AWS managed policies for AWS Marketplace sellers
An AWS managed policy is a standalone policy that is created and administered by AWS. AWS managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles.
Keep in mind that AWS managed policies might not grant least-privilege permissions for your specific use cases because they're available for all AWS customers to use. We recommend that you reduce permissions further by defining customer managed policies that are specific to your use cases.
You cannot change the permissions defined in AWS managed policies. If AWS updates the permissions defined in an AWS managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to. AWS is most likely to update an AWS managed policy when a new AWS service is launched or new API operations become available for existing services.
For more information, see AWS managed policies in the IAM User Guide.
This section lists each of the policies used to manage seller access to AWS Marketplace. For information about buyer policies, see AWS managed policies for AWS Marketplace buyers in the AWS Marketplace Buyer Guide.
Topics
- AWS managed policy: AWSMarketplaceAmiIngestion
- AWS managed policy: AWSMarketplaceFullAccess
- AWS managed policy: AWSMarketplaceGetEntitlements
- AWS managed policy: AWSMarketplaceMeteringFullAccess
- AWS managed policy: AWSMarketplaceMeteringRegisterUsage
- AWS managed policy: AWSMarketplaceSellerFullAccess
- AWS managed policy: AWSMarketplaceSellerProductsFullAccess
- AWS managed policy: AWSMarketplaceSellerProductsReadOnly
- AWS managed policy: AWSVendorInsightsVendorFullAccess
- AWS managed policy: AWSVendorInsightsVendorReadOnly
- AWS Marketplace updates to AWS managed policies
AWS managed
policy: AWSMarketplaceAmiIngestion
You can create a service role with this policy that can then be used by AWS Marketplace to
perform actions on your behalf. For more information about using
AWSMarketplaceAmiIngestion, see Give AWS Marketplace access to your
AMI.
This policy is used to grant contributor permissions that allow AWS Marketplace to copy your Amazon Machine Images (AMIs) in order to list them on AWS Marketplace.
Permissions details
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "ec2:ModifySnapshotAttribute" ], "Effect": "Allow", "Resource": "arn:aws:ec2:us-east-1::snapshot/snap-*" }, { "Action": [ "ec2:DescribeImageAttribute", "ec2:DescribeImages", "ec2:DescribeSnapshotAttribute", "ec2:ModifyImageAttribute" ], "Effect": "Allow", "Resource": "*" } ] }
AWS managed policy:
AWSMarketplaceFullAccess
You can attach the AWSMarketplaceFullAccess policy to your IAM
identities.
This policy grants administrative permissions that allow full access to AWS Marketplace and related services, both as a seller and a buyer. These permissions include the following abilities:
-
Subscribe and unsubscribe to AWS Marketplace software.
-
Manage AWS Marketplace software instances from AWS Marketplace.
-
Create and manage a private marketplace in your account.
-
Provide access to Amazon EC2, AWS CloudFormation, and Amazon EC2 Systems Manager.
Permissions details
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "aws-marketplace:*", "cloudformation:CreateStack", "cloudformation:DescribeStackResource", "cloudformation:DescribeStackResources", "cloudformation:DescribeStacks", "cloudformation:List*", "ec2:AuthorizeSecurityGroupEgress", "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateSecurityGroup", "ec2:CreateTags", "ec2:DescribeAccountAttributes", "ec2:DescribeAddresses", "ec2:DeleteSecurityGroup", "ec2:DescribeImages", "ec2:DescribeInstances", "ec2:DescribeKeyPairs", "ec2:DescribeSecurityGroups", "ec2:DescribeSubnets", "ec2:DescribeTags", "ec2:DescribeVpcs", "ec2:RunInstances", "ec2:StartInstances", "ec2:StopInstances", "ec2:TerminateInstances" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "ec2:CopyImage", "ec2:DeregisterImage", "ec2:DescribeSnapshots", "ec2:DeleteSnapshot", "ec2:CreateImage", "ec2:DescribeInstanceStatus", "ssm:GetAutomationExecution", "ssm:UpdateDocumentDefaultVersion", "ssm:CreateDocument", "ssm:StartAutomationExecution", "ssm:ListDocuments", "ssm:UpdateDocument", "ssm:DescribeDocument", "sns:ListTopics", "sns:GetTopicAttributes", "sns:CreateTopic", "iam:GetRole", "iam:GetInstanceProfile", "iam:ListRoles", "iam:ListInstanceProfiles" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "s3:ListBucket", "s3:GetObject" ], "Resource": [ "arn:aws:s3:::*image-build*" ] }, { "Effect": "Allow", "Action": [ "sns:Publish", "sns:setTopicAttributes" ], "Resource": "arn:aws:sns:*:*:*image-build*" }, { "Effect": "Allow", "Action": [ "iam:PassRole" ], "Resource": [ "*" ], "Condition": { "StringLike": { "iam:PassedToService": [ "ec2.amazonaws.com", "ssm.amazonaws.com" ] } } } ] }
AWS managed
policy: AWSMarketplaceGetEntitlements
You can attach the AWSMarketplaceGetEntitlements policy to your IAM
identities.
This policy grants read-only permissions that allow software as a service (SaaS) product sellers to check whether a customer has subscribed to their AWS Marketplace SaaS product.
Permissions details
{ "Version": "2012-10-17", "Statement": [ { "Sid" : "AWSMarketplaceGetEntitlements", "Effect" : "Allow", "Action": [ "aws-marketplace:GetEntitlements" ], "Resource": "*" } ] }
AWS managed
policy: AWSMarketplaceMeteringFullAccess
You can attach the AWSMarketplaceMeteringFullAccess policy to your IAM
identities.
This policy grants contributor permissions that allow reporting metered usage that corresponds to AMI and container products with flexible consumption pricing on AWS Marketplace.
Permissions details
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "aws-marketplace:MeterUsage" ], "Effect": "Allow", "Resource": "*" } ] }
AWS
managed policy: AWSMarketplaceMeteringRegisterUsage
You can attach the AWSMarketplaceMeteringRegisterUsage policy to your
IAM identities.
This policy grants contributor permissions that allow reporting metered usage that corresponds to container products with hourly pricing on AWS Marketplace.
Permissions details
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "aws-marketplace:RegisterUsage" ], "Effect": "Allow", "Resource": "*" } ] }
AWS managed
policy: AWSMarketplaceSellerFullAccess
You can attach the AWSMarketplaceSellerFullAccess policy to your IAM
identities.
This policy grants administrative permissions that allow full access to all seller operations on AWS Marketplace, including AWS Marketplace Management Portal, and managing the Amazon EC2 AMI used in AMI-based products.
Permissions details
{ "Version": "2012-10-17", "Statement": [ { "Sid": "MarketplaceManagement", "Effect": "Allow", "Action": [ "aws-marketplace-management:viewMarketing", "aws-marketplace-management:viewReports", "aws-marketplace-management:viewSupport", "aws-marketplace:ListChangeSets", "aws-marketplace:DescribeChangeSet", "aws-marketplace:StartChangeSet", "aws-marketplace:CancelChangeSet", "aws-marketplace:ListEntities", "aws-marketplace:DescribeEntity", "aws-marketplace:ListTasks", "aws-marketplace:DescribeTask", "aws-marketplace:UpdateTask", "aws-marketplace:CompleteTask", "aws-marketplace:GetSellerDashboard", "ec2:DescribeImages", "ec2:DescribeSnapshots", "ec2:ModifyImageAttribute", "ec2:ModifySnapshotAttribute" ], "Resource": "*" }, { "Sid": "AgreementAccess", "Action": [ "aws-marketplace:SearchAgreements", "aws-marketplace:DescribeAgreement", "aws-marketplace:GetAgreementTerms" ], "Effect": "Allow", "Resource": "*", "Condition": { "StringEquals": { "aws-marketplace:PartyType": "Proposer" }, "ForAllValues:StringEquals": { "aws-marketplace:AgreementType": [ "PurchaseAgreement" ] } } }, { "Sid": "IAMGetRole", "Effect": "Allow", "Action": [ "iam:GetRole" ], "Resource": "arn:aws:iam::*:role/*" }, { "Sid": "AssetScanning", "Effect": "Allow", "Action": [ "iam:PassRole" ], "Resource": "arn:aws:iam::*:role/*", "Condition": { "StringEquals": { "iam:PassedToService": "assets.marketplace.amazonaws.com" } } }, { "Sid": "VendorInsights", "Effect": "Allow", "Action": [ "vendor-insights:GetDataSource", "vendor-insights:ListDataSources", "vendor-insights:ListSecurityProfiles", "vendor-insights:GetSecurityProfile", "vendor-insights:GetSecurityProfileSnapshot", "vendor-insights:ListSecurityProfileSnapshots" ], "Resource": "*" }, { "Sid": "TagManagement", "Effect": "Allow", "Action": [ "aws-marketplace:TagResource", "aws-marketplace:UntagResource", "aws-marketplace:ListTagsForResource" ], "Resource": "arn:aws:aws-marketplace:*:*:AWSMarketplace/*" }, { "Sid": "SellerSettings", "Effect": "Allow", "Action": [ "aws-marketplace-management:GetSellerVerificationDetails", "aws-marketplace-management:PutSellerVerificationDetails", "aws-marketplace-management:GetBankAccountVerificationDetails", "aws-marketplace-management:PutBankAccountVerificationDetails", "aws-marketplace-management:GetSecondaryUserVerificationDetails", "aws-marketplace-management:PutSecondaryUserVerificationDetails", "aws-marketplace-management:GetAdditionalSellerNotificationRecipients", "aws-marketplace-management:PutAdditionalSellerNotificationRecipients" "payments:GetPaymentInstrument", "payments:CreatePaymentInstrument", "tax:GetTaxInterview", "tax:PutTaxInterview", "tax:GetTaxInfoReportingDocument" ], "Resource": "*" }, { "Sid": "Support", "Effect": "Allow", "Action": [ "support:CreateCase" ], "Resource": "*" }, { "Sid": "ResourcePolicyManagement", "Effect": "Allow", "Action": [ "aws-marketplace:GetResourcePolicy", "aws-marketplace:PutResourcePolicy", "aws-marketplace:DeleteResourcePolicy" ], "Resource": "arn:aws:aws-marketplace:*:*:AWSMarketplace/*" }, { "Sid": "CreateServiceLinkedRole", "Effect": "Allow", "Action": "iam:CreateServiceLinkedRole", "Resource": "*", "Condition": { "StringEquals": { "iam:AWSServiceName": "resale-authorization.marketplace.amazonaws.com" } } } ] }
AWS
managed policy: AWSMarketplaceSellerProductsFullAccess
You can attach the AWSMarketplaceSellerProductsFullAccess policy to your
IAM identities.
This policy grants contributor permissions that allow full access to manage products and to the AWS Marketplace Management Portal, and managing the Amazon EC2 AMI used in AMI-based products.
Permissions details
{ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": [ "aws-marketplace:ListChangeSets", "aws-marketplace:DescribeChangeSet", "aws-marketplace:StartChangeSet", "aws-marketplace:CancelChangeSet", "aws-marketplace:ListEntities", "aws-marketplace:DescribeEntity", "aws-marketplace:ListTasks", "aws-marketplace:DescribeTask", "aws-marketplace:UpdateTask", "aws-marketplace:CompleteTask", "ec2:DescribeImages", "ec2:DescribeSnapshots", "ec2:ModifyImageAttribute", "ec2:ModifySnapshotAttribute" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "iam:GetRole" ], "Resource": "arn:aws:iam:::role/" }, { "Effect": "Allow", "Action": [ "iam:PassRole" ], "Resource": "arn:aws:iam:::role/", "Condition": { "StringEquals": { "iam:PassedToService": "assets.marketplace.amazonaws.com" } } }, { "Effect": "Allow", "Action": [ "vendor-insights:GetDataSource", "vendor-insights:ListDataSources", "vendor-insights:ListSecurityProfiles", "vendor-insights:GetSecurityProfile", "vendor-insights:GetSecurityProfileSnapshot", "vendor-insights:ListSecurityProfileSnapshots" ], "Resource": "*" } { "Effect": "Allow", "Action": [ "aws-marketplace:TagResource", "aws-marketplace:UntagResource", "aws-marketplace:ListTagsForResource" ], "Resource": "arn:aws:aws-marketplace:*:*:AWSMarketplace/*" } ] }
AWS
managed policy: AWSMarketplaceSellerProductsReadOnly
You can attach the AWSMarketplaceSellerProductsReadOnly policy to your
IAM identities.
This policy grants read-only permissions that allow access to view products on the AWS Marketplace Management Portal, and view the Amazon EC2 AMI used in AMI-based products.
Permissions details
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "aws-marketplace:ListChangeSets", "aws-marketplace:DescribeChangeSet", "aws-marketplace:ListEntities", "aws-marketplace:DescribeEntity", "aws-marketplace:ListTasks", "aws-marketplace:DescribeTask", "ec2:DescribeImages", "ec2:DescribeSnapshots" ], "Resource": "*" } { "Effect": "Allow", "Action": [ "aws-marketplace:ListTagsForResource" ], "Resource": "arn:aws:aws-marketplace:*:*:AWSMarketplace/*" } ] }
AWS managed
policy: AWSVendorInsightsVendorFullAccess
You can attach the AWSVendorInsightsVendorFullAccess policy to your IAM
identities.
This policy grants full access to create and manage all resources on AWS Marketplace Vendor Insights. AWS Marketplace Vendor Insights
identifies assessor as the buyer and vendor is equal to the seller for the purposes of
this guide. AWS Marketplace updated AWSVendorInsightsVendorFullAccess to add
agreement search, updating profile snapshots, vendor tagging, and allows read-only
access to AWS Artifact third-party reports.
Permissions details
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "aws-marketplace:DescribeEntity", "Resource": "arn:aws:aws-marketplace:*:*:*/SaaSProduct/*" }, { "Effect": "Allow", "Action": "aws-marketplace:ListEntities", "Resource": "*" }, { "Effect": "Allow", "Action": [ "vendor-insights:CreateDataSource", "vendor-insights:UpdateDataSource", "vendor-insights:DeleteDataSource", "vendor-insights:GetDataSource", "vendor-insights:ListDataSources", "vendor-insights:CreateSecurityProfile", "vendor-insights:ListSecurityProfiles", "vendor-insights:GetSecurityProfile", "vendor-insights:AssociateDataSource", "vendor-insights:DisassociateDataSource", "vendor-insights:UpdateSecurityProfile", "vendor-insights:ActivateSecurityProfile", "vendor-insights:DeactivateSecurityProfile", "vendor-insights:UpdateSecurityProfileSnapshotCreationConfiguration", "vendor-insights:UpdateSecurityProfileSnapshotReleaseConfiguration", "vendor-insights:GetSecurityProfileSnapshot", "vendor-insights:ListSecurityProfileSnapshots" "vendor-insights:TagResource", "vendor-insights:UntagResource", "vendor-insights:ListTagsForResource", ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "aws-marketplace:AcceptAgreementApprovalRequest", "aws-marketplace:RejectAgreementApprovalRequest", "aws-marketplace:GetAgreementApprovalRequest", "aws-marketplace:ListAgreementApprovalRequests" "aws-marketplace:CancelAgreement", "aws-marketplace:SearchAgreements" ], "Resource": "*", "Condition": { "ForAllValues:StringEquals": { "aws-marketplace:AgreementType": "VendorInsightsAgreement" } } }, { "Effect": "Allow", "Action": [ "artifact:GetReport", "artifact:GetReportMetadata", "artifact:GetTermForReport", "artifact:ListReports", ], "Resource": "arn:aws:artifact:*::report/*" } ] }
AWS managed
policy: AWSVendorInsightsVendorReadOnly
You can attach the AWSVendorInsightsVendorReadOnly policy to your IAM
identities.
This policy grants read-only access for viewing AWS Marketplace Vendor Insights profiles and related
resources. AWS Marketplace Vendor Insights identifies assessor as the buyer and vendor is equal to the seller
for the purposes of this guide. AWS Marketplace updated
AWSVendorInsightsVendorReadOnly to add permissions to list tags and
allows read-only access to AWS Artifact third-party reports.
Permissions details
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "aws-marketplace:DescribeEntity", "Resource": "arn:aws:aws-marketplace:*:*:*/SaaSProduct/*" }, { "Effect": "Allow", "Action": "aws-marketplace:ListEntities", "Resource": "*" }, { "Effect": "Allow", "Action": [ "vendor-insights:GetDataSource", "vendor-insights:ListDataSources", "vendor-insights:ListSecurityProfiles", "vendor-insights:GetSecurityProfile", "vendor-insights:GetSecurityProfileSnapshot", "vendor-insights:ListSecurityProfileSnapshots" "vendor-insights:ListTagsForResource" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "artifact:GetReport", "artifact:GetReportMetadata", "artifact:GetTermForReport", "artifact:ListReports" ], "Resource": "arn:aws:artifact:*::report/*" } ] }
AWS Marketplace updates to AWS managed policies
View details about updates to AWS managed policies for AWS Marketplace since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the AWS Marketplace Document history page.
| Change | Description | Date |
|---|---|---|
|
AWSMarketplaceGetEntitlements – Updated policy |
AWS Marketplace updated AWSMarketplaceGetEntitlements to add
sid for the policy statement. |
March 22, 2024 |
|
AWSMarketplaceSellerFullAccess – Updated policy |
AWS Marketplace updated AWSMarketplaceSellerFullAccess to add
permissions for creating service-linked roles. |
March 15, 2024 |
|
AWSMarketplaceSellerFullAccess – Updated policy |
AWS Marketplace updated AWSMarketplaceSellerFullAccess to add a
permission for accessing tax information. |
February 8, 2024 |
| AWSVendorInsightsVendorFullAccess - Updated policy | AWS Marketplace updated AWSVendorInsightsVendorFullAccess to add
permissions to update data sources. |
October 18, 2023 |
|
AWSMarketplaceSellerFullAccess – Updated policy |
AWS Marketplace updated AWSMarketplaceSellerFullAccess to add
permissions for sharing entities. |
June 1, 2023 |
|
AWSMarketplaceSellerFullAccess – Updated policy |
AWS Marketplace updated AWSMarketplaceSellerFullAccess to add
permissions related to account verifications, bank account
verifications, case management, and seller notification details. |
June 1, 2023 |
|
AWSMarketplaceSellerFullAccess – Updated policy |
AWS Marketplace updated AWSMarketplaceSellerFullAccess to add
permissions to access seller dashboards. |
December 23, 2022 |
|
AWSMarketplaceSellerFullAccess, AWSMarketplaceSellerProductsFullAccess, AWSMarketplaceSellerProductsReadOnly – Update to existing policy |
AWS Marketplace updated policies for the new tag-based authorization feature. |
December 9, 2022 |
|
AWS Marketplace updated AWSVendorInsightsVendorFullAccess |
AWS Marketplace updated AWSMarketplaceSellerProductsFullAccess to
add agreement search, updating profile snapshots, vendor tagging, and
allows read-only access to AWS Artifact third-party reports (preview). |
November 30, 2022 |
| AWS Marketplace updated AWSVendorInsightsVendorReadOnly | AWS Marketplace updated AWSVendorInsightsVendorReadOnly to add
permissions to list tags and allows read-only accesss to AWS Artifact
third-party reports (preview). |
November 30, 2022 |
|
AWSVendorInsightsVendorFullAccess and AWSVendorInsightsVendorReadOnly – Added new policies |
AWS Marketplace added policies for the new feature AWS Marketplace Vendor Insights:
AWSMarketplaceSellerProductsFullAccess and
AWSVendorInsightsVendorReadOnly. |
July 26, 2022 |
| AWSMarketplaceSellerProductsFullAccessand AWSMarketplaceSellerFullAccess– Updated policies | AWS Marketplace updated policies for the new feature AWS Marketplace Vendor Insights:
AWSMarketplaceSellerProductsFullAccess and
AWSMarketplaceSellerFullAccess. |
July 26, 2022 |
|
AWSMarketplaceSellerFullAccess and AWSMarketplaceSellerProductsFullAccess – Update to existing policies |
AWS Marketplace updated the policies so that the
iam:PassedToService condition is only applied to
iam:PassRole. |
November 22, 2021 |
|
AWSMarketplaceFullAccess – Update to an existing policy |
AWS Marketplace removed a duplicate
|
July 20, 2021 |
|
AWS Marketplace started tracking changes |
AWS Marketplace started tracking changes for its AWS managed policies. |
April 20, 2021 |
