AWS partner-central documentation change
Summary
Restructured documentation to introduce detailed user personas with role-specific managed policy recommendations, expanded policy mapping guidance, and added context about Amazon Q access.
Security assessment
The changes emphasize security best practices like least-privilege access by mapping specific personas to granular managed policies, but there is no evidence of addressing a concrete security vulnerability. The documentation adds clarity about IAM policy assignments and explicitly notes that all listed policies grant access to Amazon Q (an operational feature), which helps users understand access implications.
Diff
diff --git a/partner-central/latest/getting-started/managed-policy-mappings.md b/partner-central/latest/getting-started/managed-policy-mappings.md index 91b507505..e480603a9 100644 --- a//partner-central/latest/getting-started/managed-policy-mappings.md +++ b//partner-central/latest/getting-started/managed-policy-mappings.md @@ -5 +5 @@ -# Managed policy mappings +Understanding Partner Central Personas and Policy MappingCommon AWS Partner Central User Personas @@ -7 +7 @@ -The following table shows the managed policies that must be associated with IAM identities (users/roles) for each scenario. +# Mapping Partner Central Users to Managed Policies @@ -9 +9,11 @@ The following table shows the managed policies that must be associated with IAM -Scenario | User role | Required managed policies | Notes +## Understanding Partner Central Personas and Policy Mapping + +Each persona represents a distinct role within your partner organization with specific access needs to AWS Partner Central features. Match your users to these personas to assign the appropriate managed policy that grants necessary permissions while maintaining security best practices. + +###### Important + +All managed policies below grant users access to Amazon Q, an AI-powered assistant providing real-time support and guidance within AWS Partner Central. For more information on Amazon Q, see [here](https://docs.aws.amazon.com/amazonq/latest/qdeveloper-ug/what-is.html). + +## Common AWS Partner Central User Personas + +User persona | Persona Description | Recommended Partner Central Managed policies | Partner Central responsibilities @@ -11 +21,34 @@ Scenario | User role | Required managed policies | Notes -Full access to all AWS Partner Central and AWS Marketplace features | Alliance Lead + Marketplace | +IAM Administrator | This individual typically sits in IT Security, Information Security, or Governance/Compliance teams, but this varies by organization. They should have administrator access to the AWS account used to access AWS Partner Central. | This individual should have administrator rights within the AWS account in order to provision users' IAM permissions | + + * Collaborate with alliance lead/users to understand level of access required + * Onboard users to AWS IAM and provision access + * Audit user access + * Set up single sign-on to streamline access + + +Alliance Lead (Head of AWS Partnership, Director of Cloud Alliances) | Owns the AWS relationship and is responsible for driving growth of the AWS partnership through program alignment, co-sell readiness and cross-functional execution | + + * `AWSPartnerCentralFullAccess` + * `AWSMarketplaceFullAccess` + +These policies combined provision these users with full read and write access to all features in AWS Partner Central. For a detailed breakdown of what this policy contains, see [here](https://docs.aws.amazon.com/partner-central/latest/getting-started/security-iam-awsmanpol.html). | + + * Manages ACE co-sell pipeline + * Submits and tracks program applications + * Oversees partner progress via the Scorecard and benefits eligibility + * Approves MP listings, funding and program applications, solutions and marketing assets + * Manages company profile + * Defines user permissions requires and collaborates with IAM Administrator to provision access in IAM + + +Program Coordinator (Partner Operations Manager, Alliance Team Member, APN Program Administrator) | Collaborates closely with Alliance Lead to distribute oversight responsibilities by supporting tracking of requirements, management of submissions and ensuring compliance. | + + * `AWSPartnerCentralFullAccess` + * `AWSMarketplaceFullAccess` + +These users are essentially an extension of the Alliance Lead and require similar permissions. These policies combined provisions these users with full read and write access to all features in AWS Partner Central. For a detailed breakdown of what this policy contains, see [here](https://docs.aws.amazon.com/partner-central/latest/getting-started/security-iam-awsmanpol.html). | + + * Tracks certifications, scorecard metrics and program deadlines + * Submits documentation for programs, listings, solutions and funding + * Coordinates across teams to gather and submit inputs + * Handles operational issues @@ -13,2 +56,31 @@ Full access to all AWS Partner Central and AWS Marketplace features | Alliance L - 1. `AWSPartnerCentralFullAccess` - 2. `AWSMarketplaceSellerFullAccess` + +Marketing Manager (Partner Marketing Manager, Channel Marketing Lead) | The Marketing Manager builds awareness and drives demand for AWS-aligned offerings. They develop campaigns, create content, and apply for joint marketing programs. | + + * `AWSPartnerCentralMarketingManager` + * `AWSPartnerCentralBenefitIncentive` (only applicable if this persona is also responsible for managing funding programs/allocation) + +| + + * Create and list solutions and products on the AWS Marketplace + * Create case studies + * Manage campaigns + * Manage funding such as Market Development Funds (MDF) + + +Sales Manager (Account Manager, Account Executive, Business Development Manager) | Accelerate revenue by sourcing, registering and closing AWS-related deals in collaboration with AWS field teams. | `AWSPartnerCentralOpportunityManagement` This policy grants users the ability to view and edit the entire pipeline of opportunities within your AWS Partner Central account. This policy is designed for team members who are actively working on partner opportunities and need access to opportunity management features, but don't require access to all Partner Central capabilities. This policy also provides access to other general purpose features, like the ability to access partner documentation, contact support, and track progress with the Scorecard. | + + * Registers co-sell opportunities + * Accepts and manages AWS-referred leads + * Maintains co-sell opportunity hygiene + * Views pipeline metrics and reports on opportunity status and progress + + +Integration Engineer/Developer | Technical user supporting the partner alliances team with building and maintaining CRM integrations connecting partner systems to AWS Partner Central APIs | `AWSFullAccessSandboxFullAccess` | + + * Design and implement integrations + + +Technical Lead | The Technical Lead is the engineer or architect who ensures their organization's solutions meet AWS technical standards and program requirements. They design and implement scalable cloud architectures, provide technical guidance across teams, and optimize solutions for performance, security, and cost. | + + * `AWSPartnerCentralFullAccess` + * `AWSMarketplaceSellerProduct` @@ -17 +88,0 @@ Full access to all AWS Partner Central and AWS Marketplace features | Alliance L -Access parity to Partner Central 2.0 Alliance Lead and Alliance Team | Alliance Lead | @@ -19,2 +90,6 @@ Access parity to Partner Central 2.0 Alliance Lead and Alliance Team | Alliance - 1. `AWSPartnerCentralFullAccess` - 2. `AWSMarketplaceSellerProductsFullAccess` + * Create solutions and submit Foundational Technical Reviews + * Apply for programs or specializations and support with technical supporting documentation + * Access to AWS technical documentation and enablement not available publicly + + +Funding Program Manager | The Funding Program Manager owns financial operations tied to AWS—tracking revenue, reconciling payments, and managing funding audits and reporting. | `PartnerCentralIncentiveBenefitManagement` This policy provides access to manage incentive and benefit programs within AWS Partner Central. | @@ -22,4 +97,3 @@ Access parity to Partner Central 2.0 Alliance Lead and Alliance Team | Alliance -| `AWSMarketplaceSellerProductsFullAccess` gives access to solution management which is moved to [AWS Marketplace](https://docs.aws.amazon.com/marketplace/latest/userguide/user-guide-for-sellers.html) -Access parity to Partner Central 2.0 ACE user and ACE manager | ACE manager | `AWSPartnerCentralOpportunityManagement` | -Access parity to Partner Central 2.0 Marketing staff | Marketing staff | `AWSPartnerCentralMarketingManagement` | -Access parity to Partner Central 2.0 Channel user | Channel user | There are 2 options here: + * Create new fund requests + * Manage claims processes + * View and manage all historical fund requests @@ -27,2 +100,0 @@ Access parity to Partner Central 2.0 Channel user | Channel user | There are 2 o - 1. `AWSPartnerCentralChannelManagement` - 2. `AWSPartnerCentralChannelHandshakeApprovalManagement` @@ -30,5 +101,0 @@ Access parity to Partner Central 2.0 Channel user | Channel user | There are 2 o -| `AWSPartnerCentralChannelManagement` \- for full access. `AWSPartnerCentralChannelHandshakeApprovalManagement` \- for channel handshake approvals (subset of full access, ideally should be used by recipient AWS account that receives [Channel handshake](https://docs.aws.amazon.com/partner-central/latest/getting-started/channel-management.html)) -Technical staff | Access parity to Partner Central 2.0 Technical staff | `AWSMarketplaceSellerProductsFullAccess` | -Full access to all AWS Partner Central features | | `AWSPartnerCentralFullAccess` | As solution have moved to [AWS Marketplace](https://docs.aws.amazon.com/marketplace/latest/userguide/user-guide-for-sellers.html), solution management is not part of this access -Access parity to Partner Central 2.0 Cloud admin | | Not applicable | Depending on which access control service is used by partners, they should use managed policies from [IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/security-iam-awsmanpol.html), [Identity Center](https://docs.aws.amazon.com/singlesignon/latest/userguide/security-iam-awsmanpol.html), or other mechanisms from external identity providers -Access parity to Partner Central 2.0 Standard user | | Not applicable | Standard user did not grant access to Partner Central 2.0 features.