Security considerations for Amazon Selling Partner API Guard

When you build systems on AWS infrastructure, security responsibilities are shared between you and AWS. This shared model reduces your operational burden because AWS operates, manages, and controls the components including the host operating system, the virtualization layer, and the physical security of the facilities in which the services operate. For more information about AWS security, visit AWS Cloud Security.

AWS Identity and Access Management (IAM) Roles

AWS IAM roles allow customers to assign granular access policies and permissions to services and users on the AWS Cloud. Selling Partner API Guard creates IAM roles that grant AWS Lambda functions access to create Regional resources. Selling Partner API Guard creates the following roles:

  • AWS Lambda Execution Role: This role gives the Lambda handlers permissions to perform the following operations:
    • Send email notifications from the support infrastructure
    • Add/modify/delete Amazon EventBridge subscriptions
    • Start/stop the security services scan
    • Create/terminate the Amazon EC2 instance
  • Amazon EC2 instance role: This role is created and attached to the EC2 instance so that it has sufficient permissions to make API calls to the respective AWS services. It has permissions to make the Amazon S3 calls that download the artifacts required to run the CLI commands.
  • Amazon S3 access policy: This policy restricts artifact retrieval to the IAM roles that need it.

Security groups

Selling Partner API Guard's security groups are designed to control and isolate network traffic on your Amazon EC2 instances. We recommend that you review the security groups and further restrict access on a quarterly basis. When it creates an Amazon EC2 instance, Selling Partner API Guard creates a new security group with the GuardCLI tag, which restricts inbound SSH access to two IP ranges:

  • Session Manager IP prefix: Selling Partner API Guard fetches the current AWS Systems Manager Session Manager IP range at run time and allows it in the security group. This lets Selling Partner API Guard open a browser-based session on the Amazon EC2 instance and run the CLI commands through the session link generated at run time.
  • Your own AWS IP prefix: Selling Partner API Guard fetches your IP prefix at run time and allows SSH access from your own network.
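The quarterly review recommended above can be scripted. The following is an added example, not code from the Selling Partner API Guard solution: it takes a security group in the shape returned by EC2 DescribeSecurityGroups and reports every ingress rule that can reach TCP/22 from outside an approved list of prefixes, including rules that allow all protocols. The tag key `GuardCLI`, the approved prefixes, and the sample security group are assumptions constructed for the example; the live lookup at the bottom uses the real boto3 `describe_security_groups` call and needs AWS credentials, so it only runs when the script is executed directly.

```python
"""Audit SSH ingress on security groups carrying the GuardCLI tag (added example)."""
import ipaddress

SSH_PORT = 22
TAG_KEY = "GuardCLI"  # assumed tag key; the page only says "the GuardCLI tag"

# Constructed sample in DescribeSecurityGroups shape (not real account data).
# It contains one approved operator prefix, a world-open SSH rule someone left
# behind for debugging, an unrelated HTTPS rule, and an all-protocols rule that
# reaches port 22 even though it never mentions it.
SAMPLE_SG = {
    "GroupId": "sg-0123456789abcdef0",
    "GroupName": "GuardCLI-example",
    "Tags": [{"Key": TAG_KEY, "Value": "true"}],
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24", "Description": "operator prefix"},
                      {"CidrIp": "0.0.0.0/0", "Description": "temporary debugging"}],
         "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1",  # all protocols, all ports
         "IpRanges": [{"CidrIp": "198.51.100.0/24"}], "Ipv6Ranges": []},
    ],
}

# Assumed approved prefixes: your own prefix and the Session Manager range
# you last recorded. 198.51.100.0/25 is deliberately narrower than the /24 rule.
APPROVED = ["203.0.113.0/24", "198.51.100.0/25"]


def is_guardcli_group(sg):
    """True if the group carries the GuardCLI tag key."""
    return any(t.get("Key") == TAG_KEY for t in sg.get("Tags", []))


def ssh_ingress_cidrs(sg):
    """Return every CIDR that an ingress rule lets reach TCP/22.

    An IpProtocol of "-1" matches all protocols and ports, so it counts too.
    """
    cidrs = []
    for perm in sg.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto == "tcp":
            lo, hi = perm.get("FromPort"), perm.get("ToPort")
            if lo is None or hi is None or not (lo <= SSH_PORT <= hi):
                continue
        elif proto != "-1":
            continue
        cidrs.extend(r["CidrIp"] for r in perm.get("IpRanges", []))
        cidrs.extend(r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []))
    return cidrs


def audit_ssh_ingress(sg, allowed_cidrs):
    """Return (cidr, reason) findings for SSH sources broader than policy.

    A source is acceptable only if it lies entirely inside one approved prefix
    of the same IP version; a zero-length prefix is flagged separately.
    """
    allowed = [ipaddress.ip_network(c, strict=False) for c in allowed_cidrs]
    findings = []
    for cidr in ssh_ingress_cidrs(sg):
        net = ipaddress.ip_network(cidr, strict=False)
        if net.prefixlen == 0:
            findings.append((cidr, "open to the world"))
        elif not any(net.version == a.version and net.subnet_of(a) for a in allowed):
            findings.append((cidr, "not within an approved prefix"))
    return findings


def audit_live(allowed_cidrs):
    """Audit every GuardCLI-tagged group in the configured account and Region."""
    import boto3  # requires credentials with ec2:DescribeSecurityGroups
    ec2 = boto3.client("ec2")
    results = {}
    pages = ec2.get_paginator("describe_security_groups").paginate(
        Filters=[{"Name": "tag-key", "Values": [TAG_KEY]}])
    for page in pages:
        for sg in page["SecurityGroups"]:
            results[sg["GroupId"]] = audit_ssh_ingress(sg, allowed_cidrs)
    return results


if __name__ == "__main__":
    for cidr, reason in audit_ssh_ingress(SAMPLE_SG, APPROVED):
        print(f"{SAMPLE_SG['GroupId']}: {cidr} {reason}")
    # Uncomment for a live run against your account:
    # for gid, findings in audit_live(APPROVED).items():
    #     for cidr, reason in findings:
    #         print(f"{gid}: {cidr} {reason}")
```

Two design points are worth noting. An `IpProtocol` of `-1` exposes port 22 without naming it, so a check that only looks for `FromPort == 22` misses it; and the approved list is compared by containment, not string equality, so a rule that is wider than the prefix you approved is still reported even though it overlaps it.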