

# AWS Marketplace Vendor Insights
<a name="vendor-insights"></a>

AWS Marketplace Vendor Insights is a feature that simplifies the software risk assessments that organizations perform to make sure that the software they procure is software they trust and that it meets their standards. With AWS Marketplace Vendor Insights, buyers can monitor the security profile of a product in near real-time from a single console. AWS Marketplace Vendor Insights can ease the procurement process for buyers and potentially increase sales for sellers. It reduces a buyer's assessment effort by providing a dashboard of the software product’s security and compliance information.

All security and compliance information in the AWS Marketplace Vendor Insights dashboard is based on evidence gathered from the following sources:
+ Seller's self-attestation, including the AWS Marketplace Vendor Insights security self-assessment and Consensus Assessment Initiative Questionnaire (CAIQ)
+ Industry standard audit reports (for example, International Organization for Standardization ISO 27001)
+ AWS Audit Manager, which automates evidence collection from the seller's production environment

AWS Marketplace Vendor Insights gathers compliance artifacts and security control information about the product and presents it in a dashboard. The dashboard takes data from the seller's self-assessment, evidence from audit reports, and live evidence from AWS accounts. This data feeds into the security controls and then to the dashboard for buyers to review. Live evidence is the method of consistently updating data from multiple sources to present the most current information. AWS Config is enabled in the seller's environment. Data about configurations, backups enabled, and other information is updated automatically. For example, assume that the **Access Control** for a product is **Compliant** and an Amazon Simple Storage Service (Amazon S3) bucket becomes public. The dashboard would display that the control's status changed from **Compliant** to **Undetermined**.

You must set up the baseline resources and infrastructure in your AWS accounts before using AWS Marketplace Vendor Insights. After setup is completed, AWS Marketplace Vendor Insights can gather information and generate security profiles for your software as a service (SaaS) products in AWS Marketplace. 

**Topics**
+ [Understanding AWS Marketplace Vendor Insights](vendor-insights-understanding.md)
+ [Setting up AWS Marketplace Vendor Insights](vendor-insights-setting-up.md)
+ [Viewing your AWS Marketplace Vendor Insights profile](vendor-insights-profile.md)
+ [Managing snapshots in AWS Marketplace Vendor Insights](vendor-insights-snapshot.md)
+ [Controlling access in AWS Marketplace Vendor Insights](vendor-insights-seller-controlling-access.md)

# Understanding AWS Marketplace Vendor Insights
<a name="vendor-insights-understanding"></a>

AWS Marketplace Vendor Insights gathers compliance artifacts and security control information for your product and presents it in a dashboard. The dashboard takes data from the product owner's self-assessment, evidence from audit reports, and live evidence from AWS accounts. This data feeds into the security controls and then to the dashboard for buyers to review. 

The dashboard presents the evidence-based information gathered by AWS Marketplace Vendor Insights from multiple security control categories. This provides a near real-time view of the security profile and reduces discussions between the buyer and seller. Buyers can validate a seller's information, completing assessments within a few hours. AWS Marketplace Vendor Insights provides a mechanism for sellers to keep security and compliance posture information up to date automatically. They can share it with buyers on demand, which eliminates the need to respond to questionnaires on a random basis.

AWS Marketplace Vendor Insights gathers the evidence-based information from three sources: 
+ **Your vendor self-assessment** – Supported self-assessments include the AWS Marketplace Vendor Insights security self-assessment and Consensus Assessment Initiative Questionnaire (CAIQ).
+ **Your production accounts** – Of the multiple controls, 25 controls support live evidence gathering from your production accounts. Live evidence for each control is generated by evaluating the configuration settings of your AWS resources using one or more AWS Config rules. AWS Audit Manager captures the evidence and prepares it for AWS Marketplace Vendor Insights to consume. AWS Config is enabled in the seller's environment. Data about configurations, backups enabled, and other information is updated automatically. For example, assume that the **Access Control** for a product is **Compliant** and an Amazon S3 bucket becomes public. The dashboard would display that the control's status changed from **Compliant** to **Undetermined**. The onboarding AWS CloudFormation template automates the following prerequisite steps required for enabling live evidence gathering:
  + Turning on AWS Config and the AWS Audit Manager service.
  + Creating AWS Config rules and the AWS Audit Manager automated assessment.
  + Provisioning the AWS Identity and Access Management (IAM) role so that AWS Marketplace Vendor Insights can pull assessment results.
+ **Your ISO 27001 and SOC2 Type II report** – The control categories are mapped to controls in the International Organization for Standardization (ISO) and System and Organization Controls (SOC2) reports. When you share these reports with AWS Marketplace Vendor Insights, it can extract relevant evidence from these reports and present it on the dashboard.

# Setting up AWS Marketplace Vendor Insights
<a name="vendor-insights-setting-up"></a>

The following procedure describes the high-level steps for setting up AWS Marketplace Vendor Insights on your AWS Marketplace software as a service (SaaS) listing. 

**To set up AWS Marketplace Vendor Insights on your SaaS listing**

1. [Create a security profile](#create-security-profile). 

1. (Optional) [Upload a certification](#upload-certification). 

1. [Upload a self-assessment](#upload-self-assessment). 

1. (Optional) [Enable AWS Audit Manager automated assessments](#enable-audit-manager-assessments). 

## Create a security profile
<a name="create-security-profile"></a>

A security profile provides your buyers with detailed insight into the security posture of your software product. A security profile uses associated data sources, including self-assessments, certifications, and AWS Audit Manager automated assessments.

**Note**  
You can create a limited number of security profiles. To create more security profiles, request a quota increase. For more information, see [AWS service quotas](https://docs.aws.amazon.com/general/latest/gr/aws_service_limits.html) in the *AWS General Reference*.

**To create a security profile**

1. Sign in using an IAM user or role with access to the AWS Marketplace seller account.

1. Choose **Products** and select **SaaS** to navigate to the **SaaS products** page.

1. Choose a **product**.

1. Choose the **Vendor Insights** tab, and then choose **Contact Support for adding security profile**.

1. Complete the form, and then choose **Submit**.

   The AWS Marketplace Seller Operations team will create the security profile. When the security profile is ready, they will send a notification email message to the recipients identified on the form.

## Upload a certification
<a name="upload-certification"></a>

A certification is a data source that provides evidence of your product’s security posture across multiple dimensions. AWS Marketplace Vendor Insights supports the following certifications:
+ FedRAMP certification – Validates compliance with U.S. government cloud security standards
+ GDPR compliance report – Demonstrates adherence to General Data Protection Regulation (GDPR) requirements, protecting personal data and individuals' rights to privacy
+ HIPAA compliance report – Demonstrates adherence to Health Insurance Portability and Accountability Act (HIPAA) regulations, safeguarding protected health information
+ ISO/IEC 27001 audit report – Confirms compliance with International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 27001, emphasizing information security standards
+ PCI DSS audit report – Demonstrates compliance with security standards set by the PCI Security Standards Council
+ SOC 2 Type 2 audit report – Confirms compliance with Service Organizational Control (SOC) data privacy and security controls

**To upload a certification**

1. On the **Vendor Insights** tab, navigate to the **Data sources** section.

1. Under **Certifications**, choose **Upload certification**.

1. Under **Certification details**, provide the requested information and upload the certification.

1. (Optional) Under **Tags**, add new tags.
**Note**  
For information about tags, see [Tagging your AWS resources](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html) in the *Tagging AWS Resources User Guide*.

1. Choose **Upload certification**. 
**Note**  
The certification is automatically associated with the current security profile. You can also associate certifications that you've already uploaded. On the product detail page, choose **Associate certification** under **Certifications**, select a certification from the list, and choose **Associate certification**.  
After you upload the certification, you can download it using the **Download certification** button on the product detail page. You can also update the certification details using the **Update certification** button.

   The certification status changes to **ValidationPending** until the certification details are validated. An alternate status appears during and after the data source is processed:
   + **Available** – The data source was uploaded and system validations completed successfully.
   + **AccessDenied** – The data source's external source reference is no longer accessible for AWS Marketplace Vendor Insights to read.
   + **ResourceNotFound** – The data source's external source reference is no longer available for AWS Marketplace Vendor Insights to read.
   + **ResourceNotSupported** – The data source was uploaded, but the provided source isn't supported yet. For details about the validation error, refer to the status message.
   + **ValidationPending** – The data source was uploaded but system validations are still running. There's no action item for you at this stage. The status is updated to Available, ResourceNotSupported, or ValidationFailed.
   + **ValidationFailed** – The data source was uploaded, but the system validation failed for one or more reasons. For details about the validation error, refer to the status message.

## Upload a self-assessment
<a name="upload-self-assessment"></a>

A self-assessment is a type of data source that provides evidence of your product’s security posture. AWS Marketplace Vendor Insights supports the following self-assessments:
+ AWS Marketplace Vendor Insights self-assessment
+ Consensus Assessment Initiative Questionnaire (CAIQ). For more information, see [What is CAIQ](https://cloudsecurityalliance.org/blog/2021/09/01/what-is-caiq) on the Cloud Security Alliance website.

**To upload a self-assessment**

1. Open the AWS Marketplace console at [https://console.aws.amazon.com/marketplace](https://console.aws.amazon.com/marketplace).

1. On the **Vendor Insights** tab, navigate to the **Data sources** section.

1. Under **Self-assessments**, choose **Upload self-assessment**.

1. Under **Self-assessment details**, complete the following information:

   1. **Name** – Enter a name for the self-assessment.

   1. **Type** – Choose an assessment type from the list.
**Note**  
If you chose **Vendor Insights Security Self-Assessment**, then choose **Download template** to download the self-assessment. Choose **Yes**, **No**, or **N/A** for each answer in the spreadsheet.

1. To upload the completed assessment, choose **Upload self-assessment**.

1. (Optional) Under **Tags**, add new tags.
**Note**  
For information about tags, see [Tagging your AWS resources](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html) in the *Tagging AWS Resources User Guide*.

1. Choose **Upload self-assessment**.
**Note**  
The self-assessment is automatically associated with the current security profile. You can also associate self-assessments that you've already uploaded. On the product detail page, choose **Associate self-assessment** under **Self-assessments**, select a self-assessment from the list, and choose **Associate self-assessment**.  
After you upload a self-assessment, you can download it using the **Download self-assessment** button on the product detail page. You can also update the self-assessment details using the **Update self-assessment** button.

   The status is updated to one of the following:
   + **Available** – The data source was uploaded and system validations completed successfully.
   + **AccessDenied** – The data source's external source reference is no longer available for AWS Marketplace Vendor Insights to read.
   + **ResourceNotFound** – The data source's external source reference is no longer available for AWS Marketplace Vendor Insights to read.
   + **ResourceNotSupported** – The data source was uploaded, but the provided source isn't supported yet. For details about the validation error, refer to the status message.
   + **ValidationPending** – The data source was uploaded, but system validations are still running. There's no action item for you at this stage. The status is updated to Available, ResourceNotSupported, or ValidationFailed.
   + **ValidationFailed** – The data source was uploaded, but the system validation failed for one or more reasons. For details about the validation error, refer to the status message.

## Enable AWS Audit Manager automated assessments
<a name="enable-audit-manager-assessments"></a>

AWS Marketplace Vendor Insights uses multiple AWS services to automatically gather evidence for your security profile.

You need the following AWS services and resources for automated assessments:
+ **AWS Audit Manager** – To simplify AWS Marketplace Vendor Insights setup, we use CloudFormation Stacks and StackSets, which take care of provisioning and configuring the necessary resources. The stack set creates an automated assessment containing controls that are automatically populated by AWS Config.

  For more information about AWS Audit Manager, see the [AWS Audit Manager User Guide](https://docs.aws.amazon.com/audit-manager/latest/userguide/what-is.html).
+ **AWS Config** – The stack set deploys an AWS Config conformance pack to set up the necessary AWS Config rules. These rules allow the Audit Manager automated assessment to gather live evidence for other AWS services deployed in that AWS account. For more information about AWS Config features, see the [AWS Config Developer Guide](https://docs.aws.amazon.com/config/latest/developerguide/WhatIsConfig.html).
**Note**  
You might notice increased activity in your account during your initial month of recording with AWS Config when compared to subsequent months. During the initial bootstrapping process, AWS Config reviews all the resources in your account that you have selected for AWS Config to record.  
If you run ephemeral workloads, you might see increased activity from AWS Config as it records configuration changes associated with creating and deleting these temporary resources. An *ephemeral workload* is a temporary use of computing resources that are loaded and run when needed.  
Examples of ephemeral workloads include Amazon Elastic Compute Cloud (Amazon EC2) spot instances, Amazon EMR jobs, AWS Auto Scaling, and AWS Lambda. To avoid the increased activity from running ephemeral workloads, you can run these types of workloads in a separate account with AWS Config turned off. This approach avoids increased configuration recording and rule evaluations.
+ **Amazon S3** – The stack set creates the following two Amazon Simple Storage Service buckets: 
  + **vendor-insights-stack-set-output-bucket-\{account number\}** – This bucket contains outputs from the stack set run. The AWS Marketplace Seller Operations team uses the outputs to complete your automated data source creation process.
  + **vendor-insights-assessment-reports-bucket-\{account number\}** – AWS Audit Manager publishes assessment reports to this Amazon S3 bucket. For more information about publishing assessment reports, see [Assessment reports](https://docs.aws.amazon.com/audit-manager/latest/userguide/assessment-reports.html) in the *AWS Audit Manager User Guide*.

    For more information about Amazon S3 features, see the [Amazon S3 User Guide](https://docs.aws.amazon.com/AmazonS3/latest/userguide/Welcome.html).
+ **IAM** – The onboarding stack set provisions the following AWS Identity and Access Management (IAM) roles in your account: 
  + When the `VendorInsightsPrerequisiteCFT.yml` template is deployed, it creates the administrator role `AWSVendorInsightsOnboardingStackSetsAdmin` and the execution role `AWSVendorInsightsOnboardingStackSetsExecution`. The stack set uses the administrator role to deploy the required stacks into multiple AWS Regions simultaneously. The administrator role assumes the execution role to deploy the necessary parent and nested stacks as part of the AWS Marketplace Vendor Insights setup process. For more information about self-managed permissions, see [Grant self-managed permissions](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-prereqs-self-managed.html) in the *CloudFormation User Guide*.
  + The `AWSVendorInsightsRole` role provides AWS Marketplace Vendor Insights with access to read the assessments in AWS Audit Manager resources. AWS Marketplace Vendor Insights displays the evidence found on the assessments on your AWS Marketplace Vendor Insights profile. 
  + The `AWSVendorInsightsOnboardingDelegationRole` provides AWS Marketplace Vendor Insights with access to list and read objects in the `vendor-insights-stack-set-output-bucket` bucket. This capability allows the AWS Marketplace Catalog Operations team to assist you with setting up an AWS Marketplace Vendor Insights profile.
  + The `AWSAuditManagerAdministratorAccess` role provides administrative access to enable or disable AWS Audit Manager, update settings, and manage assessments, controls, and frameworks. You or your team can assume this role to take actions for automated assessments in AWS Audit Manager.

To enable AWS Audit Manager automated assessments, you must deploy the onboarding stacks.

### Deploy the onboarding stacks
<a name="deploy-onboarding-stacks"></a>

To simplify AWS Marketplace Vendor Insights setup, we use CloudFormation Stacks and StackSets, which take care of provisioning and configuring the necessary resources. If you have a multiple account or multiple AWS Region SaaS solution, StackSets allow you to deploy the onboarding stacks from a central management account.

For more information about CloudFormation StackSets, see [Working with CloudFormation StackSets](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/what-is-cfnstacksets.html) in the *AWS CloudFormation User Guide*.

AWS Marketplace Vendor Insights setup requires that you use the following CloudFormation templates: 
+ `VendorInsightsPrerequisiteCFT` – Sets up the necessary administrator role and permissions to run CloudFormation StackSets in your account. Create this stack in your seller account. 
+ `VendorInsightsOnboardingCFT` – Sets up the required AWS services and configures the appropriate IAM permissions. These permissions allow AWS Marketplace Vendor Insights to gather data for the SaaS product running in your AWS accounts and display the data on your AWS Marketplace Vendor Insights profile. Create this stack in both your seller account and production accounts that are hosting your SaaS solution through StackSets.

#### Create the VendorInsightsPrerequisiteCFT stack
<a name="create-prerequisite-cft"></a>

By running the `VendorInsightsPrerequisiteCFT` CloudFormation stack, you set up IAM permissions to start onboarding stack sets. 

**To create the VendorInsightsPrerequisiteCFT stack**

1. Review and download the latest `VendorInsightsPrerequisiteCFT.yml` file from the [AWS Samples Repo for Vendor Insights templates folder](https://github.com/aws-samples/aws-marketplace-vendor-assessment-onboarding) on the GitHub website. 

1. Sign in to the AWS Management Console using your AWS Marketplace seller account, and then open the CloudFormation console at [https://console.aws.amazon.com/cloudformation](https://console.aws.amazon.com/cloudformation/).

1. In the CloudFormation console navigation pane, choose **Stacks**, and then choose **Create stack** and **With new resources (standard)** from the dropdown. (If the navigation pane is not visible, in the upper left corner, select and expand the navigation pane.)

1. Under **Specify template**, choose **Upload a template file**. To upload the `VendorInsightsPrerequisiteCFT.yml` file that you downloaded, use **Choose file**. Then choose **Next**.

1. Enter a name for the stack, and then choose **Next**.

1. (Optional) Configure the stack options as you want. 

   Choose **Next**.

1. On the **Review** page, review your choices. To make changes, choose **Edit** in the area that you want to change. Before you can create the stack, you must select the acknowledgement check boxes in the **Capabilities** area.

   Choose **Submit**.

1. After the stack is created, choose the **Resources** tab and make note of the following roles that are created:
   + `AWSVendorInsightsOnboardingStackSetsAdmin`
   + `AWSVendorInsightsOnboardingStackSetsExecution`

#### Create the VendorInsightsOnboardingCFT stack set
<a name="deploy-onboarding-stacks"></a>

By running the `VendorInsightsOnboardingCFT` CloudFormation stack set, you set up the required AWS services and configure the appropriate IAM permissions. This allows AWS Marketplace Vendor Insights to gather data for the SaaS product running in your AWS account and display it in your AWS Marketplace Vendor Insights profile. 

If you have a multiple account solution or if you have separate seller and production accounts, you must deploy this stack across multiple accounts. StackSets allow you to do this from the management account in which you created the prerequisite stack.

The stack set is deployed using self-managed permissions. For more information, see [Create a stack set with self-managed permissions](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-getting-started-create.html#stacksets-getting-started-create-self-managed) in the *AWS CloudFormation User Guide*. 

**To create the VendorInsightsOnboardingCFT stack set**

1. Review and download the latest `VendorInsightsOnboardingCFT.yml` file from the [AWS Samples Repo for Vendor Insights templates folder](https://github.com/aws-samples/aws-marketplace-vendor-assessment-onboarding) on the GitHub website.

1. Sign in to the AWS Management Console using your AWS Marketplace seller account, and then open the CloudFormation console at [https://console.aws.amazon.com/cloudformation](https://console.aws.amazon.com/cloudformation/).

1. In the CloudFormation console navigation pane, choose **Create StackSet**. (If the navigation pane is not visible, in the upper left corner, select and expand the navigation pane.)

1. Under **Permissions**, for the administrator role choose **IAM role name**, and then choose **AWSVendorInsightsOnboardingStackSetsAdmin** for the role name from the dropdown.

1. Enter **AWSVendorInsightsOnboardingStackSetsExecution** as the **IAM execution role name**.

1. Under **Specify template**, choose **Upload a template file**. To upload the `VendorInsightsOnboardingCFT.yml` file that you downloaded, use **Choose file** and then choose **Next**.

1. Provide the following StackSet parameters, and then choose **Next**. 
   + `CreateVendorInsightsAutomatedAssessment` – This parameter sets up the AWS Audit Manager automated assessment in your AWS account. If you have separate management and production accounts, this option should only be selected for production accounts and *not* for the management account.
   + `CreateVendorInsightsIAMRoles` – This parameter provisions an IAM role that allows AWS Marketplace Vendor Insights to read the assessment data in your AWS account.
   + `PrimaryRegion` – This parameter sets the primary AWS Region for your SaaS deployment. This is the Region where the Amazon S3 bucket is created in your AWS account. If your SaaS product is deployed to only one Region, that Region is the primary Region.

1. Configure the StackSet options as you want. Keep the **Execution** configuration as **Inactive**, and then choose **Next**.

1. Configure the deployment options. If you have a multiple account solution, you can configure the stack set to deploy across multiple accounts and Regions as a single operation. Choose **Next**.
**Note**  
If you have a multiple account solution, we do *not* recommend deploying to all accounts as a single stack set. Pay close attention to the parameters defined in step 7. You might want to enable or disable some parameters, depending on the type of accounts that you're deploying to. StackSets apply the same parameters to all specified accounts in a single deployment. You can reduce deployment time by grouping accounts in a stack set, but you still need to deploy multiple times for a multiple account solution.
**Important**  
If you're deploying to multiple Regions, the first Region that you list must be the `PrimaryRegion`. Leave the **Region Concurrency** option as the default setting of **Sequential**. 

1. On the **Review** page, review your choices. To make changes, choose **Edit** in the area that you want to change. Before you can create the stack set, you must select the acknowledgement check box in the **Capabilities** area.

   Choose **Submit**.

   The stack set takes about 5 minutes per Region to complete.
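
The parameter and Region rules in steps 7 through 9 can be checked before anything is submitted. The following Python code is an added example, not code from AWS or the aws-samples repository: it splits accounts into separate stack set deployments by parameter set, lists the `PrimaryRegion` first, and builds the arguments for the boto3 `create_stack_set` and `create_stack_instances` calls without contacting AWS. The `Account` fields, the stack set names, the `true`/`false` parameter values, `CAPABILITY_NAMED_IAM`, and the role ARN's partition and path are assumptions, and the account IDs are placeholders.

```python
from collections import defaultdict
from dataclasses import dataclass

# Role names as given on this page.
ADMIN_ROLE = "AWSVendorInsightsOnboardingStackSetsAdmin"
EXECUTION_ROLE = "AWSVendorInsightsOnboardingStackSetsExecution"


@dataclass(frozen=True)
class Account:
    account_id: str
    kind: str                # "management" or "production" (labels of this example)
    regions: tuple           # Regions the SaaS product uses in this account
    create_assessment: bool  # CreateVendorInsightsAutomatedAssessment
    create_iam_roles: bool   # CreateVendorInsightsIAMRoles


def _flag(value):
    # Assumption: the template's yes/no parameters accept "true"/"false".
    return "true" if value else "false"


def plan(accounts, primary_region, admin_account_id, template_body):
    """Return one stack set deployment per distinct (parameters, Regions) group."""
    kinds = {a.kind for a in accounts}
    split = {"management", "production"} <= kinds
    groups = defaultdict(list)
    for acct in accounts:
        if primary_region not in acct.regions:
            raise ValueError(f"{acct.account_id}: PrimaryRegion {primary_region} "
                             "is not among the account's Regions")
        if split and acct.kind == "management" and acct.create_assessment:
            raise ValueError(f"{acct.account_id}: automated assessment must not "
                             "be enabled for the management account")
        # The first Region listed must be the PrimaryRegion (duplicates dropped).
        ordered = tuple(dict.fromkeys((primary_region,) + tuple(acct.regions)))
        params = (
            ("CreateVendorInsightsAutomatedAssessment", _flag(acct.create_assessment)),
            ("CreateVendorInsightsIAMRoles", _flag(acct.create_iam_roles)),
            ("PrimaryRegion", primary_region),
        )
        # StackSets apply one parameter set to every account in a deployment,
        # so accounts that differ in parameters or Regions are deployed separately.
        groups[(params, ordered)].append(acct.account_id)

    deployments = []
    for n, ((params, regions), ids) in enumerate(groups.items(), start=1):
        name = f"vendor-insights-onboarding-{n}"  # hypothetical stack set name
        deployments.append({
            "create_stack_set": {
                "StackSetName": name,
                "TemplateBody": template_body,
                "Parameters": [{"ParameterKey": k, "ParameterValue": v}
                               for k, v in params],
                # Assumption: the named IAM roles require this acknowledgement.
                "Capabilities": ["CAPABILITY_NAMED_IAM"],
                "PermissionModel": "SELF_MANAGED",
                # Assumption: "aws" partition and default role path "/".
                "AdministrationRoleARN":
                    f"arn:aws:iam::{admin_account_id}:role/{ADMIN_ROLE}",
                "ExecutionRoleName": EXECUTION_ROLE,
                "ManagedExecution": {"Active": False},  # Execution stays Inactive
            },
            "create_stack_instances": {
                "StackSetName": name,
                "Accounts": ids,
                "Regions": list(regions),
                "OperationPreferences": {
                    "RegionConcurrencyType": "SEQUENTIAL",
                    "RegionOrder": list(regions),
                },
            },
        })
    return deployments


def example_plan():
    # Constructed sample: account IDs, Regions and template body are placeholders.
    accounts = [
        Account("111111111111", "management", ("us-east-1",), False, True),
        Account("222222222222", "production", ("eu-west-1", "us-east-1"), True, True),
        Account("333333333333", "production", ("eu-west-1", "us-east-1"), True, True),
    ]
    return plan(accounts, "us-east-1", "111111111111",
                "<contents of VendorInsightsOnboardingCFT.yml>")


if __name__ == "__main__":
    import json
    print(json.dumps(example_plan(), indent=2))
```

Each returned entry can be passed to a boto3 CloudFormation client as `create_stack_set(**entry["create_stack_set"])` followed by `create_stack_instances(**entry["create_stack_instances"])`.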

# Viewing your AWS Marketplace Vendor Insights profile
<a name="vendor-insights-profile"></a>

Your profile in AWS Marketplace Vendor Insights provides important information for buyers to use as they assess your product. For data protection purposes, we recommend that you protect your AWS account credentials and set up individual users with AWS Identity and Access Management (IAM). With that approach, each user is given only the permissions necessary to fulfill their job duties. For more information about creating users with IAM, see [Creating or using groups](marketplace-management-portal-user-access.md#creating-iam-groups). 

Buyers can assess your product by using the AWS Marketplace Vendor Insights dashboard. There, buyers can see a product overview that is defined by the data sources you add to your profile. The security profile is defined by multiple security controls in 10 categories. 

The 10 security categories used to define data are as follows:
+ Access management
+ Application security
+ Audit, compliance, and security policy
+ Business resiliency
+ Data security and privacy 
+ End user device and mobile security 
+ Human resources
+ Infrastructure security
+ Risk management and incident response
+ Security and configuration policy

For more information, see [Understanding control categories](https://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-vendor-insights-view-profile.html#control-categories) in the *AWS Marketplace Buyer Guide*.

By setting up and using AWS Marketplace Vendor Insights, you agree to comply with AWS service terms and data privacy rules to keep user information private and secure. For more information about AWS data privacy terms, see [Data Privacy FAQ](https://aws.amazon.com/compliance/data-privacy-faq/). For more information about service terms, see [AWS service terms](https://aws.amazon.com/service-terms/). 

## View your security profile as a seller
<a name="view-security-profile"></a>

After completing the self-assessment and adding other live evidence, it's important to view your profile as a seller. You will want to review the information added to your profile.

**Note**  
This profile isn't visible to buyers until you request that the AWS Marketplace Vendor Insights support team update its visibility. After the support team completes the update, the security profile is accessible to buyers that signed your nondisclosure agreement (NDA).  
If you want to delete a subscriber's personally identifiable information (PII) data from your AWS Marketplace Vendor Insights profile, start a support case by contacting [Support](https://aws.amazon.com/contact-us).

**To view your security profile as buyers view it**

1. Sign in to the AWS Management Console.

1. Go to the [SaaS Product](https://aws.amazon.com/marketplace/management/products/saas) page in the portal.

1. Choose the product with an associated security profile.

1. Select the **Vendor Insights** tab, and then choose **View Latest Released Snapshot**.

1. On the **Overview** tab, all the certificate badges you uploaded are displayed.

1. Select the **Security and compliance** tab, where you can view data gathered from multiple controls. To view more details, choose each control set.

# Managing snapshots in AWS Marketplace Vendor Insights
<a name="vendor-insights-snapshot"></a>

A *snapshot* is a point-in-time posture of a security profile. In AWS Marketplace Vendor Insights, you can use snapshots to assess a seller's product at any given time. As the seller, you can compare the security postures of your profile at different times or the latest snapshots of different security profiles to support your decision making. Snapshots provide necessary security information in addition to providing transparency about freshness and source of the data.

In the AWS Marketplace console, in the AWS Marketplace Vendor Insights **Snapshot summary** section, you can view the following snapshot details for the creation and release schedule:
+ **Last created snapshot** – Snapshot last created for this profile.
+ **Next scheduled creation** – Snapshot scheduled to be created next.
+ **Creation frequency** – Length of time between snapshot creations or the frequency of creating snapshots.
+ **Next scheduled release** – Snapshot scheduled to be released next.
+ **Staging time** – Snapshot is staged for at least this length of time and then eligible to be released during a snapshot release event.
+ **Release frequency** – Length of time between release events.

In the **Snapshot list** section, the snapshot statuses are as follows:
+ **Released** – Snapshot is public and available to view for users with permission to this product.
+ **Pending release** – Snapshot completed or is in the mandatory minimum staging period and scheduled for the next release.
+ **Private** – Snapshot created before security profile activation or had validation errors and isn't visible to the public. Private snapshots remain only in seller visibility.

**Topics**
+ [Create a snapshot](#create-snapshot)
+ [View a snapshot](#view-snapshot)
+ [Export a snapshot](#export-snapshot)
+ [View latest released snapshot](#latest-released-snapshot)
+ [Postpone a snapshot release](#postpone-snapshot)
+ [Change preferences for the snapshot list](#update-preferences-snapshot)

## Create a snapshot
<a name="create-snapshot"></a>

To create a snapshot for your profile, follow these steps. You can create a maximum of 20 snapshots per day.

1. Sign in to the AWS Management Console and open the [AWS Marketplace console](https://console.aws.amazon.com/marketplace/).

1. Choose **Vendor Insights**.

1. From **Vendor Insights**, choose a product.

1. On the product profile page, go to the **Snapshot list**, and choose **Create new snapshot**.

1. A message notifies you that the snapshot schedule will change. Choose **Create**.
**Note**  
The snapshot schedule changes when a new snapshot is created. New snapshots are scheduled for the same time as your manually created snapshot. This message includes the new schedule.

The new snapshot is created within 30 minutes and added to the snapshot list. New snapshots are created with a **Pending release** status. No one can view new snapshots until the status changes to **Released**.

## View a snapshot
<a name="view-snapshot"></a>

To view a snapshot for your profile, follow these steps. 

1. Sign in to the AWS Management Console and open the [AWS Marketplace console](https://console.aws.amazon.com/marketplace/).

1. Choose **Vendor Insights**.

1. From **Vendor Insights**, choose a product. 

1. On the product profile page, go to the **Snapshot list**, and choose the **Snapshot ID** of the snapshot that you want to view.

1. When you're finished, choose **Back** to exit the snapshot view.

## Export a snapshot
<a name="export-snapshot"></a>

You can export to JSON or CSV formats. To export a snapshot, follow these steps.

1. Sign in to the AWS Management Console and open the [AWS Marketplace console](https://console.aws.amazon.com/marketplace/).

1. Choose **Vendor Insights**.

1. From **Vendor Insights**, choose a product. 

1. On the product profile page, go to the **Snapshot list**, and choose the **Snapshot ID** of the snapshot that you want to export.

1. Choose **Export**.

1. From the dropdown list, choose **Download (JSON)** or **Download (CSV)**.

## View latest released snapshot
<a name="latest-released-snapshot"></a>

The latest released snapshot is what users use to view and assess your product's health. It's important to know what is in your latest released snapshot to ensure that you're portraying your product with accurate information. To view the latest snapshot for your profile, follow these steps. 

1. Sign in to the AWS Management Console and open the [AWS Marketplace console](https://console.aws.amazon.com/marketplace/).

1. Choose **Vendor Insights**.

1. From **Vendor Insights**, choose a product. 

1. On the product profile page, go to the **Snapshot list**, and choose the **Snapshot ID** of the snapshot that you want to view.

1. Choose **View latest released snapshot**.

1. When you're finished, choose **Back** to exit the snapshot view.

## Postpone a snapshot release
<a name="postpone-snapshot"></a>

To delay the release of a snapshot to your profile, you can postpone a snapshot release for a specific **Snapshot ID**.

1. Sign in to the AWS Management Console and open the [AWS Marketplace console](https://console.aws.amazon.com/marketplace/).

1. Choose **Vendor Insights**.

1. From **Vendor Insights**, choose a product. 

1. On the product profile page, go to the **Snapshot list**, and choose the **Snapshot ID** of the snapshot for which you want to postpone the release.

1. From the **Snapshot summary**, choose **Postpone snapshot release**.

1. A message notifies you that the snapshot schedule will change. Choose **Postpone**.

A success message appears, indicating that you have successfully postponed the snapshot release for this product.

## Change preferences for the snapshot list
<a name="update-preferences-snapshot"></a>

After creating a snapshot, you can change the preferences of how a snapshot is viewed in the **Snapshot list**. 

1. Sign in to the AWS Management Console and open the [AWS Marketplace console](https://console.aws.amazon.com/marketplace/).

1. Choose **Vendor Insights**.

1. From **Vendor Insights**, choose a product.

1. On the product profile page, go to the **Snapshot list**, and choose the **Snapshot ID** of the snapshot that you want to change.

1. Choose the preferences icon. You can customize the following preferences for your snapshot:
   + **Page size** – Select how many snapshots you want listed on each page: **10 resources**, **20 resources**, or **50 resources** per page.
   + **Wrap lines** – Select an option to wrap lines to view the entire record.
   + **Time format** – Select whether you want **Absolute**, **Relative**, or **ISO**.
   + **Visible columns** – Select options that you want visible for the snapshot details: **Snapshot ID**, **Status**, and **Date created**.

# Controlling access in AWS Marketplace Vendor Insights
<a name="vendor-insights-seller-controlling-access"></a>

AWS Identity and Access Management (IAM) is an AWS service that helps you control access to AWS resources. IAM is an AWS service that you can use with no additional charge. If you're an administrator, you control who can be *authenticated* (signed in) and *authorized* (have permissions) to use AWS Marketplace resources. AWS Marketplace Vendor Insights uses IAM to control access to seller data, assessments, seller self-attestation, and industry standard audit reports.

The recommended way to control who can do what in AWS Marketplace Management Portal is to use IAM to create users and groups. Then you add the users to the groups, and manage the groups. You can assign a policy or permissions to the group that provide read-only permissions. If you have other users that need read-only access, you can add them to the group you created rather than adding permissions for the user.

A *policy* is a document that defines the permissions that apply to a user, group, or role. The permissions determine what users can do in AWS. A policy typically allows access to specific actions, and can optionally restrict those actions to specific resources, such as Amazon EC2 instances and Amazon S3 buckets. Policies can also explicitly deny access. A *permission* is a statement within a policy that allows or denies access to a particular resource.

**Important**  
All of the users that you create authenticate by using their credentials. However, they use the same AWS account. Any change that a user makes can impact the whole account. 

AWS Marketplace has permissions defined to control the actions that someone with those permissions can take in the AWS Marketplace Management Portal. There are also policies that AWS Marketplace created and manages that combine several permissions. The `AWSMarketplaceSellerProductsFullAccess` policy gives the user full access to products in the AWS Marketplace Management Portal.

For more information about the actions, resources, and condition keys that are available, see [Actions, resources, and condition keys for AWS Marketplace Vendor Insights](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsmarketplacevendorinsights.html) in the *Service Authorization Reference*. 

## Permissions for AWS Marketplace Vendor Insights sellers
<a name="permissions-aws-vendor-insights-sellers"></a>

You can use the following permissions in IAM policies for AWS Marketplace Vendor Insights. You can combine permissions into a single IAM policy to grant the permissions you want. 

## `CreateDataSource`
<a name="create-data-source"></a>

`CreateDataSource` allows the user to create a new data source resource. Supported data sources are:
+ SOC2Type2AuditReport
+ ISO27001AuditReport
+ AWSAuditManagerSecurityAutomatedAssessment
+ FedRAMPCertification
+ GDPRComplianceReport
+ HIPAAComplianceReport
+ PCIDSSAuditReport
+ SecuritySelfAssessment

Action groups: Read-write

Required resources: None

Creates resources: `DataSource`

## `DeleteDataSource`
<a name="delete-data-source"></a>

`DeleteDataSource` allows the user to delete a data source that they own. A data source must be disassociated from any profile to be deleted. For more information, see [`AssociateDataSource`](#assoc-data-source). 

Action groups: Read-write

Required resources: `DataSource`

## `GetDataSource`
<a name="get-data-source"></a>

`GetDataSource` allows the user to retrieve the details of a data source. Details of a data source include metadata information such as associated timestamps, original creation parameters, and processing information, if any.

Action groups: Read-only, read-write

Required resources: `DataSource`

## `UpdateDataSource`
<a name="update-data-source"></a>

`UpdateDataSource` allows the user to update the details of a data source. Details include metadata information, such as the name and source information (for example, roles, source Amazon Resource Name (ARN), and source content).

Action groups: Read-only, read-write

Required resources: `DataSource`

## `ListDataSources`
<a name="list-data-source"></a>

`ListDataSources` allows the user to list the data sources that they own.

Action groups: Read-only, read-write, list-only

Required resources: None

## `CreateSecurityProfile`
<a name="list-data-source"></a>

`CreateSecurityProfile` allows the user to create a new security profile. A security profile is a resource to manage how and when a snapshot is generated. Users can also control how buyers can access snapshots by controlling the status and applicable terms of the profile.

Action groups: Read-only, read-write, list-only

Required resources: None

Creates resources: `SecurityProfile`

## `ListSecurityProfiles`
<a name="list-sec-profile"></a>

`ListSecurityProfiles` allows the user to list the security profiles that they own.

Action groups: Read-only, read-write, list-only

Required resources: None

## `GetSecurityProfile`
<a name="create-sec-profile"></a>

`GetSecurityProfile` allows users to get the details of a security profile.

Action groups: Read-only and read-write

Required resources: `SecurityProfile`

## `AssociateDataSource`
<a name="assoc-data-source"></a>

`AssociateDataSource` allows users to associate an existing `DataSource` with an AWS Marketplace Vendor Insights profile. Users can control the content of the snapshot by associating or disassociating a data source to a profile.

Action groups: Read-write

Required resources: `SecurityProfile` and `DataSource`

## `DisassociateDataSource`
<a name="disassociate-data-source"></a>

`DisassociateDataSource` allows users to disassociate an existing `DataSource` from an AWS Marketplace Vendor Insights profile. Users can control the content of the snapshot by associating or disassociating a data source to a profile.

Action groups: Read-write

Required resources: `SecurityProfile` and `DataSource`

## `UpdateSecurityProfile`
<a name="update-security-profile"></a>

`UpdateSecurityProfile` allows users to modify security profile attributes such as name and description. 

Action groups: Read-write

Required resources: `SecurityProfile`

## `ActivateSecurityProfile`
<a name="activate-sec-profile"></a>

`ActivateSecurityProfile` allows users to set an `Active` status for a security profile. After a security profile is activated, new snapshots can be created in a `Staged` state, which makes it possible to release them if other conditions are met. For more information, see [`UpdateSecurityProfileSnapshotReleaseConfiguration`](#update-sec-profile-snapshot-release-config).

An `Active` security profile with at least one `Released` snapshot is eligible for AWS Marketplace Vendor Insights discovery for end users.

Action groups: Read-write

Required resources: `SecurityProfile`

## `DeactivateSecurityProfile`
<a name="deactivate-sec-profile"></a>

`DeactivateSecurityProfile` allows users to set an `Inactive` status for a security profile. This terminal state for a security profile is equivalent to taking down the profile from shared state. Users can only deactivate a security profile if there are no active subscribers to the profile.

Action groups: Read-write

Required resources: `SecurityProfile`

## `UpdateSecurityProfileSnapshotCreationConfiguration`
<a name="update-sec-profile-snapshot-creation-config"></a>

`UpdateSecurityProfileSnapshotCreationConfiguration` allows users to define custom schedules for the snapshot creation configuration. The default creation configuration of weekly creation can be overridden with this action.

Users can use this action to change the schedule, including canceling a schedule, postponing the schedule to a future date, or initiating a new snapshot creation for an earlier time.

Action groups: Read-write

Required resources: `SecurityProfile`

## `UpdateSecurityProfileSnapshotReleaseConfiguration`
<a name="update-sec-profile-snapshot-release-config"></a>

`UpdateSecurityProfileSnapshotReleaseConfiguration` allows users to define custom schedules for the snapshot release configuration. The default release configuration of weekly releases with a two-day staging period to review can be overridden with this action.

Users can use this action to change the schedule, including canceling a schedule or postponing the schedule to a future date.

Action groups: Read-write

Required resources: `SecurityProfile`

## `ListSecurityProfileSnapshots`
<a name="list-sec-profile-snapshots"></a>

`ListSecurityProfileSnapshots` allows users to list the snapshots for a security profile that they own.

Action groups: Read-only, list-only, and read-write

Required resources: `SecurityProfile`

## `GetSecurityProfileSnapshot`
<a name="get-sec-profile-snapshots"></a>

`GetSecurityProfileSnapshot` allows users to get the snapshots for a security profile that they own.

Action groups: Read-only and read-write

Required resources: `SecurityProfile`

## `TagResource`
<a name="tag-resource"></a>

`TagResource` allows users to add new tags to a resource. Supported resources are `SecurityProfile` and `DataSource`.

Action groups: Tagging

Optional resources: `SecurityProfile` and `DataSource`

## `UntagResource`
<a name="untag-resource"></a>

`UntagResource` allows users to remove tags from a resource. Supported resources are `SecurityProfile` and `DataSource`.

Action groups: Tagging

Optional resources: `SecurityProfile` and `DataSource`

## `ListTagsForResource`
<a name="list-tags-for-resource"></a>

`ListTagsForResource` allows users to list resource tags for a resource. Supported resources are `SecurityProfile` and `DataSource`.

Action groups: Read-only

Optional resources: `SecurityProfile` and `DataSource`
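
The permissions above can be combined into a read-only group policy and checked for write access that slips in through wildcards. The following is an added example, not AWS-provided code: it treats only the `Get*` and `List*` actions listed above as read-only, and it assumes the `vendor-insights` IAM service prefix (confirm it in the Service Authorization Reference). The helper names and the sample policy are constructed for illustration.

```python
import fnmatch
import json

PREFIX = "vendor-insights"  # assumed IAM service prefix; confirm in the Service Authorization Reference

# Every action named on this page; only Get*/List* are treated as read-only here.
ACTIONS = """
CreateDataSource DeleteDataSource GetDataSource UpdateDataSource ListDataSources
CreateSecurityProfile ListSecurityProfiles GetSecurityProfile AssociateDataSource
DisassociateDataSource UpdateSecurityProfile ActivateSecurityProfile DeactivateSecurityProfile
UpdateSecurityProfileSnapshotCreationConfiguration UpdateSecurityProfileSnapshotReleaseConfiguration
ListSecurityProfileSnapshots GetSecurityProfileSnapshot TagResource UntagResource ListTagsForResource
""".split()
READ_ONLY = sorted(a for a in ACTIONS if a.startswith(("Get", "List")))


def read_only_policy():
    """Identity-based policy for a read-only group: explicit actions, no wildcards."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Resource": "*",
        "Action": [f"{PREFIX}:{a}" for a in READ_ONLY]}]}


def write_actions_granted(policy):
    """List the page's non-read actions matched by any Allow statement (wildcards expanded)."""
    # Simplification: Deny statements, NotAction and conditions are not evaluated.
    statements = policy["Statement"]
    statements = [statements] if isinstance(statements, dict) else statements
    granted = set()
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        patterns = stmt.get("Action", [])
        patterns = [patterns] if isinstance(patterns, str) else patterns
        for action in set(ACTIONS) - set(READ_ONLY):
            full = f"{PREFIX}:{action}".lower()  # IAM action names are case-insensitive
            if any(fnmatch.fnmatchcase(full, p.lower()) for p in patterns):
                granted.add(action)
    return sorted(granted)


# Constructed sample: a "read-only" group policy that slipped in a write wildcard.
SAMPLE = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Resource": "*",
    "Action": ["vendor-insights:Get*", "vendor-insights:List*", "vendor-insights:Update*"]}]}

if __name__ == "__main__":
    print(json.dumps(read_only_policy(), indent=2))
    print("write actions granted by SAMPLE:", write_actions_granted(SAMPLE))
```

Run the check against any policy document before attaching it to a read-only group. An empty result means that none of the create, update, delete, associate, activate, or tagging actions listed above are allowed.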

## Additional resources
<a name="additional-resources"></a>

The following resources in the *IAM User Guide* provide more information about getting started and using IAM:
+ [Security best practices in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html)
+ [Managing IAM policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage.html)
+ [Attach a policy to an IAM user group](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups_manage_attach-policy.html)
+ [IAM Identities (users, user groups, and roles)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id.html)
+ [Create an IAM user in your AWS account](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html)
+ [Create IAM user groups](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups_create.html)
+ [Controlling access to AWS resources using policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_controlling.html)