Why Clazar Requests Access to Your AWS Environment
Last updated: July 23, 2025
At Clazar, we prioritize security, transparency, and customer control. When you deploy our AWS CloudFormation stack, it provisions a set of resources that allow us to deliver a seamless AWS Marketplace experience. This article outlines why we request specific levels of access, what we do with it, and how it's securely managed.
What Access Are We Requesting?
When launching the Clazar CloudFormation stack, the following resources are created in your AWS account:
1. IAM Role for Secure Access (ClazarRoleStack)
Purpose: Allows Clazar to assume a secure, scoped IAM Role using an external ID.
Use Case: Lets us interact with AWS APIs on your behalf (e.g., to read Marketplace data).
Security: Follows AWS best practices for cross-account access. You define the role name and external ID.
2. S3 & SNS Integration for Marketplace Data
Purpose: Optional setup for reading data from AWS services like:
CAS (Commerce Analytics Service)
SDDS (Software Delivery and Distribution Service)
Use Case: Receive sales, usage, and customer entitlement data in real-time.
Security: We only access files or messages related to your Marketplace operations.
3. SQS Queue for Event Processing
Purpose: Queue to capture and forward relevant Marketplace events.
Use Case: Enables efficient, asynchronous event processing.
Security: Integrated with your defined role and permission-scoped to only this queue.
4. Marketplace Access (Optional)
Controlled by: AllowMarketplaceAccess parameter.
Purpose: Lets Clazar manage Marketplace listings (e.g., pricing, products) on your behalf.
Use Case: Only used if you explicitly opt in.
Security: Can be disabled at any time.
Why Does Clazar Need This Access?
Access Type | Why It's Needed | What Clazar Does |
IAM Role | Secure, auditable API access | Retrieve Marketplace data, report to AWS |
CAS/SDDS Buckets & Topics | AWS-required data feeds | Parse and report usage, entitlements |
SQS Queue | Event-driven architecture | Handle data updates and sync in real-time |
Marketplace Access (Optional) | Manage listings programmatically | Update SKUs, pricing only when requested |
Security, Control & Compliance
Least Privilege: Access is restricted to only what's required.
Transparent: You can review and audit every permission in the CloudFormation template.
Revocable: The IAM Role can be disabled or deleted at any time.
Encrypted Channels: All communication is encrypted, and no persistent credentials are stored.
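An added example, not Clazar's code or template: a Python check a customer could run over the role's trust policy and permission policy to confirm that only the expected account can assume the role with the agreed external ID, and to flag wildcard actions or resources for review. The account ID, external ID, queue ARN and all three policy documents are constructed placeholders.

```python
# Constructed samples: the account ID, external ID and queue ARN are
# placeholders, not values taken from Clazar's CloudFormation template.
VENDOR_ACCOUNT = "111122223333"
EXTERNAL_ID = "example-external-id"
TRUST_OK = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}}]}
TRUST_WEAK = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"AWS": "*"}}]}
PERMISSIONS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["sqs:ReceiveMessage", "sqs:DeleteMessage"],
     "Resource": "arn:aws:sqs:us-east-1:444455556666:example-queue"},
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"}]}

def as_list(value):  # IAM accepts a single string or a list in most fields
    return value if isinstance(value, list) else [value]

def account_of(principal):  # account ID from an IAM ARN, or a bare account ID
    return principal.split(":")[4] if principal.startswith("arn:") else principal

def audit_trust_policy(policy, vendor_account, external_id):
    """Findings for Allow statements that let someone assume the role."""
    findings = []
    for i, stmt in enumerate(as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict) or set(principal) != {"AWS"}:
            findings.append(f"statement {i}: principal is not an AWS account or role")
        else:
            for arn in as_list(principal["AWS"]):
                if account_of(arn) != vendor_account:
                    findings.append(f"statement {i}: unexpected principal {arn}")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if external_id not in as_list(cond.get("sts:ExternalId", [])):
            findings.append(f"statement {i}: sts:ExternalId condition missing or wrong")
    return findings

def audit_permissions(policy):
    """Flag Allow statements whose Action or Resource is a bare wildcard."""
    findings = []
    for i, stmt in enumerate(as_list(policy["Statement"])):
        if stmt.get("Effect") == "Allow":
            for field in ("Action", "Resource"):
                if "*" in as_list(stmt.get(field, [])):
                    findings.append(f"statement {i}: {field} is '*'")
    return findings
```

A wildcard finding is a prompt to review that statement, since some AWS actions only accept `"Resource": "*"`; with the constructed samples, `TRUST_WEAK` yields two findings and `PERMISSIONS` yields one.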
Optional Parameters You Control
Parameter | Description | Default |
| Grants Clazar permission to manage listings | |
| Existing SNS topics if already enrolled | Optional |
| Custom S3 buckets for analytics | Optional |
Need Help?
If you have any questions about these permissions or would like to review them with our team, please contact support. We're happy to walk through the access in detail and customize the stack to meet your internal compliance needs.