AWS Security ChangesHomeSearch

AWS marketplace documentation change

Service: marketplace · 2026-05-07 · Documentation high

File: marketplace/latest/userguide/saas-guidelines.md

Summary

Added new 'Security policies' section outlining mandatory security requirements for SaaS products including vulnerability management, data handling disclosures, encryption standards, isolation, authentication, incident notification, and audit logging.

Security assessment

The change proactively establishes comprehensive security requirements but doesn't reference any specific vulnerability or incident. It sets baseline security expectations rather than addressing an existing issue.

Diff

diff --git a/marketplace/latest/userguide/saas-guidelines.md b/marketplace/latest/userguide/saas-guidelines.md
index 7fe3c9659..202b26545 100644
--- a//marketplace/latest/userguide/saas-guidelines.md
+++ b//marketplace/latest/userguide/saas-guidelines.md
@@ -7 +7 @@
-Product setup guidelinesCustomer information requirementsProduct usage guidelinesArchitecture guidelines
+Product setup guidelinesSecurity policiesCustomer information requirementsProduct usage guidelinesArchitecture guidelines
@@ -18,0 +19,2 @@ All products and their related metadata are reviewed when submitted to ensure th
+  * Security policies
+
@@ -46,0 +49,41 @@ All SaaS products must adhere to the following product setup guidelines:
+## Security policies
+
+All SaaS products must comply with the following security policies:
+
+  * Product must comply with local laws and regulations in jurisdictions applicable to your company and your customers, such as the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and others.
+
+  * Product must be free of known vulnerabilities, end-of-life software, malware, and other malicious code at the time of publishing. If security issues or vulnerabilities are detected post-publication, the seller must patch them.
+
+  * Seller must disclose their data handling practices to customers through customer-facing documentation or by request. This disclosure must include information about:
+
+    * Data collection
+
+    * Data storage
+
+    * Data usage
+
+    * Data sharing
+
+    * Data retention
+
+    * Data backup
+
+  * Seller must delete customer data when it is no longer necessary as defined in the End User License Agreement (EULA), or upon customer request. Deletion must occur within the timeframe specified in the EULA.
+
+  * Product must use industry-standard means of encryption to protect customer data in transit, and at rest.
+
+  * Product must isolate each customer's data and environment so that no other customer can access them, unless the customer explicitly permits access.
+
+  * Product must authenticate all customers before granting access to customer data.
+
+  * Seller must notify impacted customers about any security incident that could be relevant to them.
+
+  * Product must have a documented process for customers to report a security incident related to the product.
+
+  * Seller must enable audit logging of security-relevant events when the product processes customer data. Audit logs must be retained for at least 1 year and must be protected from tampering.
+
+
+
+
+**Recommendation:** For a more comprehensive review of your security posture, use the [AWS Well-Architected Framework](https://aws.amazon.com/architecture/well-architected/).
+