.AWS Marketplace Automation

UseCase

In order to be able to manage Marketplace Subscriptions for a whole AWS organization in one account - to help the purchase department with their daily work and prevent contracts from being concluded without them, we developed a solution that will enable multi-account managing of marketplace subscriptions trough a whole AWS organization.

The solution will take care of new accounts added, existing ones which are SUSPENDED or when the specific tag for licences is updated in one account - that every existing licence will be shared or removed from that account.

⚠️ The API is currently very slow - when we were removing 2 licenses in around 20 accounts it was taking us 1-2 hours.

ℹ️ - You cannot share a license which is already existing in the target account.

Update Trigger using Eventbridge

ℹ️ Amazon EventBridge is my preferred way to manage events. CloudWatch Events and EventBridge are the same underlying service and API, but EventBridge provides more features. Changes you make in either CloudWatch or EventBridge will appear in each console. You can find more informations here For my automation I am waiting for different Events from CloudTrail to trigger my licence management Lambda to either share or revoke access to new subscribed products.

• TagResource: Will trigger an update of one account only. Python will grab the specific changed parameter for Licence Management from the requestParameters of the presented CloudTrail event.
• ListReceivedGrants: After subscribing to a new product in AWS Marketplace a ListReceivedGrants from AWSMarketPlaceSession will be invoked - this event will trigger the automation to update all accounts to share / revoke access to the new product.

SCP

The following policy will take care that only the purchase department is able to subscribe to new Marketplace products (or unsubscribe old products).

{
      "Version": "2012-10-17",
      "Statement": [
            {
                  "Sid": "DenyMarketplace",
                  "Effect": "Deny",
                  "Action": [
                        "aws-marketplace:AcceptAgreementApprovalRequest",
                        "aws-marketplace:RejectAgreementApprovalRequest",
                        "aws-marketplace:Subscribe",
                        "aws-marketplace:Unsubscribe"
                  ],
                  "Resource": [
                        "*"
                  ],
                  "Condition": {
                        "StringNotLike": {
                              "aws:PrincipalArn": "arn:aws:iam::*:role/{ResourcePrefix}-PurchaseTeamRole"
                        }
                  }
            }
      ]
}

Prerequisite:

License grants can be activated only when both the license administrator and the grant recipient have enabled the AWS Marketplace Service Linked Role, or trusted access is enabled for AWS Marketplace in the management account of your organization.

To enable trusted access between Organizations and License Manager:

1. Sign in to the AWS Management Console using your organization's management account.
2. Navigate to the License Manager console and choose Settings.
3. Click on Edit.
4. Choose Link AWS Organizations accounts.

How to deploy the solution

For the deployment of this automation we created a taskfile - you can read up on this documentation on how to use it.

ℹ️ Task is a task runner / build tool that aims to be simpler and easier to use than, for example, GNU Make. Since it’s written in Go, Task is just a single binary and has no other dependencies, which means you don’t need to mess with any complicated install setups just to use a build tool.

task deploy

We hope you will find this solution helpful to manage your licenses! If you have any feedback, please feel free to reach out to us or open a github