AWS Marketplace Automation

UseCase

In order to be able to manage Marketplace Subscriptions for a whole AWS organization in one account - to help the purchase department with their daily work and prevent contracts from being concluded without them, we developed a solution that will enable multi-account managing of marketplace subscriptions trough a whole AWS organization.

The solution will take care of new accounts added, existing ones which are SUSPENDED or when the specific tag for licences is updated in one account - that every existing licence will be shared or removed from that account.

⚠️ The API is currently very slow - when we were removing 2 licenses in around 20 accounts it was taking us 1-2 hours.

ℹ️ - You cannot share a license which is already existing in the target account.

Update Trigger

• TagResource: Will trigger an update of one account only. Python will grab the specific changed parameter for Licence Management from the requestParameters of the presented CloudTrail event.

• ListReceivedGrants: After subscribing to a new product in AWS Marketplace a ListReceivedGrants from AWSMarketPlaceSession will be invoked - this event will trigger the automation to update all accounts to share / revoke access to the new product.

SCP

The following policy will take care that only the purchase department is able to subscribe to new Marketplace products (or unsubscribe old products).

{
      "Version": "2012-10-17",
      "Statement": [
            {
                  "Sid": "DenyMarketplace",
                  "Effect": "Deny",
                  "Action": [
                        "aws-marketplace:AcceptAgreementApprovalRequest",
                        "aws-marketplace:RejectAgreementApprovalRequest",
                        "aws-marketplace:Subscribe",
                        "aws-marketplace:Unsubscribe"
                  ],
                  "Resource": [
                        "*"
                  ],
                  "Condition": {
                        "StringNotLike": {
                              "aws:PrincipalArn": "arn:aws:iam::*:role/{ResourcePrefix}-PurchaseTeamRole"
                        }
                  }
            }
      ]
}

Prerequisite:

License grants can be activated only when both the license administrator and the grant recipient have enabled the AWS Marketplace Service Linked Role, or trusted access is enabled for AWS Marketplace in the management account of your organization.

To enable trusted access between Organizations and License Manager:

1. Sign in to the AWS Management Console using your organization's management account.

2. Navigate to the License Manager console and choose Settings.

3. Click on Edit.

4. Choose Link AWS Organizations accounts.

How to deploy the solution

For the deployment of this automation we created a taskfile - you can read up on this documentation on how to use it.

task deploy

We hope you will find this solution helpful to manage your licenses! If you have any feedback, please feel free to reach out to us or open a github issue.