AWS Marketplace
User Guide for AWS Marketplace Subscribers

Controlling Access to AWS Marketplace Subscriptions

The recommended way to let other people in your organization manage subscriptions is to use AWS Identity and Access Management (IAM) to create users and groups. For example, if John should be allowed only to view your subscriptions, you can create an IAM user for him and add his IAM user to the read-only group. If John's role in your organization changes or he leaves the company, you can change the group that his IAM user belongs to, or you can change his user's settings in IAM.


All of your users work on the same AWS Marketplace account. Any change that a user makes to manage a software subscription is global and applies to all of your users for that subscription.

Creating Users

To allow people in your company to manage subscriptions, we recommend that you create an IAM user for each person. For more information, see IAM Users in the IAM User Guide. We also recommend that you create a user name and password for yourself, even though you are the AWS account owner. It is a recommended best practice for everyone to work in AWS Marketplace as an IAM user, even the account owner. To learn how to create an IAM user for yourself that has administrative permissions, see Creating Your First IAM Admin User and Group. For more information on recommended practices for using IAM, see IAM Best Practices.

Creating Groups for AWS Marketplace Access and Adding Users to the Groups

To create groups for assigning AWS Marketplace permissions

  1. Open the IAM console at

  2. In the left navigation pane, choose Groups and then choose Create New Group.

  3. For Group Name, enter a name for the group, such as MarketplaceReadOnly or MarketplaceFullAccess, and choose Next Step.

  4. On the Attach Policy page, select the box next to one of the following policies:

    • To allow permissions only to view subscriptions (but not change them), choose AWSMarketplaceRead-only

    • To allow permissions to subscribe and unsubscribe, choose AWSMarketplaceManageSubscriptions

    • To allow complete control of your subscriptions, choose AWSMarketplaceFullAccess

  5. Choose Next Step and then choose Create Group.

To add users to the groups you just created

  1. In the list of groups, choose the name of the group.

  2. Under Users, choose Add Users to Group.

  3. Select the users to add to the group and then choose Add Users.

Repeat the preceding steps to create more groups with different permissions and assign users to those groups.

You're not limited to the permissions in the AWS managed policies that are described here. You can use IAM to create policies with custom permissions and then add those policies to IAM groups. For more information, see Managing IAM Policies and Attaching a Policy to an IAM Group in the IAM User Guide.
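A check you might run on a custom policy before attaching it to a Marketplace group, shown as an added example (not AWS code): it lists grants outside the aws-marketplace namespace that can change state. The policy below is constructed, and treating actions as read-only by their Describe/Get/List/View prefix is a heuristic assumed here.

```python
import json

# Constructed custom policy for a hypothetical Marketplace group (not an AWS managed policy).
CUSTOM_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["aws-marketplace:ViewSubscriptions", "aws-marketplace:Subscribe"]},
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ec2:Describe*", "ec2:RunInstances", "sns:setTopicAttributes"]},
    {"Effect": "Allow", "Resource": "*", "Action": "iam:PassRole"}
  ]
}
""")

# Assumption: an action whose name starts with one of these only reads state.
READ_PREFIXES = ("describe", "get", "list", "view")

def as_list(value):
    """IAM accepts a single string or object where a list is expected."""
    return value if isinstance(value, list) else [value]

def passrole_is_scoped(stmt):
    """True if a non-empty iam:PassedToService condition limits iam:PassRole."""
    for operator_block in stmt.get("Condition", {}).values():
        for key, values in operator_block.items():
            if key.lower() == "iam:passedtoservice" and any(as_list(values)):
                return True
    return False

def review(policy):
    """Return (statement index, action, reason) for non-Marketplace grants that can change state.
    Only Allow statements written with Action/Resource are examined (no NotAction/NotResource)."""
    findings = []
    for index, stmt in enumerate(as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        all_resources = "*" in as_list(stmt.get("Resource", []))
        for action in as_list(stmt.get("Action", [])):
            service, _, name = action.lower().partition(":")  # action names are case-insensitive
            if service == "aws-marketplace" or name.startswith(READ_PREFIXES):
                continue
            if (service, name) == ("iam", "passrole"):
                if all_resources and not passrole_is_scoped(stmt):
                    findings.append((index, action, "PassRole on any role, no iam:PassedToService"))
            elif all_resources:
                findings.append((index, action, "state-changing action on Resource *"))
    return findings
```

Calling `review(CUSTOM_POLICY)` reports the three grants a reviewer would want justified or narrowed before the policy is attached to a group.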

AWS Managed Policies for AWS Marketplace

After creating users, we recommend that you create groups and apply AWS managed policies to provide basic AWS Marketplace permissions. Then, for any unique scenarios, you can create your own policies and apply them to the groups with the specific requirements for your scenario. Use the following four basic AWS Marketplace policies to control who has which permissions:

  • AWSMarketplaceRead-only

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Resource": "*",
          "Action": [
            "aws-marketplace:ViewSubscriptions",
            "ec2:DescribeAccountAttributes",
            "ec2:DescribeAddresses",
            "ec2:DescribeImages",
            "ec2:DescribeInstances",
            "ec2:DescribeKeyPairs",
            "ec2:DescribeSecurityGroups",
            "ec2:DescribeSubnets",
            "ec2:DescribeVpcs"
          ],
          "Effect": "Allow"
        },
        {
          "Resource": "*",
          "Effect": "Allow",
          "Action": [
            "aws-marketplace:ListBuilds",
            "aws-marketplace:DescribeBuilds",
            "iam:ListRoles",
            "iam:ListInstanceProfiles",
            "sns:GetTopicAttributes",
            "sns:ListTopics"
          ]
        }
      ]
    }

  • AWSMarketplaceManageSubscriptions

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": [
            "aws-marketplace:ViewSubscriptions",
            "aws-marketplace:Subscribe",
            "aws-marketplace:Unsubscribe"
          ],
          "Effect": "Allow",
          "Resource": "*"
        }
      ]
    }

  • AWSMarketplaceFullAccess

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "aws-marketplace:*",
            "cloudformation:CreateStack",
            "cloudformation:DescribeStackResource",
            "cloudformation:DescribeStackResources",
            "cloudformation:DescribeStacks",
            "cloudformation:List*",
            "ec2:AuthorizeSecurityGroupEgress",
            "ec2:AuthorizeSecurityGroupIngress",
            "ec2:CreateSecurityGroup",
            "ec2:CreateTags",
            "ec2:DescribeAccountAttributes",
            "ec2:DescribeAddresses",
            "ec2:DeleteSecurityGroup",
            "ec2:DescribeAccountAttributes",
            "ec2:DescribeImages",
            "ec2:DescribeInstances",
            "ec2:DescribeKeyPairs",
            "ec2:DescribeSecurityGroups",
            "ec2:DescribeSubnets",
            "ec2:DescribeTags",
            "ec2:DescribeVpcs",
            "ec2:RunInstances",
            "ec2:StartInstances",
            "ec2:StopInstances",
            "ec2:TerminateInstances"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "ec2:CopyImage",
            "ec2:DeregisterImage",
            "ec2:DescribeSnapshots",
            "ec2:DeleteSnapshot",
            "ec2:CreateImage",
            "ec2:DescribeInstanceStatus",
            "ssm:GetAutomationExecution",
            "ssm:UpdateDocumentDefaultVersion",
            "ssm:CreateDocument",
            "ssm:StartAutomationExecution",
            "ssm:ListDocuments",
            "ssm:UpdateDocument",
            "ssm:DescribeDocument",
            "sns:ListTopics",
            "sns:GetTopicAttributes",
            "sns:CreateTopic",
            "iam:GetRole",
            "iam:GetInstanceProfile",
            "iam:ListRoles",
            "iam:ListInstanceProfiles"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "s3:ListBucket",
            "s3:GetObject"
          ],
          "Resource": [
            "arn:aws:s3:::*image-build*"
          ]
        },
        {
          "Effect": "Allow",
          "Action": [
            "sns:Publish",
            "sns:setTopicAttributes"
          ],
          "Resource": "arn:aws:sns:*:*:*image-build*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "iam:PassRole"
          ],
          "Resource": [
            "*"
          ],
          "Condition": {
            "StringLike": {
              "iam:PassedToService": [
                "",
                ""
              ]
            }
          }
        }
      ]
    }

  • AWSPrivateMarketplaceAdminFullAccess

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "aws-marketplace:CreatePrivateMarketplace",
            "aws-marketplace:CreatePrivateMarketplaceProfile",
            "aws-marketplace:UpdatePrivateMarketplaceProfile",
            "aws-marketplace:StartPrivateMarketplace",
            "aws-marketplace:StopPrivateMarketplace",
            "aws-marketplace:AssociateProductsWithPrivateMarketplace",
            "aws-marketplace:DisassociateProductsFromPrivateMarketplace",
            "aws-marketplace:DescribePrivateMarketplaceProfile",
            "aws-marketplace:DescribePrivateMarketplaceStatus",
            "aws-marketplace:ListPrivateMarketplaceProducts",
            "aws-marketplace:DescribePrivateMarketplaceProducts"
          ],
          "Resource": [
            "*"
          ]
        }
      ]
    }

Additional Resources

For more information about managing IAM users and groups, see Identities (Users, Groups, and Roles) in the IAM User Guide.

For more information about managing IAM permissions and policies, see Controlling Access Using Policies in the IAM User Guide.