Understanding AWS Marketplace Vendor Insights
AWS Marketplace Vendor Insights gathers compliance artifacts and security control information for your product and presents it in a dashboard. The dashboard takes data from the product owner's self-assessment, evidence from audit reports, and live evidence from AWS accounts. This data feeds into the security controls and then to the dashboard for buyers to review.
The dashboard presents the evidence-based information gathered by AWS Marketplace Vendor Insights from multiple security control categories. This provides insight with a near real-time view of the security profile and reduces discussions between the buyer and seller. Buyers can validate a seller's information completing assessments within a few hours. AWS Marketplace Vendor Insights provides a mechanism for sellers to keep security and compliance posture information up-to-date automatically. They can share it with buyers on-demand which eliminates the need to respond to questionnaires on a random basis.
AWS Marketplace Vendor Insights gathers the evidence-based information from three sources:
-
Your vendor self-assessment – Supported self-assessments include the AWS Marketplace Vendor Insights security self-assessment and Consensus Assessment Initiative Questionnaire (CAIQ).
-
Your production accounts – Of the multiple controls, 25 controls support live evidence gathering from your production accounts. Live evidence for each control is generated by evaluating the configuration settings of your AWS resources using one or more AWS Config rules. AWS Audit Manager captures the evidence and prepares it for AWS Marketplace Vendor Insights to consume. The onboarding AWS CloudFormation template automates the prerequisite steps required for enabling live evidence gathering. AWS Config is enabled in the seller's environment. Data about configurations, backups enabled, and other information is updated automatically. For example, assume that the Access Control for a product is Compliant and an Amazon S3 bucket becomes public. The dashboard would display that the control's status changed from Compliant to Undetermined.
-
Turning on AWS Config and the AWS Audit Manager service.
-
Creating AWS Config rules and the AWS Audit Manager automated assessment.
-
Provisioning the AWS Identity and Access Management (IAM) role so that AWS Marketplace Vendor Insights can pull assessment results.
-
-
Your ISO 27001 and SOC2 Type II report – The control categories are mapped to controls in the International Organization for Standardization (ISO) and System and Organization Controls (SOC2) reports. When you share these reports with AWS Marketplace Vendor Insights, it can extract relevant evidence from these reports and present it on the dashboard.