CASE 85 · TARN · 2025
AWS Marketplace, with procurement in the loop again.
A defence systems integrator had 47 active AWS Marketplace subscriptions, most of them purchased by engineers with the corporate card permissions Marketplace grants. Procurement found out about each one only on the invoice. We built a governance layer with private offers, subscription approvals, and an org-level marketplace block.
Defence systems integrator
LANDING ZONE
2025
RESULTS
What changed, by the numbers.
SHADOW PROCUREMENT
0
PRIVATE OFFERS NEGOTIATED
8
SUBSCRIPTION-APPROVAL LATENCY
< 1d
SOX CONTROLS
IN COMPLIANCE
HOW IT WENT
The SOX auditors had flagged it: procurement controls didn’t apply to AWS Marketplace, and Marketplace spend had grown past the threshold where that was acceptable. The engineering team didn’t want to lose the speed of self-service; procurement didn’t want to lose visibility.
We landed in the middle. SCPs blocked direct Marketplace subscriptions across the org by default; an approval workflow (integrated with the existing procurement system) routed each request to procurement, with a 1-day SLA. For the eight highest-spend products, procurement negotiated private offers, capturing $340k in annual savings.
Shadow procurement dropped to zero — every subscription is now procurement-visible by default. The 1-day approval latency was fast enough that engineering stopped complaining. The SOX finding cleared.
RELATED · SAME DOMAIN
Other engagements in this space.
READY WHEN YOU ARE
Let's get your AWS bill (and architecture) in order.
The discovery call is free. You walk away with at least one concrete idea — even if we never work together.