AWS managed policies for AWS Marketplace sellers - AWS Marketplace

AWS managed policies for AWS Marketplace sellers

An AWS managed policy is a standalone policy that is created and administered by AWS. AWS managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles.

Keep in mind that AWS managed policies might not grant least-privilege permissions for your specific use cases because they're available for all AWS customers to use. We recommend that you reduce permissions further by defining customer managed policies that are specific to your use cases.

You cannot change the permissions defined in AWS managed policies. If AWS updates the permissions defined in an AWS managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to. AWS is most likely to update an AWS managed policy when a new AWS service is launched or new API operations become available for existing services.

For more information, see AWS managed policies in the IAM User Guide.

This section lists each of the policies used to manage seller access to AWS Marketplace. For information about buyer policies, see AWS managed policies for AWS Marketplace buyers in the AWS Marketplace Buyer Guide.

AWS managed policy: AWSMarketplaceAmiIngestion

You can create a service role with this policy that can then be used by AWS Marketplace to perform actions on your behalf. For more information about using AWSMarketplaceAmiIngestion, see Give AWS Marketplace access to your AMI.

This policy is used to grant contributor permissions that allow AWS Marketplace to copy your Amazon Machine Images (AMIs) in order to list them on AWS Marketplace.

Permissions details

{ "Version": "2012-10-17", "Statement": [ { "Action": [ "ec2:ModifySnapshotAttribute" ], "Effect": "Allow", "Resource": "arn:aws:ec2:us-east-1::snapshot/snap-*" }, { "Action": [ "ec2:DescribeImageAttribute", "ec2:DescribeImages", "ec2:DescribeSnapshotAttribute", "ec2:ModifyImageAttribute" ], "Effect": "Allow", "Resource": "*" } ] }

AWS managed policy: AWSMarketplaceFullAccess

You can attach the AWSMarketplaceFullAccess policy to your IAM identities.

This policy grants administrative permissions that allow full access to AWS Marketplace and related services, both as a seller and a buyer. These permissions include the following abilities:

  • Subscribe and unsubscribe to AWS Marketplace software.

  • Manage AWS Marketplace software instances from AWS Marketplace.

  • Create and manage a private marketplace in your account.

  • Provide access to Amazon EC2, AWS CloudFormation, and Amazon EC2 Systems Manager.

Permissions details

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "aws-marketplace:*", "cloudformation:CreateStack", "cloudformation:DescribeStackResource", "cloudformation:DescribeStackResources", "cloudformation:DescribeStacks", "cloudformation:List*", "ec2:AuthorizeSecurityGroupEgress", "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateSecurityGroup", "ec2:CreateTags", "ec2:DescribeAccountAttributes", "ec2:DescribeAddresses", "ec2:DeleteSecurityGroup", "ec2:DescribeImages", "ec2:DescribeInstances", "ec2:DescribeKeyPairs", "ec2:DescribeSecurityGroups", "ec2:DescribeSubnets", "ec2:DescribeTags", "ec2:DescribeVpcs", "ec2:RunInstances", "ec2:StartInstances", "ec2:StopInstances", "ec2:TerminateInstances" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "ec2:CopyImage", "ec2:DeregisterImage", "ec2:DescribeSnapshots", "ec2:DeleteSnapshot", "ec2:CreateImage", "ec2:DescribeInstanceStatus", "ssm:GetAutomationExecution", "ssm:UpdateDocumentDefaultVersion", "ssm:CreateDocument", "ssm:StartAutomationExecution", "ssm:ListDocuments", "ssm:UpdateDocument", "ssm:DescribeDocument", "sns:ListTopics", "sns:GetTopicAttributes", "sns:CreateTopic", "iam:GetRole", "iam:GetInstanceProfile", "iam:ListRoles", "iam:ListInstanceProfiles" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "s3:ListBucket", "s3:GetObject" ], "Resource": [ "arn:aws:s3:::*image-build*" ] }, { "Effect": "Allow", "Action": [ "sns:Publish", "sns:setTopicAttributes" ], "Resource": "arn:aws:sns:*:*:*image-build*" }, { "Effect": "Allow", "Action": [ "iam:PassRole" ], "Resource": [ "*" ], "Condition": { "StringLike": { "iam:PassedToService": [ "ec2.amazonaws.com", "ssm.amazonaws.com" ] } } } ] }

AWS managed policy: AWSMarketplaceGetEntitlements

You can attach the AWSMarketplaceGetEntitlements policy to your IAM identities.

This policy grants read-only permissions that allow software as a service (SaaS) product sellers to check whether a customer has subscribed to their AWS Marketplace SaaS product.

Permissions details

{ "Version": "2012-10-17", "Statement": [ { "Sid" : "AWSMarketplaceGetEntitlements", "Effect" : "Allow", "Action": [ "aws-marketplace:GetEntitlements" ], "Resource": "*" } ] }

AWS managed policy: AWSMarketplaceMeteringFullAccess

You can attach the AWSMarketplaceMeteringFullAccess policy to your IAM identities.

This policy grants contributor permissions that allow reporting metered usage that corresponds to AMI and container products with flexible consumption pricing on AWS Marketplace.

Permissions details

{ "Version": "2012-10-17", "Statement": [ { "Action": [ "aws-marketplace:MeterUsage" ], "Effect": "Allow", "Resource": "*" } ] }

AWS managed policy: AWSMarketplaceMeteringRegisterUsage

You can attach the AWSMarketplaceMeteringRegisterUsage policy to your IAM identities.

This policy grants contributor permissions that allow reporting metered usage that corresponds to container products with hourly pricing on AWS Marketplace.

Permissions details

{ "Version": "2012-10-17", "Statement": [ { "Action": [ "aws-marketplace:RegisterUsage" ], "Effect": "Allow", "Resource": "*" } ] }

AWS managed policy: AWSMarketplaceSellerFullAccess

You can attach the AWSMarketplaceSellerFullAccess policy to your IAM identities.

This policy grants administrative permissions that allow full access to all seller operations on AWS Marketplace, including AWS Marketplace Management Portal, and managing the Amazon EC2 AMI used in AMI-based products.

Permissions details

{ "Version": "2012-10-17", "Statement": [ { "Sid": "MarketplaceManagement", "Effect": "Allow", "Action": [ "aws-marketplace-management:viewReports", "aws-marketplace-management:viewSupport", "aws-marketplace:ListChangeSets", "aws-marketplace:DescribeChangeSet", "aws-marketplace:StartChangeSet", "aws-marketplace:CancelChangeSet", "aws-marketplace:ListEntities", "aws-marketplace:DescribeEntity", "aws-marketplace:ListTasks", "aws-marketplace:DescribeTask", "aws-marketplace:UpdateTask", "aws-marketplace:CompleteTask", "aws-marketplace:GetSellerDashboard", "ec2:DescribeImages", "ec2:DescribeSnapshots", "ec2:ModifyImageAttribute", "ec2:ModifySnapshotAttribute" ], "Resource": "*" }, { "Sid": "AgreementAccess", "Action": [ "aws-marketplace:SearchAgreements", "aws-marketplace:DescribeAgreement", "aws-marketplace:GetAgreementTerms" ], "Effect": "Allow", "Resource": "*", "Condition": { "StringEquals": { "aws-marketplace:PartyType": "Proposer" }, "ForAllValues:StringEquals": { "aws-marketplace:AgreementType": [ "PurchaseAgreement" ] } } }, { "Sid": "IAMGetRole", "Effect": "Allow", "Action": [ "iam:GetRole" ], "Resource": "arn:aws:iam::*:role/*" }, { "Sid": "AssetScanning", "Effect": "Allow", "Action": [ "iam:PassRole" ], "Resource": "arn:aws:iam::*:role/*", "Condition": { "StringEquals": { "iam:PassedToService": "assets.marketplace.amazonaws.com" } } }, { "Sid": "VendorInsights", "Effect": "Allow", "Action": [ "vendor-insights:GetDataSource", "vendor-insights:ListDataSources", "vendor-insights:ListSecurityProfiles", "vendor-insights:GetSecurityProfile", "vendor-insights:GetSecurityProfileSnapshot", "vendor-insights:ListSecurityProfileSnapshots" ], "Resource": "*" }, { "Sid": "TagManagement", "Effect": "Allow", "Action": [ "aws-marketplace:TagResource", "aws-marketplace:UntagResource", "aws-marketplace:ListTagsForResource" ], "Resource": "arn:aws:aws-marketplace:*:*:AWSMarketplace/*" }, { "Sid": "SellerSettings", "Effect": "Allow", "Action": [ "aws-marketplace-management:GetSellerVerificationDetails", "aws-marketplace-management:PutSellerVerificationDetails", "aws-marketplace-management:GetBankAccountVerificationDetails", "aws-marketplace-management:PutBankAccountVerificationDetails", "aws-marketplace-management:GetSecondaryUserVerificationDetails", "aws-marketplace-management:PutSecondaryUserVerificationDetails", "aws-marketplace-management:GetAdditionalSellerNotificationRecipients", "aws-marketplace-management:PutAdditionalSellerNotificationRecipients" "payments:GetPaymentInstrument", "payments:CreatePaymentInstrument", "tax:GetTaxInterview", "tax:PutTaxInterview", "tax:GetTaxInfoReportingDocument" ], "Resource": "*" }, { "Sid": "Support", "Effect": "Allow", "Action": [ "support:CreateCase" ], "Resource": "*" }, { "Sid": "ResourcePolicyManagement", "Effect": "Allow", "Action": [ "aws-marketplace:GetResourcePolicy", "aws-marketplace:PutResourcePolicy", "aws-marketplace:DeleteResourcePolicy" ], "Resource": "arn:aws:aws-marketplace:*:*:AWSMarketplace/*" }, { "Sid": "CreateServiceLinkedRole", "Effect": "Allow", "Action": "iam:CreateServiceLinkedRole", "Resource": "*", "Condition": { "StringEquals": { "iam:AWSServiceName": "resale-authorization.marketplace.amazonaws.com" } } } ] }

AWS managed policy: AWSMarketplaceSellerProductsFullAccess

You can attach the AWSMarketplaceSellerProductsFullAccess policy to your IAM identities.

This policy grants contributor permissions that allow full access to manage products and to the AWS Marketplace Management Portal, and managing the Amazon EC2 AMI used in AMI-based products.

Permissions details

{ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": [ "aws-marketplace:ListChangeSets", "aws-marketplace:DescribeChangeSet", "aws-marketplace:StartChangeSet", "aws-marketplace:CancelChangeSet", "aws-marketplace:ListEntities", "aws-marketplace:DescribeEntity", "aws-marketplace:ListTasks", "aws-marketplace:DescribeTask", "aws-marketplace:UpdateTask", "aws-marketplace:CompleteTask", "ec2:DescribeImages", "ec2:DescribeSnapshots", "ec2:ModifyImageAttribute", "ec2:ModifySnapshotAttribute" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "iam:GetRole" ], "Resource": "arn:aws:iam:::role/" }, { "Effect": "Allow", "Action": [ "iam:PassRole" ], "Resource": "arn:aws:iam:::role/", "Condition": { "StringEquals": { "iam:PassedToService": "assets.marketplace.amazonaws.com" } } }, { "Effect": "Allow", "Action": [ "vendor-insights:GetDataSource", "vendor-insights:ListDataSources", "vendor-insights:ListSecurityProfiles", "vendor-insights:GetSecurityProfile", "vendor-insights:GetSecurityProfileSnapshot", "vendor-insights:ListSecurityProfileSnapshots" ], "Resource": "*" } { "Effect": "Allow", "Action": [ "aws-marketplace:TagResource", "aws-marketplace:UntagResource", "aws-marketplace:ListTagsForResource" ], "Resource": "arn:aws:aws-marketplace:*:*:AWSMarketplace/*" } ] }

AWS managed policy: AWSMarketplaceSellerProductsReadOnly

You can attach the AWSMarketplaceSellerProductsReadOnly policy to your IAM identities.

This policy grants read-only permissions that allow access to view products on the AWS Marketplace Management Portal, and view the Amazon EC2 AMI used in AMI-based products.

Permissions details

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "aws-marketplace:ListChangeSets", "aws-marketplace:DescribeChangeSet", "aws-marketplace:ListEntities", "aws-marketplace:DescribeEntity", "aws-marketplace:ListTasks", "aws-marketplace:DescribeTask", "ec2:DescribeImages", "ec2:DescribeSnapshots" ], "Resource": "*" } { "Effect": "Allow", "Action": [ "aws-marketplace:ListTagsForResource" ], "Resource": "arn:aws:aws-marketplace:*:*:AWSMarketplace/*" } ] }

AWS managed policy: AWSVendorInsightsVendorFullAccess

You can attach the AWSVendorInsightsVendorFullAccess policy to your IAM identities.

This policy grants full access to create and manage all resources on AWS Marketplace Vendor Insights. AWS Marketplace Vendor Insights identifies assessor as the buyer and vendor is equal to the seller for the purposes of this guide. AWS Marketplace updated AWSVendorInsightsVendorFullAccess to add agreement search, updating profile snapshots, vendor tagging, and allows read-only access to AWS Artifact third-party reports.

Permissions details

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "aws-marketplace:DescribeEntity", "Resource": "arn:aws:aws-marketplace:*:*:*/SaaSProduct/*" }, { "Effect": "Allow", "Action": "aws-marketplace:ListEntities", "Resource": "*" }, { "Effect": "Allow", "Action": [ "vendor-insights:CreateDataSource", "vendor-insights:UpdateDataSource", "vendor-insights:DeleteDataSource", "vendor-insights:GetDataSource", "vendor-insights:ListDataSources", "vendor-insights:CreateSecurityProfile", "vendor-insights:ListSecurityProfiles", "vendor-insights:GetSecurityProfile", "vendor-insights:AssociateDataSource", "vendor-insights:DisassociateDataSource", "vendor-insights:UpdateSecurityProfile", "vendor-insights:ActivateSecurityProfile", "vendor-insights:DeactivateSecurityProfile", "vendor-insights:UpdateSecurityProfileSnapshotCreationConfiguration", "vendor-insights:UpdateSecurityProfileSnapshotReleaseConfiguration", "vendor-insights:GetSecurityProfileSnapshot", "vendor-insights:ListSecurityProfileSnapshots" "vendor-insights:TagResource", "vendor-insights:UntagResource", "vendor-insights:ListTagsForResource", ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "aws-marketplace:AcceptAgreementApprovalRequest", "aws-marketplace:RejectAgreementApprovalRequest", "aws-marketplace:GetAgreementApprovalRequest", "aws-marketplace:ListAgreementApprovalRequests" "aws-marketplace:CancelAgreement", "aws-marketplace:SearchAgreements" ], "Resource": "*", "Condition": { "ForAllValues:StringEquals": { "aws-marketplace:AgreementType": "VendorInsightsAgreement" } } }, { "Effect": "Allow", "Action": [ "artifact:GetReport", "artifact:GetReportMetadata", "artifact:GetTermForReport", "artifact:ListReports", ], "Resource": "arn:aws:artifact:*::report/*" } ] }

AWS managed policy: AWSVendorInsightsVendorReadOnly

You can attach the AWSVendorInsightsVendorReadOnly policy to your IAM identities.

This policy grants read-only access for viewing AWS Marketplace Vendor Insights profiles and related resources. AWS Marketplace Vendor Insights identifies assessor as the buyer and vendor is equal to the seller for the purposes of this guide. AWS Marketplace updated AWSVendorInsightsVendorReadOnly to add permissions to list tags and allows read-only access to AWS Artifact third-party reports.

Permissions details

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "aws-marketplace:DescribeEntity", "Resource": "arn:aws:aws-marketplace:*:*:*/SaaSProduct/*" }, { "Effect": "Allow", "Action": "aws-marketplace:ListEntities", "Resource": "*" }, { "Effect": "Allow", "Action": [ "vendor-insights:GetDataSource", "vendor-insights:ListDataSources", "vendor-insights:ListSecurityProfiles", "vendor-insights:GetSecurityProfile", "vendor-insights:GetSecurityProfileSnapshot", "vendor-insights:ListSecurityProfileSnapshots" "vendor-insights:ListTagsForResource" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "artifact:GetReport", "artifact:GetReportMetadata", "artifact:GetTermForReport", "artifact:ListReports" ], "Resource": "arn:aws:artifact:*::report/*" } ] }

AWS Marketplace updates to AWS managed policies

View details about updates to AWS managed policies for AWS Marketplace since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the AWS Marketplace Document history page.

Change Description Date

AWSMarketplaceSellerFullAccess – Updated policy

Updated the AWSMarketplaceSellerFullAccess documentation to reflect the removal of the following actions: aws-marketplace-management:viewMarketing, aws-marketplace-management:viewSettings, and aws-marketplace-management:uploadFiles. This update also includes removing the Using fine-grained permissions section.

June 4, 2024

AWSMarketplaceGetEntitlements – Updated policy

AWS Marketplace updated AWSMarketplaceGetEntitlements to add sid for the policy statement. March 22, 2024

AWSMarketplaceSellerFullAccess – Updated policy

AWS Marketplace updated AWSMarketplaceSellerFullAccess to add permissions for creating service-linked roles. March 15, 2024

AWSMarketplaceSellerFullAccess – Updated policy

AWS Marketplace updated AWSMarketplaceSellerFullAccess to add a permission for accessing tax information. February 8, 2024
AWSVendorInsightsVendorFullAccess - Updated policy AWS Marketplace updated AWSVendorInsightsVendorFullAccess to add permissions to update data sources. October 18, 2023

AWSMarketplaceSellerFullAccess – Updated policy

AWS Marketplace updated AWSMarketplaceSellerFullAccess to add permissions for sharing entities. June 1, 2023

AWSMarketplaceSellerFullAccess – Updated policy

AWS Marketplace updated AWSMarketplaceSellerFullAccess to add permissions related to account verifications, bank account verifications, case management, and seller notification details. June 1, 2023

AWSMarketplaceSellerFullAccess – Updated policy

AWS Marketplace updated AWSMarketplaceSellerFullAccess to add permissions to access seller dashboards. December 23, 2022

AWSMarketplaceSellerFullAccess, AWSMarketplaceSellerProductsFullAccess, AWSMarketplaceSellerProductsReadOnly – Update to existing policy

AWS Marketplace updated policies for the new tag-based authorization feature.

December 9, 2022

AWS Marketplace updated AWSVendorInsightsVendorFullAccess

AWS Marketplace updated AWSMarketplaceSellerProductsFullAccess to add agreement search, updating profile snapshots, vendor tagging, and allows read-only access to AWS Artifact third-party reports (preview). November 30, 2022
AWS Marketplace updated AWSVendorInsightsVendorReadOnly AWS Marketplace updated AWSVendorInsightsVendorReadOnly to add permissions to list tags and allows read-only accesss to AWS Artifact third-party reports (preview). November 30, 2022

AWSVendorInsightsVendorFullAccess and AWSVendorInsightsVendorReadOnly – Added new policies

AWS Marketplace added policies for the new feature AWS Marketplace Vendor Insights: AWSMarketplaceSellerProductsFullAccess and AWSVendorInsightsVendorReadOnly. July 26, 2022
AWSMarketplaceSellerProductsFullAccessand AWSMarketplaceSellerFullAccess– Updated policies AWS Marketplace updated policies for the new feature AWS Marketplace Vendor Insights: AWSMarketplaceSellerProductsFullAccess and AWSMarketplaceSellerFullAccess. July 26, 2022

AWSMarketplaceSellerFullAccess and AWSMarketplaceSellerProductsFullAccess – Update to existing policies

AWS Marketplace updated the policies so that the iam:PassedToService condition is only applied to iam:PassRole. November 22, 2021

AWSMarketplaceFullAccess – Update to an existing policy

AWS Marketplace removed a duplicate ec2:DescribeAccountAttributes permission from AWSMarketplaceFullAccess policy.

July 20, 2021

AWS Marketplace started tracking changes

AWS Marketplace started tracking changes for its AWS managed policies.

April 20, 2021