Assign roles according to the principle of least privilege Audit role assignments Use unique credentials Avoid generic logins

AWS Partner Central permissions best practices

When assigning AWS Partner Central roles, use the following guidelines.

Topics

Assign roles according to the principle of least privilege
Audit role assignments
Use unique credentials
Avoid generic logins

Assign roles according to the principle of least privilege

Users should have permissions to access only those resources that they need to perform their jobs. For example, if one of your team members is responsible only for updating and reporting on opportunities across your pipeline in the APN Customer Engagements (ACE) Pipeline Manager they should have the ACE manager role, not the alliance team role. For more information, refer to https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege.

Audit role assignments

Periodically audit your role assignments and adjust permissions as people change roles at your organization. Audit your user list to ensure you have deactivated users who have left your organization or moved to roles that no longer require access to AWS Partner Central.

Use unique credentials

Ensure that users log in to AWS Partner Central with unique login credentials. Sharing user credentials violates the AWS Partner Network and AWS Partner Network Customer Engagements (ACE) terms and conditions and creates security risks.

Avoid generic logins

Avoid keeping a generic login (for example, APN_Admin@company.com) assigned to the alliance lead role. Follow best practices for managing permissions and avoid having multiple users sign in to AWS Partner Central with the same generic credentials. Instead, reassign an individual user to the alliance lead role, assign other users to the roles they require, and deactivate the generic account.

To reassign a generic login

Identify all of the users currently signing in to AWS Partner Central with the generic login.
Assign an individual user to the alliance lead role.
Assign other users to roles based on the principle of least privilege. For a summary of roles and their permissions, refer to AWS Partner Central roles.
Confirm that all assigned users can access AWS Partner Central. After confirmation is complete, the alliance lead can deactivate the generic account.

To deactivate a generic account

Sign in to AWS Partner Central with the alliance lead role.
Choose View my APN Account.
In the Partner Users section, choose Manage Active Partner Users.
For the generic account, choose Deactivate from the action menu.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Managing users and role assignments

AWS Partner Central tasks