Table of Contents
- Introduction
- The Power of Multi-Account Strategies
- Understanding AWS Marketplace and Private Marketplace
- Solution Overview
- Step-by-Step Solution Walkthrough
- Conclusion
- FAQs
Introduction
Have you ever struggled to manage a multitude of software subscriptions across the divisions of your organization? Or wondered how to make sure every team follows approved procurement policies? If so, AWS Private Marketplace may be the answer. It gives administrators a central place to decide which third-party products the accounts in an AWS Organization can subscribe to; this post shows how to extend that control across multiple AWS Organizations.
In this blog post, we'll walk through a distributed serverless solution that provides centralized governance of Private Marketplace experiences across numerous AWS Organizations. From setup through deployment and validation, this guide will help you implement a robust system for managing your organization's software procurement securely.
The Power of Multi-Account Strategies
AWS advocates a multi-account strategy as a key practice for resource isolation, stronger security, and regulatory compliance. Account boundaries make it easier to track operational expenses and limit the blast radius of a security incident to the affected account.
By adopting a multi-account strategy combined with AWS Control Tower's capabilities, organizations can streamline their AWS environments into cohesive units, each adhering to common directives and regulatory needs. This approach not only simplifies cost allocation but also ensures accountability within each organizational unit.
Understanding AWS Marketplace and Private Marketplace
AWS Marketplace is a comprehensive digital catalog where businesses can find, buy, deploy, and manage third-party software and services. On top of AWS Marketplace sits the Private Marketplace—a feature that empowers administrators to curate approved products into a custom digital catalog. This mechanism ensures compliance with organizational policies and standards.
A Private Marketplace experience governs a single AWS Organization. Larger entities made up of multiple AWS Organizations therefore need a way to keep the experiences in each of those organizations aligned. This blog post explores a serverless solution that does exactly that: management is centralized while the experiences in the different organizations stay synchronized.
Solution Overview
The proposed solution is a distributed serverless architecture designed to synchronize Private Marketplace experiences across multiple AWS Organizations from a central management entity. This solution comprises two main components: one deployed within the management organization and the other within the member organizations.
Here's a detailed walkthrough of deploying and managing this solution.
Step-by-Step Solution Walkthrough
Step 1: Enable Private Marketplace in Each Organization
First, enable Private Marketplace in each AWS Organization. Because it is a security best practice to avoid using the management account for day-to-day work, designate an administrative account in each organization that will activate Private Marketplace and host the solution components. Record these AWS account IDs; they are needed later.
Step 2: Create and Go Live with Member Experiences
Next, create Private Marketplace experiences in each member organization and associate them with the AWS Organization root node so that the policy reaches every account. Make each member experience live so that it can be kept aligned with the management experience: once live, accounts under the root can only subscribe to products the experience allows. Existing subscriptions are not affected; only new procurement is restricted.
Step 3: Establish the Management Experience
In the central management organization, create the Private Marketplace experience that will serve as the source of truth for the member experiences. Use the administrative account identified in Step 1 for this.
Step 4: Deploy the Management Component
Deploy the management component of the solution in the administrative account of the management organization. The deployment produces output parameters that you will need when deploying the member components in the next step.
Step 5: Deploy the Member Component
Using the output parameters from the previous step, deploy the member component in the administrative account of each member organization. Once deployed, the member experiences are synchronized with the management experience every hour. If you only want specific experiences synchronized, set the MEMBER_EXPERIENCE_IDS environment variable to the IDs of those experiences.
To bring additional member organizations under the same central management experience, repeat Steps 4 and 5 for each one. When you rerun Step 4 for an additional organization, set the OnlyCrossAccountAccessRole parameter to "yes". This deploys only the cross-account access resources the new member needs rather than a second copy of the entire management component. As with any cross-account role, check that its trust policy is limited to the member account that is meant to assume it.
Step 6: Validate Synchronization
After deployment, synchronization runs automatically every hour, but you can trigger it manually to validate the setup: add a new product to the management experience, start a synchronization run, and confirm that each member experience now includes the product.
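The hourly sync in Step 5 and the check in Step 6 come down to one question per member experience: which products does the management experience allow that the member does not, and vice versa? The following is an added example written for this post, not code from the solution it describes. It models each experience as a set of product IDs (placeholder IDs, constructed here), assumes MEMBER_EXPERIENCE_IDS is a comma-separated list, and adds one safeguard the page does not mention: if the management experience reads back empty while a member still has products, it refuses to produce a deny-everything plan. Reading experiences and applying changes through the Marketplace Catalog API are left out; only the reconciliation logic is shown.

```python
"""Reconciliation model for keeping member Private Marketplace experiences
aligned with a management experience.

Added example for this post, not code from the solution it describes.
Assumptions: an experience is modelled as a set of allowed product ids,
MEMBER_EXPERIENCE_IDS is a comma-separated list, and the empty-management
safeguard in plan_sync() is an added check, not something the page states.
"""
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class SyncPlan:
    experience_id: str
    allow: frozenset  # in the management experience, missing from the member
    deny: frozenset   # in the member experience, no longer in management

    @property
    def is_noop(self) -> bool:
        return not self.allow and not self.deny


def select_member_experiences(all_member_ids, env_value=None):
    """Ids to sync: every member experience when MEMBER_EXPERIENCE_IDS is unset
    or empty, otherwise only the listed ones. An id that does not exist raises,
    so a typo cannot silently leave an experience unsynchronized."""
    if env_value is None:
        env_value = os.environ.get("MEMBER_EXPERIENCE_IDS", "")
    wanted = {x.strip() for x in env_value.split(",") if x.strip()}
    if not wanted:
        return sorted(all_member_ids)
    unknown = wanted - set(all_member_ids)
    if unknown:
        raise ValueError(f"MEMBER_EXPERIENCE_IDS names unknown experiences: {sorted(unknown)}")
    return sorted(wanted)


def plan_sync(experience_id, management_products, member_products, *, allow_wipe=False):
    """Compute the allow/deny changes that make the member match management.

    Safeguard (assumption, added here): an empty management list while the member
    still has products most likely means the management read failed. Refuse to
    turn that into a deny-everything plan unless the caller opts in.
    Denying a product only blocks new procurement; existing subscriptions stay."""
    mgmt, member = frozenset(management_products), frozenset(member_products)
    if not mgmt and member and not allow_wipe:
        raise RuntimeError(f"{experience_id}: management experience read back empty; refusing to deny all")
    return SyncPlan(experience_id, allow=mgmt - member, deny=member - mgmt)


def apply_plan(plan, member_products):
    """Model of the member experience after the plan has been applied."""
    return (frozenset(member_products) - plan.deny) | plan.allow


def is_in_sync(management_products, member_products):
    """Step 6 check: the member allows exactly what management allows."""
    return frozenset(management_products) == frozenset(member_products)


def sync_all(management_products, members, env_value=None):
    """Plan one run across the selected member experiences.

    `members` maps experience id -> currently allowed product ids.
    Returns {experience id: SyncPlan} for the selected experiences only."""
    plans = {}
    for exp_id in select_member_experiences(members.keys(), env_value):
        plans[exp_id] = plan_sync(exp_id, management_products, members[exp_id])
    return plans


# Constructed sample data (placeholder ids, not real Marketplace identifiers).
MANAGEMENT = {"prod-a", "prod-b", "prod-c"}
MEMBERS = {
    "exp-org1": {"prod-a", "prod-b"},                        # missing prod-c
    "exp-org2": {"prod-a", "prod-b", "prod-c", "prod-old"},  # prod-old no longer approved
    "exp-org3": {"prod-a", "prod-b", "prod-c"},              # already in sync
}

if __name__ == "__main__":
    for exp_id, plan in sync_all(MANAGEMENT, MEMBERS, "").items():
        after = apply_plan(plan, MEMBERS[exp_id])
        print(exp_id, "allow", sorted(plan.allow), "deny", sorted(plan.deny),
              "in sync afterwards:", is_in_sync(MANAGEMENT, after))
```

Running the module prints one line per member experience; after applying each plan every member matches the management experience, and the already-aligned one produces an empty plan, which is what you expect to see from an hourly run where nothing changed. The unknown-ID and empty-management checks are the two failure modes worth guarding against in a sync that can remove products from a live experience.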
Cleanup Process
If you decide to deactivate the solution, delete the deployed resources so you are not charged for them. Do this by deleting the CloudFormation stacks in each relevant AWS account, starting with the member organizations and finishing with the management organization. To restore the original product availability, archive the Private Marketplace experiences created in Step 2; until they are archived, the live experiences keep restricting procurement.
Conclusion
By implementing this serverless distributed solution, you gain centralized control over Private Marketplace experiences across multiple AWS Organizations. This setup helps enforce compliance and security while streamlining software procurement across diverse organizational units. For industries with stringent regulatory requirements, it provides the necessary governance while reducing the overhead of running a separate procurement process in each organization.
FAQs
What are the benefits of using AWS Private Marketplace?
AWS Private Marketplace provides a controlled environment for software procurement, ensuring that only approved and compliant products are used. This reduces security risks and helps maintain adherence to organizational policies.
How often is the synchronization process triggered?
The synchronization process is automatically triggered every hour, but it can also be manually initiated to test or validate changes.
What happens if a member organization already has subscribed products before synchronization?
Existing subscriptions are not affected when synchronization occurs. Only new subscriptions must conform to the products allowed by the Private Marketplace experience.
How do I handle deactivation of the solution?
To deactivate the solution, delete the CloudFormation stacks in the order of member organizations first, followed by the management organization. Additionally, archive the created Private Marketplace experiences to restore the original product availability.
By adopting the outlined strategy, organizations can centralize their software procurement processes, ensuring they adhere to corporate policies and standards efficiently.