This policy applies to all Nestos Shop systems and staff operating SellerUX services that handle Amazon Information.
1) Password requirements for systems handling Amazon Information
- Minimum length: 14 characters.
- Complexity: must include upper-case letters, lower-case letters, numbers, and special characters.
- Passwords must not include any part of the account owner's name.
- Minimum password age: 1 day.
- Maximum password expiration period: 365 days.
2) Authentication and account protections
- MFA is required for all user accounts handling Amazon Information.
- Account lockout and anomaly detection controls are enforced on repeated failed authentication attempts.
- Shared, generic, and default credentials are prohibited for production access.
3) Credential storage and handling
- Amazon API keys and secrets are stored encrypted at rest.
- Secrets are never hardcoded in source code, docs, or ticketing systems.
- Access to secrets is limited by least privilege and subject to audit logging.
4) Lifecycle and review
- Access rights are reviewed at least quarterly and removed promptly for terminated users.
- Credential compromise triggers immediate key/password rotation and incident-handling procedures.
- Backend user records track password hash, MFA state, expiration metadata, failed login attempts, and lockout state for security administration.