SP-API Guard FAQ

Amazon Selling Partner API Guard FAQ

General

How is Selling Partner API Guard different from existing AWS security services and other third party tools?

Selling Partner API Guard checks your controls in the context of Amazon's Data Protection Policy. It is not designed to replace other security services you are currently using for purposes other than Selling Partner API compliance.

What are the benefits of using Selling Partner API Guard?

  • Time savings - Selling Partner API Guard maps your controls to policy requirements, which means that you don’t need to manually collect documentation and screenshots. It also recommends remediation steps so that you can quickly revise your architecture.

  • Control over your assessments - For every scan, you can choose whether or not to share your findings report with Amazon. Selling Partner API Guard gives you full ownership to continuously assess and manage your security.

  • Support - The Selling Partner API Team offers you Solution Architect support for remediation and Developer Support in troubleshooting so that you can focus on growing your business.

What if I’m not currently using some of the AWS services that Selling Partner API Guard scans?

Selling Partner API Guard will enable necessary underlying AWS services in order to perform scans. After the scans are complete (24 hours), Selling Partner API Guard will automatically turn off any services that were activated for the scan.

Will Selling Partner API Guard affect my existing AWS services?

No, the AWS services that you already use will not be affected. Selling Partner API Guard will perform scans independently of your current setup, and will not alter any existing configurations.

How does Selling Partner API Guard protect my company’s confidential data?

Selling Partner API Guard follows the principle of least privilege by collecting only the data that is necessary to set up the tool, including account information and the IAM roles used to grant a trust relationship. Selling Partner API Guard findings reports contain information about the type and severity of each security risk, the policy reference, and remediation recommendations. Selling Partner API Guard also collects operational information necessary to improve its scan rules, such as error rates. However, it does not collect data about the specific tools within your environment or your proprietary information itself, nor does it share that information with Amazon.

How do I submit a feature request?

You can open a support case with Developer Support.

Troubleshooting

How do I manually clean up the Selling Partner API Guard EC2 Command Line Interface?

  1. Sign in to the AWS CloudFormation console.
  2. Navigate to the Amazon EC2 console.
  3. Select the EC2 instance.
  4. Choose Delete.
  5. Delete the Security Group associated with the name GuardSecurityGroup.
  6. Delete the VPC associated with GuardCLI tags. For more information, refer to Delete your VPC in the Amazon Virtual Private Cloud User Guide.

Why am I not receiving emails from Selling Partner API Guard?

You might not receive an email because of your email filtering policies or because of a problem with Amazon SNS delivery.

You can expect Selling Partner API Guard to send the following emails during its lifecycle:

  1. Subscription confirmation: This email is sent after the AWS CloudFormation stack is deployed. It prompts you to confirm your subscription to Selling Partner API Guard in order to receive follow-up email notifications.

  2. Amazon EC2 instance provisioning: After confirming your subscription, Selling Partner API Guard sends an email with a link that automates the provisioning of the Amazon EC2 CLI, which is used to run Selling Partner API Guard commands. This email arrives in approximately 15 minutes. If you do not receive this email, you can use the following manual approach as a workaround:

  3. Report summary: This email is sent after the successful completion of a scan. It includes an Amazon S3 link to the scan's output. Alternatively, you can find the Amazon S3 bucket name on the Resources tab of the stack in the AWS CloudFormation console. The stack name will be Selling-Partner-API-Guard-Stack and the Amazon S3 bucket name will use the following naming convention: StackName-GuardReportStorageBucket-. For example, selling-partner-api-guard-guardreportstoragebucket-sghhktaxvjjk.

Amazon EC2 CLI instance creation failed. How should I proceed with installation?

Use the following steps to troubleshoot known issues for failures during Amazon EC2 client instance creation.

VPC creation failures

VPC failures can occur if the default maximum number of VPCs in an AWS account (5) is exceeded. If you are creating more than five VPCs, you must use the following steps to increase your quota before proceeding.

  1. Sign in to the AWS Console.

  2. Navigate to Service Quotas, then choose VPC Limits.

  3. Choose Request quota increase.

  4. Increase the quota value by one.

  5. Choose Request. The limit increase will be auto-approved within 15 minutes.

  6. After the limit increase request is approved, clean up the Selling Partner API Guard resources.

  7. Delete the AWS CloudFormation stack.

  8. Re-install Selling Partner API Guard.

For additional information on VPC Quotas, refer to Amazon VPC quotas in the Amazon Virtual Private Cloud documentation.

Internet Gateway failures

Internet Gateway failures can occur if the default maximum number of Internet Gateways in an AWS account (5) is exceeded. If you are creating more than five Internet Gateways, you must use the following steps to increase your quota before proceeding.

  1. Sign in to the AWS Console.

  2. Navigate to Service Quotas, then choose Internet Gateway limits.

  3. Choose Request quota increase.

  4. Increase the quota value by one.

  5. Choose Request. The limit increase will be auto-approved within 15 minutes.

  6. After the limit increase request is approved, clean up the Selling Partner API Guard resources.

  7. Delete the AWS CloudFormation stack.

  8. Re-install Selling Partner API Guard.

Amazon EBS encryption failure on the Amazon EC2 instance

Selling Partner API Guard creates an Amazon EC2 instance that enables Amazon EBS encryption. However, if you previously enabled Amazon EBS encryption with a custom KMS key, then the KMS key policy might not have the necessary permissions to allow Selling Partner API Guard to encrypt the Amazon EC2 instance volume.

Use the following steps to add the KMS key policy statement below to the custom KMS key that is used for EBS encryption by default.

  1. Sign in to the AWS CloudFormation Console.

  2. Search for Selling-Partner-API-Guard-Stack.

  3. Choose Resources, then search for IAM Role with Logical ID - LambdaCustomExecutionRole95EB5515.

  4. Copy the ARN of that IAM role and replace <LAMBDA_IAM_ROLE_ARN_CREATED_BY_GUARD> in the following statement, keeping the surrounding quotes so that the key policy remains valid JSON.

    {
      "Sid": "Allow Guard Execution Role use of the customer managed key",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "<LAMBDA_IAM_ROLE_ARN_CREATED_BY_GUARD>"
        ]
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey",
        "kms:CreateGrant",
        "kms:RetireGrant"
      ],
      "Resource": "*"
    }

  5. Create the Amazon EC2 instance.

    1. Sign in to your AWS account.
    2. Choose the following Amazon EventBridge link: https://console.aws.amazon.com/events/home?/eventbus/default/rules/GuardEc2InstanceCreationScheduleRule
    3. Choose Enable.
    4. Open the Amazon EC2 instance link sent via email notification.
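The following script is an added example and is not part of the Selling Partner API Guard tooling or documentation. It shows how to verify, before re-running the instance creation, whether a customer managed key's policy already grants the Guard execution role the actions listed in the statement above, and how to add that statement idempotently when it does not. It works on the key policy as a JSON document, which is what `aws kms get-key-policy --policy-name default` returns and what `aws kms put-key-policy` accepts; the sample key policy and the role ARN below are constructed placeholders, and the action matcher is a simplified one that ignores Deny statements, conditions and NotAction.

```python
"""Check a KMS key policy for the Guard execution role and patch it if needed.

Added example, not part of the SP-API Guard tooling. Operates on the key
policy JSON text; the policy and role ARN below are constructed samples.
"""
import json

# Actions from the FAQ's key policy statement.
REQUIRED_ACTIONS = [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*",
    "kms:DescribeKey",
    "kms:CreateGrant",
    "kms:RetireGrant",
]

# Constructed sample: the default key policy of a customer managed key, which
# only delegates to the account root and says nothing about the Guard role.
SAMPLE_KEY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Id": "key-default-1",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
            "Action": "kms:*",
            "Resource": "*",
        }
    ],
})

# Constructed placeholder; in practice copy the ARN from the stack's Resources tab.
SAMPLE_ROLE_ARN = (
    "arn:aws:iam::111122223333:role/"
    "Selling-Partner-API-Guard-Stack-LambdaCustomExecutionRole-EXAMPLE"
)


def _as_list(value):
    """IAM policy fields may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """Match an IAM action pattern ('kms:*', 'kms:ReEncrypt*') against an action.

    Simplified: case-insensitive, trailing-wildcard only.
    """
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return action.lower().startswith(pattern[:-1].lower())
    return pattern.lower() == action.lower()


def missing_actions(policy_json, role_arn):
    """Return the required actions that no Allow statement grants to role_arn.

    Only Allow statements naming the role (or '*') as an AWS principal count;
    Deny statements, conditions and NotAction are ignored in this check.
    """
    policy = json.loads(policy_json)
    granted = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        principals = (_as_list(principal.get("AWS")) if isinstance(principal, dict)
                      else _as_list(principal))
        if role_arn not in principals and "*" not in principals:
            continue
        for pattern in _as_list(stmt.get("Action")):
            for required in REQUIRED_ACTIONS:
                if _action_matches(pattern, required):
                    granted.add(required)
    return [a for a in REQUIRED_ACTIONS if a not in granted]


def grant_guard_role(policy_json, role_arn,
                     sid="Allow Guard Execution Role use of the customer managed key"):
    """Return policy JSON with the FAQ's statement added for role_arn.

    Idempotent: if the role already has every required action the input is
    returned unchanged; an existing statement with the same Sid is replaced.
    """
    if not missing_actions(policy_json, role_arn):
        return policy_json
    policy = json.loads(policy_json)
    statements = [s for s in _as_list(policy.get("Statement")) if s.get("Sid") != sid]
    statements.append({
        "Sid": sid,
        "Effect": "Allow",
        "Principal": {"AWS": [role_arn]},
        "Action": list(REQUIRED_ACTIONS),
        "Resource": "*",
    })
    policy["Statement"] = statements
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    print("missing before:", missing_actions(SAMPLE_KEY_POLICY, SAMPLE_ROLE_ARN))
    patched = grant_guard_role(SAMPLE_KEY_POLICY, SAMPLE_ROLE_ARN)
    print("missing after:", missing_actions(patched, SAMPLE_ROLE_ARN))
    print(patched)
```

Running it against the constructed default policy reports all seven actions as missing for the role, and the patched policy reports none. Because `grant_guard_role` returns the input unchanged once the role is covered, it is safe to run repeatedly, for example after every stack re-install, without accumulating duplicate statements in the key policy.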

Where can I get technical support for Selling Partner API Guard?

You can open a support case with Developer Support.