
AMAZON VENDOR SECURITY POLICY

Subject to change as set forth below. Save a copy of this version as needed for your internal records.

Last updated: September 11, 2024

1. SCOPE. Supplier will comply with these security requirements (the “Security Policy”). This Security Policy does not limit any of Supplier’s other contractual or legal obligations. To the extent there is a conflict between this Security Policy and other agreements between Supplier and Amazon, Supplier will comply with the more restrictive requirements that better protect Amazon Information. Any references in other agreements between Supplier and Amazon to the Third Party Security Requirements will be construed to be references to this Security Policy.
2. UPDATES. 
2.1 Amazon may make commercially reasonable updates to this Security Policy from time to time, which will become effective 30 days after the “Last updated” date of this Security Policy. Supplier agrees to be bound by the updated Security Policy once the updates come into effect.
2.2 If Supplier wants to receive advance notice of these updates before they become effective, Supplier may subscribe to receive update notices using the subscription form provided on this Security Policy webpage. Supplier will ensure that all Supplier contact information provided for the update notice subscription is up-to-date and accurate at all times. Supplier will be deemed to have received any update notice when it is sent via email, regardless of whether or not Supplier actually receives the update notice. 
3. PERMITTED PURPOSE.
3.1 Express Authorization. Supplier may Process only the Amazon Information expressly authorized under the Agreement and solely for the purpose of providing the products or services under the Agreement (the “Permitted Purpose”).
3.2 Data Retention. Supplier will retain Amazon Information only for the purpose of, and as long as is necessary for, the Permitted Purpose.
3.3 Express Limitations. Supplier will not otherwise: (a) Process any Amazon Information, even if Anonymized; (b) transfer, rent, barter, trade, sell, loan, lease, or otherwise distribute or make available to any third-party, any Amazon Information, even if Anonymized; or (c) develop, train, or improve any Artificial Intelligence (AI) or Machine Learning (ML) models using Amazon Information, even if Anonymized.
4. MINIMUM SECURITY REQUIREMENTS. Supplier will maintain physical, administrative, and technical safeguards consistent with industry best practices (including the International Organization for Standardization’s (“ISO”) standards 27001 and 27002, the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework, or other similar standards). The safeguards maintained by Supplier will include the minimum requirements described below in Sections 4.1 – 4.18.
4.1 Written Information Security Program. Supplier will have a written information security program that: (a) includes appropriate policies, procedures, and standards that meet the requirements set out in this Security Policy; (b) designates a security point of contact who is responsible for communicating and managing security issues (including Security Incidents); (c) is reviewed at least annually and updated as necessary; and (d) applies to Personnel. Supplier will monitor and enforce its information security program and address violations.
4.2 Patch Management. Supplier will keep Covered Information Systems up-to-date with the latest upgrades, updates, bug fixes, and new versions. Supplier will implement mitigations for unpatchable assets.
4.3 Logging.  Supplier will collect, manage, and retain audit, event, and security logs, including: (a) log data about all use (both authorized and unauthorized) of Amazon’s accounts or credentials provided to Supplier for a Permitted Purpose, and (b) log data about any impersonation of, or attempt to impersonate, Amazon personnel or Personnel that have access to Amazon Information or Covered Information Systems. Such logs will contain sufficient data to identify as to each logged event: (i) the Personnel or account initiating the event, (ii) the time of the event, and (iii) the system, data, or other resource impacted. Supplier will regularly analyze such logs to help detect, investigate, and recover from unauthorized activity.
4.4 Malware Defenses.  Supplier will (a) deploy anti-malware software or an equivalent security control to all Covered Information Systems; (b) maintain the anti-malware software's or equivalent security control's updates, signatures, and configurations; and (c) configure systems to detect, prevent, and remediate the installation, spread, and execution of malicious or unauthorized code.
4.5 Risk Management Program.  Supplier will have a written information security risk management program, which defines processes for risk analysis, risk treatment, risk acceptance, and exceptions. 
4.6 Security Awareness Training.  Supplier will provide training on information security and data privacy to Personnel upon hire and at least annually thereafter. Supplier will also ensure that Personnel are timely informed of updates to Supplier's security and data privacy policies.
4.7 Data Inventory.  Supplier will document and maintain information regarding (a) what Amazon Information it is Processing and (b) how and where that Amazon Information is Processed (e.g., in an up-to-date architecture diagram). Upon Amazon’s request, Supplier will provide this information to Amazon.
4.8 Security Testing.
4.8.1 Supplier will perform annual testing to ensure they meet the requirements of this Security Policy.
4.8.2 Supplier will perform penetration testing of Supplier’s security defenses at least annually. The penetration testing will include: (a) testing from inside and outside of Supplier’s network, (b) social engineering (e.g., phishing simulations), and (c) security testing for wireless networks. Supplier will address identified vulnerabilities as part of its vulnerability management program. Upon Amazon’s request, Supplier will provide to Amazon the results of such penetration testing and vulnerability remediation. 
4.9 Network Security.  Supplier will protect Covered Information Systems by restricting unauthorized network access, especially from external networks. Supplier will maintain and configure firewalls or other equivalent security controls to protect systems from unauthorized access and will review firewall rule sets at least annually to ensure valid, documented business cases exist for all rules.
4.10 Suitable Environment. Supplier will only Process Amazon Information in an environment suitable to its purpose and will not Process Amazon Information in a test environment, unless permitted under the Agreement.
4.11 Encryption. Supplier will encrypt all Amazon Information at rest and in transit across external networks in accordance with industry best practices. If Amazon Information is transmitted on internal Supplier networks, it will be transmitted through an encrypted protocol that meets industry best practices. Supplier will manage and secure encryption keys in accordance with industry best practices.
4.12 Controlled Use of Administrative Privileges. Supplier will manage administrative functions in accordance with the NIST Cybersecurity Framework or ISO 27002. Supplier will, at a minimum, separate administrative accounts from standard accounts and restrict administrative accounts to only those capabilities necessary to perform administrative functions. Supplier will log all administrative account actions in a manner attributable to an individual user. Administrative capabilities provided to a standard account will be on a least-privilege basis and logged in a manner attributable to an individual user. 
4.13 Access Control.
4.13.1 Unique IDs.  Supplier will assign individual, unique IDs to Personnel with access to Amazon Information or Covered Information Systems, including accounts with administrative access.
4.13.2 “Need To Know” Only.  Supplier will restrict access to Amazon Information and Covered Information Systems to only Personnel with a “need-to-know” for a Permitted Purpose.
4.13.3 User Access Review.  Supplier will, at least once every 90 days, review the list of Personnel and services with access to Amazon Information and Covered Information Systems, and remove access from accounts that no longer require it.
4.13.4 Single Sign-On (SSO).  Any Supplier services that require Amazon personnel authentication must integrate with an Amazon identity provider (e.g., Amazon Federate) to provide such authentication. Such services must not use Supplier-provided or Supplier-managed credentials for authentication. 
4.14 Password Management. 
4.14.1 Strong Passwords.  Supplier will not use manufacturer-supplied defaults for system passwords and other security parameters on any Covered Information Systems. Supplier will mandate and ensure the use of system-enforced “strong passwords” in accordance with the best practices described in NIST SP 800-63B on all Covered Information Systems. Supplier will require that all passwords and access credentials are kept confidential and not shared among Personnel.
4.14.2 Lockout.  Supplier will maintain and enforce “account lockout” by disabling accounts with access to Amazon Information or Covered Information Systems when an account exceeds no more than ten (10) consecutive incorrect password attempts.
4.15 Remote Access; Multi-Factor Authentication. Supplier will implement multi-factor authentication (i.e., requiring at least two factors to authenticate a user) for remote access to any Supplier network, system, application, or other asset.
4.16 “In Bulk” Access.  For purposes of this section, “in bulk” access means accessing data by means of database query, report generation, or any other mass transfer of data.
4.16.1 Except as expressly set forth in the Agreement or otherwise by Amazon in writing, Supplier will not access, and will not permit access to, Amazon Information “in bulk” whether Amazon Information is in an Amazon- or Supplier-controlled database or stored using any other method, including storage in file-based archives (e.g., flat files).
4.16.2 Where Amazon authorizes “in bulk” access, Supplier will: (a) limit such access only to specified Personnel with a “need to know”, and (b) require explicit authorization and logging of such access in accordance with the requirements of Section 4.3. Upon Amazon’s request in coordination with Section 10 security reviews or Section 11 Security Incidents, Supplier will provide to Amazon all logs on “in-bulk” access referenced in this section.
4.17 Data Segregation. Supplier will physically or logically segregate Amazon Information from Supplier’s and any third-party’s information at all times. If segregation is not possible, Supplier will ensure that Amazon Information is distinguishable from other information for logging, deletion, and incident response purposes.
4.18 Supplier Personnel Security. 
4.18.1 Supplier will take all reasonable precautions to ensure that Personnel granted access to Amazon Information will maintain its confidentiality and use it only for a Permitted Purpose. These precautions must include imposing confidentiality requirements through a nondisclosure agreement or Supplier policy.
4.18.2 For any Personnel that (a) no longer needs access to Amazon Information or (b) no longer qualifies as Supplier Personnel, Supplier will terminate access to Amazon Information and Covered Information Systems within 24 hours. If any Personnel retain access to Amazon Information or Covered Information Systems more than 24 hours after either (a) or (b) occur, Supplier will notify Amazon of this continued access within 24 hours of Supplier becoming aware of it by emailing security@amazon.com.
5. PAYMENT SECURITY REQUIREMENTS. If Supplier has access to or will Process payment cardholder data, Supplier will comply with the latest version of the Payment Card Industry Data Security Standard (PCI DSS).
6. SUBCONTRACTORS.
6.1 Supplier will not subcontract or delegate any of its obligations under this Security Policy to any third party (collectively, “Subcontractors”) without Amazon’s prior written consent. Notwithstanding the existence or terms of any subcontract or delegation, Supplier will remain responsible for the full performance of its obligations under this Security Policy. The terms and conditions of this Security Policy will be binding upon Supplier’s Subcontractors and Subcontractors’ Personnel.
6.2 If Supplier uses any Subcontractor Covered Information Systems, Supplier will perform a security review of the Subcontractor Covered Information Systems and their security controls and will, upon Amazon's request, provide Amazon with periodic reporting about the Subcontractor Covered Information Systems’ security controls in the format requested by Amazon (e.g., Statement on Standards for Attestation Engagements no. 16 (SSAE 16)). 
7. ACCESS TO AMAZON-MANAGED INFORMATION SYSTEMS. Amazon may grant Supplier the right to Process Amazon Information via web portals or other non-public websites or extranets (each, an “Amazon-Managed Information System”) only for the Permitted Purpose. If Amazon permits Supplier to Process any Amazon Information using an Amazon-Managed Information System, Supplier and its Personnel must comply with the following requirements:
7.1 Accounts. Supplier will ensure that Supplier Personnel use only the Amazon-Managed Information System account(s) that Amazon designated for each individual and will require Supplier Personnel to keep their access credentials confidential and not share them.
7.2 Systems.  Supplier and its Personnel will use Amazon-Managed Information Systems only through computing or processing systems or applications (a) running operating systems managed by Supplier and that use full disk encryption, and (b) meet the requirements of Sections 4.2 (Patch management), 4.4 (Malware defenses), and 4.9 (Network security).
7.3 Restrictions.  Unless approved in advance in writing by Amazon, Supplier and its Personnel will not download, mirror, or permanently store any Amazon Information from any Amazon-Managed Information System on any medium.
7.4 Account Termination. For any Personnel that (a) no longer needs access to the Amazon-Managed Information System or (b) no longer qualifies as Supplier Personnel (e.g., the individual leaves Supplier’s employment), Supplier will immediately (within a maximum of 24 hours) terminate such Personnel's access to the Amazon-Managed Information System or notify Amazon to remove such access.
8. AMAZON DOMAINS OR URLS.  Any domain or URL that Supplier provides for Amazon’s sole use must not be issued by Supplier to, or re-used by, any third party for at least 5 years after termination of the Agreement.
9. DATA RETURN AND DELETION; MEDIA FORENSIC DESTRUCTION.
9.1 Data Return and Deletion. Upon Amazon’s request, Supplier will promptly (but within no more than 72 hours) return to Amazon and permanently and securely delete all Amazon Information in accordance with Amazon’s notice requiring return and/or deletion. Supplier will also permanently and securely delete all live (online or network accessible) instances of the Amazon Information within 30 days after the earlier of completion of the Permitted Purpose or termination or expiration of the Agreement. If requested by Amazon, Supplier will certify in writing that all Amazon Information has been deleted. For clarity, this section will not apply to Archival Copies pursuant to Section 9.3.
9.2 Data Sanitization. All Amazon Information deleted by Supplier will be deleted in accordance with the Minimum Sanitization Recommendations contained in NIST SP 800-88 Revision 1, Guidelines for Media Sanitization (December 18, 2014, Appendix A) for purging the relevant type of device. In the absence of guidance in NIST SP 800-88 for the relevant type of device, Supplier will destroy the device containing Amazon Information in one of the following ways: (a) purging as defined in NIST SP 800-88, (b) destroying as defined in NIST SP 800-88, or (c) through such other standards Amazon may require based on the classification and sensitivity of the Amazon Information.
9.3 Archival Copies. If Supplier is required by law to retain archival copies of Amazon Information, Supplier will not use archived Amazon Information for any other purpose and will remain bound by all its obligations under this Security Policy. Any archived Amazon Information must be encrypted and stored where the Covered Information System hosting or storing the encrypted Amazon Information does not have access to a copy of the key(s) used for encryption. Any offline or “cold” (i.e., not available for immediate or interactive use) backup must be stored in a physically secure facility.
9.4 Media Forensic Destruction. Before disposing of any hardware, software, or any other media that contains, or has at any time contained, Amazon Information, Supplier will perform a complete forensic destruction of the hardware, software, or other media in accordance with NIST SP 800-88, Appendix A. This destruction requirement will not apply to storage media to which Supplier does not have physical access or control. In such cases, Supplier will ensure that Amazon Information is securely deleted when no longer needed following industry best practices.

9.4.1 Unless Supplier receives express advance written consent from Amazon, Supplier will not sell, resell, donate, refurbish, or otherwise transfer any hardware, software, or other media that has at any time contained Amazon Information unless it has been forensically destroyed in accordance with this Section.

10. SECURITY REVIEWS.  Upon Amazon’s request, Supplier will: (a) complete an Amazon risk assessment, (b) provide evidence requested by Amazon to validate Supplier’s compliance with this Security Policy, (c) permit Amazon or a third party appointed on its behalf to perform a review of Supplier’s compliance with this Security Policy, and/or (d) provide to Amazon all logs referenced in Section 4.3 in the Open Cybersecurity Schema Framework (OCSF) format. If Supplier requires that any evidence be reviewed in person or in an on-site inspection rather than providing such evidence for Amazon’s review remotely, Supplier will bear the cost of travel and other expenses related to such on-site inspection. If any assessment or review identifies any findings, Supplier will, at Supplier’s sole cost and expense, promptly take all reasonable actions necessary to remediate those findings to Amazon’s reasonable satisfaction and within an agreed-upon timeframe.
11. SECURITY INCIDENTS.
11.1 Security Incident Notice.  Supplier will notify Amazon as soon as possible, but no later than 24 hours after Supplier knows or reasonably believes there has been unauthorized access, collection, acquisition, use, transmission, disclosure, corruption, or loss of Amazon Information or a Covered Information System (a “Security Incident”). Supplier will send Security Incident notifications to security@amazon.com.
11.2 Incident Response Plan. Supplier will maintain a written incident response plan and provide a copy of it to Amazon upon request. Supplier will remedy each Security Incident in a timely manner following Supplier’s written incident response plan and industry best practices. Supplier will review, test, and (if needed) update the plan at least annually.
11.3 Cooperation With Amazon.  Supplier will (a) assist Amazon’s investigation of the Security Incident; (b) facilitate interviews with Personnel and others involved in the Security Incident or response; (c) keep written details of Supplier's Security Incident investigation and response; and (d) make available to Amazon all relevant records, logs, files, data reporting, forensic reports, investigation reports, and other materials requested by Amazon. 
11.4 Third-Party Notifications. Unless required otherwise by law, Supplier will obtain Amazon’s prior written consent before: (a) notifying any third party (including any regulatory authority or customer) of any Security Incident; or (b) identifying Amazon in any notification or public statement regarding any Security Incident. Unless required otherwise by law, Amazon will have the right to determine whether notice of a Security Incident is to be provided to any third party and the form, timing, and content of such notice.
12. NOTICE OF LEGAL PROCESS. Except where prohibited by law, if Amazon Information is being sought in response to legal process or other applicable law, Supplier will provide sufficient notice to Amazon to enable Amazon to seek a protective order or other appropriate remedy.
13. DEFINITIONS.
13.1 “Agreement” means any agreement that references this Security Policy.
13.2 “Amazon” means Amazon.com, Inc. and its affiliates.
13.3 “Amazon Information” means: (a) all Amazon Confidential Information (as defined in any other agreement between the parties); (b) all data, records, files, content, or information, in any form, acquired, accessed, collected, received, stored, or maintained by Supplier or its affiliates, from or on behalf of Amazon, or otherwise in connection with the Agreement; and (c) information derived from (a) or (b), even if Anonymized.
13.4 “Anonymize” means to Process any data or information (including Amazon Information) in a manner or form that does not identify, permit identification of, and is not otherwise attributable to Amazon, or any user, device identifier, source, product, service, context, or brand thereof.
13.5 “Covered Information Systems” means any systems that Supplier uses to Process Amazon Information.
13.6 “Personnel” means Supplier’s or Subcontractor’s employees, agents, Subcontractors, and other authorized users of its systems and network resources.
13.7 “Process” means to perform any operation on data, such as access, use, collection, receipt, storage, alteration, transmission, dissemination or otherwise making available, erasure, or destruction.
13.8 “Supplier” means each supplier, vendor, or contractor defined in an Agreement and any other provider subject to an Agreement.