Marketplace Vendor Insights - AWS Audit Manager automated assessments not well designed / AWSVendorInsightsConformancePackv1


Hi, as a SaaS ISV selling a product on the AWS Marketplace, I decided to use the AWS Audit Manager continuous automated assessment documented in Step 4 here: https://docs.aws.amazon.com/marketplace/latest/userguide/vendor-insights-setting-up.html.

However, the stacks and stacksets that it references (GitHub repo) (associated with conformance pack "AWSVendorInsightsConformancePackv1"), create AWS resources that themselves violate the checks/postures embodied in the said automated assessment, creating a downward spiral of work that never reaches a finish line:

Example of non-compliant S3 buckets created by AWSVendorInsightsConformancePackv1 that are flagged as non-compliant

Another head-scratcher rule is "no inline policies" in IAM Users, Roles, or Groups, when AWS's first-party configuration wizards routinely use them. Inline policies are impossible to avoid: shown here created by the AWS Systems Manager easy configuration wizard, and the VendorInsights CF stackset

Please recall the AWSVendorInsightsConformancePackv1 scripts if they are so clearly unhelpful to a Marketplace ISV to reach any reasonable finish line.

Thanks, Sid

Sid M
asked a month ago, 116 views
No answers
