Security Objectives

  • Protect confidentiality, integrity, and availability of company information assets.
  • Protect Amazon Information and customer PII from unauthorized access, use, disclosure, alteration, or destruction.
  • Maintain evidence sufficient for Amazon review, customer trust, legal compliance, and incident investigation.
  • Reduce operational risk through documented controls, training, monitoring, and continuous improvement.

Information Security Governance

The Compliance & Security Officer is responsible for maintaining this policy, coordinating security controls, assigning control owners, reviewing exceptions, and reporting material risks to management.

Asset Management

  • Maintain an inventory of systems, devices, applications, cloud accounts, databases, repositories, domains, and vendors that store or process Restricted Data.
  • Assign an owner to each asset.
  • Classify data as Public, Internal, Confidential, Restricted, or Amazon Information.
  • Review the asset inventory at least annually and after material changes.

Credential and Secret Management

  • Credentials, API keys, LWA tokens, database passwords, SSH keys, and encryption keys must not be hardcoded in source code.
  • Secrets must be stored in approved secret management tools or encrypted configuration stores.
  • SP-API/LWA credentials must be rotated at least every 180 days, upon employee departure where relevant, and immediately after suspected compromise.
  • Repository secret scanning must be performed before deployment and during periodic reviews.

Endpoint and Malware Protection

  • Company-managed computers must use supported operating systems, security updates, screen lock, anti-malware where applicable, and disk encryption where feasible.
  • Personal devices must not store Amazon Information unless approved and protected by equivalent controls.
  • USB and removable storage use for Restricted Data is prohibited unless explicitly approved and encrypted.

Network Security

  • Administrative interfaces must be restricted by MFA, strong authentication, IP controls, VPN, zero-trust access, or equivalent controls.
  • Firewalls and security groups must allow only necessary traffic.
  • Default passwords, unused accounts, exposed management ports, and obsolete protocols must be disabled.
  • External endpoints must support HTTPS and valid certificates.

Vulnerability and Patch Management

  • Systems and applications must be patched on a risk-prioritized basis.
  • Critical vulnerabilities should be remediated within 7 days and high vulnerabilities within 30 days when technically feasible.
  • Exceptions require written risk acceptance, compensating controls, and a target remediation date.
  • Vulnerability scans and dependency checks should be retained as evidence.

Backup and Recovery

  • Business-critical data must be backed up at a frequency appropriate to its operational importance.
  • Backups containing Restricted Data must be encrypted and access-controlled.
  • Restore tests should be performed at least annually.
  • Backups must follow retention and deletion requirements.

Security Awareness

  • Personnel must receive onboarding and annual training covering phishing, passwords, MFA, PII handling, Amazon Information, incident reporting, acceptable use, and confidentiality.
  • Personnel must report suspected incidents immediately.

Policy Review

This Information Security Policy must be reviewed at least annually by the Compliance & Security Officer and updated for new Amazon roles, new systems, new vendors, or material changes.