Network Protection Guidance
Implement comprehensive network protection controls to safeguard your SP-API integration.
Network protection consists of tools, rules, and configurations that are designed to protect the confidentiality, integrity, and accessibility of data. Internet-connected devices face potential attacks. Strong network protection protocols and policies protect your devices and network from unnecessary or malicious network traffic.
The Amazon Data Protection Policy requires solution providers to create a secure environment to reduce data loss risks and related vulnerabilities. Solution providers accept Amazon's Data Protection Policy and Acceptable Use Policy during the registration process.
Amazon conducts Data Security Assessments to verify solution provider compliance. Solution providers must maintain consistent network infrastructure protection protocols. This guide outlines network protection techniques and controls that satisfy Amazon's Data Protection Policy and Acceptable Use Policy requirements.
Amazon Data Protection Policy requirements
The Data Protection Policy, under section 1.1 Network Protection, states that solution providers must deploy network protection controls that include network firewalls and access control lists to deny access from unauthorized IP addresses. Security mechanisms must include network segmentation, intrusion detection and prevention systems, and defense-in-depth methods that enhance firewall rulesets. IDS/IPS signature pattern-based detection must identify and block malicious network behavior. Solution providers must update anti-virus and anti-malware tools monthly and implement controls that prevent employees from disabling anti-virus software. System access remains restricted to Approved Users, defined as internal employees with coding and development responsibilities who complete both data protection and IT security awareness training.
Network segmentation and firewall filtering
Network segmentation splits large networks into smaller sub-networks to enhance access controls and security. IT administrators use network segregation and segmentation to control traffic flow within defined security perimeters and protect against intrusion. Network segregation creates divisions based on roles and functionality, while segmentation establishes boundaries between network components.
Network segmentation limits the spread of security breaches and reduces risk during attacks. Network firewalls establish perimeter-based segmentation by creating network boundaries and routing all traffic through controlled checkpoints. Solution providers must implement these best practices to comply with the following requirements:
- Define strong network firewall policies based on a comprehensive risk analysis.
- Segment networks with Virtual Local Area Networks (VLAN) or subnets.
- Isolate guest access to networks through micro-segmentation.
- Restrict user access within the company between perimeters.
Solution providers must implement the following enhanced defense-in-depth methods to complement firewall rulesets:
- Implement IDS/IPS signature pattern-based detection mechanisms.
- Use multiple layers of security controls.
- Establish enhanced network segmentation with clear separation between security zones.
- Implement strict access controls between segments.
The AWS Network Firewall provides a managed network firewall that monitors active connections and includes intrusion detection and prevention services for Amazon Virtual Private Cloud (Amazon VPC) environments.

AWS Firewall Manager centralizes configuration and management of Network Firewalls across multiple accounts and applications. Administrators define firewall policies that specify rules for filtering VPC traffic. These policies apply consistently across the organization's AWS infrastructure.
AWS offers a suite of complementary security services. AWS WAF filters malicious web traffic, AWS Shield defends against Distributed Denial of Service (DDoS) attacks, and AWS Firewall Manager streamlines security policy enforcement. Together, these services provide comprehensive protection for AWS-hosted applications and resources.
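The segmentation and ACL requirements above (subnets as security zones, default deny between segments, unauthorized addresses rejected) can be audited against traffic records. The following is an added example, not Amazon's or AWS's code: it evaluates default-format VPC Flow Log lines against a constructed zone policy. The zone CIDRs, the allowed-flow table and the log lines are all constructed for illustration.

```python
"""Audit VPC Flow Log records against a zone segmentation policy (added example)."""
import ipaddress
from typing import List, Optional, Tuple

# Constructed security zones, one subnet per zone (not a real deployment).
ZONES = {
    "dmz": ipaddress.ip_network("10.0.1.0/24"),
    "app": ipaddress.ip_network("10.0.2.0/24"),
    "db": ipaddress.ip_network("10.0.3.0/24"),
}

# Permitted inter-zone flows as (src_zone, dst_zone, dst_port, ip_protocol).
# Anything not listed is denied: default deny between segments.
ALLOWED_FLOWS = {
    ("dmz", "app", 443, 6),   # web tier to application tier over HTTPS
    ("app", "db", 5432, 6),   # application tier to database tier
}

def zone_of(ip: str) -> Optional[str]:
    """Return the zone containing ip, or None for an unknown address."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), None)

def check_flow(src: str, dst: str, dst_port: int, proto: int) -> Tuple[bool, str]:
    """Decide whether a single flow is permitted by the segmentation policy."""
    sz, dz = zone_of(src), zone_of(dst)
    if sz is None or dz is None:
        return False, f"unknown address {src if sz is None else dst}"
    if sz == dz:
        return True, "intra-zone"
    if (sz, dz, dst_port, proto) in ALLOWED_FLOWS:
        return True, f"{sz}->{dz}:{dst_port} permitted"
    return False, f"{sz}->{dz}:{dst_port}/{proto} not in allowed flows"

def audit_flow_logs(lines: List[str]) -> List[str]:
    """Report flows that violate the policy.

    Default flow-log field order: version account-id interface-id srcaddr
    dstaddr srcport dstport protocol packets bytes start end action log-status.
    """
    violations = []
    for line in lines:
        f = line.split()
        if len(f) < 14 or f[0] == "version":   # skip header or short lines
            continue
        src, dst, dport, proto = f[3], f[4], int(f[6]), int(f[7])
        ok, reason = check_flow(src, dst, dport, proto)
        if not ok:
            violations.append(f"{src}->{dst}:{dport} {reason}")
    return violations

# Constructed sample records (placeholder account and interface ids).
SAMPLE_LOGS = [
    "2 123456789012 eni-0a1b 10.0.1.10 10.0.2.20 51000 443 6 10 8000 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b 10.0.1.10 10.0.3.30 51001 5432 6 5 400 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b 10.0.2.20 10.0.3.30 51002 5432 6 5 400 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b 203.0.113.7 10.0.2.20 51003 22 6 5 400 1700000000 1700000060 ACCEPT OK",
]
```

An ACCEPT record that the policy marks as a violation indicates a firewall or network ACL rule that is looser than the intended segmentation and should be reviewed.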
Network access controls
Network access control tools allow businesses to check devices for compliance and prevent unauthorized devices from accessing corporate networks. As more employees use personal devices for work, organizations need network access control tools to maintain security.
Solution providers must protect both cloud services and on-premises networks. Network Access Controls and Access Control Lists (ACLs) serve different security functions. Network Access Controls authenticate user identities and trusted devices at network nodes, while ACLs filter traffic at the router level.
Amazon's Data Protection Policy requires identity and access management tools to control permissions by department, job, role, and team. These role-based controls track user actions and link system events to specific users. Solution providers must implement authorization and restriction processes for both on-premises and cloud devices to manage network access.
Access control requirements include:
- Implement account lockout after 10 or fewer unsuccessful login attempts.
- Use enhanced authentication monitoring to detect suspicious patterns.
- Configure automated responses for suspicious activities.
- Enforce multi-factor authentication for all user accounts without exception.
- Regularly audit access patterns and automate alerting for unusual behavior.
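The lockout, authentication-monitoring and MFA requirements in the list above can be expressed as a small monitor over authentication events. This is an added example, not Amazon's code: the event format, the sample events and the three-account threshold for one source address failing against several accounts are constructed; only the 10-failure lockout comes from the policy.

```python
"""Authentication monitor: lockout after 10 failures, alerts on unusual patterns (added example)."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set

LOCKOUT_THRESHOLD = 10  # policy requirement: lock out after 10 or fewer failed attempts
SPRAY_ACCOUNTS = 3      # constructed: one source address failing against this many accounts

@dataclass
class AuthMonitor:
    failures: Dict[str, int] = field(default_factory=lambda: defaultdict(int))
    locked: Set[str] = field(default_factory=set)
    ip_targets: Dict[str, Set[str]] = field(default_factory=lambda: defaultdict(set))
    alerts: List[str] = field(default_factory=list)

    def process(self, event: str) -> None:
        """Consume one event in the constructed format '<ts> <user> <src_ip> <FAIL|OK> <mfa:yes|no>'."""
        ts, user, ip, result, mfa = event.split()
        if user in self.locked:
            self.alerts.append(f"{ts} attempt on locked account {user} from {ip}")
            return
        if result == "FAIL":
            self.failures[user] += 1
            self.ip_targets[ip].add(user)
            if self.failures[user] >= LOCKOUT_THRESHOLD:
                self.locked.add(user)
                self.alerts.append(f"{ts} lockout: {user} after {self.failures[user]} failures")
            if len(self.ip_targets[ip]) == SPRAY_ACCOUNTS:   # alert once per source address
                self.alerts.append(f"{ts} {ip} failed against {SPRAY_ACCOUNTS} accounts")
        else:
            self.failures[user] = 0   # a successful login resets the failure counter
            if mfa != "mfa:yes":      # policy: MFA for all accounts without exception
                self.alerts.append(f"{ts} {user} logged in from {ip} without MFA")

def run_monitor(events: List[str]) -> AuthMonitor:
    """Feed every event through one monitor instance and return it for inspection."""
    m = AuthMonitor()
    for e in events:
        m.process(e)
    return m

# Constructed sample events (not real logs): ten failures for alice, then a
# post-lockout attempt, one address probing three accounts, and a login without MFA.
SAMPLE_EVENTS = (
    [f"2024-01-01T00:00:{i:02d} alice 198.51.100.5 FAIL mfa:no" for i in range(10)]
    + ["2024-01-01T00:00:10 alice 198.51.100.5 OK mfa:yes",
       "2024-01-01T00:00:11 bob 192.0.2.9 FAIL mfa:no",
       "2024-01-01T00:00:12 carol 192.0.2.9 FAIL mfa:no",
       "2024-01-01T00:00:13 dave 192.0.2.9 FAIL mfa:no",
       "2024-01-01T00:00:14 erin 10.0.2.15 OK mfa:no"]
)
```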
Anti-malware
Internet-connected devices are vulnerable to malware, malicious code that infects host computers. Viruses, a type of malware, attach to programs and spread through emails, removable storage devices, and contaminated networks. Malware can delete or encrypt files, modify applications, or disable system functions.
Organizations must develop and implement effective malware incident prevention approaches based on prevalent attack vectors. Policies should address malware incident prevention and threat mitigation to contain malware incidents.
Antivirus software serves as the primary malware threat mitigation control. This software scans devices, identifies viruses, and removes them. Regular antivirus application updates protect against current threats. Enterprise Endpoint Security protection suits larger corporations with diverse endpoints. Advanced Endpoint Protection Platforms (EPP) provide firewall capabilities and heuristics with machine learning and containment.
Amazon's Data Protection Policy requires SP-API users to protect endpoints. All systems with user data access must have antivirus and anti-malware installed. Systems must run regular full system scans, not relying solely on on-access scans.
Solution providers must implement the following controls to prevent antivirus software disablement:
- Configure antivirus software settings to prevent end-user disablement.
- Require administrative privileges for antivirus configuration changes.
- Configure automated alerts for IT teams when protection disablement is attempted.
- Implement real-time monitoring and automated response procedures for malware detection.
Disable any control that lets a user turn off antivirus scans. Keep antivirus definitions up to date. Enable antivirus logging and alerting. If antivirus is disabled, notify the IT team and initiate follow-up processes.
Network-based intrusion detection systems and network intrusion prevention systems
Network-based intrusion detection systems (NIDS) monitor traffic patterns and detect malicious activity by analyzing network packets. Network intrusion prevention systems (NIPS) prevent attacks by terminating TCP connections or blocking suspicious network activity through firewall commands. Solution providers must install NIDS and NIPS on network and endpoint devices. Properly implemented NIDS and NIPS can detect threats early and stop large-scale network attacks that conventional security controls cannot detect.
Amazon GuardDuty, a cloud-native NIDS service, uses VPC Flow Logs traffic data to detect threat behaviors. You can use Amazon GuardDuty to identify suspicious traffic, gain insight into it, and resolve access and security issues. Amazon GuardDuty can notify personnel of suspected compromises via email or SMS to speed up threat response and mitigation.
Key takeaways and next steps
- Implement comprehensive network and application protection measures as outlined in this document to comply with Amazon's Data Protection Policy.
- Regularly review and update your security controls to address evolving threats and policy requirements.
- Consult the latest version of the Data Protection Policy for the most up-to-date compliance requirements.
Notices
Amazon sellers and solution providers are responsible for independently assessing the information in this document. This document: (a) serves informational purposes only, (b) represents current practices subject to change, and (c) creates no commitments or assurances from Amazon.com Services LLC (Amazon) and its affiliates, suppliers or licensors. Amazon provides Amazon Services API products or services "as is" without warranties, representations, or conditions. This document neither forms part of nor modifies any agreement between Amazon and any party.
