27 lines
1.6 KiB
Plaintext
27 lines
1.6 KiB
Plaintext
|
Amazon Marketplace Web Service credentials are designed to authenticate and authorize Amazon sellers.
|
||
|
|
|
||
|
|
|
||
|
|
If your application interacts with Amazon MWS then it requires credentials to access all the resources it needs to function properly. The credential authenticates to a seller account which can have access to ressources like products, orders, price or shipment informations.
|
||
|
|
|
||
|
|
Therefore only administrators should have access to the MWS credentials used by your application.
|
||
|
|
|
||
|
|
|
||
|
|
As a consequence, MWS credentials should not be stored along with the application code as they would grant special privilege to anyone who has access to the application source code.
|
||
|
|
|
||
|
|
|
||
|
|
Credentials should be stored outside of the code in a file that is never committed to your application code repository.
|
||
|
|
|
||
|
|
If possible, a better alternative is to use your cloud provider's service for managing secrets. On AWS this service is called https://aws.amazon.com/fr/secrets-manager/[Secret Manager].
|
||
|
|
|
||
|
|
When credentials are disclosed in the application code, consider them as compromised and revoke them immediately.
|
||
|
|
|
||
|
|
|
||
|
|
== See
|
||
|
|
|
||
|
|
* https://www.owasp.org/index.php/Top_10-2017_A2-Broken_Authentication[OWASP Top 10 2017 Category A2] - Broken Authentication
|
||
|
|
* https://cwe.mitre.org/data/definitions/798[MITRE, CWE-798] - Use of Hard-coded Credentials
|
||
|
|
* https://cwe.mitre.org/data/definitions/259[MITRE, CWE-259] - Use of Hard-coded Password
|
||
|
|
* https://wiki.sei.cmu.edu/confluence/x/OjdGBQ[CERT, MSC03-J.] - Never hard code sensitive information
|
||
|
|
* https://www.sans.org/top25-software-errors/#cat3[SANS Top 25] - Porous Defenses
|
||
|
|
|