

# AWS Marketplace Vendor Insights
<a name="buyer-vendor-insights"></a>

AWS Marketplace Vendor Insights simplifies software risk assessments by helping you to procure software that you trust and that meets your industry standards. With AWS Marketplace Vendor Insights, you can monitor the security profile of a product in near real-time from a single user interface. It reduces your assessment effort by providing a dashboard of a software product’s security information. You can use the dashboard to view and evaluate information, such as data privacy, application security, and access control. 

AWS Marketplace Vendor Insights gathers security data from sellers and supports buyers through procuring trusted software that continuously meets industry standards. By integrating with AWS Audit Manager, AWS Marketplace Vendor Insights can automatically pull up-to-date security information for your software as a service (SaaS) products in AWS Marketplace. AWS Marketplace Vendor Insights integrates with AWS Artifact third-party reports so you can access on-demand compliance reports for your vendor software, alongside reports for AWS services. 

AWS Marketplace Vendor Insights provides evidence-based information from 10 control categories and multiple controls. It gathers the evidence-based information from three sources: 
+ **Vendor production accounts** – Of the multiple controls, 25 support live evidence gathering from a vendor's production accounts. Live evidence for each control is generated by one or more AWS Config rules that evaluate the configuration settings of the seller's AWS resources, so the dashboard reflects the current state of those resources rather than a one-time attestation. AWS Audit Manager captures the evidence and delivers it to the AWS Marketplace Vendor Insights dashboard. 
+ **Vendor ISO 27001 and SOC 2 Type II reports** – The control categories are mapped to controls in the International Organization for Standardization (ISO) 27001 and System and Organization Controls (SOC) 2 Type II reports. When sellers share these reports with AWS Marketplace Vendor Insights, the service extracts the relevant data and presents it in the dashboard.
+ **Vendor self-assessment** – Sellers complete a self-assessment. They can also create and upload other self-assessment types, including the AWS Marketplace Vendor Insights security self-assessment and Consensus Assessment Initiative Questionnaire (CAIQ).

The following video demonstrates how you can simplify the SaaS risk assessment and use AWS Marketplace Vendor Insights.

[![AWS Videos](https://img.youtube.com/vi/faXhimuvZ2A/0.jpg)](https://www.youtube.com/watch?v=faXhimuvZ2A)


# Get started with AWS Marketplace Vendor Insights as a buyer
<a name="buyer-vendor-insights-getting-started"></a>

AWS Marketplace Vendor Insights presents security profiles for software products available in AWS Marketplace, so you can review a product's security information before you procure it and keep monitoring it afterwards. 

The AWS Marketplace Vendor Insights dashboard presents the compliance artifacts and security control information gathered for a software product that is assessed with AWS Marketplace Vendor Insights. The evidence-based information for each security control is presented on the dashboard. 

There is no charge for using AWS Marketplace Vendor Insights to access security and compliance information for products.

## Finding products with AWS Marketplace Vendor Insights
<a name="discover-awsmp-vi"></a>

You can view profile and summary information for a product on the AWS Marketplace Vendor Insights dashboard or select the category controls and learn more about data gathered on the product. To find products in AWS Marketplace with AWS Marketplace Vendor Insights, use the following procedure.

**To find products with AWS Marketplace Vendor Insights**

1. Sign in to the AWS Management Console and open the [AWS Marketplace console](https://console.aws.amazon.com/marketplace/).

1. Choose **View all products**.

1. Look for products that display the **Vendor Insights** tag.

1. Under **Refine results for Vendor Insights**, choose **Security profiles**.

1. On the **Product detail** page, under **Product Overview**, choose the **Vendor Insights** section.

1. Choose **View all profiles for this product**.

1. You can view details about the product in the **Overview** as well as a list of **Security certificates received**. 

1. Choose **Request access**.

1. On the **Request access to Vendor Insights data** page, provide your information, and then choose **Request access**.

   A success message appears, indicating that you have successfully requested access to the AWS Marketplace Vendor Insights data for this product.

## Requesting access to assessment data by subscribing
<a name="req-access-assessment-data"></a>

With AWS Marketplace Vendor Insights, you can continuously monitor the security profile of vendor software. First, subscribe, or request access, to vendor assessment data for the product that you want to monitor. If you no longer want to monitor the assessment data for a product, you can unsubscribe from its assessment data. There is no charge for using AWS Marketplace Vendor Insights to access security and compliance information for products. For more information about pricing, see [AWS Marketplace Vendor Insights Pricing](https://aws.amazon.com/marketplace/features/vendor-insights/pricing/).

To have access to all assessment data for a specific vendor product, you need to subscribe to the product's assessment data. 

**To subscribe to AWS Marketplace Vendor Insights assessment data for a product**

1. Sign in to the AWS Management Console and open the [AWS Marketplace console](https://console.aws.amazon.com/marketplace/).

1. Choose **Vendor Insights**.

1. From **Vendor Insights**, choose a product. 

1. Choose the **Overview** tab.

1. Choose **Request access**.

1. Enter your information in the fields provided.

1. When you're finished, choose **Request access**. 

   A success message appears indicating you requested access to all vendor assessment data for this product.

## Unsubscribing from assessment data
<a name="unsubscribe-assessment-data"></a>

If you no longer want access to assessment data for a vendor product, you can unsubscribe from the product's assessment data.

**To unsubscribe from AWS Marketplace Vendor Insights assessment data for a product**

1. Sign in to the AWS Management Console and open the [AWS Marketplace console](https://console.aws.amazon.com/marketplace/).

1. Choose **Vendor Insights**.

1. From **Vendor Insights**, choose the product, and then on its **Product detail** page choose **Unsubscribe**.

1. Read the terms presented for unsubscribing from AWS Marketplace Vendor Insights data.

1. Type **Unsubscribe** in the text input field, then choose **Unsubscribe**.

   A success message appears, indicating that you unsubscribed from the AWS Marketplace Vendor Insights data for this product and no longer have access to it.

# Viewing the security profile of a product with AWS Marketplace Vendor Insights
<a name="buyer-vendor-insights-view-profile"></a>

AWS Marketplace Vendor Insights gathers security data from sellers. A product's security profile displays updated information about the product's security, resiliency, compliance, and other factors needed for your assessment. This information supports buyers like you by helping you to procure trusted software that continuously meets industry standards. For each software as a service (SaaS) product that it assesses, AWS Marketplace Vendor Insights gathers the evidence-based information for multiple security controls.

**Topics**
+ [Dashboard in AWS Marketplace Vendor Insights](#dashboard-vendor-insights)
+ [Viewing the security profile of a SaaS product](#view-data)
+ [Understanding control categories](#control-categories)

## Dashboard in AWS Marketplace Vendor Insights
<a name="dashboard-vendor-insights"></a>

The dashboard presents the compliance artifacts and security control information that AWS Marketplace Vendor Insights gathers for a software product. Evidence-based information is provided for all security [control categories](#control-category-sets), and the consolidated view surfaces changes in that information, such as a change in data residency or an expiring certification. Because the data is updated and validated continuously, you can keep monitoring the software's security controls after procurement instead of relying on point-in-time questionnaires or separate risk assessment software.

## Viewing the security profile of a SaaS product
<a name="view-data"></a>

AWS Marketplace Vendor Insights helps you make decisions about a seller's software. AWS Marketplace Vendor Insights extracts data from a seller's evidence-based information across 10 control categories and multiple controls. You can view profile and summary information for a SaaS product on the dashboard or select control categories to learn more about data gathered. You must be subscribed to the product and granted access to view compliance information through the profile.

1. Sign in to the AWS Management Console and open the [AWS Marketplace console](https://console.aws.amazon.com/marketplace/).

1. Choose **Vendor Insights**.

1. From **Vendor Insights**, choose a product. 

1. On the **Profile detail** page, choose the **Security and compliance** tab.
**Note**  
A number in a red circle indicates the number of non-compliant controls.

1. For **Control categories**, choose the text under any of the listed categories to view more information. 
   + Choose the first control name (**Do you have a policy/procedure to ensure compliance with applicable legislative, regulatory and contractual requirements?**).
   + Read the information presented. You can also view the supporting AWS Artifact third-party report or any exceptions noted by the auditor.
   + Select the product name in the navigation above to return to the **Product detail** page.

## Understanding control categories
<a name="control-categories"></a>

AWS Marketplace Vendor Insights provides you with evidence-based information from multiple controls within 10 control categories. AWS Marketplace Vendor Insights gathers the information from three sources: vendor production accounts, vendor self-assessment, and vendor ISO 27001 and SOC 2 Type II reports. For more information about these sources, see [AWS Marketplace Vendor Insights](#buyer-vendor-insights).

The following list provides a description of each control category:

Access management  
Identifies, tracks, manages, and controls access to a system or application.

Application security  
Verifies if security was incorporated into the application when designing, developing, and testing it.

Audit, compliance, and security policy  
Evaluates an organization's adherence to regulatory requirements.

Business resiliency and continuity  
Evaluates the organization’s ability to quickly adapt to disruptions while maintaining business continuity.

Data security  
Protects data and assets.

End user device security  
Protects portable end user devices and the networks they are connected to from threats and vulnerabilities.

Human resources  
Evaluates how the organization handles sensitive personnel data through processes such as hiring, paying, and terminating employees.

Infrastructure security  
Protects critical assets from threats and vulnerabilities.

Risk management and incident response  
Evaluates the level of risk deemed acceptable and the steps taken to respond to risks and attacks.

Security and configuration policy  
Evaluates the security policies and security configurations that protect an organization's assets.

### Control category sets
<a name="control-category-sets"></a>

The following tables provide detailed information for each category, including the values gathered for each control. The following list describes the type of information in each column of the tables:
+ **Control set** – Controls are assigned to a control set, and each control reflects the security function of its category. Each category has multiple control sets.
+ **Control name** – Name of the policy or procedure. "Requires manual attestation" means written confirmation or documentation of the policy or procedure is required.
+ **Control description** – Questions, information, or documentation needed about this policy or procedure.
+ **Evidence extraction detail** – Information and context needed about the control to further obtain the data needed for this category.
+ **Sample value** – Example given for guidance to what a compliance value for this category might look like so that it's in accordance with regulatory standards.

**Topics**
+ [Access management controls](#access-management)
+ [Application security controls](#application-security)
+ [Audit and compliance controls](#audit-comp-controls)
+ [Business resiliency controls](#business-resiliency)
+ [Data security controls](#data-security-controls)
+ [End user device security controls](#end-user-device-security)
+ [Human resources controls](#human-resources)
+ [Infrastructure security controls](#infrastructure-security)
+ [Risk management and incident response controls](#risk-management-incident-response)
+ [Security and configuration policy controls](#security-configuration-policy)

### Access management controls
<a name="access-management"></a>

Access management controls identify, track, manage, and control access to a system or application. This table lists the values and descriptions for access management controls.

[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-vendor-insights-view-profile.html)

### Application security controls
<a name="application-security"></a>

Application security controls verify if security was incorporated into the application when designing, developing, and testing it. This table lists the values and descriptions for application security policy controls.

[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-vendor-insights-view-profile.html)

### Audit and compliance controls
<a name="audit-comp-controls"></a>

Audit and compliance controls evaluate an organization's adherence to regulatory requirements. This table lists the values and descriptions for audit and compliance controls.

[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-vendor-insights-view-profile.html)

### Business resiliency controls
<a name="business-resiliency"></a>

Business resiliency controls evaluate the organization’s ability to quickly adapt to disruptions while maintaining business continuity. This table lists the values and descriptions for business resiliency policy controls.

[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-vendor-insights-view-profile.html)

### Data security controls
<a name="data-security-controls"></a>

Data security controls protect data and assets. This table lists the values and descriptions for data security controls.

[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-vendor-insights-view-profile.html)

### End user device security controls
<a name="end-user-device-security"></a>

End user device security controls protect portable end user devices and the networks they are connected to from threats and vulnerabilities. This table lists the values and descriptions for end user device security policy controls.

[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-vendor-insights-view-profile.html)

### Human resources controls
<a name="human-resources"></a>

Human resources controls evaluate the employee related division for handling of sensitive data during processes such as hiring, paying, and terminating employees. This table lists the values and descriptions for human resources policy controls.

[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-vendor-insights-view-profile.html)

### Infrastructure security controls
<a name="infrastructure-security"></a>

Infrastructure security controls protect critical assets from threats and vulnerabilities. This table lists the values and descriptions for infrastructure security policy controls.

[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-vendor-insights-view-profile.html)

### Risk management and incident response controls
<a name="risk-management-incident-response"></a>

Risk management and incident response controls evaluate the level of risk deemed acceptable and the steps taken to respond to risks and attacks. This table lists the values and descriptions for risk management and incident response policy controls.

[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-vendor-insights-view-profile.html)

### Security and configuration policy controls
<a name="security-configuration-policy"></a>

Security and configuration policy controls evaluate security policies and security configurations that protect an organization's assets. This table lists the values and descriptions for security and configuration policy controls.

[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-vendor-insights-view-profile.html)

# Exporting snapshots as a buyer using AWS Marketplace Vendor Insights
<a name="buyer-vendor-insights-export-snapshot"></a>

A *snapshot* is a point-in-time posture of a security profile. Exporting snapshots provides a way to download and review data offline, review evidence data, and compare products.

You can export to JSON or CSV formats.

**To export a snapshot**

1. Sign in to the AWS Management Console and open the [AWS Marketplace console](https://console.aws.amazon.com/marketplace/).

1. Choose **Vendor Insights**.

1. From **Vendor Insights**, choose a product.

1. From the **Security and compliance** tab, go to the **Summary** section, and then choose **Export**. 

1. From the dropdown list, choose **Download (JSON)** or **Download (CSV)**.
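Two snapshots of the same product, exported at different times, are the raw material for the continuous monitoring described above: what matters is what changed between them. The following script is an added example and is not part of the AWS documentation or any AWS tool. It diffs two JSON exports generically, without assuming the export schema, and keys list items by a `name` field when one is present so that a reordered control list is not reported as a change. The `newly_non_compliant` helper and the two embedded sample snapshots use assumed field names (`controls`, `name`, `status`) and constructed data, because the real export layout is not shown on this page.

```python
"""Compare two exported AWS Marketplace Vendor Insights snapshots (JSON).

Added example: generic over the JSON structure, so it does not depend on the
real export schema. The two sample snapshots below are constructed for this
example and use assumed field names ("controls", "name", "status").
"""
import json
import sys


def flatten(node, prefix="", key_field="name"):
    """Flatten nested dicts and lists into {path: leaf_value}.

    List items that are dicts carrying `key_field` are addressed by that value
    (e.g. /controls[Data residency]/status) instead of by position, so a
    reordered control list is not reported as a change. Duplicate keys within
    one list would collide; exports are assumed to have unique control names.
    """
    if isinstance(node, dict):
        out = {}
        for key, value in node.items():
            out.update(flatten(value, f"{prefix}/{key}", key_field))
        return out
    if isinstance(node, list):
        out = {}
        for index, item in enumerate(node):
            label = item[key_field] if isinstance(item, dict) and key_field in item else str(index)
            out.update(flatten(item, f"{prefix}[{label}]", key_field))
        return out
    return {prefix or "/": node}


def diff_snapshots(older, newer):
    """Return {path: (old_value, new_value)} for every leaf that differs.

    A path present on only one side gets None for the missing side, which is
    how an added or removed control shows up.
    """
    before, after = flatten(older), flatten(newer)
    return {
        path: (before.get(path), after.get(path))
        for path in sorted(set(before) | set(after))
        if before.get(path) != after.get(path)
    }


def newly_non_compliant(older, newer):
    """Names of controls that are Non-compliant now but were not before
    (assumed schema: top-level "controls" list with "name" and "status")."""
    before = {c["name"]: c for c in older.get("controls", [])}
    after = {c["name"]: c for c in newer.get("controls", [])}
    return sorted(
        name
        for name, ctrl in after.items()
        if ctrl.get("status") == "Non-compliant"
        and before.get(name, {}).get("status") != "Non-compliant"
    )


# Constructed sample snapshots (not real Vendor Insights output).
SNAPSHOT_OLD = {
    "product": "Example SaaS Product",
    "snapshotDate": "2024-01-15",
    "controls": [
        {"name": "Data residency", "category": "Data security",
         "status": "Compliant", "value": "us-east-1"},
        {"name": "ISO 27001 certificate", "category": "Audit, compliance, and security policy",
         "status": "Compliant", "expires": "2024-06-30"},
        {"name": "MFA for privileged access", "category": "Access management",
         "status": "Compliant"},
    ],
}

SNAPSHOT_NEW = {
    "product": "Example SaaS Product",
    "snapshotDate": "2024-04-15",
    "controls": [  # reordered on purpose; only two control values actually changed
        {"name": "MFA for privileged access", "category": "Access management",
         "status": "Compliant"},
        {"name": "ISO 27001 certificate", "category": "Audit, compliance, and security policy",
         "status": "Non-compliant", "expires": "2024-06-30"},
        {"name": "Data residency", "category": "Data security",
         "status": "Compliant", "value": "eu-west-1"},
    ],
}


def main(argv):
    if len(argv) == 3:  # python snapshot_diff.py old.json new.json
        with open(argv[1]) as f_old, open(argv[2]) as f_new:
            older, newer = json.load(f_old), json.load(f_new)
    else:
        older, newer = SNAPSHOT_OLD, SNAPSHOT_NEW
    for path, (was, now) in diff_snapshots(older, newer).items():
        print(f"{path}: {was!r} -> {now!r}")
    print("newly non-compliant:", newly_non_compliant(older, newer))


if __name__ == "__main__":
    main(sys.argv)
```

Run it with two exported files as arguments (`python snapshot_diff.py old.json new.json`); with no arguments it diffs the embedded samples. The same diff works across two different products' snapshots, but in that case every product-specific value differs and the control-level paths are the part worth reading.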

# Controlling access in AWS Marketplace Vendor Insights
<a name="buyer-vendor-insights-controlling-access"></a>

AWS Identity and Access Management (IAM) is an AWS service that helps you control access to AWS resources. IAM is an AWS service that you can use with no additional charge. If you're an administrator, you control who can be *authenticated* (signed in) and *authorized* (have permissions) to use AWS Marketplace resources. AWS Marketplace Vendor Insights uses IAM to control access to seller data, assessments, seller self-attestation, and industry standard audit reports.

The recommended way to control who can do what in AWS Marketplace is to use IAM to create users and groups, add the users to the groups, and manage permissions at the group level. You can attach a policy to the group that grants read-only permissions; any other users who need read-only access can then be added to that group rather than having permissions attached to each user individually.

A *policy* is a document that defines the permissions that apply to a user, group, or role. The permissions determine what those principals can do in AWS. A policy typically allows specific actions, and can optionally restrict those actions to specific resources, such as Amazon EC2 instances or Amazon S3 buckets. Policies can also explicitly deny access. A *permission* is a statement within a policy that allows or denies access to a particular resource. 

**Important**  
All of the users that you create authenticate by using their credentials. However, they use the same AWS account. Any change that a user makes can impact the whole account. 

AWS Marketplace defines permissions that control the actions a principal holding them can take in AWS Marketplace. There are also policies that AWS Marketplace creates and manages that combine several permissions; for example, the `AWSMarketplaceSellerProductsFullAccess` managed policy gives a user full access to products in the AWS Marketplace Management Portal. A buyer who only needs to review Vendor Insights data does not need that policy; the read-only actions described later on this page are sufficient. 

For more information about the actions, resources, and condition keys that are available, see [Actions, resources, and condition keys for AWS Marketplace Vendor Insights](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsmarketplacevendorinsights.html) in the *Service Authorization Reference*. 

## Permissions for AWS Marketplace Vendor Insights buyers
<a name="permissions-vi-buyers"></a>

You can use the following permissions in IAM policies for AWS Marketplace Vendor Insights. You can combine permissions into a single IAM policy to grant the permissions you want. 

### `GetProfileAccessTerms`
<a name="get-profile-access-terms"></a>

`GetProfileAccessTerms` allows users to retrieve the terms they must review and accept to get access to an AWS Marketplace Vendor Insights profile.

Action groups: Read-only and read-write.

Required resources: `SecurityProfile`.

### `ListEntitledSecurityProfiles`
<a name="list-entitled-sec-profiles"></a>

`ListEntitledSecurityProfiles` allows users to list all security profiles they have an active entitlement to read.

Action groups: Read-only, list-only, and read-write.

Required resources: None

### `ListEntitledSecurityProfileSnapshots`
<a name="list-entitled-sec-profile-snapshots"></a>

`ListEntitledSecurityProfileSnapshots` allows users to list the security profile snapshots for a security profile that they have an active entitlement to read.

Action groups: Read-only, list-only, and read-write.

Required resources: `SecurityProfile`

### `GetEntitledSecurityProfileSnapshot`
<a name="get-entitled-sec-profile-snapshot"></a>

`GetEntitledSecurityProfileSnapshot` allows users to get the details of a security profile snapshot for a security profile that they have an active entitlement to read.

Action groups: Read-only and read-write.

Required resources: `SecurityProfile`
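The four actions above are everything a buyer group needs to read Vendor Insights data, so the natural policy for the read-only group described earlier is an `Allow` for exactly those actions. The following Python is an added example, not AWS code: it holds that policy as a document you can attach with the console or the CLI, evaluates actions against it with a simplified version of IAM's logic (a matching explicit deny wins, then a matching allow grants, otherwise implicit deny; conditions, `NotAction`, and resource-based policies are ignored), and lints a policy for anything broader than the read-only set. The `vendor-insights` service prefix is assumed from the Service Authorization Reference; `SomeWriteAction` is a placeholder name used only to show the implicit deny.

```python
"""Least-privilege IAM policy for an AWS Marketplace Vendor Insights buyer group,
with a small evaluator and linter (added example, not AWS code).

Assumptions: the service prefix is "vendor-insights" (as in the Service
Authorization Reference); evaluation ignores Condition, NotAction/NotResource
and resource-based policies.
"""
import fnmatch
import json

SERVICE_PREFIX = "vendor-insights"

# The four buyer actions documented above.
BUYER_READ_ACTIONS = [
    f"{SERVICE_PREFIX}:GetProfileAccessTerms",
    f"{SERVICE_PREFIX}:ListEntitledSecurityProfiles",
    f"{SERVICE_PREFIX}:ListEntitledSecurityProfileSnapshots",
    f"{SERVICE_PREFIX}:GetEntitledSecurityProfileSnapshot",
]

# Attach this to the read-only buyer group. Resource is "*" because
# ListEntitledSecurityProfiles takes no resource, and the entitlement (not the
# ARN) already limits which profiles the other three actions can reach.
BUYER_READONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VendorInsightsBuyerReadOnly",
            "Effect": "Allow",
            "Action": BUYER_READ_ACTIONS,
            "Resource": "*",
        }
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def is_allowed(policy, action, resource="*"):
    """Identity-policy evaluation in miniature: a matching explicit Deny wins,
    otherwise any matching Allow grants, otherwise implicit deny.
    Action names are case-insensitive in IAM, so both sides are lowercased."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not _matches(actions, action.lower()):
            continue
        if not _matches(stmt.get("Resource", []), resource):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def audit_policy(policy):
    """Lint Allow statements for anything beyond the buyer read-only set:
    wildcard actions, or vendor-insights actions outside BUYER_READ_ACTIONS."""
    findings = []
    read_set = {a.lower() for a in BUYER_READ_ACTIONS}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        for action in _as_list(stmt.get("Action", [])):
            if "*" in action or "?" in action:
                findings.append(f"wildcard action {action!r} in {sid}")
            elif action.lower().startswith(SERVICE_PREFIX + ":") and action.lower() not in read_set:
                findings.append(f"non-read action {action!r} in {sid}")
    return findings


if __name__ == "__main__":
    print(json.dumps(BUYER_READONLY_POLICY, indent=2))
    # SomeWriteAction is a placeholder, not a real action name; it shows the implicit deny.
    for action in BUYER_READ_ACTIONS + [f"{SERVICE_PREFIX}:SomeWriteAction"]:
        verdict = "allow" if is_allowed(BUYER_READONLY_POLICY, action) else "deny"
        print(f"{action}: {verdict}")
    print("lint findings:", audit_policy(BUYER_READONLY_POLICY))
```

Save the printed JSON and attach it to the buyers group with `aws iam put-group-policy`. The linter is the piece worth keeping in a CI check: it rejects any later edit to the group's policy that slips in `vendor-insights:*` or a non-read action, which is exactly the drift the read-only recommendation above is meant to prevent.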