Clarification to issued LWA credentials awareness announcement
July 12th, 2023 by AbbyM_Amazon
On July 10, we issued an awareness announcement to remind developers that public exposure of Amazon LWA client credentials can lead to a developer’s loss of access to the Selling Partner API. We understand that the title of this announcement may not have been as clear as we had intended, and we apologize for any misunderstanding.
Your security is important to us. Follow these best practices to keep your credentials secure:
- Rotate your LWA client credentials as soon as you are aware of an exposure. Refer to the SP-API documentation on Rotating your application's LWA credentials. Important: After you generate a new LWA credential (client secret), you must update your credentials for any applications that call Amazon Selling Partner APIs.
- The following is a list of SP-API resources about how to protect your data:
- All Amazon SP-API developers are required to follow secure coding standards to uphold Personally Identifiable Information (PII) requirements in the DPP. Credentials and other sensitive information must never be hard-coded in your application code. Refer to Safeguarding Sensitive Credentials for SP-API Applications and Rotate your SP-API credentials using AWS.
- If an application is no longer in use, you may consider deleting your application by following the documentation to Delete an application from your developer account.
- You can configure code scanning to automatically identify vulnerabilities and errors in the code stored in your repository. Learn more at GitHub Configuring code scanning.
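
As an added example (not Amazon's code and not part of the announcement), here is a minimal pre-commit style check covering the two points above about hard-coded credentials and code scanning. The credential patterns, the `LWA_CLIENT_SECRET` variable name and the file names are assumptions, and the sample values are constructed.

```python
import re

# Assumed credential shapes (not taken from the announcement); adjust them to
# what your own developer account actually issues.
PATTERNS = {
    "lwa_client_id": re.compile(r"amzn1\.application-oa2-client\.[0-9a-f]{32}"),
    "lwa_client_secret": re.compile(r"amzn1\.oa2-cs\.v1\.[0-9a-f]{64}"),
    "lwa_refresh_token": re.compile(r"Atzr\|[A-Za-z0-9_\-]{20,}"),
}

def redact(value, keep=4):
    """Keep a short suffix so a finding can be tied to a credential
    without the scanner output re-exposing it in CI logs."""
    return "*" * 8 + value[-keep:]

def scan_text(path, text):
    """Return (path, line number, kind, redacted value) per credential-shaped literal."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append((path, lineno, kind, redact(match.group(0))))
    return findings

# Constructed sample files; the values are fabricated, not real credentials.
FAKE_ID = "amzn1.application-oa2-client." + "0a1b2c3d" * 4
FAKE_SECRET = "amzn1.oa2-cs.v1." + "deadbeef" * 8
SAMPLE_FILES = {
    # Hard-coded literals: both lines should be flagged.
    "config_bad.py": f'CLIENT_ID = "{FAKE_ID}"\nCLIENT_SECRET = "{FAKE_SECRET}"\n',
    # Secret read from the environment at runtime: nothing to flag.
    "config_good.py": 'import os\nCLIENT_SECRET = os.environ["LWA_CLIENT_SECRET"]\n',
}

def scan_samples():
    return {path: scan_text(path, text) for path, text in SAMPLE_FILES.items()}

if __name__ == "__main__":
    for path, findings in scan_samples().items():
        for _, lineno, kind, shown in findings:
            print(f"{path}:{lineno}: {kind} {shown}")
        print(f"{path}: {'FAIL' if findings else 'ok'}")
```

A credential this check finds in committed history should be treated as exposed and rotated; deleting the line in a later commit does not remove it from the repository.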