groups for granting access to each individual page in the AWS Marketplace Management Portal. Users can belong to more than one group. So, if a user needs access to more than one page, you can add the user to all of the appropriate groups. For example, create one IAM group and grant that group permission to access the **Insights** page, create another group and grant that group permission to access the **File Upload** page, and so on. If a user needs permission to access both the **Insights** page and the **File Upload** page, add the user to both groups.

For more information about users and groups, see [IAM Identities (users, groups, and roles)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id.html) in the *IAM User Guide*. 
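The `aws-marketplace:StartChangeSet` entry earlier in this topic describes narrowing that permission with the `catalog:ChangeType` condition key and a seller ARN. The following added example (not part of the original guide or any AWS tool) reviews a policy document and lists the statements that allow `StartChangeSet` without either restriction, so that you can confirm the breadth is intended. The function names, finding codes, and `SCOPED_PROFILE_POLICY` sample are hypothetical, and the use of `StringEquals` as the operator for `catalog:ChangeType` is an assumption.

```python
import fnmatch

CHANGE_SET_ACTION = "aws-marketplace:StartChangeSet"
CHANGE_TYPE_KEY = "catalog:changetype"  # condition keys are compared case-insensitively
# Operators that pin the request to listed values. Negated and ...IfExists
# forms are excluded because they do not act as an allow-list.
ALLOWLIST_OPERATORS = {"stringequals", "stringequalsignorecase", "stringlike"}

# Example 3 from this topic (Offers page), copied as a Python dict.
PAGE_EXAMPLE_3 = {
    "Version": "2012-10-17",
    "Statement": [{
        "Action": [
            "aws-marketplace:ListEntities",
            "aws-marketplace:DescribeEntity",
            "aws-marketplace:StartChangeSet",
        ],
        "Effect": "Allow",
        "Resource": "*",
    }],
}

# Constructed sample: seller profile updates only, on the ARN used in Example 4.
SELLER_ARN = "arn:aws:aws-marketplace:us-east-1:111122223333:AWSMarketplace/Seller/*"
SCOPED_PROFILE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["aws-marketplace:ListEntities", "aws-marketplace:DescribeEntity"],
            "Resource": SELLER_ARN,
        },
        {
            # The condition sits in its own statement so that it applies
            # to StartChangeSet only.
            "Effect": "Allow",
            "Action": "aws-marketplace:StartChangeSet",
            "Resource": SELLER_ARN,
            "Condition": {"StringEquals": {"catalog:ChangeType": "UpdateInformation"}},
        },
    ],
}


def as_list(value):
    """IAM accepts a single string or a list for Action, Resource, and condition values."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def grants_action(statement, action):
    """True if any Action pattern matches; action names are case-insensitive, * and ? are wildcards."""
    return any(
        fnmatch.fnmatchcase(action.lower(), pattern.lower())
        for pattern in as_list(statement.get("Action"))
    )


def is_allowlist_operator(operator):
    """Accept plain or ForAnyValue operators. ForAllValues also matches when the
    key is absent from the request, so it is not counted as a restriction."""
    prefix, _, base = operator.lower().rpartition(":")
    return base in ALLOWLIST_OPERATORS and prefix in ("", "foranyvalue")


def change_type_values(statement):
    """Return the catalog:ChangeType values that the statement is limited to, if any."""
    values = []
    for operator, keys in statement.get("Condition", {}).items():
        if not is_allowlist_operator(operator):
            continue
        for key, val in keys.items():
            if key.lower() == CHANGE_TYPE_KEY:
                values.extend(v for v in as_list(val) if v != "*")
    return values


def audit_policy(policy):
    """Return (statement index, finding code) pairs for broad StartChangeSet grants."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may appear without a list
        statements = [statements]
    findings = []
    for index, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow" or not grants_action(stmt, CHANGE_SET_ACTION):
            continue
        if not change_type_values(stmt):
            findings.append((index, "NO_CHANGE_TYPE_CONDITION"))
        if "*" in as_list(stmt.get("Resource")):
            findings.append((index, "WILDCARD_RESOURCE"))
    return findings


if __name__ == "__main__":
    for name, policy in [("page example 3", PAGE_EXAMPLE_3),
                         ("scoped profile policy", SCOPED_PROFILE_POLICY)]:
        print(name, audit_policy(policy) or "no findings")
```

A finding is a prompt for review, not an error: a user who creates offers needs broader change types than a user who only edits the seller profile.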

# AWS managed policies for AWS Marketplace sellers
<a name="security-iam-awsmanpol"></a>

An AWS managed policy is a standalone policy that is created and administered by AWS. AWS managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles.

Keep in mind that AWS managed policies might not grant least-privilege permissions for your specific use cases because they're available for all AWS customers to use. We recommend that you reduce permissions further by defining [customer managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#customer-managed-policies) that are specific to your use cases.

You cannot change the permissions defined in AWS managed policies. If AWS updates the permissions defined in an AWS managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to. AWS is most likely to update an AWS managed policy when a new AWS service is launched or new API operations become available for existing services.

For more information, see [AWS managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) in the *IAM User Guide*.

This section lists each of the policies used to manage seller access to AWS Marketplace. For information about buyer policies, see [AWS managed policies for AWS Marketplace buyers](https://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-security-iam-awsmanpol.html) in the *AWS Marketplace Buyer Guide*.

**Topics**
+ [AWS managed policy: AWSMarketplaceAmiIngestion](#security-iam-awsmanpol-awsmarketplaceamiingestion)
+ [AWS managed policy: AWSMarketplaceFullAccess](#security-iam-awsmanpol-awsmarketplacefullaccess)
+ [AWS managed policy: AWSMarketplaceGetEntitlements](#security-iam-awsmanpol-awsmarketplacegetentitlements)
+ [AWS managed policy: AWSMarketplaceMeteringFullAccess](#security-iam-awsmanpol-awsmarketplacemeteringfullaccess)
+ [AWS managed policy: AWSMarketplaceMeteringRegisterUsage](#security-iam-awsmanpol-awsmarketplacemeteringregisterusage)
+ [AWS managed policy: AWSMarketplaceSellerFullAccess](#security-iam-awsmanpol-awsmarketplacesellerfullaccess)
+ [AWS managed policy: AWSMarketplaceSellerProductsFullAccess](#security-iam-awsmanpol-awsmarketplacesellerproductsfullaccess)
+ [AWS managed policy: AWSMarketplaceSellerProductsReadOnly](#security-iam-awsmanpol-awsmarketplacesellerproductsreadonly)
+ [AWS managed policy: AWSMarketplaceSellerOfferManagement](#security-iam-awsmanpol-awsmarketplaceselleroffermanagement)
+ [AWS managed policy: AWSMarketplaceResaleAuthorizationServiceRolePolicy](#security-iam-awsmanpol-awsmarketplaceresaleauthorizationservicerolepolicy)
+ [AWS managed policy: AWSVendorInsightsVendorFullAccess](#security-iam-awsmanpol-awsvendorinsightsvendorfullaccess)
+ [AWS managed policy: AWSVendorInsightsVendorReadOnly](#security-iam-awsmanpol-awsvendorinsightsvendorreadonly)
+ [AWS Marketplace updates to AWS managed policies](#security-iam-awsmanpol-updates)

## AWS managed policy: AWSMarketplaceAmiIngestion
<a name="security-iam-awsmanpol-awsmarketplaceamiingestion"></a>

You can create a service role with this policy that can then be used by AWS Marketplace to perform actions on your behalf. For more information about using `AWSMarketplaceAmiIngestion`, see [Giving AWS Marketplace access to your AMI](single-ami-marketplace-ami-access.md).

This policy grants contributor permissions that allow AWS Marketplace to copy your Amazon Machine Images (AMIs) in order to list them on AWS Marketplace.

To view the permissions for this policy, see [https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSMarketplaceAmiIngestion.html](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSMarketplaceAmiIngestion.html) in the *AWS Managed Policy Reference*.

## AWS managed policy: AWSMarketplaceFullAccess
<a name="security-iam-awsmanpol-awsmarketplacefullaccess"></a>

You can attach the `AWSMarketplaceFullAccess` policy to your IAM identities.

This policy grants administrative permissions that allow full access to AWS Marketplace and related services, as a buyer. These permissions include the following abilities: 
+ Subscribe and unsubscribe to AWS Marketplace software.
+ Manage AWS Marketplace software instances from AWS Marketplace.
+ Create and manage a private marketplace in your account.
+ Provide access to Amazon EC2, CloudFormation, and Amazon EC2 Systems Manager.

To view the permissions for this policy, see [https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSMarketplaceFullAccess.html](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSMarketplaceFullAccess.html) in the *AWS Managed Policy Reference*.

## AWS managed policy: AWSMarketplaceGetEntitlements
<a name="security-iam-awsmanpol-awsmarketplacegetentitlements"></a>

You can attach the `AWSMarketplaceGetEntitlements` policy to your IAM identities.

This policy grants read-only permissions that allow software as a service (SaaS) product sellers to check whether a customer has subscribed to their AWS Marketplace SaaS product.

To view the permissions for this policy, see [https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSMarketplaceGetEntitlements.html](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSMarketplaceGetEntitlements.html) in the *AWS Managed Policy Reference*.

## AWS managed policy: AWSMarketplaceMeteringFullAccess
<a name="security-iam-awsmanpol-awsmarketplacemeteringfullaccess"></a>

You can attach the `AWSMarketplaceMeteringFullAccess` policy to your IAM identities.

This policy grants contributor permissions that allow reporting metered usage that corresponds to AMI and container products with flexible consumption pricing on AWS Marketplace.

To view the permissions for this policy, see [https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSMarketplaceMeteringFullAccess.html](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSMarketplaceMeteringFullAccess.html) in the *AWS Managed Policy Reference*.

## AWS managed policy: AWSMarketplaceMeteringRegisterUsage
<a name="security-iam-awsmanpol-awsmarketplacemeteringregisterusage"></a>

You can attach the `AWSMarketplaceMeteringRegisterUsage` policy to your IAM identities.

This policy grants contributor permissions that allow reporting metered usage that corresponds to container products with hourly pricing on AWS Marketplace.

To view the permissions for this policy, see [https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSMarketplaceMeteringRegisterUsage.html](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSMarketplaceMeteringRegisterUsage.html) in the *AWS Managed Policy Reference*.

## AWS managed policy: AWSMarketplaceSellerFullAccess
<a name="security-iam-awsmanpol-awsmarketplacesellerfullaccess"></a>

You can attach the `AWSMarketplaceSellerFullAccess` policy to your IAM identities.

This policy grants administrative permissions that allow full access to all seller operations on AWS Marketplace, including the AWS Marketplace Management Portal, and to manage the Amazon EC2 AMI used in AMI-based products.

**Permissions details**

This policy includes the following permissions:
+ `aws-marketplace` – Allows principals to manage change sets, entities, agreements, and seller dashboards.
+ `aws-marketplace` – Allows principals to search and view purchase agreements and their terms where the user is the seller.
+ `aws-marketplace` – Allows principals to send, retrieve, list, and cancel agreement payment requests for purchase agreements.
+ `aws-marketplace` – Allows principals to list invoice line items, manage billing adjustment requests, and handle agreement cancellation requests for purchase agreements.
+ `aws-marketplace` – Allows principals to start, retrieve, and list invoice submission tasks.
+ `aws-marketplace` – Allows principals to list payables.
+ `aws-marketplace` – Allows principals to manage resource policies and tag resources.
+ `aws-marketplace-management` – Allows principals to upload files, view reports and support information.
+ `ec2` – Allows principals to describe and modify AMI images and snapshots.
+ `iam` – Allows principals to retrieve role information and pass roles to the assets marketplace service.
+ `iam` – Allows principals to create service-linked roles for resale authorization.
+ `vendor-insights` – Allows principals to retrieve and list data sources, security profiles, and snapshots.
+ `payments` – Allows principals to retrieve and create payment instruments.
+ `tax` – Allows principals to manage tax interviews, registrations, and retrieve tax documents.
+ `support` – Allows principals to create support cases.
+ `q` – Allows principals to use Amazon Q Partner Assistant for conversations and requests.
+ `partnercentral` – Allows principals to start and retrieve seller verification status.

To view the permissions for this policy, see [https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSMarketplaceSellerFullAccess.html](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSMarketplaceSellerFullAccess.html) in the *AWS Managed Policy Reference*.

## AWS managed policy: AWSMarketplaceSellerProductsFullAccess
<a name="security-iam-awsmanpol-awsmarketplacesellerproductsfullaccess"></a>

You can attach the `AWSMarketplaceSellerProductsFullAccess` policy to your IAM identities.

This policy grants contributor permissions that allow full access to manage products and to the AWS Marketplace Management Portal, as well as management of the Amazon EC2 AMI used in AMI-based products.

**Permissions details**

To view the permissions for this policy, see [https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSMarketplaceSellerProductsFullAccess.html](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSMarketplaceSellerProductsFullAccess.html) in the *AWS Managed Policy Reference*.

## AWS managed policy: AWSMarketplaceSellerProductsReadOnly
<a name="security-iam-awsmanpol-awsmarketplacesellerproductsreadonly"></a>

You can attach the `AWSMarketplaceSellerProductsReadOnly` policy to your IAM identities.

This policy grants read-only permissions that allow access to view products on the AWS Marketplace Management Portal, and view the Amazon EC2 AMI used in AMI-based products.



**Permissions details**

To view the permissions for this policy, see [https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSMarketplaceSellerProductsReadOnly.html](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSMarketplaceSellerProductsReadOnly.html) in the *AWS Managed Policy Reference*.

## AWS managed policy: AWSMarketplaceSellerOfferManagement
<a name="security-iam-awsmanpol-awsmarketplaceselleroffermanagement"></a>

You can attach the `AWSMarketplaceSellerOfferManagement` policy to your IAM identities. 

This policy grants sellers access to manage offers and view purchase agreements. Sellers can create and modify offers, track change sets, and monitor agreement lifecycle events including invoice line items, billing adjustments, and cancellation requests.

**Permissions details**

This policy includes the following permissions:
+ `aws-marketplace` – Allows principals to view and track the status of change sets submitted to AWS Marketplace.
+ `aws-marketplace` – Allows principals to initiate changes to existing offers and change sets, or create new offers on products.
+ `aws-marketplace` – Allows principals to list and retrieve details about marketplace entities including offers, products, and resale authorizations.
+ `aws-marketplace` – Allows principals to search and view purchase agreements and their terms where the user is the seller (proposer).
+ `aws-marketplace` – Allows principals to track invoice line items, billing adjustments, and cancellation requests for purchase agreements.

To view the permissions for this policy, see [https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSMarketplaceSellerOfferManagement.html](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSMarketplaceSellerOfferManagement.html) in the *AWS Managed Policy Reference*.

## AWS managed policy: AWSMarketplaceResaleAuthorizationServiceRolePolicy
<a name="security-iam-awsmanpol-awsmarketplaceresaleauthorizationservicerolepolicy"></a>

This policy is attached to a service-linked role that allows AWS Marketplace to perform actions on your behalf for Resale Authorization. For more information about using this service-linked role, see [Using service-linked roles for Resale Authorization with AWS Marketplace](using-roles-for-resale-authorization.md).

This policy grants permissions that allow AWS Marketplace to share ResaleAuthorization resources between manufacturers (ISVs) and channel partners using AWS Resource Access Manager (AWS RAM).

This policy includes permissions for AWS Marketplace operations and AWS Resource Access Manager (RAM) actions to facilitate the sharing and management of ResaleAuthorization resources across different AWS accounts and catalogs.

To view the permissions for this policy, see [https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSMarketplaceResaleAuthorizationServiceRolePolicy.html](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSMarketplaceResaleAuthorizationServiceRolePolicy.html) in the *AWS Managed Policy Reference*.

## AWS managed policy: AWSVendorInsightsVendorFullAccess
<a name="security-iam-awsmanpol-awsvendorinsightsvendorfullaccess"></a>

You can attach the `AWSVendorInsightsVendorFullAccess` policy to your IAM identities.

This policy grants full access to create and manage all resources on AWS Marketplace Vendor Insights. In AWS Marketplace Vendor Insights, an assessor is equal to a buyer, and a vendor is equal to a seller for the purposes of this guide.

To view the permissions for this policy, see [https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSVendorInsightsVendorFullAccess.html](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSVendorInsightsVendorFullAccess.html) in the *AWS Managed Policy Reference*.

## AWS managed policy: AWSVendorInsightsVendorReadOnly
<a name="security-iam-awsmanpol-awsvendorinsightsvendorreadonly"></a>

You can attach the `AWSVendorInsightsVendorReadOnly` policy to your IAM identities.

This policy grants read-only access for viewing AWS Marketplace Vendor Insights profiles and related resources. In AWS Marketplace Vendor Insights, an assessor is equal to a buyer, and a vendor is equal to a seller for the purposes of this guide. 

To view the permissions for this policy, see [https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSVendorInsightsVendorReadOnly.html](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSVendorInsightsVendorReadOnly.html) in the *AWS Managed Policy Reference*.

## AWS Marketplace updates to AWS managed policies
<a name="security-iam-awsmanpol-updates"></a>

View details about updates to AWS managed policies for AWS Marketplace since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the AWS Marketplace [Document history](document-history.md) page.


| Change | Description | Date | 
| --- | --- | --- | 
|  [AWSMarketplaceSellerFullAccess](#security-iam-awsmanpol-awsmarketplacesellerfullaccess) – Update to an existing policy  |  AWS Marketplace added `aws-marketplace:ListPayables` to the `SellerSettings` statement. Added a new `InvoiceSubmissionManagement` statement with `aws-marketplace:StartInvoiceSubmissionTask`, `aws-marketplace:GetInvoiceSubmissionTask`, and `aws-marketplace:ListInvoiceSubmissionTasks` scoped to invoice submission task resources. Updated the resource ARN for the `TagManagement` and `ResourcePolicyManagement` statements.  | April 21, 2026 | 
|  [AWSMarketplaceSellerFullAccess](#security-iam-awsmanpol-awsmarketplacesellerfullaccess) – Update to an existing policy  |  AWS Marketplace added 8 new actions for managing agreement cancellations and billing adjustments: `aws-marketplace:ListAgreementInvoiceLineItems`, `aws-marketplace:ListBillingAdjustmentRequests`, `aws-marketplace:GetBillingAdjustmentRequest`, `aws-marketplace:BatchCreateBillingAdjustmentRequest`, `aws-marketplace:ListAgreementCancellationRequests`, `aws-marketplace:GetAgreementCancellationRequest`, `aws-marketplace:SendAgreementCancellationRequest`, and `aws-marketplace:CancelAgreementCancellationRequest`.  | March 31, 2026 | 
|  [AWSMarketplaceSellerOfferManagement](#security-iam-awsmanpol-awsmarketplaceselleroffermanagement) – Update to an existing policy  |  AWS Marketplace added 5 new read-only actions to track invoice line items, billing adjustments, and cancellation requests for purchase agreements: `aws-marketplace:ListAgreementInvoiceLineItems`, `aws-marketplace:ListBillingAdjustmentRequests`, `aws-marketplace:GetBillingAdjustmentRequest`, `aws-marketplace:ListAgreementCancellationRequests`, and `aws-marketplace:GetAgreementCancellationRequest`.  | March 31, 2026 | 
|  [AWSMarketplaceSellerFullAccess](#security-iam-awsmanpol-awsmarketplacesellerfullaccess) – Update to an existing policy  |  AWS Marketplace added two new Partner Central permissions for seller identity verification: `partnercentral:StartVerification` and `partnercentral:GetVerification`.  | February 27, 2026 | 
|  [AWSMarketplaceSellerProductsFullAccess](#security-iam-awsmanpol-awsmarketplacesellerproductsfullaccess) – Update to an existing policy  |  AWS Marketplace updated `AWSMarketplaceSellerProductsFullAccess` policy to support all AWSMarketplace catalogs, put files into S3, and access legacy Partner Central.  | November 30, 2025 | 
|  [AWSMarketplaceResaleAuthorizationServiceRolePolicy](#security-iam-awsmanpol-awsmarketplaceresaleauthorizationservicerolepolicy) – Updated policy  |  AWS Marketplace updated the policy to support multi-catalog features and enable proper lifecycle management of ResaleAuthorization entities. The updates include: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/marketplace/latest/userguide/security-iam-awsmanpol.html)  | July 24, 2025 | 
|  [AWSMarketplaceSellerFullAccess](#security-iam-awsmanpol-awsmarketplacesellerfullaccess) – Updated policies  |  AWS Marketplace added four new `SellerSettings` permissions for the supplemental tax profile feature: `ListSupplementalTaxRegistrations`, `PutSupplementalTaxRegistration`, `DeleteSupplementalTaxRegistration`, `GetTaxRegistration`.  | December 20, 2024 | 
|  [AWSMarketplaceSellerFullAccess](#security-iam-awsmanpol-awsmarketplacesellerfullaccess), [AWSMarketplaceSellerProductsFullAccess](#security-iam-awsmanpol-awsmarketplacesellerproductsfullaccess), and [AWSMarketplaceSellerProductsReadOnly](#security-iam-awsmanpol-awsmarketplacesellerproductsreadonly) – Updated policies  |  AWS Marketplace removed the `ListTasks`, `DescribeTask`, `UpdateTasks`, and `CompleteTasks` permissions.  | December 10, 2024 | 
|  [AWSMarketplaceSellerOfferManagement](#security-iam-awsmanpol-awsmarketplaceselleroffermanagement) – Added new policy  | AWS Marketplace added new policy: AWSMarketplaceSellerOfferManagement | November 18, 2024 | 
|  [AWSMarketplaceSellerFullAccess](#security-iam-awsmanpol-awsmarketplacesellerfullaccess) – Updated policies  |  AWS Marketplace added the `UploadFiles` permission. The change enables sellers to use a deprecated page in the AWS Marketplace Management Portal.  | November 6, 2024 | 
|  [AWSMarketplaceSellerFullAccess](#security-iam-awsmanpol-awsmarketplacesellerfullaccess) – Updated policies  |  AWS Marketplace added the `ListAssessments` and `DescribeAssessments` permissions. The changes enable SSLv2 users to access assessment data.  | October 22, 2024 | 
| [AWSMarketplaceSellerProductsFullAccess](#security-iam-awsmanpol-awsmarketplacesellerproductsfullaccess) – Updated policies | AWS Marketplace added the `ListAssessments` and `DescribeAssessments` permissions. The changes enable SSLv2 users to access assessment data. | October 22, 2024 | 
| [AWSMarketplaceSellerProductsReadOnly](#security-iam-awsmanpol-awsmarketplacesellerproductsreadonly) – Updated policies | AWS Marketplace added the `ListAssessments` and `DescribeAssessments` permissions. The changes enable SSLv2 users to access assessment data. | October 22, 2024 | 
|  [AWSMarketplaceSellerFullAccess](#security-iam-awsmanpol-awsmarketplacesellerfullaccess) – Updated policy  |  Updated the `AWSMarketplaceSellerFullAccess` documentation to reflect the removal of the following actions: `aws-marketplace-management:viewMarketing`, `aws-marketplace-management:viewSettings`, and `aws-marketplace-management:uploadFiles`. This update also includes removing the *Using fine-grained permissions* section.  | June 4, 2024 | 
|  [AWSMarketplaceGetEntitlements](#security-iam-awsmanpol-awsmarketplacegetentitlements) – Updated policy  | AWS Marketplace updated AWSMarketplaceGetEntitlements to add sid for the policy statement. | March 22, 2024 | 
|  [AWSMarketplaceSellerFullAccess](#security-iam-awsmanpol-awsmarketplacesellerfullaccess) – Updated policy  | AWS Marketplace updated AWSMarketplaceSellerFullAccess to add permissions for creating service-linked roles. | March 15, 2024 | 
|  [AWSMarketplaceSellerFullAccess](#security-iam-awsmanpol-awsmarketplacesellerfullaccess) – Updated policy  | AWS Marketplace updated AWSMarketplaceSellerFullAccess to add a permission for accessing tax information. | February 8, 2024 | 
| [AWSVendorInsightsVendorFullAccess](https://docs.aws.amazon.com/marketplace/latest/userguide/security-iam-awsmanpol.html#security-iam-awsmanpol-awsvendorinsightsvendorfullaccess) - Updated policy | AWS Marketplace updated AWSVendorInsightsVendorFullAccess to add permissions to update data sources. | October 18, 2023 | 
|  [AWSMarketplaceSellerFullAccess](#security-iam-awsmanpol-awsmarketplacesellerfullaccess) – Updated policy  | AWS Marketplace updated AWSMarketplaceSellerFullAccess to add permissions for sharing entities. | June 1, 2023 | 
|  [AWSMarketplaceSellerFullAccess](#security-iam-awsmanpol-awsmarketplacesellerfullaccess) – Updated policy  | AWS Marketplace updated AWSMarketplaceSellerFullAccess to add permissions related to account verifications, bank account verifications, case management, and seller notification details. | June 1, 2023 | 
|  [AWSMarketplaceSellerFullAccess](#security-iam-awsmanpol-awsmarketplacesellerfullaccess) – Updated policy  | AWS Marketplace updated AWSMarketplaceSellerFullAccess to add permissions to access seller dashboards. | December 23, 2022 | 
|  [AWSMarketplaceSellerFullAccess](#security-iam-awsmanpol-awsmarketplacesellerfullaccess), [AWSMarketplaceSellerProductsFullAccess](#security-iam-awsmanpol-awsmarketplacesellerproductsfullaccess), [AWSMarketplaceSellerProductsReadOnly](#security-iam-awsmanpol-awsmarketplacesellerproductsreadonly) – Update to existing policy  |  AWS Marketplace updated policies for the new tag-based authorization feature.  | December 9, 2022 | 
|  AWS Marketplace updated [AWSVendorInsightsVendorFullAccess](#security-iam-awsmanpol-awsvendorinsightsvendorfullaccess)   | AWS Marketplace updated AWSMarketplaceSellerProductsFullAccess to add agreement search, updating profile snapshots, vendor tagging, and allows read-only access to AWS Artifact third-party reports (preview). | November 30, 2022 | 
| AWS Marketplace updated [AWSVendorInsightsVendorReadOnly](#security-iam-awsmanpol-awsvendorinsightsvendorreadonly) | AWS Marketplace updated AWSVendorInsightsVendorReadOnly to add permissions to list tags and to allow read-only access to AWS Artifact third-party reports (preview). | November 30, 2022 | 
|  [AWSVendorInsightsVendorFullAccess](#security-iam-awsmanpol-awsvendorinsightsvendorfullaccess) and [AWSVendorInsightsVendorReadOnly](#security-iam-awsmanpol-awsvendorinsightsvendorreadonly) – Added new policies  | AWS Marketplace added policies for the new feature AWS Marketplace Vendor Insights: AWSMarketplaceSellerProductsFullAccess and AWSVendorInsightsVendorReadOnly. | July 26, 2022 | 
| [AWSMarketplaceSellerProductsFullAccess](#security-iam-awsmanpol-awsmarketplacesellerproductsfullaccess) and [AWSMarketplaceSellerFullAccess](#security-iam-awsmanpol-awsmarketplacesellerfullaccess) – Updated policies | AWS Marketplace updated policies for the new feature AWS Marketplace Vendor Insights: AWSMarketplaceSellerProductsFullAccess and AWSMarketplaceSellerFullAccess. | July 26, 2022 | 
|  [AWSMarketplaceSellerFullAccess](#security-iam-awsmanpol-awsmarketplacesellerfullaccess) and [AWSMarketplaceSellerProductsFullAccess](#security-iam-awsmanpol-awsmarketplacesellerproductsfullaccess) – Update to existing policies  | AWS Marketplace updated the policies so that the iam:PassedToService condition is only applied to iam:PassRole. | November 22, 2021 | 
|  [AWSMarketplaceFullAccess](#security-iam-awsmanpol-awsmarketplacefullaccess) – Update to an existing policy  |  AWS Marketplace removed a duplicate `ec2:DescribeAccountAttributes` permission from `AWSMarketplaceFullAccess` policy.  | July 20, 2021 | 
|  AWS Marketplace started tracking changes  |  AWS Marketplace started tracking changes for its AWS managed policies.  | April 20, 2021 | 
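
The following added example (not AWS code and not part of the original guide) shows one way to review an update like the April 21, 2026 entry above: it compares two versions of a policy document statement by statement and reports new statements, new actions, and changed resources. The `Sid` names and `aws-marketplace:` actions come from the table; the `example:` actions and the ARNs are constructed placeholders.

```python
import json


def _listify(value):
    """IAM accepts either one string or a list for Action and Resource."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def index_statements(policy_json):
    """Return {key: {"actions", "resources"}} for every statement.

    Statements are keyed by Sid. A statement without a Sid is keyed by its
    position ("#0", "#1", ...), so adding a Sid later is reported as one
    statement removed and one statement added.
    """
    doc = json.loads(policy_json)
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may be a bare object
        statements = [statements]
    indexed = {}
    for position, stmt in enumerate(statements):
        key = stmt.get("Sid") or f"#{position}"
        indexed[key] = {
            "actions": set(_listify(stmt.get("Action"))),
            "resources": set(_listify(stmt.get("Resource"))),
        }
    return indexed


def diff_policy_versions(old_json, new_json):
    """Summarize what a new policy version grants compared with the old one."""
    old, new = index_statements(old_json), index_statements(new_json)
    report = {
        "added_statements": {},
        "removed_statements": sorted(set(old) - set(new)),
        "added_actions": {},
        "removed_actions": {},
        "resource_changed": [],
    }
    for key in sorted(new):
        if key not in old:
            report["added_statements"][key] = sorted(new[key]["actions"])
            continue
        gained = new[key]["actions"] - old[key]["actions"]
        lost = old[key]["actions"] - new[key]["actions"]
        if gained:
            report["added_actions"][key] = sorted(gained)
        if lost:
            report["removed_actions"][key] = sorted(lost)
        if new[key]["resources"] != old[key]["resources"]:
            report["resource_changed"].append(key)
    return report


# Constructed sample documents. Only the Sid names and the aws-marketplace:
# actions are taken from the change table; everything else is a placeholder.
OLD_VERSION = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "SellerSettings", "Effect": "Allow",
         "Action": ["example:ExistingSellerSetting"], "Resource": "*"},
        {"Sid": "TagManagement", "Effect": "Allow",
         "Action": ["example:ExistingTagAction"],
         "Resource": "arn:aws:example:::old-placeholder"},
    ],
})
NEW_VERSION = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "SellerSettings", "Effect": "Allow",
         "Action": ["example:ExistingSellerSetting",
                    "aws-marketplace:ListPayables"],
         "Resource": "*"},
        {"Sid": "TagManagement", "Effect": "Allow",
         "Action": ["example:ExistingTagAction"],
         "Resource": "arn:aws:example:::new-placeholder"},
        {"Sid": "InvoiceSubmissionManagement", "Effect": "Allow",
         "Action": ["aws-marketplace:StartInvoiceSubmissionTask",
                    "aws-marketplace:GetInvoiceSubmissionTask",
                    "aws-marketplace:ListInvoiceSubmissionTasks"],
         "Resource": "arn:aws:example:::task-placeholder"},
    ],
})

if __name__ == "__main__":
    print(json.dumps(diff_policy_versions(OLD_VERSION, NEW_VERSION), indent=2))
```

To review a real update, pass in two policy documents retrieved with `aws iam get-policy-version` for the versions you want to compare.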

# AWS Marketplace Commerce Analytics Service account permissions
<a name="set-aws-iam-cas-permissions"></a>

Use the following IAM permissions policy to enroll in the AWS Marketplace Commerce Analytics Service. 

For instructions on how to enroll, follow the [onboarding guide](https://docs.aws.amazon.com/marketplace/latest/userguide/commerce-analytics-service.html#on-boarding-guide).

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iam:ListRoles",
                "iam:CreateRole",
                "iam:CreatePolicy",
                "iam:AttachRolePolicy",
                "aws-marketplace-management:viewReports"
            ],
            "Resource": "*"
        }
    ]
}
```

Use the following IAM permissions policy to allow a user to make requests to the AWS Marketplace Commerce Analytics Service.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "marketplacecommerceanalytics:GenerateDataSet",
            "Resource": "*"
        }
    ]
}
```

For more information about this feature, see [Accessing product and customer data with the AWS Marketplace Commerce Analytics Service](commerce-analytics-service.md).

# Amazon SQS permissions
<a name="set-aws-iam-sqs-permissions"></a>

**Important**  
SNS notifications for AWS Marketplace SaaS products are being replaced with Amazon EventBridge notifications. If you have existing SaaS products integrated with SNS, they will continue to function. New listings will eventually transition to using Amazon EventBridge instead of SNS. For more information, see [Managing SaaS subscription events with Amazon EventBridge](saas-eventbridge-integration.md).

 As part of the SaaS product publication process, AWS Marketplace provides you an Amazon SNS topic you can use to receive notifications if a customer's subscription or entitlement status changes. You can configure one or more Amazon SQS queues to the topic so that the queues can take action on the notification. For example, if a customer adds more storage to the subscription they have to your SaaS product, the Amazon SNS topic can send a message to an Amazon SQS queue that starts a process to automatically increase the storage capacity available to that customer. 

 When you subscribe the Amazon Simple Queue Service (Amazon SQS) queue to the provided Amazon SNS topic, permissions are automatically added to allow the topic to publish messages to the queue. However, you still need an IAM policy for granting the AWS Marketplace Metering and Entitlement Service API user access to the queue. This can be applied to the same user if the services run with the same credentials. Create a policy with the following contents and attach it to your user or role.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "sqs:ReceiveMessage",
                "sqs:DeleteMessage",
                "sqs:GetQueueAttributes",
                "sqs:GetQueueUrl"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:sqs:us-east-1:111122223333:YourQueueName"
        }
    ]
}
```

**Note**  
The `Resource` field is the Amazon Resource Name (ARN) of your Amazon SQS queue.

 For more information on message notification and queuing for your SaaS products, see [Subscribing an SQS queue to the SNS topic](saas-notification.md#subscribing-an-sqs-queue-to-the-sns-topic) and [Accessing the AWS Marketplace Metering and Entitlement Service APIs](saas-integration-metering-and-entitlement-apis.md). 

# AWS Marketplace metering and entitlement API permissions
<a name="iam-user-policy-for-aws-marketplace-actions"></a>

Software as a service (SaaS) products, Amazon Machine Image (AMI) products, and container products can use the AWS Marketplace Metering Service and AWS Marketplace Entitlement Service APIs. Each type requires different AWS Identity and Access Management (IAM) permissions. For your product or products, you meter for all usage, and customers are billed by AWS based on the metering records that you provide. To enable the integration required to provide AWS Marketplace your metering records, the service account that the integration is using needs a constrained IAM policy to enable access. Attach the policy for the product type that you're sending metering information for to the user or role that you're using for the integration. 

**Topics**
+ [IAM policy for SaaS products](#iam-user-policy-for-saas-products)
+ [IAM policy for AMI products](#iam-user-policy-for-ami-products)
+ [IAM policy for container products](#iam-user-policy-for-container-products)

## IAM policy for SaaS products
<a name="iam-user-policy-for-saas-products"></a>

In the following policy, the first permission, `aws-marketplace:ResolveCustomer`, is required for all SaaS integrations. The second permission, `aws-marketplace:BatchMeterUsage`, is needed for the AWS Marketplace Metering Service API. The third permission, `aws-marketplace:GetEntitlements`, is needed for the AWS Marketplace Entitlement Service API. 

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "aws-marketplace:ResolveCustomer",
                "aws-marketplace:BatchMeterUsage",
                "aws-marketplace:GetEntitlements"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
```

For more information about SaaS products, see [SaaS-based products in AWS Marketplace](saas-products.md).

## IAM policy for AMI products
<a name="iam-user-policy-for-ami-products"></a>

Use the following IAM policy for AMI products.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "aws-marketplace:MeterUsage"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
```

For more information about AMI products, see [AMI-based products in AWS Marketplace](ami-products.md).

## IAM policy for container products
<a name="iam-user-policy-for-container-products"></a>

Use the following IAM policy for container products. 

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "aws-marketplace:RegisterUsage"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
    ]
}
```

For more information about container products, see [Container-based products on AWS Marketplace](container-based-products.md).

 For more information about creating users, see [Creating a user in your AWS account](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html) in the *IAM User Guide*. For more information about creating and assigning policies, see [Changing permissions for an IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_change-permissions.html).

This policy grants access to the APIs for the IAM role or user that you attach the policy to. For more information about how to enable role assumption by another account for these API calls, see [How to Best Architect Your AWS Marketplace SaaS Subscription Across Multiple AWS accounts](https://aws.amazon.com/blogs/apn/how-to-best-architect-your-aws-marketplace-saas-subscription-across-multiple-aws-accounts/) at the AWS Partner Network (APN) Blog. 
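
The following added example (not AWS code and not part of the original guide) checks that the policy on an integration's user or role is constrained to the actions listed above for its product type. It reports expected actions that are missing, grants beyond the expected set (including wildcards), and statements that need manual review. The function name, report shape, and the over-broad sample policy are assumptions made for illustration.

```python
import fnmatch
import json

# Actions this page lists for each product type's metering integration.
EXPECTED_ACTIONS = {
    "saas": {
        "aws-marketplace:ResolveCustomer",
        "aws-marketplace:BatchMeterUsage",
        "aws-marketplace:GetEntitlements",
    },
    "ami": {"aws-marketplace:MeterUsage"},
    "container": {"aws-marketplace:RegisterUsage"},
}


def _listify(value):
    """IAM accepts either one string or a list for Action."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def audit_metering_policy(policy_json, product_type):
    """Compare an identity policy with the actions expected for product_type.

    Returns a dict with:
      missing  - expected actions that no Allow statement grants
      extra    - granted action patterns outside the expected set
      warnings - statements this check does not evaluate (Deny, NotAction)
    """
    expected = EXPECTED_ACTIONS[product_type]
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may be a bare object
        statements = [statements]

    granted = set()
    warnings = []
    for index, stmt in enumerate(statements):
        label = stmt.get("Sid", f"statement[{index}]")
        if stmt.get("Effect") != "Allow":
            warnings.append(f"{label}: non-Allow statement, review by hand")
            continue
        if "NotAction" in stmt:
            warnings.append(f"{label}: NotAction allows all unlisted actions")
            continue
        granted.update(_listify(stmt.get("Action")))

    # IAM action names are case-insensitive and may contain * and ? wildcards.
    patterns = {p.lower() for p in granted}
    expected_lower = {a.lower() for a in expected}
    missing = sorted(
        action for action in expected
        if not any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns)
    )
    extra = sorted(p for p in granted if p.lower() not in expected_lower)
    return {"missing": missing, "extra": extra, "warnings": warnings}


# The SaaS policy exactly as shown on this page.
PAGE_SAAS_POLICY = """
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "aws-marketplace:ResolveCustomer",
                "aws-marketplace:BatchMeterUsage",
                "aws-marketplace:GetEntitlements"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
"""

# Constructed sample: a container integration granted far more than it needs.
CONSTRUCTED_BROAD_POLICY = """
{
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Metering", "Effect": "Allow",
         "Action": "aws-marketplace:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "*"}
    ]
}
"""

if __name__ == "__main__":
    print(audit_metering_policy(PAGE_SAAS_POLICY, "saas"))
    print(audit_metering_policy(CONSTRUCTED_BROAD_POLICY, "container"))
```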

# Using service-linked roles for Resale Authorization with AWS Marketplace
<a name="using-roles-for-resale-authorization"></a>

AWS Marketplace uses AWS Identity and Access Management (IAM) [service-linked roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-service-linked-role). A service-linked role is a unique type of IAM role that is linked directly to AWS Marketplace. Service-linked roles are predefined by AWS Marketplace and include all the permissions that the service requires to call other AWS services on your behalf. 

A service-linked role makes setting up AWS Marketplace easier because you don’t have to manually add the necessary permissions. AWS Marketplace defines the permissions of its service-linked roles, and unless defined otherwise, only AWS Marketplace can assume its roles. The defined permissions include the trust policy and the permissions policy, and that permissions policy cannot be attached to any other IAM entity.

You can delete a service-linked role only after first deleting its related resources. This protects your AWS Marketplace resources because you can't inadvertently remove permission to access the resources.

For information about other services that support service-linked roles, see [AWS services that work with IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html) and look for the services that have **Yes** in the **Service-linked roles** column. Choose a **Yes** with a link to view the service-linked role documentation for that service.

**Topics**
+ [Service-linked role permissions for AWS Marketplace](#slr-permissions)
+ [Creating a service-linked role for AWS Marketplace](#create-slr)
+ [Editing a service-linked role for AWS Marketplace](#edit-slr)
+ [Deleting a service-linked role for AWS Marketplace](#delete-slr)
+ [Supported Regions for AWS Marketplace service-linked roles](#slr-regions)

## Service-linked role permissions for AWS Marketplace
<a name="slr-permissions"></a>

AWS Marketplace uses the service-linked role named **AWSServiceRoleForMarketplaceResaleAuthorization**, which enables access to AWS services and resources used or managed by AWS Marketplace for Resale Authorizations.

The AWSServiceRoleForMarketplaceResaleAuthorization service-linked role trusts the following services to assume the role:
+ `resale-authorization.marketplace.amazonaws.com`

The role permissions policy named **AWSMarketplaceResaleAuthorizationServiceRolePolicy** allows AWS Marketplace to share ResaleAuthorization resources between manufacturers (ISVs) and channel partners using AWS Resource Access Manager (AWS RAM).

For details about the permissions in this policy, see [AWSMarketplaceResaleAuthorizationServiceRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSMarketplaceResaleAuthorizationServiceRolePolicy.html) in the *AWS Managed Policy Reference*.

For information about policy updates, see [AWS managed policy updates](https://docs.aws.amazon.com/marketplace/latest/userguide/security-iam-awsmanpol.html#security-iam-awsmanpol-updates) in this guide.

You must configure permissions to allow your users, groups, or roles to create, edit, or delete a service-linked role. For more information, see [Service-linked role permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#service-linked-role-permissions) in the *IAM User Guide*.

## Creating a service-linked role for AWS Marketplace
<a name="create-slr"></a>

You don't need to manually create a service-linked role. When you choose a service-linked role in the AWS Marketplace Management Portal, AWS Marketplace creates the service-linked role for you. 

**To create a service-linked role**

1. In the [AWS Marketplace Management Portal](http://aws.amazon.com/marketplace/management/), sign in to the management account and choose **Settings**.

1. In the **Settings** section, select the **Service-linked roles** tab.

1. On the **Service-linked roles** page, select **Service-linked role for Resale Authorizations** or **Resale Authorizations integration**, and then choose **Create service-linked role** or **Configure integration**.

1. On the **Service-linked role for Resale Authorizations** or **Create Resale Authorizations integrations** page, review the information and confirm by choosing **Create service-linked role** or **Create integration**.

   A message appears on the **Service-linked roles** page, indicating that the Resale Authorization service-linked role was successfully created.

If you delete a service-linked role, you can follow these steps to recreate it.

## Editing a service-linked role for AWS Marketplace
<a name="edit-slr"></a>

AWS Marketplace does not allow you to edit the AWSServiceRoleForMarketplaceResaleAuthorization service-linked role. After you create a service-linked role, you cannot change the name of the role because various entities might reference the role. However, you can edit the description of the role using IAM. For more information, see [Editing a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#edit-service-linked-role) in the *IAM User Guide*.

## Deleting a service-linked role for AWS Marketplace
<a name="delete-slr"></a>

If you no longer need a feature or service that requires a service-linked role, we recommend that you delete that role. That way you don’t have an unused entity that is not actively monitored or maintained.

**Note**  
If independent software vendors (ISVs) don't have the role, AWS Resource Access Manager won't automatically share new Resale Authorizations with the targeted channel partner. If channel partners don't have the role, AWS Resource Access Manager won't automatically accept the Resale Authorization targeted to them.

**To manually delete the service-linked role using IAM**

Use the IAM console, the AWS CLI, or the AWS API to delete the AWSServiceRoleForMarketplaceResaleAuthorization service-linked role. For more information, see [Deleting a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#delete-service-linked-role) in the *IAM User Guide*.

## Supported Regions for AWS Marketplace service-linked roles
<a name="slr-regions"></a>

AWS Marketplace supports using service-linked roles in all of the Regions where the service is available. For more information, see [AWS Regions and endpoints](https://docs.aws.amazon.com/general/latest/gr/aws-marketplace.html#aws-marketplace_region).

# Logging AWS Marketplace API calls with AWS CloudTrail
<a name="cloudtrail-logging"></a>

AWS Marketplace is integrated with AWS CloudTrail, a service that provides a record of actions taken by a user, role, or an AWS service in AWS Marketplace. CloudTrail captures API calls for AWS Marketplace as events. The calls captured include calls from the AWS Marketplace console and code calls to the AWS Marketplace API operations.

CloudTrail is enabled on your AWS account when you create the account. When supported event activity occurs in AWS Marketplace, that activity is recorded in a CloudTrail event along with other AWS service events in **Event history**. You can view, search, and download recent events in your account.

Every event or log entry contains information about who generated the request. The identity information helps you determine the following:
+ Whether the request was made with root or AWS Identity and Access Management user credentials.
+ Whether the request was made with temporary security credentials for a role or a federated user.
+ Whether the request was made by another AWS service.

For more information on the different CloudTrail log entries and to see examples, see [Logging for the AWS Marketplace API](https://docs.aws.amazon.com/marketplace/latest/APIReference/logging.html) in the *AWS Marketplace API Reference*.
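The identity checks listed above can be applied to a CloudTrail log file by reading each record's `userIdentity` element. The following Python sketch is an added example, not code from AWS or from this guide. The sample records are constructed, and selecting events by the substring `marketplace` in `eventSource` is an assumption you should adjust to the event sources in your own trail.

```python
import json

# Constructed CloudTrail records for illustration; account ID, ARNs and the
# mix of callers are made up, not taken from a real trail.
def _rec(source, name, identity):
    return {"eventSource": source, "eventName": name, "userIdentity": identity}

ACCT = "111122223333"
SAMPLE_LOG = json.dumps({"Records": [
    _rec("marketplacecatalog.amazonaws.com", "StartChangeSet",
         {"type": "Root", "arn": f"arn:aws:iam::{ACCT}:root"}),
    _rec("marketplacecatalog.amazonaws.com", "DescribeEntity",
         {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCT}:user/alice"}),
    _rec("marketplacecatalog.amazonaws.com", "ListEntities",
         {"type": "AssumedRole",
          "arn": f"arn:aws:sts::{ACCT}:assumed-role/SellerOps/session-1",
          "sessionContext": {"sessionIssuer": {"arn": f"arn:aws:iam::{ACCT}:role/SellerOps"}}}),
    _rec("marketplacecatalog.amazonaws.com", "DescribeEntity",
         {"type": "FederatedUser", "arn": f"arn:aws:sts::{ACCT}:federated-user/bob"}),
    _rec("marketplacecatalog.amazonaws.com", "ListEntities",
         {"type": "AWSService", "invokedBy": "resale-authorization.marketplace.amazonaws.com"}),
    _rec("s3.amazonaws.com", "GetObject",
         {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCT}:user/alice"}),
]})

# userIdentity.type values mapped to the three questions in the list above.
CATEGORIES = {"Root": "root", "IAMUser": "iam-user", "AssumedRole": "temporary-role",
              "FederatedUser": "temporary-federated", "AWSService": "aws-service"}

def principal_of(identity):
    """Pick the most stable identifier for the caller."""
    if identity.get("type") == "AWSService":
        return identity.get("invokedBy", "unknown-service")
    # For role sessions, attribute the call to the role that issued the session.
    issuer = identity.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("arn") or identity.get("arn", "unknown")

def classify_events(log_text, source_hint="marketplace"):
    """Return (eventName, category, principal) for each matching event."""
    out = []
    for rec in json.loads(log_text).get("Records", []):
        if source_hint not in rec.get("eventSource", ""):
            continue  # assumption: Marketplace event sources contain this hint
        ident = rec.get("userIdentity", {})
        category = CATEGORIES.get(ident.get("type"), "other")
        out.append((rec.get("eventName"), category, principal_of(ident)))
    return out

def root_calls(rows):
    return [r for r in rows if r[1] == "root"]  # root usage usually merits review
```

Run `classify_events` over the `Records` array of a delivered log file, and route anything returned by `root_calls` or categorized as `other` to review.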