AWS Security ChangesHomeSearch

AWS marketplace medium security documentation change

Service: marketplace · 2025-07-01 · Security-related medium

File: marketplace/latest/userguide/saas-guidelines.md

Summary

Removed legacy SaaS architecture guidelines (pre-May 2025) and consolidated requirements under a single 'Guidelines' section effective May 1, 2025

Security assessment

The removal of previous guidelines deleted specific security requirements like mandatory AWS-hosted components, secure provisioning via STS/IAM, and documentation for customer-deployed resources. This could relax security expectations for SaaS products unless equivalent requirements exist in the new consolidated guidelines (not shown in the diff).

Diff

diff --git a/marketplace/latest/userguide/saas-guidelines.md b/marketplace/latest/userguide/saas-guidelines.md
index c864907e8..122f90269 100644
--- a//marketplace/latest/userguide/saas-guidelines.md
+++ b//marketplace/latest/userguide/saas-guidelines.md
@@ -93 +93 @@ The following topics list and describe the architecture guidelines for SaaS prod
-  * Guidelines effective May 1, 2025
+  * Guidelines
@@ -97 +96,0 @@ The following topics list and describe the architecture guidelines for SaaS prod
-  * Current guidelines effective until April 30, 2025
@@ -101,2 +100 @@ The following topics list and describe the architecture guidelines for SaaS prod
-
-### Guidelines effective May 1, 2025
+### Guidelines
@@ -106 +104 @@ The following topics list and describe the architecture guidelines for SaaS prod
-The following guidelines go into effect on May 1, 2025. 
+The following guidelines are effective as of May 1, 2025. 
@@ -163 +161 @@ For more information on SaaS architectures, refer to the [SaaS Architecture Fund
-To receive the special designation that your product is deployed on AWS, [update your product's architecture details](./saas-product-settings.html#updating-architecture-details) in the AWS Marketplace Management Portal. Select a hosting pattern that is deployed on AWS and upload an architecture diagram that AWS reviews. For hosting patterns that AWS Marketplace considers deployed on AWS, refer to Guidelines effective May 1, 2025 in the previous section. If your hosting pattern changes, you must update your product's architecture details.
+To receive the special designation that your product is deployed on AWS, [update your product's architecture details](./saas-product-settings.html#updating-architecture-details) in the AWS Marketplace Management Portal. Select a hosting pattern that is deployed on AWS and upload an architecture diagram that AWS reviews. For hosting patterns that AWS Marketplace considers deployed on AWS, refer to Guidelines in the previous section. If your hosting pattern changes, you must update your product's architecture details.
@@ -211,35 +208,0 @@ For more information, see [What is Architecture Diagramming?](https://aws.amazon
-### Current guidelines effective until April 30, 2025
-
-All SaaS products must adhere to the following architecture guidelines:
-
-###### Note
-
-For guidelines after April 30, 2025, refer to Guidelines effective May 1, 2025.
-
-  * A portion of your application must be hosted in an AWS account that you own.
-
-  * All application components should be hosted in infrastructure you manage. Applications that require additional resources in the customer’s infrastructure must follow these guidelines:
-
-    * Provision resources in a secure way, such as using the AWS Security Token Service (AWS STS) or AWS Identity and Access Management (IAM). 
-
-    * Provide additional documentation, including a description of all provisioned AWS services, IAM policy statements, and how an IAM role or user is deployed and used in the customer’s account. 
-
-    * Include a notification in the product description that explains that if the customer incurs additional AWS infrastructure charges separate from their AWS Marketplace transaction, they're responsible for paying the additional infrastructure charges.
-
-    * If your product deploys an agent, you must provide instructions to the customer that describe how to deploy it in their AWS account.
-
-    * Applications that require resources running in the customer's infrastructure will have an additional review by AWS Marketplace, which can take 2-4 weeks.
-
-  * Successfully call the AWS Marketplace APIs from the AWS account that registered as a provider and submitted the SaaS publishing request. The SaaS pricing model determines which APIs should be called:
-
-    * SaaS contracts – [GetEntitlements](https://docs.aws.amazon.com/marketplaceentitlement/latest/APIReference/API_GetEntitlements.html) in the AWS Marketplace Entitlement Service.
-
-    * SaaS contracts with consumption – [GetEntitlements](https://docs.aws.amazon.com/marketplaceentitlement/latest/APIReference/API_GetEntitlements.html) in the AWS Marketplace Entitlement Service and [BatchMeterUsage](https://docs.aws.amazon.com/marketplacemetering/latest/APIReference/API_BatchMeterUsage.html) in the AWS Marketplace Metering Service.
-
-    * SaaS subscriptions – [BatchMeterUsage](https://docs.aws.amazon.com/marketplacemetering/latest/APIReference/API_BatchMeterUsage.html) in the AWS Marketplace Metering Service.
-
-  * SaaS products offered exclusively in the AWS GovCloud (US) Regions must explain the architectural boundaries between other AWS Regions and the AWS GovCloud (US) Regions, use cases for the product, and the workloads not recommended for the product.
-
-
-
-