Guard Support

How do I manually clean up the Selling Partner API Guard EC2 Command Line Interface?

1. Sign in to the AWS CloudFormation console.
2. Navigate to the Amazon EC2 console
3. Select the EC2 instance.
4. Choose Delete.
5. Delete the Security Group associated with the name GuardSecurityGroup.
6. Delete the VPC associated with GuardCLI tags. For more information, refer to Delete your VPC in the Amazon Virtual Private Cloud User Guide.

Why am I not receiving emails from Selling Partner API Guard?

You might not receive an email because of your email filtering policies or SNS service communication.

You can expect Selling Partner API Guard to send the following emails during its lifecycle:

1. Subscription confirmation: This email is sent after the AWS CloudFormation stack is deployed. It prompts you to confirm your subscription to Selling Partner API Guard in order to receive follow-up email notifications.

2. Amazon EC2 instance provisioning: After confirming your subscription, Selling Partner API Guard sends an email with a link that automates the provisioning of the Amazon EC2 CLI, which is used to run Selling Partner API Guard commands. This email arrives in approximately 15 minutes. If you do not receive this email, you can use the following manual approach as a workaround:

   • Use Session Manager to connect to your Linux instance (Selling-Partner-API-Guard-EC2) and then proceed with next steps in Complete the Selling Partner API Guard EC2 CLI Setup.
   • If you don't have an EC2 instance after 30 mins, refer to Amazon EC2 CLI instance creation failed. How should I proceed with installation?

3. Report summary: This email is sent after the successful completion of a scan. It includes an Amazon S3 link to the scan's output. Alternatively, you can check the Amazon S3 bucket name from AWS CloudFormation Resources tab in the AWS Console. The stack name will be Selling-Partner-API-Guard-Stack and the Amazon S3 bucket name will use the following naming convention: StackName-GuardReportStorageBucket-. For example selling-partner-api-guard-guardreportstoragebucket-sghhktaxvjjk.

Amazon EC2 CLI instance creation failed. How should I proceed with installation?

Use the following steps to troubleshoot known issues for failures during Amazon EC2 client instance creation.

VPC creation failures

VPC failures can occur if the default maximum number of VPCs in an AWS account (5) is exceeded. If you are creating more than five VPCs, you must use the following steps to increase your quota before proceeding.

1. Sign in to the AWS Console.

2. Navigate to Service Quotas, then choose VPC Limits.

3. Choose Request quota increase.

4. Increase the quota value by one.

5. Choose Request.

   • The limit increase will be auto-approved within 15 mins.

6. After the limit increase request is approved, clean up the Selling Partner API Guard resources.

7. Delete the AWS CloudFormation stack.

8. Re-install Selling Partner API Guard.

For additional information on VPC Quotas, refer to Amazon VPC quotas in the Amazon Virtual Private Cloud documentation.

Internet Gateway failures

Internet Gateway failures can occur if the default maximum number of Internet Gateway instances in an AWS account (5) is exceeded. If you are creating more than 5 Internet Gateway instances, you must use the following steps to increase your quota before proceeding.

1. Sign in to the AWS Console.

2. Navigate to Service Quotas, then choose Internet Gateway limits.

3. Choose Request quota increase.

4. Increase the quota value by one.

5. Choose Request.

   • The limit increase will be auto-approved within 15 mins.

6. After the limit increase request is approved, clean up the Selling Partner API Guard resources.

7. Delete the AWS CloudFormation stack.

8. Re-install Selling Partner API Guard.

Amazon EC2 Amazon EBS encryption failure

Selling Partner API Guard creates an Amazon EC2 instance that enables Amazon EBS encryption. However, if you previously enabled Amazon EBS encryption with a custom KMS key, then the KMS key policy might not have the necessary permissions to allow Selling Partner API Guard to encrypt the Amazon EC2 instance volume.

Use the following steps to add the following KMS policy to the custom KMS key that allows EBS encryption by default.

1. Sign in to the AWS CloudFormation Console.
2. Search for Selling-Partner-API-Guard-Stack.
3. Choose Resources, then search for IAM Role with Logical ID - LambdaCustomExecutionRole95EB5515.
4. Copy the respective IAM ARN and replace <LAMBDA_IAM_ROLE_ARN_CREATED_BY_GUARD> in the following code block.

{
  "Sid": "Allow Guard Execution Role role use of the customer managed key",
  "Effect": "Allow",
  "Principal": {
    "AWS": [
      <LAMBDA_IAM_ROLE_ARN_CREATED_BY_GUARD>
    ]
  },
  "Action": [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*",
    "kms:DescribeKey",
    "kms:CreateGrant",
    "kms:RetireGrant"
  ],
  "Resource": "*"
}

5. Create the Amazon EC2 instance.
   1. Sign in to your AWS account.
   2. Choose the following Amazon EventBridge link: https://console.aws.amazon.com/events/home?/eventbus/default/rules/GuardEc2InstanceCreationScheduleRule
   3. Choose Enable.
   4. Open the Amazon EC2 instance link sent via email notification.

Where can I get technical support for Selling Partner API Guard?

Sign in to Seller Central and open a support case with Developer Support.