Information Security Policy
Security Objectives
- Protect confidentiality, integrity, and availability of company information assets.
- Protect Amazon Information and customer PII from unauthorized access, use, disclosure, alteration, or destruction.
- Maintain evidence sufficient for Amazon review, customer trust, legal compliance, and incident investigation.
- Reduce operational risk through documented controls, training, monitoring, and continuous improvement.
Information Security Governance
The Compliance & Security Officer is responsible for maintaining this policy, coordinating security controls, assigning control owners, reviewing exceptions, and reporting material risks to management.
Asset Management
- Maintain an inventory of systems, devices, applications, cloud accounts, databases, repositories, domains, and vendors that store or process Restricted Data.
- Assign an owner to each asset.
- Classify data as Public, Internal, Confidential, Restricted, or Amazon Information.
- Review the asset inventory at least annually and after material changes.
Credential and Secret Management
- Credentials, API keys, LWA tokens, database passwords, SSH keys, and encryption keys must not be hardcoded in source code.
- Secrets must be stored in approved secret management tools or encrypted configuration stores.
- SP-API/LWA credentials must be rotated at least every 180 days, upon employee departure where relevant, and immediately after suspected compromise.
- Repository secret scanning must be performed before deployment and during periodic reviews.
Endpoint and Malware Protection
- Company-managed computers must use supported operating systems, security updates, screen lock, anti-malware where applicable, and disk encryption where feasible.
- Personal devices must not store Amazon Information unless approved and protected by equivalent controls.
- USB and removable storage use for Restricted Data is prohibited unless explicitly approved and encrypted.
Network Security
- Administrative interfaces must be restricted by MFA, strong authentication, IP controls, VPN, zero-trust access, or equivalent controls.
- Firewalls and security groups must allow only necessary traffic.
- Default passwords, unused accounts, exposed management ports, and obsolete protocols must be disabled.
- External endpoints must support HTTPS and valid certificates.
Vulnerability and Patch Management
- Systems and applications must be patched on a risk-prioritized basis.
- Critical vulnerabilities should be remediated within 7 days and high vulnerabilities within 30 days when technically feasible.
- Exceptions require written risk acceptance, compensating controls, and a target remediation date.
- Vulnerability scans and dependency checks should be retained as evidence.
Backup and Recovery
- Business-critical data must be backed up at a frequency appropriate to its operational importance.
- Backups containing Restricted Data must be encrypted and access-controlled.
- Restore tests should be performed at least annually.
- Backups must follow retention and deletion requirements.
Security Awareness
- Personnel must receive onboarding and annual training covering phishing, passwords, MFA, PII handling, Amazon Information, incident reporting, acceptable use, and confidentiality.
- Personnel must report suspected incidents immediately.
Policy Review
This Information Security Policy must be reviewed at least annually by the Compliance & Security Officer and updated for new Amazon roles, new systems, new vendors, or material changes.