AWS Marketplace Vendor Insights – Simplify Third-Party Software Risk Assessments

Overseas Selections
re:Invent
The Overseas Selections section gathers high-quality technical content about Amazon Web Services from around the world. In this content, "AWS" is an abbreviation of "Amazon Web Services" and is not displayed as a trademark on this website.
[AWS Marketplace Vendor Insights](https://aws.amazon.com/marketplace/features/vendor-insights) is a new capability of [AWS Marketplace](https://aws.amazon.com/marketplace/). It simplifies third-party software risk assessments when procuring solutions from AWS Marketplace.

It helps you ensure that third-party software continuously meets your industry standards by compiling security and compliance information, such as data privacy and residency, application security, and access control, in one consolidated dashboard.

As a security engineer, you may now complete a third-party software risk assessment in a few days instead of months. You can now:

- Quickly discover products in AWS Marketplace that meet your security and certification standards by searching for and accessing Vendor Insights profiles.
- Access and download current and validated information, with evidence gathered from the vendors' security tools and audit reports. Reports are available for download through [AWS Artifact](https://aws.amazon.com/artifact/) third-party reports (now available in preview).
- Monitor your software's security posture post-procurement and receive notifications for security and compliance events.

As a software vendor, you can now reduce the operational burden of responding to buyer requests for risk assessment information, and give your customers a self-service access experience. You can now:

- **Build your product's security profile** by uploading your [ISO 27001](https://www.iso.org/isoiec-27001-information-security.html) or [SOC 2 Type 2](https://us.aicpa.org/interestareas/frc/assuranceadvisoryservices/serviceorganization-smanagement.html) report and completing a software risk assessment with [AWS Audit Manager](https://aws.amazon.com/audit-manager/).
- **Store and share** your compliance reports, such as ISO 27001 and SOC 2 Type 2, using [AWS Artifact](https://aws.amazon.com/artifact/) third-party reports (preview).
- **View and approve** buyer requests to view the security controls and compliance artifacts stored in Vendor Insights.

### Let's See It in Action

I want to procure a solution on AWS Marketplace. But before purchasing the product, as a security engineer, I want to review its compliance. I navigate to the [AWS Marketplace](https://aws.amazon.com/marketplace/) page of the [AWS Management Console](https://console.aws.amazon.com/). I use the faceted search on the left side [to select vendors that are ISO 27001 compliant](https://aws.amazon.com/marketplace/search?VENDOR_INSIGHTS=SECURITY_PROFILES&filters=VENDOR_INSIGHTS).

![image.png](https://dev-media.amazoncloud.cn/54ea2ddad8d9461d816fe381ee51c35f_image.png)

I select a product. On the Product Overview page, I select **View assessment data** on the top right side (not shown on the screenshot). This opens the overview page, which shows the **Security certification received** and its **Expiration date**.

![image.png](https://dev-media.amazoncloud.cn/b8a7b09b3327450d951cf44f89a604f3_image.png)

I select the **Security and compliance** tab and see that I need to request access to view the detailed security and compliance information. I select the **Request access** button on the top right side to ask the vendor for access to their compliance documents.

![image.png](https://dev-media.amazoncloud.cn/11dd2ed7b55241c6abb873d42b6a8aac_image.png)

On the next page, I fill in the **Your information** form with my details, and I select **Request access**.

![image.png](https://dev-media.amazoncloud.cn/1ec3c447578b4f7da685eb759b6019bb_image.png)

The **Next Steps** section details what happens next. The seller contacts me to sign a nondisclosure agreement (NDA). The seller notifies AWS Marketplace when the NDA is signed. Then, I am granted access to the Vendor Insights data.

The process can take a few days. For this demo, I switch to a fictional product—Everest—for which I already have access to the compliance data. Here is the **Security and compliance** tab once my request for access has been accepted.

The **Summary** section shows how many controls are available. It reports how many have been validated with evidence and how many have been self-reported by the seller. It also shows how many noncompliant controls are reported. This distinction matters for your assessment: a validated control is backed by audit evidence (the SOC 2 or ISO 27001 report, or automated evidence collected from the vendor's accounts), whereas a self-reported control is the vendor's own attestation and should be weighed accordingly.

I can scroll down the page to see the details for multiple categories: Audit, compliance and security policy; Data security; Access management; Application security; Risk management and incident response; Business resiliency and continuity; End user device security; Infrastructure security; Human resources; and Security and configuration policy. The screenshot does not show all of them.

![image.png](https://dev-media.amazoncloud.cn/0e01a9aea4a04fed9dbf14314fc0701e_image.png)

I select the detail for **Access control** and see the list under **Control name**. For each control, I can see the compliance status for **SOC 2 Type 2**, **ISO 27001**, and the **Vendor self-assessment**.

![image.png](https://dev-media.amazoncloud.cn/1e4f0fedb580427c8e06ba6fec43548c_image.png)

I select the noncompliant control to get the details and the explanation the vendor provided.

![image.png](https://dev-media.amazoncloud.cn/0e8636bebc9d4daa9380112317ae25e4_image.png)

If needed, I can also use [AWS Artifact](https://aws.amazon.com/artifact/) third-party reports (preview) to download the underlying compliance reports.

### For Software Vendors

As a software vendor, you can create a security profile for your SaaS products on [AWS Marketplace](https://aws.amazon.com/marketplace/) and share this profile with your prospective and existing buyers. It reduces the manual work your engineering and security teams spend responding to customer questionnaires.

To create a security profile, you need to complete a self-assessment using [AWS Audit Manager](https://aws.amazon.com/audit-manager/) in your Marketplace management AWS account, share your current SOC 2 Type 2 and ISO 27001 compliance artifacts if available, and turn on automated assessment using Audit Manager and [AWS Config](https://aws.amazon.com/config/) in your production AWS accounts.

Our team has created an [AWS CloudFormation](https://aws.amazon.com/cloudformation/) template to automate the onboarding steps. You can find the technical resources, such as the setup guide and the onboarding templates, in [our GitHub repository](https://github.com/aws-samples/aws-marketplace-vendor-assessment-onboarding). Once the profile is created, Vendor Insights keeps your security profile up to date using automated evidence from Audit Manager and [AWS Config](https://aws.amazon.com/config/). Updates to your profile are sent as notifications, and your security and compliance team can review them before they are shared with buyers.

With Vendor Insights, you manage access to your product's security profile by approving buyers' subscription requests. When a buyer requests access, Vendor Insights shares their contact information by email with your compliance or deal-desk operations team. They complete the NDA with the buyer and notify AWS Marketplace to grant the buyer access to your security profile. You can also ask AWS Marketplace to revoke the buyer's subscription at a later date if you no longer want to share your product's security and compliance posture with that buyer.

The entire process is documented in the [AWS Marketplace Vendor Insights seller guide](https://docs.aws.amazon.com/marketplace/latest/userguide/vendor-insights.html).

### Pricing and Availability

Vendor Insights is now available in [all AWS Regions where AWS Marketplace is available](https://docs.aws.amazon.com/marketplace/latest/buyerguide/supported-regions.html).

The pricing model is very simple: there is no charge for using AWS Marketplace Vendor Insights.

For buyers, you can access and download assets during your procurement phase. You lose access to the Vendor Insights profile if you have not purchased the product within 60 days. When you purchase the product, you keep access to its security profile for continuous monitoring of its compliance status.

For sellers, AWS Marketplace does not charge to activate and use Vendor Insights. You will incur the usual fees for your usage of Audit Manager and [AWS Config](https://aws.amazon.com/config/).

Go and [start your risk assessments on AWS Marketplace today](https://aws.amazon.com/marketplace/features/vendor-insights).

-- [seb](https://twitter.com/sebsto)

![image.png](https://dev-media.amazoncloud.cn/9074ddd3472f4413acc417cad3986b30_image.png)

### [Sébastien Stormacq](https://aws.amazon.com/blogs/aws/author/stormacq/)

Seb has been writing code since he first touched a Commodore 64 in the mid-eighties. He inspires builders to unlock the value of the AWS cloud, using his secret blend of passion, enthusiasm, customer advocacy, curiosity and creativity. His interests are software architecture, developer tools and mobile computing. If you want to sell him something, be sure it has an API. Follow him on Twitter @sebsto.