SaaS Policy Rules for AWS Marketplace

AWS Marketplace has updated its policies for SaaS products as of May 1, 2025. These changes aim to enhance security, reliability, and compliance for SaaS providers and their customers. Here's what you need to know:

  • Key Updates:
    • SaaS products must be fully hosted on AWS to qualify for customer AWS spend commitments.
    • Products deployed entirely on AWS get a "Deployed on AWS" badge.
    • Compliance covers pricing, security, data privacy, and technical architecture.
  • Compliance Essentials:
    • Use AWS IAM or STS for secure access.
    • Submit detailed documentation (e.g., IAM policies, architecture diagrams).
    • Ensure container images and AMIs are free of critical vulnerabilities.
    • Process all billing exclusively through AWS Marketplace.
  • Prevent Violations:
    • Follow pricing guidelines (e.g., no free products, billing through AWS only).
    • Provide instant customer access and clear subscription details.
    • Regularly update listings and technical documentation.

These changes are critical for SaaS providers to maintain compliance, avoid disruptions, and build trust with AWS customers.

AWS Marketplace SaaS Policy Basics

Required AWS Marketplace SaaS Standards

To qualify toward customer AWS spend commitments, AWS now mandates that SaaS products must be hosted entirely on AWS infrastructure [4]. To achieve the "Deployed on AWS" badge, SaaS providers need to meet these criteria:

  • Both the application and control planes must run exclusively on AWS.
  • Any third-party services used for transmitting, storing, or processing application data must operate within AWS, with a few exceptions like CDNs, DNS, and corporate IdPs.
  • Tools for security monitoring and data replication, even when operated externally, must send all data to AWS for analysis and storage.

Additionally, SaaS providers are required to:

  • Use AWS STS or IAM for secure resource provisioning.
  • Enforce least-privilege access controls.
  • Document AWS service usage and IAM policies.
  • Ensure container images stored in Amazon ECR are free from critical vulnerabilities.

Now let’s look at how to avoid common compliance pitfalls.

How to Prevent Policy Violations

Many compliance issues stem from confusion around billing, pricing, and customer access. To avoid these problems and maintain a compliant listing, SaaS providers should adhere to the following:

Billing and Pricing Standards

  • Ensure at least one pricing option is above $0.00.
  • Process all billing exclusively through AWS Marketplace - direct customer payments are not allowed.

Customer Access Requirements

  • Provide immediate web console access after subscription.
  • Notify customers when their accounts are created.
  • Display the subscription status directly within the SaaS application.
  • Include support contact information on the fulfillment landing page.

For SaaS products deployed in AWS GovCloud (US), providers must:

  • Add "GovCloud" as a prefix to the product title.
  • Clearly document architectural boundaries, limitations, and any unsupported workloads.

Regularly updating submissions in the AWS Marketplace Management Portal is crucial. Keeping architectural diagrams and deployment templates up to date helps prevent compliance issues.

According to Forrester research conducted in 2023, commitment retirement remains a key reason customers opt for AWS Marketplace transactions [5].

Technical and Security Requirements

AWS Marketplace enforces stringent technical and security standards for SaaS listings to maintain platform integrity and safeguard customers. These requirements build on the compliance measures discussed earlier.

Infrastructure Setup and Testing

To qualify for the "Deployed on AWS" badge in AWS Marketplace, SaaS providers must ensure their applications operate entirely within AWS infrastructure, covering both the application and control planes. This is critical for reliable deployment and seamless integration.

Here are the key infrastructure requirements:

  • AWS Service Integration: Providers must document all AWS services used and their configurations.
  • Template Validation: AWS CloudFormation templates must align with AWS Marketplace policies.
  • Resource Management: Providers must record how resources are deployed within customer accounts.

"Cloud security at AWS is the highest priority." – AWS Marketplace [3]

Testing protocols are equally rigorous to validate deployment:

  • AMI Scanning: Amazon Machine Images (AMIs) must pass security scans conducted via the AWS Marketplace Management Portal.
  • Container Images: All container images should be free of critical vulnerabilities, verified using Amazon ECR scanning tools.
  • API Integration: Providers need to demonstrate successful API calls.
  • Customer Onboarding: Subscription flows must undergo review by the AWS Marketplace MCO team.
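
The container image requirement above can be enforced as a release gate. The following is an added example, not code from AWS or from this page: it assumes Amazon ECR basic scanning and the response shape of boto3's `ecr.describe_image_scan_findings`, and the sample responses and finding names are constructed.

```python
# Added example: release gate over an Amazon ECR basic-scan result.
# The SAMPLE_* dicts are constructed; they follow the response shape of
# boto3's ecr.describe_image_scan_findings(repositoryName=..., imageId=...).

BLOCKING_SEVERITIES = ("CRITICAL",)


def gate_image(scan, blocking=BLOCKING_SEVERITIES):
    """Return (allowed, reason). Fails closed: only a COMPLETE scan with zero
    blocking findings passes; a pending, failed or missing scan blocks."""
    status = scan.get("imageScanStatus", {}).get("status")
    if status != "COMPLETE":
        return False, "scan not complete (status=%s)" % status
    findings = scan.get("imageScanFindings")
    if findings is None:
        return False, "scan complete but no findings section returned"
    counts = findings.get("findingSeverityCounts", {})
    hits = {sev: counts[sev] for sev in blocking if counts.get(sev, 0) > 0}
    if not hits:
        return True, "no blocking findings"
    names = sorted(f["name"] for f in findings.get("findings", [])
                   if f.get("severity") in hits)
    return False, "blocking findings %s: %s" % (hits, ", ".join(names) or "see scan report")


SAMPLE_CLEAN = {
    "imageScanStatus": {"status": "COMPLETE"},
    "imageScanFindings": {"findingSeverityCounts": {"MEDIUM": 3}, "findings": []},
}
SAMPLE_CRITICAL = {
    "imageScanStatus": {"status": "COMPLETE"},
    "imageScanFindings": {
        "findingSeverityCounts": {"CRITICAL": 1, "HIGH": 2},
        "findings": [{"name": "EXAMPLE-FINDING-0001", "severity": "CRITICAL"},
                     {"name": "EXAMPLE-FINDING-0002", "severity": "HIGH"}],
    },
}
SAMPLE_PENDING = {"imageScanStatus": {"status": "IN_PROGRESS"}}

if __name__ == "__main__":
    for label, scan in [("clean", SAMPLE_CLEAN), ("critical", SAMPLE_CRITICAL),
                        ("pending", SAMPLE_PENDING)]:
        print(label, gate_image(scan))
```

Treating every status other than COMPLETE as a failure keeps an image whose scan is still running, or never ran, from being published as if it were clean.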

Once deployment is verified, securing every access point with robust controls becomes the next priority.

Security Standards and Access Control

A strong security framework is essential for SaaS providers, centering on access control and proactive vulnerability management.

Key practices include:

  • Access Control Framework
    Providers should use AWS Security Token Service (STS) or Identity and Access Management (IAM) for resource provisioning. This ensures secure access while adhering to least-privilege principles.
  • Documentation
    Providers must maintain detailed records of IAM policies, role configurations, user management, and service access setups.
  • Security Monitoring
    • Encrypt private data both during transit and at rest, with regular key rotation.
    • Implement tools for incident response.
    • Use consolidated logging systems for comprehensive monitoring.
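
The least-privilege and documentation practices above can be checked mechanically before a policy is submitted. This is an added example, not part of the original page or of any AWS tool: the function names and the sample policy are hypothetical, and the checks only flag statements for human review.

```python
# Added example: least-privilege review of an IAM policy document.
# SAMPLE_POLICY is constructed; bucket and role names are placeholders.

def _as_list(value):
    """IAM lets Statement, Action and Resource be a single item or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def review_policy(policy):
    """Return (findings, services): Allow statements to tighten before
    submission, and the AWS service prefixes the policy touches."""
    findings, services = [], set()
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        sid = stmt.get("Sid", "statement[%d]" % index)
        if "NotAction" in stmt:
            findings.append((sid, "NotAction in Allow grants every unlisted action"))
        for action in _as_list(stmt.get("Action")):
            service, _, name = action.partition(":")
            if action == "*" or name == "*":
                findings.append((sid, "wildcard action %s" % action))
            if action != "*":
                services.add(service.lower())
        if "*" in _as_list(stmt.get("Resource")) and "Condition" not in stmt:
            findings.append((sid, "Resource * without a Condition"))
    return findings, sorted(services)


SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadTenantData", "Effect": "Allow",
         "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-tenant-bucket/*"},
        {"Sid": "TooBroad", "Effect": "Allow",
         "Action": ["ec2:*", "sts:AssumeRole"], "Resource": "*"},
    ],
}

if __name__ == "__main__":
    problems, used = review_policy(SAMPLE_POLICY)
    print("services to document:", used)
    for sid, message in problems:
        print(sid, "->", message)
```

The returned service list doubles as a starting point for the AWS service usage documentation the listing requires.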

For deployments in AWS GovCloud (US), additional documentation is necessary to clearly define the separation between AWS Regions and GovCloud (US) Regions, ensuring compliance with government security standards.

Other best practices include:

  • Regularly consolidating and monitoring security logs.
  • Periodically reviewing and updating access policies.
  • Conducting vulnerability scans before deploying updates.

It’s important to remember AWS operates under a shared responsibility model. While AWS secures the cloud infrastructure, SaaS providers are responsible for securing their applications and data within the cloud [3]. Ongoing compliance checks and updates are crucial for maintaining adherence to AWS Marketplace standards.

SaaS Pricing and Billing Standards

AWS Marketplace follows strict pricing and billing guidelines to maintain transparency and ensure consistent revenue management.

Setting Up Public Pricing

AWS Marketplace supports three main pricing models for SaaS products, tailored to meet various business needs and customer preferences:

Pricing Model | Billing Method | Key Features
SaaS Subscriptions | Hourly usage | Pay-as-you-go model with metered billing
SaaS Contracts | Upfront payment | Fixed-term agreements with advance billing
SaaS Contracts with Pay-as-you-go | Hybrid approach | Combines fixed pricing with usage-based charges

When setting up public pricing, sellers must follow these essential requirements:

  • Define at least one pricing dimension with a price greater than $0.00.
  • Ensure each pricing dimension aligns with the software's functionality.
  • Use pricing categories that clearly describe the product's usage metrics.
  • A maximum of 24 pricing dimensions can be defined per product.

Important pricing constraints:

  • Pricing models cannot be changed after being published with limited visibility.
  • All pricing dimensions must be publicly available.
  • Sellers cannot collect payments directly from customers.
  • All billing must be exclusively handled through AWS Marketplace systems.

To finalize compliance, sellers must also integrate AWS spend requirements.

Meeting AWS Spend Requirements

To qualify for AWS Marketplace spend commitments and private pricing discounts, sellers must run their solutions entirely on AWS infrastructure.

The implementation of AWS Marketplace APIs depends on the chosen pricing model:

  • SaaS Subscriptions: Use the BatchMeterUsage API for hourly usage reporting and accurate transmission of metering records.
  • SaaS Contracts: Implement the GetEntitlements API through the AWS Marketplace Entitlement Service to manage customer access and validate entitlements.
  • SaaS Contracts with Pay-as-you-go: Use both GetEntitlements and BatchMeterUsage APIs to handle fixed contracts and usage-based charges.
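
For the BatchMeterUsage path described above, the following added example (not AWS's or this page's own code) aggregates raw usage into one record per customer, dimension and UTC hour and sends it in API-sized batches. It assumes a client with the call signature of `boto3.client("meteringmarketplace")`; the product code, customer identifiers and dimension names are placeholders.

```python
# Added example: hourly metering for BatchMeterUsage.
# Product code, customer identifiers and dimension names are placeholders.
from collections import defaultdict
from datetime import datetime, timezone

MAX_RECORDS_PER_CALL = 25  # BatchMeterUsage accepts at most 25 UsageRecords


def hourly_records(events):
    """Collapse raw usage events into one record per customer, dimension and
    UTC hour. events: (customer_identifier, dimension, aware_datetime, qty)."""
    totals = defaultdict(int)
    for customer, dimension, when, quantity in events:
        if when.tzinfo is None:
            raise ValueError("naive timestamp; usage must be reported in UTC")
        if quantity < 0:
            raise ValueError("negative quantity for %s/%s" % (customer, dimension))
        hour = when.astimezone(timezone.utc).replace(minute=0, second=0, microsecond=0)
        totals[(customer, dimension, hour)] += quantity
    return [{"CustomerIdentifier": c, "Dimension": d, "Timestamp": h, "Quantity": q}
            for (c, d, h), q in sorted(totals.items())]


def send_usage(client, product_code, records):
    """Send records in API-sized batches. Returns (record, reason) pairs that
    were not accepted, so the caller can retry or investigate them."""
    rejected = []
    for start in range(0, len(records), MAX_RECORDS_PER_CALL):
        batch = records[start:start + MAX_RECORDS_PER_CALL]
        resp = client.batch_meter_usage(ProductCode=product_code, UsageRecords=batch)
        rejected += [(r, "Unprocessed") for r in resp.get("UnprocessedRecords", [])]
        rejected += [(r["UsageRecord"], r["Status"]) for r in resp.get("Results", [])
                     if r.get("Status") != "Success"]
    return rejected


if __name__ == "__main__":
    # Constructed events: two calls in the same hour collapse into one record.
    t = datetime(2025, 5, 1, 10, 5, tzinfo=timezone.utc)
    demo = [("cust-example-1", "api_calls", t, 2),
            ("cust-example-1", "api_calls", t.replace(minute=45), 3)]
    print(hourly_records(demo))
```

Records returned by `send_usage` with a status such as CustomerNotSubscribed or DuplicateRecord were not billed and need follow-up rather than a blind resend.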

Key billing compliance requirements:

  • All charges must be processed through AWS Marketplace systems.
  • Hourly transmission of metering records is required for subscription-based products.
  • Pricing must be displayed in US dollars (USD).
  • Free products are exempt from AWS service fees.

Using Awssome for Policy Compliance

Awssome's AWS Listing Tools

Awssome makes navigating AWS Marketplace compliance easier for SaaS businesses with a suite of specialized tools. One standout feature is its observability tool, which ensures your solutions meet AWS Marketplace technical standards before they’re submitted.

Here’s how some of Awssome’s features help maintain compliance:

Feature | Compliance Benefit
Product Listing Manager | Ensures all required AWS documentation and technical specifications are complete.
FTR Compliance Scanner | Automatically checks adherence to AWS Marketplace technical requirements.
APN Registration Support | Simplifies the AWS Partner Network registration process.

The platform also includes an analytics dashboard for real-time compliance monitoring. This tool keeps businesses aligned with AWS Marketplace standards while managing multiple SaaS offerings. Awssome's unlimited product listings feature ensures consistent compliance across an entire portfolio, making it easier to maintain technical validation and streamline operations.

Awssome's AWS Compliance Features

Beyond listing tools, Awssome simplifies AWS Marketplace compliance with automated validation and standardized workflows. These built-in features are designed to help sellers meet AWS's strict pricing and technical implementation guidelines.

Some of the key compliance capabilities include:

  • Pricing Structure Validation: Automatically checks pricing dimensions to ensure they align with AWS standards [1].
  • Billing Integration: Seamlessly integrates with AWS billing requirements [7].
  • Technical Standards Monitoring: Continuously verifies that infrastructure setups meet AWS technical requirements.
  • Access Control Management: Implements AWS security protocols and manages user authentication.

To further support sellers, Awssome offers a 6-week training academy focused on compliance essentials. This program equips businesses with the knowledge to understand and implement AWS policies effectively, helping them stay ahead in the marketplace.

Key Steps for AWS Marketplace Success

To achieve success on AWS Marketplace, it's essential to build on the technical, security, and pricing standards we've already discussed. The table below provides a clear breakdown of the critical requirements you need to meet:

Requirement Category | Key Actions | Validation Method
Infrastructure | Deploy all components on AWS | AWS deployment verification
Security | Implement AWS STS/IAM with the principle of least privilege | Security compliance scan
Billing | Set up AWS Marketplace billing dimensions | Pricing structure validation
Documentation | Submit architecture diagrams and detailed IAM policies | AWS review process

When designing your SaaS solution, tenant isolation is non-negotiable. You must enforce strict separation across every layer of your architecture. As highlighted in the SaaS Lens [2]:

"Introduce isolation strategies across all layers of the architecture, providing specific constructs that ensure that any attempt to access a tenant resource is valid for the current tenant context."

Pricing is another critical area that requires alignment with AWS Marketplace guidelines. For instance, you must notify your existing customers at least 90 days in advance of any price changes [6].

To round out your compliance framework, ensure the following controls are in place:

  • Centralize logging in an audit account for thorough monitoring.
  • Use AWS Organizations to handle tenant provisioning.
  • Enforce Service Control Policy guardrails to maintain security boundaries.

FAQs

What are the key advantages of hosting SaaS products entirely on AWS for compliance with AWS Marketplace policies?

Benefits of Hosting SaaS Products Entirely on AWS

Hosting your SaaS products entirely on AWS brings several perks, especially when it comes to meeting AWS Marketplace compliance requirements. Here's why it makes sense:

  • Eligibility for Spend Commitments: Products fully hosted on AWS qualify for customer spend commitments through AWS Marketplace. This can open up more sales opportunities and align your offerings with customer purchasing incentives.
  • Streamlined Procurement: Customers can buy directly through their AWS accounts, making the purchasing process smoother and ensuring compliance with procurement standards.
  • Access to a Global Customer Base: AWS connects you to its vast network of customers, giving your product greater visibility and the chance to reach a wider audience. This can lead to increased adoption and revenue growth.
  • Centralized Management Tools: AWS provides governance tools that simplify compliance, help manage risks, and keep costs under control - all from one place.
  • Real-Time Security Insights: With access to AWS Vendor Insights, you'll have up-to-date security and compliance data at your fingertips, enabling smarter and quicker decisions.

Leveraging AWS's infrastructure not only simplifies compliance but also boosts operational efficiency and broadens your market opportunities.

What steps should SaaS providers take to ensure their products are secure before listing them on AWS Marketplace?

Before listing your SaaS product on AWS Marketplace, it's crucial to ensure it's secure. Start by conducting thorough vulnerability assessments. Combine automated tools with manual testing to uncover and address any security risks.

Stick to AWS security best practices, such as using AWS Identity and Access Management (IAM) to manage resource access and keeping your software updated to fix known vulnerabilities. You can also take advantage of AWS security services to run assessments and resolve issues before deployment. These measures will help your product meet AWS Marketplace standards and deliver a secure experience for your customers.

What steps should SaaS providers follow to stay compliant with AWS Marketplace's billing and pricing rules?

To ensure compliance with AWS Marketplace's billing and pricing rules, SaaS providers should focus on a few key practices:

  • Set pricing correctly: Make sure at least one pricing dimension is above $0.00, and all pricing dimensions must directly reflect the software being offered. Avoid bundling unrelated products or services in your pricing model.
  • Leverage AWS for billing: Use the AWS Marketplace Metering Service or Entitlement Service to handle billing and track usage accurately. Be sure to test this integration thoroughly before launching your product to avoid any issues.
  • Adhere to AWS payment policies: Never collect customer payment details directly. All transactions must be processed through the AWS Marketplace.

Take time to regularly review and update your product listings to align with AWS's latest guidelines. This proactive approach will help maintain compliance and provide a smooth experience for your customers.
