AWS Marketplace
Providers Guide

The AWS Documentation website is getting a new look!
Try it now and let us know what you think. Switch to the new look >>

You can return to the original look by selecting English in the language selector above.

Publishing Container Products

AWS Marketplace enables two types of container product. First, it enables products that have a set of containers as a fulfillment option. This means that the product includes one or more container images that can be launched on any standard container runtime. These are new products, separate from any products that you can currently list through AWS Marketplace, even if the container images are equivalent to AMI versions of your product. Second, it enables new or existing SaaS products that use a container-based agent to list the agent as a separate product. Customers can find the products when browsing or searching for container products, either in the Amazon ECS console or on the AWS Marketplace website. To enable this scenario, you don't have to modify your existing SaaS products, but you do need to create a separate product for your container agent.

Server Container Products

Products consist of one or more container images and associated metadata. You submit at least one set of container images as a fulfillment option for your product. Customers find your product in the AWS Marketplace catalog by searching for products that have a Container fulfillment option available under Delivery Method. Other delivery methods for server products include Amazon Machine Image, Private Image Build, and AWS CloudFormation Stack. For example, you might submit two container images as a fulfillment option for use with Amazon ECS: one for the product and one for a supporting database. Similarly, you might submit a second set of container images as a fulfillment option to use with Amazon EKS.

Each set of container images representing a fulfillment option is considered a container group by AWS Marketplace, and is given a container group ID by AWS Marketplace, which is sent to you after your images have been scanned.

To create a container product, first sign in to AWS Marketplace Management Portal. From Assets choose Container. From there you can create a new container product, defining at least one container group. For each container group you provide links to the container images that comprise your product. Links can be the name of a public external repository on Docker Hub or a URL to a private repository such as Amazon ECR.

For example, you could use either of the following formats as pointers to your images:

  • nginx:mytag

  • 123456789012.dkr.ecr.us-west-2.amazonaws.com/nginx:mytag

As soon as you submit each container image URL, we scan it and check for security vulnerabilities. The AWS Marketplace container ingestion process includes an image scanning phase where we examine the images you provide for known security vulnerabilities. To do this, we perform a layer-by-layer static scan on the image. If we find critical vulnerabilities with remotely exploitable risk vectors, we present the list of found issues in AWS Marketplace Management Portal. We strongly recommend that you perform your own security analysis using a container image scanner such as Clair, Twistlock, Aqua Security, and Trend Micro to avoid delays in the ingestion and publishing process.

Your choice of base image for building your container images can have a significant influence on the security profile of the final image. If you pick a base image that already has known critical vulnerabilities, they will get flagged because of the base layer, even if your application software layers are clean. We recommend that you verify that you are starting with a vulnerability-free base container before you build your images and submit them to AWS Marketplace.

After the scan is complete, we will provide the container group ID that you need to identify the set of images associated with the fulfillment option you are creating. You can define up to four fulfillment options for each container product you submit, with up to 50 container images in each set.

When you create a new container product in AWS Marketplace Management Portal, we provide a set of product identifiers, specifically a product ID, a product code, and a public key. These are used to integrate your product with the AWS Marketplace Metering Service if your product is a paid product, or a free or BYOL product that you want to track usage of.

You also provide metadata by completing and submitting the product load form (PLF) for container products, which is a different (and shorter) format to previous PLFs you might have used to submit other products to AWS Marketplace. The first set of columns (A through AJ) is for standard product information such as title, description, product highlights, free trials, product categories, logo image URL, and EULA. The next set of columns (AK through AX) is for metadata specific to your first container fulfillment option. These columns are repeated for the next three available fulfillment options (AY through BL, BM through BZ, and CA through CN). This is where you specify the name of the fulfillment option, provide a description, and which AWS services the fulfillment option supports (Amazon ECS, Amazon EKS, or both Amazon ECS and Amazon EKS). You also specify usage instructions and provide URLs for deployment templates to support your fulfillment option. You can specify up to four per fulfillment option. These are service-specific documents that help configure and launch your product on a given runtime or orchestration service. For example, you might make your container product available with two fulfillment options: one for Amazon ECS and one for Amazon EKS. The Amazon ECS fulfillment option might then come with two deployment templates: one that is a task definition enabling the product to be launched easily on Amazon ECS as a scalable application, and one that is an AWS CloudFormation template that includes both an inline task definition and also instructions for configuring a database that the product will use. Similarly, the Amazon EKS fulfillment option might come with only one deployment template: a Helm chart that enables the product to be easily deployed to a customer’s Kubernetes cluster on Amazon EKS. You can have up to four deployment templates per fulfillment option.

Tip

When viewing the product load form in Microsoft Excel, hover over each of the fields to show comments that provide guidance on how to fill in each field.

When your product is on AWS Marketplace, customers see the available fulfillment options on the product detail page, and after they subscribe to the product and choose their preferred fulfillment option on the Configure your product page, they see links to the available deployment templates as well as instructions for how to pull the individual container images.

AWS Marketplace publishes your product once you have submitted the completed product load form with your product metadata and your container images have been successfully scanned. Initially, the product is published in a limited state with only your account having access to it. This enables you to review the product and ensure that it is appearing as intended. As part of the publishing process, your container images are copied to an AWS Marketplace repository on Amazon ECR. Therefore, you must update the references in your deployment templates to point to the new image URLs or your product may not work as intended. In particular, for paid products, customers will receive errors if the container image URLs are incorrect.

The final URL for each image will be of the following format:

mp-account-#.dkr.us-east-1.amazonaws.com/product_id/container_group_id/product_name/scan:product-version_latest

SaaS Products for Containers

You might want to list a new SaaS product that is relevant to containers, or you may already have one on AWS Marketplace. For example, if your product monitors container applications or provides security for servers running container applications, you can use the existing SaaS product type on AWS Marketplace.

In most cases, your product will typically use an agent that is deployed either natively to a server or as a container image. To ensure that your product appears when customers visit the Amazon ECS console or when they use the Delivery Method filter on the AWS Marketplace website to show only container products, you will list the agent as a separate product that includes a single container image with your agent already installed inside. This will be a free product, and you will provide metadata in the product load form. In the Usage Information section of the product load form, you provide a link to the associated SaaS product that the customer must subscribe to in order to use your software. A customer doesn't have to subscribe to the container agent product to use your SaaS product. However, it's more convenient for them to do so if they want to deploy the container agent on their Amazon ECS cluster, on their Amazon EKS cluster, or in an Amazon Fargate task.