Key Security Control Guidance
Learn how to implement key security controls to achieve Amazon Data Protection Policy compliance and maintain SP-API access.
Implementing robust security controls is fundamental to protecting Amazon Selling Partner API applications and the sensitive seller data they process. This guide outlines essential security controls that align with Amazon's Data Protection Policy (DPP) and Acceptable Use Policy (AUP). Solution providers must implement these key security controls to build secure and compliant applications that protect customer data and maintain Amazon marketplace access.
Amazon Data Protection Policy (DPP) requirements
The Amazon Data Protection Policy contains two categories related to security requirements:
- Section 1. General Security Requirements, which includes requirements for all Solution providers building SP-API applications.
- Section 2. Additional Security Requirements for Personally Identifiable Information (PII), which includes additional requirements for Solution providers performing restricted operations on SP-API that involve personally identifiable information (PII).
This guide addresses all applicable DPP requirements.
Critical response requirements and timelines
Solution providers must abide by the following critical response requirements and timelines. Failure to follow these requirements can result in regulatory violations and loss of SP-API access.
Immediate response requirements
To effectively respond to critical security risks, solution providers must:
- Notify Amazon at [email protected] within 24 hours of any security incident.
- Disable and remove access for terminated employees within 24 hours.
- Resolve critical-risk vulnerabilities within seven days of discovery.
- Resolve high-risk vulnerabilities within 30 days of discovery.
- Delete personally identifiable information (PII) within 30 days after order delivery.
Operational requirements
To maintain SP-API access and DPP compliance, solution providers must perform the following tasks at the required cadences:
| Required Task | Cadence |
|---|---|
| Conduct log reviews | Bi-weekly |
| Update anti-malware tools | Monthly |
| Conduct vulnerability scans on all systems | Monthly |
| Review all personnel and service access | Quarterly |
| Maintain inventory of all devices and systems that handle PII | Quarterly |
| Test backup and recovery procedures | Quarterly |
| Rotate Amazon API keys | Annually |
| Rotate encryption keys | Annually |
| Conduct security awareness training for all approved users | Annually |
| Perform penetration testing | Annually |
| Conduct formal third-party security assessments | Annually |
Data retention limits
To minimize security exposure and ensure compliance, solution providers must adhere to the following data retention limits:
| Data Type | Retention Limit |
|---|---|
| PII data | 30 days after order delivery |
| Non-PII data | 18 months maximum |
| Security logs | 12 months minimum |
Baseline security controls
Establish the foundational protection measures that are required for all SP-API applications.
Password and authentication
This control relates to section 1.4 Credential Management of the DPP.
Compromised credentials provide direct access to databases, servers, and customer data. Attackers use brute-force password attacks and other methods to steal credentials for financial gain.
Solution providers must:
- Establish password complexity requirements: minimum 12 characters with mixed case letters, numbers, and special characters, and must not include any part of the user’s name.
- Configure password history to prevent reuse of the last 10 passwords and configure password lifecycle settings with a minimum password age of 1 day and a maximum password expiration period of 365 days.
- Deploy multifactor authentication (MFA) on all accounts, using approved second factors (TOTP, hardware tokens, or biometric authentication).
- Implement encryption at rest for all SP-API credentials using industry-standard encryption (minimum AES-128, recommended AES-256) and store them within a secure key management system to prevent unauthorized access.
- Rotate API keys annually with automated processes and maintain key inventories.
- Use directory services such as AWS Directory Service or Microsoft Active Directory for centralized enforcement.
- Implement account lockout controls by monitoring anomalous usage patterns and failed authentication attempts. User accounts must be locked after 10 or fewer unsuccessful login attempts.
- Encrypt all information in transit using secure protocols such as TLS 1.2 or higher, SFTP, and SSH-2, and enforce this control across all applicable internal and external endpoints. Where transport-level encryption terminates in untrusted multi-tenant infrastructure (for example, untrusted proxies), message-level encryption must be used.
- Permanently and securely delete Information in accordance with Amazon’s deletion notices within 30 days of Amazon’s request, unless retention is required to meet legal, tax, or regulatory obligations. Non-PII data must be deleted within 18 months unless longer retention is required by applicable laws or regulations.
Asset management
This control relates to section 2.3 Asset Management of the DPP.
Solution providers must not store PII on removable media, personal devices, or unsecured public cloud apps (for example, publicly shared Google Drive links) unless encrypted with AES-128 (or higher) or RSA-2048 encryption. Lost devices and unauthorized cloud storage frequently result in data breaches.
Solution providers must:
- Maintain quarterly inventories of all devices, systems, and applications that handle PII.
- Establish baseline security configurations with regular patches and updates across all managed assets.
- Restrict PII storage to approved systems only. Prohibit removable media, personal devices, or unsecured cloud applications.
- Implement data loss prevention (DLP) tools to monitor and prevent unauthorized data movement.
- Ensure secure disposal of printed materials that contain PII through approved destruction methods.
- Implement formal change control processes.
- Maintain segregation of duties between change approvers and testers for all systems that handle PII.
Access review
This control relates to section 1.2 Access Management of the DPP.
Excessive user access and dormant accounts create security vulnerabilities. Attackers exploit over-privileged accounts and shared credentials to gain unauthorized access to sensitive data.
Solution providers must:
- Establish formal user access registration processes with unique identifiers for each person and eliminate generic, shared, or default login credentials.
- Apply least privilege and grant minimum necessary access to all user and service accounts.
- Implement baselining mechanisms to ensure only required user accounts maintain access to information.
- Prohibit employees and contractors from storing information on personal devices.
- Conduct quarterly reviews of all personnel and services with access to information.
- Disable and remove access within 24 hours for terminated employees.
Data protection controls
Protect customer data from unauthorized access and ensure compliant data handling.
Data encryption at rest
This control relates to section 2.4 Encryption at Rest of the DPP.
Unencrypted data at rest exposes customer PII to unauthorized access through compromised systems, physical device theft, or insider threats. Without proper encryption and key management, organizations cannot adequately protect customer data.
Solution providers must:
- Create data classification documents that identify all data that require encryption.
- Use AES-128 or RSA-2048 bit keys (or higher) to encrypt all PII data.
- Apply encryption to end-device drives, servers, databases, and backup storage systems.
- Encrypt SP-API keys and credentials and never expose them in plain text.
- Deploy Key Management Systems (KMS) that cover the complete key lifecycle.
- Use cryptographically secure methods to generate keys and store the keys in dedicated KMS with access controls.
- Rotate encryption keys at least annually and revoke compromised keys immediately.
For additional guidance on how to identify systems that require encryption, refer to the Data classification whitepaper.
Anti-malware controls
This control relates to section 1.1 Network Protection of the DPP.
Malware attacks through phishing emails, compromised websites, and malicious downloads can steal credentials and exfiltrate customer PII. Robust anti-malware defenses prevent data breaches and business disruption.
Solution providers must:
- Apply network segmentation and implement network firewalls, access control lists, and intrusion detection/prevention systems (IDS/IPS).
- Deploy and maintain up-to-date antivirus software on all servers and endpoints that access SP-API data.
- Implement endpoint protection solutions that prevent users from disabling antivirus software.
- Update antivirus and anti-malware tools at least monthly.
- Restrict system access to approved internal employees who have completed annual data protection and IT security awareness training ("Approved Users").
- Maintain secure coding practices and implement Group Policy (Windows) or Mobile Device Management (MDM) solutions to enforce security policies.
- Deploy security information and event management (SIEM) systems to correlate security events and detect advanced threats.
- Adopt Software Development Life Cycle (SDLC) frameworks with integrated security testing.
Data retention processes
This control relates to section 2.1 Data Retention of the DPP.
Retaining customer PII beyond defined business or regulatory requirements may increase the organization’s exposure and introduce potential compliance considerations. Many solution providers store complete customer records when only specific non-PII elements are needed for business operations.
Solution providers must:
- Implement clear data tagging systems to distinguish PII from non-PII data.
- Document data classification schemas and ensure consistent application across all storage systems.
- Retain PII for no longer than 30 days after order delivery unless required by law for specific compliance purposes.
- Retain non-PII data for up to 18 months maximum unless longer retention is required by applicable laws.
- Use secure deletion methods that follow industry-standard sanitization processes (NIST 800-88).
- Archive PII in encrypted storage only when required by law for longer retention periods.
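The following is an added example, not code from Amazon or the SP-API documentation, showing how the data tagging and retention rules in the list above can be applied to stored order records in Node.js: fields are tagged PII or non-PII, PII is redacted 30 days after delivery while the non-PII order data stays available, whole records are removed after 18 months, and a legal hold routes PII to an encrypted archive instead of deletion. The record layout, the set of PII field names, the use of record creation time as the start of the 18-month clock, and the `legalHold` flag are assumptions of the example.

```javascript
// Added example (not Amazon's or the SP-API documentation's own code):
// field-level PII tagging plus the retention rules from DPP 2.1 as stated in
// this guide. Field names, record layout and legal-hold handling are assumed.
const PII_FIELDS = new Set(['buyerName', 'buyerEmail', 'shippingAddress', 'phone']);
const DAY_MS = 24 * 60 * 60 * 1000;
const PII_RETENTION_DAYS = 30;        // PII: 30 days after order delivery
const NON_PII_RETENTION_MONTHS = 18;  // non-PII: 18 months maximum

// Tag every field of a record so storage and deletion code never guesses.
function classifyRecord(record) {
  const tags = {};
  for (const field of Object.keys(record)) tags[field] = PII_FIELDS.has(field) ? 'PII' : 'non-PII';
  return tags;
}

function addMonths(ms, months) {
  const d = new Date(ms);
  d.setUTCMonth(d.getUTCMonth() + months);
  return d.getTime();
}

// Decide what must happen to one stored order at time `now`:
//  'redact-pii'    delivered more than 30 days ago and PII fields still present
//  'archive-pii'   same, but a legal hold requires keeping the PII (encrypted archive)
//  'delete-record' created more than 18 months ago and no legal hold
//  'keep'          nothing is due yet
function retentionAction(order, now = Date.now()) {
  const hasPii = Object.keys(order).some((f) => PII_FIELDS.has(f));
  const piiDue = order.deliveredAt !== undefined && now - order.deliveredAt > PII_RETENTION_DAYS * DAY_MS;
  const recordDue = now > addMonths(order.createdAt, NON_PII_RETENTION_MONTHS);
  if (recordDue && !order.legalHold) return 'delete-record';
  if (hasPii && piiDue) return order.legalHold ? 'archive-pii' : 'redact-pii';
  return 'keep';
}

// Copy of the order with PII fields removed; order id, SKUs, totals and
// timestamps remain for business use.
function redactPii(order) {
  const kept = {};
  for (const [field, value] of Object.entries(order)) {
    if (!PII_FIELDS.has(field)) kept[field] = value;
  }
  return kept;
}

// Run the policy over a batch of stored orders and return the planned actions.
function planRetention(orders, now = Date.now()) {
  return orders.map((o) => ({ orderId: o.orderId, action: retentionAction(o, now) }));
}
```

A scheduled job would call `planRetention` daily, apply `redactPii` in place for `redact-pii`, move the PII fields to encrypted archive storage for `archive-pii`, and remove the record entirely (using a sanitization method that meets NIST 800-88) for `delete-record`.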
Monitoring and incident response controls
Identify security threats and contain incidents with speed.
Identification of potential incidents
This control relates to section 2.6 Logging and Monitoring of the DPP.
Security incidents often go undetected for extended periods, allowing attackers to establish persistence and exfiltrate sensitive data. Robust monitoring identifies threats that target SP-API applications and unauthorized PII access.
Solution providers must:
- Retain security logs for at least 12 months and implement centralized log collection from all systems that handle Amazon data.
- Ensure that logs capture event data that includes success/failure status, timestamps, user identities, access attempts, data changes, and system errors.
- Maintain log integrity through access controls and exclude PII unless required by legal or regulatory requirements.
- Deploy Security Information and Event Management (SIEM) systems or Intrusion Detection & Prevention Systems for threat detection.
- Review logs in real-time using automated analysis tools or conduct bi-weekly manual reviews to catch suspicious activities.
- Monitor all access channels, including service APIs, storage-layer APIs, administrative dashboards, and user interfaces.
- Deploy dark web monitoring services and data exfiltration detection systems to monitor for unauthorized data movement beyond protected boundaries.
- Monitor for multiple unauthorized API calls, unexpected request rates, and anomalies in access patterns.
- Document all monitoring alarm investigations in formal Incident Response Plans.
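The following is an added example, not code from Amazon or the SP-API documentation, of an automated log-review pass in Node.js that checks several of the points listed above over a constructed sample log: each event carries the required fields, PII has not leaked into log lines, and repeated authentication failures or an unexpected request rate from one principal are flagged for investigation. The log format (one JSON object per line with `ts`, `user`, `action` and `status` fields), the sample events and the thresholds are assumptions of the example.

```javascript
// Added example (not Amazon's or the SP-API documentation's own code): an
// automated review over access-log lines covering the DPP 2.6 points above.
// Line format, field names and thresholds are assumptions of this example.
const REQUIRED_FIELDS = ['ts', 'user', 'action', 'status'];
const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/;
const THRESHOLDS = { failuresPerUser: 5, requestsPerMinute: 100 };

// One JSON object per line; lines that do not parse are kept as findings
// rather than silently dropped, since gaps in logging are themselves a signal.
function parseLogLines(text) {
  const events = [];
  for (const line of text.split('\n')) {
    if (!line.trim()) continue;
    try { events.push(JSON.parse(line)); } catch (err) { events.push({ parseError: line }); }
  }
  return events;
}

// Returns an array of findings; nothing is printed so the result can be
// fed to a SIEM, a ticket, or a test.
function reviewLogs(events) {
  const findings = [];
  const failures = new Map();   // user -> failed-attempt count
  const perMinute = new Map();  // "user|minute" -> request count
  events.forEach((ev, i) => {
    if (ev.parseError !== undefined) { findings.push({ line: i + 1, type: 'unparseable' }); return; }
    const missing = REQUIRED_FIELDS.filter((f) => !(f in ev));
    if (missing.length) findings.push({ line: i + 1, type: 'missing-fields', detail: missing.join(',') });
    // PII must stay out of logs: flag an e-mail address in any string field.
    for (const [k, v] of Object.entries(ev)) {
      if (typeof v === 'string' && EMAIL_RE.test(v)) findings.push({ line: i + 1, type: 'pii-in-log', detail: k });
    }
    if (ev.status === 'failure' && ev.user) failures.set(ev.user, (failures.get(ev.user) || 0) + 1);
    if (ev.user && typeof ev.ts === 'string') {
      const key = `${ev.user}|${ev.ts.slice(0, 16)}`;  // ISO-8601 prefix down to the minute
      perMinute.set(key, (perMinute.get(key) || 0) + 1);
    }
  });
  for (const [user, n] of failures) {
    if (n >= THRESHOLDS.failuresPerUser) findings.push({ type: 'repeated-failures', detail: user, count: n });
  }
  for (const [key, n] of perMinute) {
    if (n > THRESHOLDS.requestsPerMinute) findings.push({ type: 'rate-spike', detail: key, count: n });
  }
  return findings;
}

// Constructed sample log: six failed logins from one service account, one
// line that leaks an e-mail address, one line missing its status field, a
// burst of 120 calls in one minute from a second account, and one bad line.
function sampleLog() {
  const lines = [];
  for (let i = 0; i < 6; i++) {
    lines.push(JSON.stringify({ ts: `2024-03-01T10:0${i}:00Z`, user: 'svc-reports', action: 'login', status: 'failure' }));
  }
  lines.push(JSON.stringify({ ts: '2024-03-01T10:07:00Z', user: 'ops-admin', action: 'getOrder', status: 'success', note: 'buyer jane@example.com asked' }));
  lines.push(JSON.stringify({ ts: '2024-03-01T10:08:00Z', user: 'ops-admin', action: 'getOrder' }));
  for (let i = 0; i < 120; i++) {
    lines.push(JSON.stringify({ ts: '2024-03-01T10:09:00Z', user: 'svc-sync', action: 'getOrders', status: 'success' }));
  }
  lines.push('not json at all');
  return lines.join('\n');
}
```

Running `reviewLogs(parseLogLines(sampleLog()))` yields five findings, one per planted problem; in a real deployment the same function would run continuously against centrally collected logs, and each finding would open the documented investigation the last bullet above requires.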
Incident management procedures
This control relates to section 1.6 Risk Management and Incident Response Plan of the DPP.
Poor incident management leads to extended data exposure, regulatory penalties, and reputation damage. Structured incident response procedures enable rapid containment and recovery.
Solution providers must:
- Maintain thorough incident response plans that are approved by senior management, reviewed every six months, and updated after major infrastructure changes or lessons learned.
- Include all standard incident response phases (preparation, identification, containment, eradication, recovery, lessons learned) with specific procedures for different incident types.
- Establish annual risk assessment and management processes reviewed by senior management and document roles, responsibilities, and decision-making authority for all team members.
- Designate an Incident Management Point of Contact (IMPOC) and maintain current IMPOC contact details.
- Maintain updated contact lists with clear internal escalation paths and notify Amazon at [email protected] within 24 hours of detecting security incidents.
- Establish procedures for notifying government agencies as required by law and create customer communication protocols for incident status updates.
Vulnerability management
This control relates to section 2.7 Vulnerability Management of the DPP.
Unpatched vulnerabilities create entry points that attackers exploit to compromise SP-API applications and access customer data. Systematic vulnerability identification and timely remediation prevent security breaches.
Solution providers must:
- Conduct vulnerability scanning at least every 30 days across all systems that process or store Amazon data.
- Perform annual penetration testing using qualified security professionals or third-party firms and scan application code prior to each software release.
- Test both external-facing infrastructure and internal systems with professional tools and methodologies.
- Remediate critical risk vulnerabilities within 7 days and high-risk vulnerabilities within 30 days of discovery.
- Review AWS Penetration Testing guidance before testing AWS services.
- Maintain geographically separated secondary/backup sites with defined Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO).
Third-party risk management controls
Prevent risks associated with third-party subcontractors and vendors.
This control relates to section 2.8 Subcontractors of the DPP.
Third-party vendors with inadequate security practices can compromise SP-API applications and customer data. Proper risk assessment ensures these parties maintain security standards.
Solution providers must:
- Conduct annual risk assessments of all vendors and subcontractors before granting access to Amazon data.
Key takeaways and next steps
- Implement the ten essential security controls outlined in this guide to achieve compliance with Amazon's Data Protection Policy and maintain SP-API access.
- Prioritize critical response requirements including 24-hour incident notification, 7-day critical vulnerability remediation, and 30-day PII deletion to avoid compliance violations.
- Establish robust third-party risk management programs.
- Review your current security posture against these controls and develop a formal implementation plan with assigned responsibilities and timelines.
- Regularly review and update your security controls to address evolving threats and policy requirements.
- Consult the latest version of the Data Protection Policy and Acceptable Use Policy for the most up-to-date compliance requirements.
Notices
Amazon sellers and Solution providers are responsible for making their own independent assessment of the information in this document. This document: (a) is for informational purposes only, (b) represents current practices, which are subject to change without notice, and (c) does not create any commitments or assurances from Amazon.com Services LLC (Amazon) and its affiliates, suppliers, or licensors. Amazon Selling Partner API (Amazon SP-API) products or services are provided "as is" without warranties, representations, or conditions of any kind, whether express or implied. The responsibilities and liabilities of Amazon regarding SP-API and Seller Central are controlled by Amazon's agreements (including the Amazon Selling Partner API Developer Agreement or the Amazon Selling Partner API License Agreement), and this document is not part of, nor does it modify, any agreement between Amazon and any party.
