If you're running a SaaS business, listing on AWS Marketplace can streamline procurement, help customers optimize their AWS spend, and accelerate sales cycles. Here's what we learned and what you need to know to list your product.

Business

Simplified Procurement

SaaS products procured through the AWS Marketplace are part of the AWS bill. This is especially relevant for large organizations with complex procurement processes - if they already use AWS, everything is already set up. This can literally shorten the entire process by weeks.

PPA/EDP Commitment

Organizations with considerable AWS spending ($1M+ yearly) can negotiate discounts (Private Pricing Agreements/Enterprise Discount Programs). Think of PPAs/EDPs as AWS Savings Plans, but instead of being tied to compute services, they apply to the entire AWS bill [1].

AWS Marketplace spending counts toward the committed spending up to a negotiated percentage (usually 25% of the AWS bill). Some companies literally need to spend money to pay less. Why not help them and give them something in return?

There is one important remark, though: only products deployed on AWS qualify for this. Your product must run entirely on AWS except for DNS, CDN, and IdP, which can be from third parties [2] [3].

Technical

Before we dive into the details, here are a few important notes:

• You publish your product on the AWS Marketplace from your AWS account. Consider using a dedicated AWS account for your Marketplace integration. This helps with security (isolating permissions), billing (separating Marketplace revenue), and simplifying IAM policies. Your system must call the AWS Marketplace APIs with credentials from this account. Moreover, AWS publishes messages about your customers' subscriptions to SNS topics managed by AWS. Ideally, you set up an SQS queue that listens to those topics. This queue must also be in the same AWS account you used for the listing.

• Consider having one AWS Marketplace product per environment. Of course, you will publish only the production one. You can allow specific AWS accounts to see and subscribe to your (private) products.

• This post applies to Software-as-a-Service, one of the deployment models supported by the AWS Marketplace, among Server (IAM, container, and machine learning) and AWS Data Exchange. Each model has a different listing fee.

• This post applies to the SaaS contract pricing model, in which the buyer subscribes to your product for a specific timeframe (monthly/yearly) and pays in advance. It does not cover usage-based pricing or additional metered usage (i.e., your customer uses more than the selected plan offers), which AWS also supports.

• While AWS supports free trials, you must configure them separately and they are not converted into paid subscriptions [4] (unlike other deployment models).

There are two flows you must consider for the technical integration with the AWS Marketplace:

1. The sync flow, in which the buyer subscribes and accesses your app from the AWS portal.

AWS sends a POST request containing the x-amzn-marketplace-token token. In most cases, you want to redirect the buyers to your registration page so they can register in your system. You must call the ResolveCustomer API with the token to get more information about the buyer. You can also call the GetEntitlements API to get information about the subscription (e.g., the selected plan).

Here is how Cyscale handles this flow:

The ResolveCustomer API returns the customer identifier and the buyer's AWS account ID. This is your only chance to read the buyer's AWS account ID. So, if you need it, retrieve it when the buyer accesses your app and store it because the AWS Marketplace token expires in one hour. The only way to generate another token is if the buyer presses the "Set Up" button again in the AWS Marketplace console.

The GetEntitlements API returns the dimensions selected by the buyer. In our case, it will always return one dimension since we configured our listing with the "Single dimension per contract" purchasing option. Choose the "Single dimension per contract" purchasing option if your product is based on pricing plans. Each plan will be represented by one dimension. Here is the response for one of our (test) subscriptions:

{
  "Entitlements": [
    {
      "ProductCode": "dhgrl37r44c37uvg41c945by1",
      "Dimension": "pro",
      "CustomerIdentifier": "jg8fj222dyc",
      "Value": {
        "IntegerValue": 1
      },
      "ExpirationDate": "2025-03-06T14:07:47.111000+02:00"
    }
  ]
}

Another helpful tip is that you can call these APIs using the AWS CLI:

aws meteringmarketplace resolve-customer \
  --registration-token 'MC9ozVKlQ9CUw2YeSfSrcqtX4ZG0HcRxuXUTUfETzrp8lFfhk42TEEmi3iFEgDj09YXUc5kSJUuDhvVpF6bxPi+1sH+QmYQrYTdcTV+55yTOLHqw88+8rTFnUXjeQ/LBqdYOInx+wCwzXdAmTgmZk2xham0rfVWBreKrrfclW33YBgOJCrqwMA==' \
  --region eu-west-1

aws marketplace-entitlement get-entitlements \
  --region us-east-1 \
  --product-code dhgrl37r44c26uvg41c945by1 \
  --filter CUSTOMER\_IDENTIFIER=jg8fj333dyc

Notice that you can call the GetEntitlements API only in the us-east-1 region.

Be careful when configuring the dimensions for your listing: once saved, you cannot change existing dimensions (except their description) without a support ticket.

2. The async flow, in which AWS notifies you of changes to the subscription.

There are two SNS topics you must listen to: one for changes to the contract (e.g., new contract, renewal, upgrade, or expiry) and one for changes to the subscription (e.g., payment successful). These are explained very well in the AWS documentation.

Here is how Cyscale handles this flow:

One aspect to be careful of here is the order of operations. Your system might receive messages about a subscription before the buyer accesses your product from the AWS Marketplace. CustomerIdentifier will help you correlate requests and messages. Here are a few notes about the CustomerIdentifier field:

• CustomerIdentifier is unique per buyer and per product.
• If the same buyer subscribes to multiple different AWS Marketplace products, they will have a different CustomerIdentifier for each product.
• However, if a buyer unsubscribes and resubscribes to the same product, they will receive the same CustomerIdentifier.

Also, if you create multiple marketplace listings, either filter the messages based on the product-code or set up different SQS queues. The latter will give you better security.

Additional Resources

Here are some resources that helped us list Cyscale on the AWS Marketplace:

• New 2023: Best practices guide to successfully list your SaaS contract solution in AWS Marketplace (AWS Blog article)
• Successfully testing your SaaS listing in AWS Marketplace (AWS Blog article)
• AWS Marketplace - Serverless integration for SaaS products (Example) (AWS reference/example implementation)
• AWS Marketplace seller workshop
• How to create a free trial offer for SaaS contract products in AWS Marketplace (AWS Blog article)

Ending Notes

Integrating with the AWS Marketplace, while not extremely complex, requires a good amount of reading and experimenting. The entire process took us around seven person days (PDs), 2.5 days only for researching and reading.

You can check out our listing here: Cyscale Cloud Security (CNAPP/CSPM)