SCP should restrict marketplace subscriptions

Description

A Service Control Policy (SCP) should restrict the ability to subscribe to or create agreements in the AWS Marketplace. Unrestricted marketplace access allows any account member to procure third-party software, incurring costs and potentially introducing unvetted software into the environment. Limiting marketplace actions by SCP ensures procurement follows an approval process.

This rule verifies that an SCP denies all four marketplace subscription actions:

  • aws-marketplace:Subscribe
  • aws-marketplace:Unsubscribe
  • aws-marketplace:CreateAgreementRequest
  • aws-marketplace:AcceptAgreementApprovalRequest

Alternatively, a wildcard action (aws-marketplace:* or *) satisfies the requirement. Denying only a subset of these actions leaves gaps — for example, denying Subscribe but not CreateAgreementRequest still allows procurement through the agreements pathway.

Unsubscribe is included because canceling marketplace subscriptions mid-contract can violate licensing agreements, disrupt production workloads, or bypass finance and procurement approval processes. In a well-governed organization, both subscriptions and cancellations should follow a controlled change management process.

Remediation

Create an SCP that explicitly denies all four marketplace actions listed above (or aws-marketplace:*) using Action (not NotAction) and attach it to the organization root. Refer to the SCP syntax documentation for guidance.
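As an added example (not the rule's own implementation or an AWS-provided tool), the following Python evaluates an SCP document against the condition described above: it passes only when Deny statements using Action (not NotAction) cover all four subscription actions or one of the two wildcards. The sample policies are constructed; Resource and Condition scoping are deliberately not evaluated.

```python
import json

# The four subscription-related actions this rule expects an SCP to deny.
# IAM action names match case-insensitively, so everything is lower-cased.
REQUIRED_ACTIONS = {
    "aws-marketplace:subscribe",
    "aws-marketplace:unsubscribe",
    "aws-marketplace:createagreementrequest",
    "aws-marketplace:acceptagreementapprovalrequest",
}
# Either wildcard also satisfies the rule.
WILDCARDS = {"*", "aws-marketplace:*"}

# Constructed sample SCPs (not from the page). The first denies every
# marketplace action; the second denies only Subscribe, leaving the
# agreements pathway open, which is the gap described above.
COMPLIANT_SCP = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "aws-marketplace:*", "Resource": "*"}]})
PARTIAL_SCP = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": ["aws-marketplace:Subscribe"],
     "Resource": "*"}]})
# Uses NotAction, which the remediation rules out: not counted as a deny.
NOTACTION_SCP = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "NotAction": "s3:*", "Resource": "*"}]})


def missing_marketplace_denies(policy_json):
    """Return the required actions not covered by a Deny statement that uses
    Action. Allow and NotAction statements are ignored; Resource and Condition
    scoping are not evaluated (a simplifying assumption of this example)."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may be unwrapped
        statements = [statements]
    denied = set()
    for stmt in statements:
        if stmt.get("Effect") != "Deny" or "Action" not in stmt:
            continue
        actions = stmt["Action"]
        actions = [actions] if isinstance(actions, str) else actions
        lowered = {a.lower() for a in actions}
        if lowered & WILDCARDS:
            return set()  # a wildcard covers all four at once
        denied |= lowered & REQUIRED_ACTIONS
    return REQUIRED_ACTIONS - denied


def scp_restricts_marketplace(policy_json):
    """True when the SCP satisfies the rule described on this page."""
    return not missing_marketplace_denies(policy_json)
```

Running it against the partial policy reports the three actions still missing, which is exactly the finding this rule would raise.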