Automated Guard Deployment
Deploy Amazon Selling Partner API Guard.
Use the following steps to deploy Selling Partner API Guard on AWS. Before you launch Selling Partner API Guard, review the Cost, Architecture overview, Security, and other considerations discussed in this guide.
Time to deploy: Approximately 25 minutes
Prerequisites
- Sign in to Amazon Seller Central account.
- Sign in to your AWS account.
- Identify the AWS partition to test Selling Partner API Guard. Selling Partner API Guard supports AWS and AWS-CN.
- Choose a valid email address for reports and notifications.
Step 1. Launch the stack
This automated AWS CloudFormation template deploys Selling Partner API Guard in the AWS Cloud. You must complete the prerequisites before launching the stack.
Note
You are responsible for the cost of the AWS services used while running Selling Partner API Guard. For more details, visit the Cost section in this guide, and refer to the pricing webpage for each AWS service.
-
Sign in to Seller Central.
-
From the top-left menu, choose Apps and Services.
-
Choose Develop Apps.
-
Select the *Selling Partner API Guard** link.
-
Choose Get Started to launch the
CloudFormation
template in the AWS Console. -
Review the following template parameters and modify them as necessary.
Parameter Default Description Stack name
Selling-Partner-API-Guard-Stack
Stack name associated with the CloudFormation
stack. This field cannot be changed.Developer email
<Requires input> Email address which will receive Selling Partner API Guard setup-related emails and generated reports. Merchant token
<Requires input> Unique merchant token for a Seller Central account. This value can be fetched from the Merchant Token information on the Seller Central Account Info page. -
On the Review page, review and confirm the settings.
-
Select the box acknowledging that AWS
CloudFormation
might create IAM resources. -
Choose Create stack to deploy the stack.
You can view the status of the stack in the AWS CloudFormation
console in the Status column.
Step 2. Complete the Selling Partner API Guard EC2 CLI setup
Important
You will receive two emails containing communication from Selling Partner API Guard. You can verify the authenticity of the email by matching the AWS account ID from the emails to the account ID for the AWS account that is performing the installation.
After the AWS CloudFormation
stack deploys, you will receive an email prompting you to confirm your subscription to Selling Partner API Guard. This email should arrive within 10 minutes.
-
Open the first emailed link to confirm your subscription.
After confirming your subscription, you will receive a second email with a link that automates the provision of the
Amazon EC2 CLI
, which is an endpoint for running Selling Partner API Guard commands. This email should arrive within 15 minutes. -
Open the second emailed link to launch Session Manager.
-
Run the following command to navigate to the directory:
cd GuardCli/
-
Run the following command to enable AWS Security services:
sudo ./guardcli enable_services
-
Choose Yes or No to enable the following Scan Rules:
- Scan your S3 buckets for unencrypted PII data (Amazon Macie)
- Scan your AWS account for possible malicious activity and DPP requirements (Amazon GuardDuty)
- Scan the IAM roles your AWS account that are shared with an external entity to understand if those are intended (IAM Access Analyzer)
- Scan your EC2 instances for unintended network vulnerabilities (Amazon Inspector)
Note
Selling Partner API Guard will not make modifications to your prior configurations.
Step 3. Invoke Selling Partner API Guard and generate a security report
-
Run the following command to invoke Lambda handlers to complete the scan:
sudo ./guardcli start_scan
-
Choose Yes to share report findings with Amazon. This option allows the Selling Partner API team to receive the same report that you receive. Alternatively, you can use the following command to share findings with Amazon within 30 days of the scan.
sudo ./guardcli report_to_amazon
-
A report is generated after 24 hours. The report is emailed to the email provided in the stack parameters and is stored in the Amazon S3 bucket created by the
CloudFormation
stack.Selling Partner API Guard automatically disables the AWS Security Services triggered in the scan. It also automatically deletes the Amazon EC2 instance and VPC after 30 days. You have the option to delete these resources immediately after receiving the report. For more information, refer to the Uninstall Amazon Selling Partner API Guard section of this guide.
Updated 4 months ago