Automated Deployment

Deployment instructions for Amazon Selling Partner API Guard

Use the following steps to deploy Selling Partner API Guard on AWS. Before you launch Selling Partner API Guard, review the Cost, Architecture overview, Security, and other considerations discussed in this guide.

Time to deploy: Approximately 25 minutes


  1. Sign in to Amazon Seller Central account.
  2. Sign in to your AWS account.
  3. Identify the AWS partition to test Selling Partner API Guard. Selling Partner API Guard supports AWS and AWS-CN.
  4. Choose a valid email address for reports and notifications.

Step 1. Launch the stack

This automated AWS CloudFormation template deploys Selling Partner API Guard in the AWS Cloud. You must complete the prerequisites before launching the stack.



You are responsible for the cost of the AWS services used while running Selling Partner API Guard. For more details, visit the Cost section in this guide, and refer to the pricing webpage for each AWS service.

  1. Sign in to Seller Central.
  2. From the top-left menu, choose Apps and Services.
  3. Choose Develop Apps.
  4. Select the Selling Partner API Guard link.
  5. Choose Get Started to launch the CloudFormation template in the AWS Console.
  6. Review the following template parameters and modify them as necessary.
Stack nameSelling-Partner-API-Guard-StackStack name associated with the CloudFormation stack. This field cannot be changed.
Developer email<Requires input>Email address which will receive Selling Partner API Guard setup-related emails and generated reports.
Merchant token<Requires input>Unique merchant token for a Seller Central account. This value can be fetched from the Merchant Token information on the Seller Central Account Info page.
  1. On the Review page, review and confirm the settings.
  2. Select the box acknowledging that AWS CloudFormation might create IAM resources.
  3. Choose Create stack to deploy the stack.

You can view the status of the stack in the AWS CloudFormation console in the Status column.

Step 2. Complete the Selling Partner API Guard EC2 CLI setup



You will receive two emails containing communication from Selling Partner API Guard. You can verify the authenticity of the email by matching the AWS account ID from the emails to the account ID for the AWS account that is performing the installation.

After the AWS CloudFormation stack deploys, you will receive an email prompting you to confirm your subscription to Selling Partner API Guard. This email should arrive within 10 minutes.

  1. Open the first emailed link to confirm your subscription.

After confirming your subscription, you will receive a second email with a link that automates the provision of the Amazon EC2 CLI, which is an endpoint for running Selling Partner API Guard commands. This email should arrive within 15 minutes.

  1. Open the second emailed link to launch Session Manager.

  2. Run the following command to navigate to the directory:

cd GuardCli/
  1. Run the following command to enable AWS Security services:
sudo ./guardcli enable_services
  1. Choose Yes or No to enable the following Scan Rules:
    • Scan your S3 buckets for unencrypted PII data (Amazon Macie)
    • Scan your AWS account for possible malicious activity and DPP requirements (Amazon GuardDuty)
    • Scan the IAM roles your AWS account that are shared with an external entity to understand if those are intended (IAM Access Analyzer)
    • Scan your EC2 instances for unintended network vulnerabilities (Amazon Inspector)



Selling Partner API Guard will not make modifications to your prior configurations.

Step 3. Invoke Selling Partner API Guard and generate a security report

  1. Run the following command to invoke Lambda handlers to complete the scan:
sudo ./guardcli start_scan
  1. Choose Yes to share report findings with Amazon. This option allows the Selling Partner API team to receive the same report that you receive. Alternatively, you can use the following command to share findings with Amazon within 30 days of the scan.
sudo ./guardcli report_to_amazon
  1. A report is generated after 24 hours. The report is emailed to the email provided in the stack parameters and is stored in the Amazon S3 bucket created by the CloudFormation stack.

Selling Partner API Guard automatically disables the AWS Security Services triggered in the scan. It also automatically deletes the Amazon EC2 instance and VPC after 30 days. You have the option to delete these resources immediately after receiving the report. For more information, refer to the Uninstall Amazon Selling Partner API Guard section of this guide.