Enterprise customers with multiple AWS accounts want to subscribe once to an AWS Marketplace product and have all accounts in the organization deploy AWS Marketplace solutions without needing each account to subscribe first.
AWS Control Tower helps customers create accounts and manage many account configurations and best practices. AWS Service Catalog helps customers deploy AWS resources using a repeatable process that follows best practice for standardization, compliance, and security considerations.
Managing AWS Marketplace licenses across accounts can be complex. Customers want to automate this as part of their normal solution process. In this blog post, we will show you how to use AWS Control Tower and AWS Service Catalog to grant AWS Marketplace licenses to accounts managed by Control Tower, enabling you to easily use AWS Marketplace products in your solutions and services.
This solution uses the following AWS services:
- AWS CloudFormation
- AWS Service Catalog
- AWS Systems Manager
- AWS License Manager
- AWS Lambda
- AWS Marketplace
Most of the resources are set up for you with an AWS CloudFormation stack.
For information about AWS Service Catalog concepts and terminology used in this post, see Overview of AWS Service Catalog.
The following diagram shows the solution architecture for deploying AWS Marketplace licenses to accounts managed by AWS Control Tower.
Figure 1: Solution architecture diagram
A. The administrator deploys an AWS CloudFormation template that creates resources in the management account, gets the AWS Marketplace license information, and then creates an AWS Service Catalog product that can be used to deploy licenses to other accounts.
B. The administrator uses the AWS Service Catalog product to deploy an AWS Marketplace license to a managed account and creates an AWS Service Catalog product in the managed account for the AWS Marketplace product. This step can also be used to update the AWS Service Catalog product with new accounts and AWS Marketplace licenses.
C. An end user in the managed account uses AWS Service Catalog to deploy and use the AWS Marketplace solution.
- Deploy AWS Control Tower.
- Create an organizational unit (OU).
- Create two accounts in the OU.
- Subscribe to an AWS Marketplace AMI solution.
Configure an environment
Download the content
- Download the content
- Extract the zipped file “mgtentitlement.zip” that was downloaded
- The following artifacts below are located in the extracted folder named “content/mgtentitlement“:
Follow these steps to upload content and use your own bucket:
- Create an S3 bucket. Make a note of the bucket name (mgtent-your-awsaccountID).
- Upload the content folder from the previous step to the bucket.
- Open the content/mgtentitlement folder and navigate the setup file, sc_mgtentitlement_setup.json.
- Under Object URL, copy the link for sc_mgtentitlement_setup.json.
Follow these steps to deploy the CloudFormation template:
- Sign in to your AWS account as an administrator with permission to create resources.
- Open the AWS CloudFormation console
- Choose Create Stack, with new resources (standard).
- Choose Amazon S3 URL, paste the link you copied into Amazon S3 URL, and then choose Next.
- In Specify stack details, for Stack name, enter mgtentitlementsetup.
- Under Parameters:
- HoldingBucket, enter the S3 bucket name you created
- SCenduser, enter the user, group, or role that will have access to AWS Service Catalog portfolio
- Choose Next.
- On the Configure stack options page, choose Next.
- On the Review page, select the I acknowledge that AWS CloudFormation might create IAM resources and I acknowledge that AWS CloudFormation might require the following capability: CAPABILITY_AUTO_EXPAND check boxes.
- Choose Create stack, and then wait for the status to change to CREATE_COMPLETE
Deploy an AWS Marketplace license to a managed account
- In the CloudFormation console, choose the Output tab.
- Right-click and open in a new browser tab the URL next to MgtentitlementLicManagment.
- Choose Launch product.
- In Parameters:
- Enter a provisioned product name if one is not generated automatically.
- For ImageId, enter the AMI for the AWS Region.
- For License, choose the license you want to deploy.
- For OrganizationlUnits, choose the target OU.
- For RecipientAccount, choose the account you want to deploy the license to.
- Choose Launch product and then wait for the status to change to Available
Figure 2: Parameters
A license will be granted to the recipient account and an AWS Service Catalog product will be created in the recipient account for the AWS Marketplace product
After the status has changed to Available, you can view a report that shows the grants that have been deployed. Scroll down and select the Reports URL.
Figure 3: Sample report
Congratulations! You have successfully deployed an AWS Marketplace license to a managed account.
Update the AWS Service Catalog product
You can add new AWS Marketplace subscriptions or accounts at any time. Follow these steps to update the AWS Service Catalog product with new AWS Marketplace subscriptions or accounts.
- In the left navigation pane of the AWS Service Catalog console, choose Products.
- Choose the AWS MP License Management -ManageEntitlements product, and then choose Launch product.
- In Parameters:
- For Provisioned product name, enter a name or select the Generate name check box.
- For ImageId, use the default.
- For License, choose any license.
- For RecipientAccount, choose 01-Update_Accounts-And-Subscriptions.
- Choose Launch product and then wait for the status to change to Available.
The AWS Service Catalog product will now be updated with the latest AWS Marketplace subscriptions and organization accounts. You can repeat this process at any time
To avoid ongoing charges in your account, delete the resources you created.
Use the AWS Service Catalog console to delete the AWS Service Catalog product. Choose Provisioned products, and from Actions, choose Terminate.
In this post, we showed you an easy way that enterprises can use AWS Service Catalog to subscribe to AWS Marketplace products and quickly distribute them to multiple accounts in their organizations. A process that includes AWS Service Catalog can efficiently address a business objective like license management that follows repeatable, compliant steps.
About the authors