Architecture overview

Figure: Reference architecture diagram for Amazon Selling Partner API Guard

The AWS CloudFormation template deploys the following workflows and services:

  • Amazon Simple Storage Service (Amazon S3): Stores scan reports and holds the artifacts used to install Selling Partner API Guard
  • Amazon Simple Notification Service (Amazon SNS): Sends Selling Partner API Guard notifications to users and, with the user's permission, reports findings to Amazon
  • AWS Lambda: Lambda functions implement the solution's workflows, including the JobsLambda, ReportLambda, DisableLambda, Cleanup Lambda, Report to Amazon Lambda, and CLI Setup Lambda
  • Amazon EventBridge: Drives Selling Partner API Guard's workflows and handles the dependencies between their steps
  • AWS Identity and Access Management (IAM) roles: Grant Selling Partner API Guard the permissions it needs to scan your AWS infrastructure. Review the policies attached to these roles in the template before you deploy, since they define what the solution is allowed to read in your account.

The template also creates a virtual private cloud (VPC), subnets, security groups, and an Amazon Linux 2 Amazon EC2 instance.

The template sends a browser-based EC2 session link to the user's email address. Use that link to connect to the Amazon EC2 instance, then run the following command line interface (CLI) commands against your AWS infrastructure. Treat the link as sensitive: it is what grants a shell on the instance, so do not forward it.

  • enable_services: Enables the AWS security services the scan relies on: Amazon Macie, Amazon GuardDuty, Amazon Inspector, AWS IAM Access Analyzer, AWS Security Hub, and AWS Config. These services incur charges while they are enabled. Services enabled by this command are automatically disabled after 24 hours, so if any of them is already in use in the account, confirm how the solution treats pre-existing configuration before running it.
  • start_scan: Starts Selling Partner API Guard scanning according to your configuration. You receive the report by email 24 hours after running this command.
  • cleanup_guard_interface: Deletes the resources the template created for the CLI, including the VPC, security groups, and EC2 instance.
  • report_to_amazon: Reports the scan findings to Amazon.
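Because enable_services turns these six services on and then automatically turns them off after 24 hours, it is worth recording which of them were already enabled in the account before you run it. The script below is an added example written for this page; it is not part of the Selling Partner API Guard solution or its CLI. It uses the standard boto3 clients and response shapes for each service (ListDetectors/GetDetector, GetMacieSession, BatchGetAccountStatus, ListAnalyzers, DescribeHub, DescribeConfigurationRecorderStatus); the evaluators are pure functions over those responses so they can be checked offline against constructed responses, and any ClientError from the Macie or Security Hub calls (which is what those APIs raise when the service is not enabled) is treated as "not enabled". The default region of us-east-1 and the service names used as dictionary keys are assumptions of this example.

```python
"""Pre-flight inventory of the AWS security services that enable_services turns on.

Added example, not part of the Selling Partner API Guard solution. Run it before
enable_services so you know which services were already on in the account; those
are the ones to look at when the solution's 24-hour automatic stop fires.
The *_enabled functions are pure functions over the documented API response
shapes, so they run offline against constructed responses; inventory() does the
live calls and needs boto3 plus read-only credentials.
"""
from __future__ import annotations

from typing import Any, Callable, Dict, List, Optional

try:
    import boto3  # only needed by inventory(); the evaluators run without it
    from botocore.exceptions import ClientError
except ImportError:  # pragma: no cover - offline use of the evaluators
    boto3 = None
    ClientError = Exception  # type: ignore[misc,assignment]

# Service keys used in this example (an assumption, not names from the solution).
SERVICES = ("guardduty", "macie", "inspector", "access_analyzer", "security_hub", "config")


def guardduty_enabled(detectors: List[Dict[str, Any]]) -> bool:
    """detectors: one GetDetector response per id returned by ListDetectors."""
    return any(d.get("Status") == "ENABLED" for d in detectors)


def macie_enabled(session: Optional[Dict[str, Any]]) -> bool:
    """session: GetMacieSession response, or None when the call raised a
    ClientError (Macie raises AccessDeniedException when it is not enabled)."""
    return bool(session) and session.get("status") == "ENABLED"


def inspector_enabled(status: Dict[str, Any]) -> bool:
    """status: BatchGetAccountStatus response (Inspector2)."""
    return any(a.get("state", {}).get("status") == "ENABLED" for a in status.get("accounts", []))


def access_analyzer_enabled(analyzers: Dict[str, Any]) -> bool:
    """analyzers: ListAnalyzers response."""
    return any(a.get("status") == "ACTIVE" for a in analyzers.get("analyzers", []))


def security_hub_enabled(hub: Optional[Dict[str, Any]]) -> bool:
    """hub: DescribeHub response, or None when the call raised a ClientError
    (Security Hub raises InvalidAccessException when the account is not subscribed)."""
    return bool(hub) and "HubArn" in hub


def config_enabled(recorders: Dict[str, Any]) -> bool:
    """recorders: DescribeConfigurationRecorderStatus response."""
    return any(r.get("recording") for r in recorders.get("ConfigurationRecordersStatus", []))


def summarize(status: Dict[str, bool]) -> Dict[str, List[str]]:
    """Split the inventory into services already enabled and services not enabled."""
    return {
        "already_enabled": sorted(k for k, v in status.items() if v),
        "not_enabled": sorted(k for k, v in status.items() if not v),
    }


def _or_none(call: Callable[[], Dict[str, Any]]) -> Optional[Dict[str, Any]]:
    """Run an API call and map the 'service not enabled' error into None."""
    try:
        return call()
    except ClientError:
        return None


def inventory(region: str) -> Dict[str, bool]:
    """Live inventory: service key -> enabled. Needs boto3 and credentials."""
    if boto3 is None:
        raise RuntimeError("boto3 is required for a live inventory")
    s = boto3.Session(region_name=region)
    gd = s.client("guardduty")
    detectors = [gd.get_detector(DetectorId=i) for i in gd.list_detectors().get("DetectorIds", [])]
    return {
        "guardduty": guardduty_enabled(detectors),
        "macie": macie_enabled(_or_none(s.client("macie2").get_macie_session)),
        "inspector": inspector_enabled(s.client("inspector2").batch_get_account_status()),
        "access_analyzer": access_analyzer_enabled(s.client("accessanalyzer").list_analyzers()),
        "security_hub": security_hub_enabled(_or_none(s.client("securityhub").describe_hub)),
        "config": config_enabled(s.client("config").describe_configuration_recorder_status()),
    }


if __name__ == "__main__":
    import json
    import sys

    # Region argument is optional; us-east-1 is an assumed default for this example.
    region = sys.argv[1] if len(sys.argv) > 1 else "us-east-1"
    print(json.dumps(summarize(inventory(region)), indent=2))
```

Run it once in the account (and region) where you will deploy the template and keep the output next to the scan report; anything listed under already_enabled is what you need to check on after the 24-hour window, and anything under not_enabled is what the scan will start billing for.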