Teri Radichel

Summary

The content outlines the author's journey in exploring the AWS Marketplace as a platform for selling container-based products, detailing the technical and administrative challenges encountered along the way.

Abstract

Teri Radichel discusses the process of setting up a product on the AWS Marketplace, detailing the challenges faced with network restrictions, account associations, and the desire to monetize code in a scalable manner. The author encounters issues such as STS access limitations, the need for a separate account for selling products, and the complexities of AWS Marketplace seller account registration. Radichel provides a step-by-step account of attempting to list a container-based product, including the need to grant access to an ECR repository, the selection of pricing models, and the configuration of end-user license agreements (EULAs). The narrative includes reflections on the importance of proper access control within an organization to prevent unauthorized use of AWS Marketplace products and the potential need for legal consultation when setting up a seller account. The author also touches on the desire for more informative error messages from AWS services and the limitations of account changes once a seller account is registered.

Opinions

  • The author believes that the AWS Marketplace model is superior to traditional licensing models like Microsoft's due to its scalability and support for businesses of all sizes.
  • Radichel expresses a preference for using the AWS Marketplace to solve the problem of accessing code from external accounts without granting direct account access or making the code public.
  • The author finds the AWS Marketplace documentation not entirely clear and suggests that the UI could be improved by providing more appropriate error messages.
  • Radichel points out the confusion and lack of clarity in managing email addresses associated with AWS accounts and the AWS Marketplace seller account.
  • The author wishes for a simpler way to test marketplace configurations without impacting the public profile and without the need for extensive administrative setup.
  • Radichel highlights the importance of understanding and controlling access to the AWS Marketplace within an organization to mitigate security risks.
  • The author expresses frustration with the inability to change the AWS account associated with a marketplace product once it's listed, underscoring the need for careful planning when setting up a seller account.
  • Radichel suggests that AWS could improve the seller registration process and account management options to better meet the needs of sellers.

Selling on the AWS Marketplace

ACM.378 Do you know who has access to sell products on the AWS Seller Marketplace in your organization?


In the last post I got hung up trying to run my deployment code in an account with a private network due to lack of STS access. Then I tried to run the code in an external account, but that account did not have access to the ECR repository where my container exists. Now I’m looking for an alternate solution.

I had this idea about setting up my code on the AWS Marketplace earlier. What if I set this up and use it to test my code in my remote account by granting it access to my Marketplace product in ECR?

I was looking into ways to monetize the work I’m putting into this and make the code available to others at a minimal cost to start but a scalable model where people pay for increased usage. This aligns with the AWS model that is so much better than the Microsoft licensing nightmare. A scalable pricing model allows businesses of any size to use the platform and pay more as they grow and increase usage (for most use cases).

I looked into somehow hosting code on GitHub and charging to use it or putting the code in an S3 bucket and various other options but nothing appealed to me for various reasons. So now I’m looking at the AWS Marketplace to solve two problems:

  1. I want to be able to access my code from external accounts via a container.
  2. I don’t want to grant other accounts direct access to my accounts.
  3. I don’t want to make it completely public.
  4. I’m looking for a simple way to monetize what I’m building.

So the AWS Marketplace seems like it may work but I need to try it out. I see one restriction so far that might make it infeasible but I’ll have to see how it works out.

You can sell container based products on the AWS Marketplace:

Note: Lambda is not an option for running containers…coming soon?

The high level steps to launch a product in the marketplace are listed here:

Requirements to be a seller including which region you must reside in are listed here:

Head over to the marketplace portal.

First, read the terms and conditions. If you plan to have a high volume of contracts on the AWS Marketplace then you should have a lawyer review the agreement as well. Fill out the form and register as a seller to get access to the AWS Marketplace Seller Portal.

Also note that when I registered for the AWS Marketplace I was in a particular account and that account and its email address were associated with my seller account. That is not what I wanted so I need to fix it now.

You can change the email as follows but that is for the account — not only for the seller profile.

I read through all the container documentation last night and I think the gist of it is that I need to give the AWS Marketplace access to an ECR repository to serve up my container. But it wasn’t an entirely simple read, so let’s try it out. I wouldn’t want to enter all my seller info in this account just yet so I want to see if I can run a test without all of that.

I select Server Products and choose to create a new Container based server product.

I give it a name tag and select Generate product ID and product code. And the page just spins.

And it spins for over 5 minutes and nothing happens.

I take a look at Chrome dev tools issues and see the following:

I trudge over to my desk to connect to a network where I can more easily analyze the traffic to the website to see if something is blocked.

Yes. For some reason, something is blocked on my WiFi network that is allowed on the management network and the ID gets created successfully when not connecting through my Ubiquiti pro and pfSense WiFi network interface.

I wish the UI would display a more appropriate error message which included the blocked IP address. #awswishlist

I have to enter some information about the product. Hopefully this URL which ultimately resolves to an S3 bucket will work.

I am forced to enter descriptions.

You can enter a product video. That’s cool.

Enter highlights:

Support information:

Some additional product information:

AWS needs some new categories here like just “Governance” not “Data Governance.”

Choose a pricing model:

I read something about this but I don’t recall what it said.

For testing the price is locked in at .001. So I guess you do pay for testing your own product.

Set a refund policy.

Next you have a EULA.

Now there’s a standard EULA which might make it easier for people at large companies to use your product because their legal team has already approved it. Should you use that EULA?

Read it first. Then ask your lawyer.

Aha. This was not clear when I read the documentation. You push your containers to AWS managed repositories.

I click Add new Repository. Then Next.

Choose countries. I’m choosing US only since this is just for my testing purposes and I am in the US.

Next I can specify the account number where I was trying to deploy my container.

Alright now I’m blocked.

I didn’t want to have my seller account associated with this Sandbox account so I need to change that somehow.

But let’s think about this for a minute. Who has access to the AWS Marketplace Management portal? Anyone you grant access to use it in your AWS Organization — including any administrators with full access who are not prevented from using it.

In addition, if you have not locked down access to the AWS Marketplace, users in your AWS account may be using Marketplace products from third party sellers that have not gone through a proper security and legal assessment.
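One way to check this for identity policies, as an added example (not from the original post or from AWS): the function below flags policies whose Allow statements reach Marketplace buyer or seller actions, including broad wildcards such as full administrator access. The probe actions are a small sample of Marketplace actions, and the policy names and documents are constructed.

```python
import fnmatch

# Probe actions used to test each policy. An assumed sample, not the full
# Marketplace action list: "buyer" = subscribe, "seller" = Management Portal.
PROBES = {
    "aws-marketplace:Subscribe": "buyer",
    "aws-marketplace-management:uploadFiles": "seller",
    "aws-marketplace-management:viewReports": "seller",
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, action):
    # IAM action names are case-insensitive; * and ? are wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def marketplace_roles(policy):
    """Return the roles ('buyer', 'seller') granted by the Allow statements of
    one identity policy. Deny statements, SCPs and permission boundaries are
    not evaluated, so the result is an upper bound."""
    roles = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action, role in PROBES.items():
            if "Action" in stmt:
                granted = _matches(_as_list(stmt["Action"]), action)
            else:  # NotAction grants everything except the listed patterns
                granted = "NotAction" in stmt and not _matches(_as_list(stmt["NotAction"]), action)
            if granted:
                roles.add(role)
    return roles

# Constructed sample policies (names are hypothetical).
SAMPLE_POLICIES = {
    "FullAdmin": {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    "S3ReadOnly": {"Statement": {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}},
    "AllButIam": {"Statement": [{"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"}]},
    "ListingEditor": {"Statement": [{"Effect": "Allow", "Action": "aws-marketplace-management:*", "Resource": "*"}]},
}

def audit(policies):
    """Map policy name -> sorted Marketplace roles, skipping policies with none."""
    found = {name: sorted(marketplace_roles(doc)) for name, doc in policies.items()}
    return {name: roles for name, roles in found.items() if roles}

if __name__ == "__main__":
    print(audit(SAMPLE_POLICIES))
```

The `AllButIam` case is the one that is easy to miss in a manual review: a `NotAction` Allow grants Marketplace access without ever naming it.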

The IAM Permissions that grant access to the AWS Marketplace Seller dashboard are explained here:

If you are not selling anything in the AWS Marketplace, you may want to set up a Service Control Policy to restrict its use. You may also want to limit access to the AWS Marketplace to specific users.

I’m going to log in as the adminroot user and see if I can access the AWS Marketplace Management Portal.

When I head over to my OrgRoot user in the management account and try to click sign in, it sends me back to the home page so apparently I have to register.

When I click on Register I’m sent back to this management portal page:

So apparently these accounts are separate and you won’t see the products here created in some other account.

There’s some integration with the AWS Marketplace at the Organization level but it appears to be related to using products and it requires a service-linked role. If you use that feature make sure you understand what the service-linked role can do.

OK so now I have this seller marketplace configuration started in an account and I don’t want it in that account. What can I do?

Once you use an AWS account to register as a seller and list a product on AWS Marketplace, you can’t change the account associated with the product.

Oops. I missed that. It appears under “Creating your public profile” and I skimmed that as I’m not ready to create a public profile yet. So great.

OK so I want to set up a completely new account for this purpose but can I do that since I already added my company name in another account?

I searched the documentation and dug through the menus but I don’t see a way to close this account, or change the company name, so I guess I will submit a request to support.

Note that the email associated with this account will be the email associated with the account unless you change it. You can change the email address for notifications here:

What I don’t know is whether changing the email for notifications changes the email address for the seller overall, and whether contacting support with whatever email address you add here will work. As noted, the link in the Marketplace sends you over to a page about changing the email address for your AWS account as a whole. This is very confusing. To ensure I get any messages, I am going to leave the email address alone and use that in the support request.

I submit a request to support to close this account.

And… I get an error.

Later is now so I try again and it works.

And now we wait.

In the meantime, I noticed this message.

Since I had not used this Marketplace before I didn’t realize there was a legacy option. This leads back to the page I provided a link for above where you need to set IAM credentials to access the AWS Seller Marketplace Management Portal.

Also note that you may have problems in general if you try to close an account where you have set up an AWS Marketplace seller account.

Well anyway, what I want to do is set up a separate account for all of this — later. It’s a shame AWS does not have a way to simply test this in one account without a public profile and then set up your public profile in another account. #awswishlist

In the meantime I want to get back to what I was doing and see if I can sort out the STS issues in my container. I’ll probably also want to deny access to the AWS buyer or seller marketplace except in specific AWS accounts.
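An added example, not from the original post: a Service Control Policy that denies Marketplace buyer and seller actions everywhere except an approved account list, matching the restriction suggested earlier for organizations that do not sell and the plan above to allow Marketplace only in specific accounts. The account ID `111122223333` is a placeholder, and `is_denied` is a simplified check of this one statement, not a full policy evaluator.

```python
import fnmatch
import json

MARKETPLACE_ACTIONS = ["aws-marketplace:*", "aws-marketplace-management:*"]
SCP_MAX_CHARS = 5120  # AWS Organizations size limit for one SCP document

def build_marketplace_scp(allowed_accounts):
    """Deny buyer and seller Marketplace actions in every account the SCP
    applies to, except the listed 12-digit account IDs."""
    for acct in allowed_accounts:
        if not (acct.isdigit() and len(acct) == 12):
            raise ValueError(f"not a 12-digit account ID: {acct!r}")
    stmt = {
        "Sid": "DenyMarketplaceOutsideApprovedAccounts",
        "Effect": "Deny",
        "Action": MARKETPLACE_ACTIONS,
        "Resource": "*",
    }
    if allowed_accounts:  # no exceptions means an unconditional deny
        stmt["Condition"] = {
            "StringNotEquals": {"aws:PrincipalAccount": sorted(allowed_accounts)}
        }
    scp = {"Version": "2012-10-17", "Statement": [stmt]}
    if len(json.dumps(scp, separators=(",", ":"))) > SCP_MAX_CHARS:
        raise ValueError("SCP exceeds the 5120 character limit")
    return scp

def is_denied(scp, action, account_id):
    """Simplified check of the single Deny statement built above."""
    stmt = scp["Statement"][0]
    hit = any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in stmt["Action"])
    exempt = stmt.get("Condition", {}).get("StringNotEquals", {}).get("aws:PrincipalAccount", [])
    return hit and account_id not in exempt

if __name__ == "__main__":
    # 111122223333 is a placeholder for the dedicated seller account.
    print(json.dumps(build_marketplace_scp(["111122223333"]), indent=2))
```

SCPs do not apply to the organization's management account, so Marketplace access there still has to be limited with IAM.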


Teri Radichel | © 2nd Sight Lab 2023
