Security Audits: Best Practices and Readiness

How to prepare for and successfully complete a security audit

by Kevin Zhang, Solutions Architect, Selling Partner Developer Services | October 11, 2022

Amazon works hard to ensure that when customers entrust Amazon with data, that data remains secure. Therefore, stages of verification are required before granting access to restricted Selling Partner APIs. Once verification is passed and your application is listed in the Seller Central Appstore, an audit is one of the ways that Amazon ensures controls and safeguards are operating as they should.

This blog post guides you through Amazon’s security audit process from beginning to end. It is recommended to have security embedded during the early stages of development, rather than reactively fixing issues later. Consider the security best practices outlined in this blog post when building and scaling your application.

What is a security audit?

A security audit is the process Amazon uses to assess your environment and any associated documentation. Amazon utilizes an independent third party for this process. Stakeholders are then alerted to any potential security-related issues that need to be addressed to improve security posture, decrease attack surface, and mitigate risk. A security audit is not a guarantee of a vulnerability-free environment, but a best effort by security professionals operating within constraints of time, understanding, and expertise.

Why Amazon performs audits

In addition to Amazon’s own internal security processes and procedures, Amazon works to educate customers and Selling Partner Developers as to how they can keep accounts and information secure. Amazon understands that coordinating resources and meeting with an assessor can be a time-consuming process. This blog post offers guidance on how to best prepare for and pass the audits.

Amazon’s security audit requirements are driven through two policies which you agreed to when starting the process of developing a service for the Amazon Appstore.

  • Acceptable Use Policy (AUP) – Clarifies the appropriate use of the Amazon Services API (including the Marketplace Web Service API). In addition to the Amazon Services API Developer Agreement, Developers must comply with the following policies. Failure to comply may result in suspension or termination of Amazon Services API access.

  • Data Protection Policy (DPP) – The Data Protection Policy (DPP) governs the receipt, storage, usage, transfer, and disposal of Information, including the data vended and retrieved through the Amazon Services API (including the Marketplace Web Service API). This policy is applicable to all systems that store, process, or otherwise handle data vended and retrieved from the Amazon Services API. This Policy supplements the Amazon Services API Developer Agreement and the Acceptable Use Policy. Failure to comply may result in suspension or termination of Amazon Services API access.

Amazon understands this may be difficult without a specialized resource on your team or when dealing with competing priorities and other business operations. During application development, and for continuous improvement, consider using web application vulnerability checklists from industry/knowledge leaders such as SANS Institute’s checklist for web applications (including examples of tools from the top 3 cloud providers) and OWASP (a foundation that raises awareness of top web vulnerabilities).

Security is included in one of the five pillars of Amazon’s Well Architected Framework. Its best practices cover your Identity and Access Management, Detection, Infrastructure Protection, Data Protection, and Incident Response processes. In addition, Amazon has compiled Guidance to address key security controls in SP-API integration for issues that are frequently observed in prior audits. Taking the time to analyze these and implement safeguards is important when preparing for the audit, and helps improve overall security posture.

Preparing for an audit

Amazon engages third-party assessors, through an international audit/consulting firm, to perform assessments to examine whether you are handling data in line with policy and industry best practices. At the start of the audit, the assessor sends an email to the individuals you listed as contacts during application registration.

If you need assistance, the assessor can provide troubleshooting guides and support for any questions you may encounter before, during, and after the security audit. You can also reach out to them directly via email or by opening a case via the help documentation they provide.

Being prepared ahead of time is the best way to ensure a smooth assessment.

Steps on how to best prepare in advance

  • Be available - Provide the assessor with your available timeslots.
  • Submit clear supporting documentation – Use quality information to prepare the data request list (DRL) that the assessor provides. This means providing supporting evidence (for example, docs, PDFs, or screenshots) that demonstrates you have controls in place to meet AUP and DPP requirements. Submitting clear evidence and explaining it to the assessor will reduce confusion and ambiguity that could result in further questions.
  • Types of supporting documents – Assessors’ requests will often require you to provide documented evidence. These may overlap with Amazon’s DPP and AUP, or other industry standards or regulatory audits such as SOX 404, GDPR, SOC, ISO, or PCI DSS. Examples of this include, but are not limited to: configuration screenshots, user activity logs, change management logs, authentication mechanisms, vulnerability reports, encryption mechanisms, and data retention. Having a reliable way to store or repeatedly generate this information upon request will ease the burden of passing an audit for your team. AWS Audit Manager is one tool to consider for automating evidence collection.

Conducting an audit

There are also steps you can take during an audit to help ensure things proceed smoothly. First, when assembling team resources, you’ll want to include someone familiar with application business use cases, application development practices, and network infrastructure. Assessors can meet with you on a virtual call for discussions.

Second, during the security audit, the assessors will walk through the documentation you provided and ask clarifying questions or request screen sharing to dive deeper into topics. Having your supporting documents on hand is essential at this stage.

Post-Audit

After the security audit meeting, the assessor will take time for review and will then issue a report after a few business days. Be sure to whitelist email contacts that are provided to you and monitor communications during this time. Make sure messages from the auditor are not being sent to your spam folders.

In addition to monitoring communications, it is also important for correspondence to be maintained. If Amazon does not receive contact, enforcement actions such as revoking the ability to accept new authorizations may be applied.

Wrapping up the audit

After the audit is complete, the third-party assessor will share results with you via their web portal. Any issues where there are gaps (required action) in meeting policy and any recommendations (optional action) for improvement will be listed in the web portal.

At this time, you will be prompted to log in to the portal to start remediating issues by submitting the following:

  • Plan of Approval (POA) – Submit your POA indicating how you will address the issue. Amazon provides pre-approved plans, or you can enter your own plan that suits your methodology. Amazon will review your plan to verify its effectiveness, to ensure time isn’t wasted on a solution that can’t be implemented. If you need assistance, a Solutions Architect from Amazon can communicate with you through the portal via comments.
  • Remediation – Once the POA is approved, you can go ahead and implement the proposed solution. Next, upload supporting evidence (for example, doc, PDF, or screenshot) for the solution you have implemented. For this step, it is beneficial to be as detailed as possible.

If no issues were identified, or you have fully remediated all listed issues, then congratulations! You have completed the audit and have successfully demonstrated your commitment to securing customer trust.

Conclusion

By performing audits that verify security controls are in place, both Amazon and your organization can mitigate the risk of PII data exposure and misuse. Audits can take valuable time from team resources when employees have to spend time attending interviews, gathering requested documentation, and implementing remediation for audit issues. However, utilizing the guidance information shared in this blog post to prepare before, during, and after the audit can help alleviate some of that burden.

Begin with the end in mind – cooperate with the assessor’s requests and provide clear documentation. The clearer and more detailed your submissions are, the less opportunity there is for misunderstanding, or for you not getting credit for the hard work you’ve already done. During the audit, have the right personnel attending who can speak about your environment. After the audit, be mindful of communications such as timeline and priority on the audit issues identified.

Customers trust Amazon with their data and audits provide a way to evaluate security together. Issues identified should be seen as opportunities for improvement and Amazon appreciates your collaboration.
