SCP should restrict marketplace subscriptions
Description
A Service Control Policy (SCP) should restrict the ability to subscribe to or create agreements in the AWS Marketplace. Unrestricted marketplace access allows any account member to procure third-party software, incurring costs and potentially introducing unvetted software into the environment. Limiting marketplace actions by SCP ensures procurement follows an approval process.
This rule verifies that an SCP denies all four marketplace subscription actions:
aws-marketplace:Subscribe
aws-marketplace:Unsubscribe
aws-marketplace:CreateAgreementRequest
aws-marketplace:AcceptAgreementApprovalRequest
Alternatively, a wildcard action (aws-marketplace:* or *) satisfies the requirement. Denying only a subset of these actions leaves gaps — for example, denying Subscribe but not CreateAgreementRequest still allows procurement through the agreements pathway.
Unsubscribe is included because canceling marketplace subscriptions mid-contract can violate licensing agreements, disrupt production workloads, or bypass finance and procurement approval processes. In a well-governed organization, both subscriptions and cancellations should follow a controlled change management process.
Create an SCP that explicitly denies all four marketplace actions listed above (or aws-marketplace:*) using Action (not NotAction) and attach it to the organization root. Refer to the SCP syntax documentation for guidance.
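The check described above can be sketched as follows; this is an added example, not the rule's own implementation, and the names `missing_denies` and `scp` and the sample policies are constructed for illustration. It assumes coverage may be spread across several Deny statements, honors any IAM action glob (a generalization beyond the two wildcards named above), and does not evaluate `Condition` or `Resource`.

```python
from fnmatch import fnmatchcase

# The four actions the rule requires an SCP to deny (from the page).
REQUIRED = (
    "aws-marketplace:Subscribe",
    "aws-marketplace:Unsubscribe",
    "aws-marketplace:CreateAgreementRequest",
    "aws-marketplace:AcceptAgreementApprovalRequest",
)

def _as_list(value):
    """IAM policy JSON allows a single item or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def missing_denies(policy):
    """Return the required actions that no Deny/Action statement covers."""
    patterns = []
    for stmt in _as_list(policy.get("Statement")):
        # NotAction statements are skipped: the page requires Action.
        if stmt.get("Effect") != "Deny" or "NotAction" in stmt:
            continue
        # Action names are case-insensitive in IAM, so compare lowercased.
        patterns += [a.lower() for a in _as_list(stmt.get("Action"))]
    return [r for r in REQUIRED
            if not any(fnmatchcase(r.lower(), p) for p in patterns)]

def scp(**statement):
    """Build a one-statement SCP for the constructed samples below."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Deny", "Resource": "*", **statement}]}

# Constructed sample policies (not taken from a real organization).
EXPLICIT = scp(Action=list(REQUIRED))
WILDCARD = scp(Action="aws-marketplace:*")
PARTIAL = scp(Action=["aws-marketplace:Subscribe", "aws-marketplace:Unsubscribe"])
NOT_ACTION = scp(NotAction="ec2:*")

if __name__ == "__main__":
    for name, pol in [("explicit", EXPLICIT), ("wildcard", WILDCARD),
                      ("partial", PARTIAL), ("notaction", NOT_ACTION)]:
        gaps = missing_denies(pol)
        print(f"{name:10} {'PASS' if not gaps else 'FAIL missing ' + ', '.join(gaps)}")
```

`EXPLICIT` is also the shape of a compliant policy to attach at the organization root; `PARTIAL` reproduces the gap where the agreements pathway stays open.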