Components of Amazon Selling Partner API Guard

Selling Partner API Guard uses AWS security services with custom configurations to scan your AWS infrastructure for potential security vulnerabilities. It leverages Amazon Macie, Amazon GuardDuty, Amazon Inspector, AWS IAM Access Analyzer, AWS Security Hub, and AWS Config, each of which covers its own security domain. This section contains high-level details about each service's domain.

  • Amazon Macie: This service inspects Amazon S3 buckets. It detects unencrypted personally identifiable information (PII) such as names, credit card details, and social security numbers. It can also report security configuration details for S3 buckets and objects, such as the encryption settings in use and whether a bucket is publicly accessible. Selling Partner API Guard keeps Amazon Macie costs below $300 per scan by first identifying the S3 buckets that are not encrypted, and then sampling only those buckets rather than scanning every object.
  • Amazon GuardDuty: This service inspects VPC Flow Logs (network traffic in and out of your VPCs), Amazon S3 data events, AWS CloudTrail management events, and DNS logs. It analyzes these logs and detects anomalous patterns. It also reports malware-related findings for your Amazon EC2 instances and for container workloads on Amazon ECS and Amazon EKS. Selling Partner API Guard limits GuardDuty cost per scan by running it as a time-bound 24-hour job with a $100 cap on cost.
  • Amazon Inspector: This service inspects Amazon EC2 instances and Amazon ECR repositories. It checks for known software vulnerabilities and for unintended network exposure, and reports each finding with a severity. Network exposure findings are weighted by the criticality of the exposed port and protocol (for example, TCP services such as HTTPS).
  • AWS IAM Access Analyzer: This service focuses on permissions granted to principals outside your zone of trust (your AWS account or organization), such as resource policies that share data with third parties. It helps reduce the risk of unintended third-party data sharing.
  • AWS Config: This service provides many AWS-managed rules that detect insecure resource configurations. For example, it can detect whether an Amazon S3 bucket is publicly accessible.
  • AWS Security Hub: This service checks your resources against security standards by using default and custom AWS Config rules. Security Hub also aggregates the findings from the other security services (Amazon Macie, Amazon GuardDuty, and so on) into a single view.
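The Macie bullet above describes a two-step cost bound: find the S3 buckets without acceptable default encryption, then sample only those. The following Python is an added example of that planning logic and is not Selling Partner API Guard's own code. The bucket inventory, bucket sizes, job name and the per-GB price are constructed assumptions; the request dictionary it produces follows the parameter shape of boto3's `macie2.create_classification_job`, and the encryption inputs mirror the `GetBucketEncryption` response.

```python
"""Planner for a cost-bounded Amazon Macie scan (added example, not SP-API Guard's own code).

Mirrors the two-step approach described for the Macie component: select the S3
buckets whose default encryption does not meet the bar, then build a sampled
Macie classification job whose scanned volume fits a dollar budget. The bucket
inventory, sizes and per-GB price below are constructed assumptions; the request
dict follows the shape boto3's macie2.create_classification_job accepts.
"""
from __future__ import annotations

import math
import uuid
from dataclasses import dataclass
from typing import Iterable, Optional

# Default SSE algorithms treated as "encrypted". Since 2023 S3 applies SSE-S3
# (AES256) by default, so a stricter policy might accept only the KMS variants.
ACCEPTED_SSE = frozenset({"AES256", "aws:kms", "aws:kms:dsse"})

# ASSUMPTION: illustrative price used only for the cost model. Check the current
# Macie pricing page before relying on the figure.
ASSUMED_USD_PER_GB = 1.00


@dataclass(frozen=True)
class BucketInfo:
    name: str
    size_gb: float
    # Mirrors the GetBucketEncryption response; None stands for the
    # ServerSideEncryptionConfigurationNotFoundError case (no default set).
    encryption: Optional[dict]


def default_sse_algorithm(encryption: Optional[dict]) -> Optional[str]:
    """Return the bucket's default SSE algorithm, or None if none is configured."""
    if not encryption:
        return None
    rules = encryption.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    for rule in rules:
        algorithm = rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
        if algorithm:
            return algorithm
    return None


def unencrypted_buckets(buckets: Iterable[BucketInfo],
                        accepted: frozenset = ACCEPTED_SSE) -> list[BucketInfo]:
    """Step 1: buckets whose default encryption is missing or not in `accepted`."""
    return [b for b in buckets if default_sse_algorithm(b.encryption) not in accepted]


def sampling_percentage(total_gb: float, budget_usd: float,
                        usd_per_gb: float = ASSUMED_USD_PER_GB) -> int:
    """Largest whole percentage of total_gb that can be scanned within budget (1..100)."""
    if total_gb <= 0:
        return 100
    affordable_gb = budget_usd / usd_per_gb
    pct = math.floor(100 * affordable_gb / total_gb)
    return max(1, min(100, pct))  # Macie requires an integer in 1..100


def plan_macie_job(account_id: str, buckets: Iterable[BucketInfo],
                   budget_usd: float = 300.0,
                   accepted: frozenset = ACCEPTED_SSE) -> Optional[dict]:
    """Step 2: build create_classification_job parameters for a sampled scan."""
    targets = unencrypted_buckets(buckets, accepted)
    if not targets:
        return None  # nothing to scan, nothing to spend
    total_gb = sum(b.size_gb for b in targets)
    return {
        "clientToken": str(uuid.uuid4()),
        "jobType": "ONE_TIME",
        "name": "spapi-guard-sampled-pii-scan",  # assumed job name
        "samplingPercentage": sampling_percentage(total_gb, budget_usd),
        "s3JobDefinition": {
            "bucketDefinitions": [
                {"accountId": account_id, "buckets": [b.name for b in targets]}
            ]
        },
    }


def estimated_cost_usd(plan: dict, buckets: Iterable[BucketInfo],
                       usd_per_gb: float = ASSUMED_USD_PER_GB) -> float:
    """Modelled cost of `plan`: sampled GB across the selected buckets times the rate."""
    sizes = {b.name: b.size_gb for b in buckets}
    selected = plan["s3JobDefinition"]["bucketDefinitions"][0]["buckets"]
    sampled_gb = sum(sizes[name] for name in selected) * plan["samplingPercentage"] / 100
    return sampled_gb * usd_per_gb


def _sse(algorithm: str) -> dict:
    """Constructed GetBucketEncryption-shaped response for a given default algorithm."""
    return {"ServerSideEncryptionConfiguration": {
        "Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": algorithm}}]}}


# Constructed inventory (names and sizes are made up for the example).
SAMPLE_BUCKETS = [
    BucketInfo("orders-archive", 500.0, None),          # no default encryption
    BucketInfo("seller-reports", 100.0, _sse("AES256")),
    BucketInfo("kms-protected", 50.0, _sse("aws:kms")),
    BucketInfo("legacy-exports", 100.0, {"ServerSideEncryptionConfiguration": {"Rules": []}}),
]

if __name__ == "__main__":
    plan = plan_macie_job("123456789012", SAMPLE_BUCKETS)
    print(plan)
    print(f"estimated cost: ${estimated_cost_usd(plan, SAMPLE_BUCKETS):.2f}")
```

In a real run the bucket sizes would come from the CloudWatch `BucketSizeBytes` metric or S3 Storage Lens, and the returned dictionary would be passed to `boto3.client("macie2").create_classification_job(**plan)`. The cost model is deliberately simple (volume times an assumed rate); it ignores Macie's free tier and any per-object charges, so treat the sampling percentage as an upper bound to confirm against your own billing data.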