AWS Marketplace CloudFormation Stack – Overview & Permissions

Last updated: November 21, 2025

This document outlines the AWS CloudFormation stack components Clazar deploys, including the required roles, permissions, and supporting services such as CAS and SDDS.

1. What the Clazar AWS CloudFormation Stack Includes

Clazar provides a set of CloudFormation templates to automatically configure all required AWS Marketplace, CAS, and SDDS components in your AWS account.

Main Stack Template

https://clazar-public-dev.s3.amazonaws.com/aws_stacks/clazar-aws-marketplace-stack-template.yaml

Nested Stack Templates

These templates collectively configure IAM roles, SQS, SNS subscriptions, Lambda functions, CAS/SDDS buckets, and Marketplace permissions required for Clazar to function.

2. Required Permissions to Run the CloudFormation Stack

Before launching the stack, ensure the AWS Seller Account and Marketplace project setup is complete.

Prerequisites

  • AWS Seller Account setup completed

  • Access to Clazar → Integrations → AWS

  • Ability to launch CloudFormation stacks

  • IAM permissions to create roles, policies, SNS/SQS resources, Lambda, and S3 bucket access

3. CloudFormation Deployment Flow

Step 1: Launch Stack

Navigate to:
Clazar Platform → Integrations → Cloud Marketplace → AWS → Launch Stack

This opens the Quick Create Stack page in AWS CloudFormation.

Step 2: Acknowledge Required Capabilities

CloudFormation will create AWS resources on your behalf, including IAM roles, policies and Lambda functions.
You must acknowledge:

  • The stack will create and modify AWS resources

  • IAM roles & permissions will be provisioned

  • Custom resources/Lambda functions will run during creation

Step 3: Create Stack

Click Create Stack to begin deployment.
Status outcomes:

  • Connected → All resources deployed successfully

  • Error → Stack rolled back due to configuration issues

4. Permissions & Roles Created by the Stack

A. Clazar Role

Role assumed by Clazar to perform all Marketplace and reporting actions.

Permissions:

  • sts:AssumeRole

  • Applied to Clazar Account root (arn:aws:iam::<ClazarAccountId>:root)

B. Clazar Role Policy Access

Used by Clazar to verify its policies.

Permissions:

  • iam:GetRole

  • iam:ListRolePolicies

  • iam:GetRolePolicy

  • iam:PassRole

C. Clazar Reporter Function

A Lambda function used once to report stack outputs to Clazar.

Permissions:

  • AWSLambdaBasicExecutionRole

  • sts:AssumeRole

D. Clazar SQS

Used to receive Marketplace, CAS, and SDDS notifications.

Includes:

  • SQS queue

  • SQS access policies

  • SNS topic subscriptions

  • Allow policies for SNS → SQS message delivery

E. Marketplace Access Policies

Grants Clazar full Marketplace management ability.

Permissions:

  • aws-marketplace:*

  • aws-marketplace-management:*

  • vendor-insights:*

SNS Access Permissions:

  • sns:Subscribe

  • sns:Unsubscribe

  • sns:GetTopicAttributes

  • sns:GetSubscriptionAttributes

  • sns:ListSubscriptionsByTopic

Targets:

  • aws-mp-subscription-notification-*

  • aws-mp-entitlement-notification-*

  • clazar-*

F. CAS & SDDS Components

CAS Bucket
Stores Commerce Analytics data.

CAS SNS Topic
Sends notifications when new CAS datasets are available.

Permissions:

  • marketplacecommerceanalytics:GenerateDataSet

S3 Access:

  • s3:GetObject

  • s3:ListBucket

  • s3:GetBucketRegion

KMS Access:

  • kms:Encrypt

  • kms:Decrypt

  • kms:DescribeKey

  • kms:GenerateDataKey

(Restricted to CAS/SDDS bucket encryption contexts)

5. CAS & SDDS Setup After Stack Creation

After the stack is completed:

CAS Setup

  1. Enroll via AWS CAS enrollment form

  2. Confirm Enrollment in Clazar

  3. Click Test Configuration

  4. Status becomes Connected if successful

SDDS Setup

  1. Enroll via AWS SDDS enrollment form

  2. Confirm enrollment in Clazar

  3. Test configuration

  4. Status updates to Connected

6. Support

If any stack, CAS, SDDS, or permission errors occur, contact Clazar Support for assistance.