Security Best Practices

This page lists best practices to consider when designing your product.

Best Practices

The Amazon Developer Services Agreement requires developers to implement all reasonable security measures to prevent unauthorized access to the Alexa Service.

Use the following guidance to ensure that your product meets security best practices:

  • Use secure software update distribution, incorporating cryptographic signing, so that only authentic and authorized updates are applied to the device.

  • Have a software maintenance update strategy that specifically defines how software updates will be created and distributed within a reasonable period after vulnerabilities are discovered.

  • Include information on your website about how security researchers can notify you of a security vulnerability.

  • Develop and implement a security response plan that addresses a range of potential security incidents.

  • Use a secure, authenticated setup process. Never transmit credentials over a non-TLS session during setup.

  • Implement industry-standard device hardening methods. For example, remove all unnecessary services and software from the device, validate input before processing it in services on the device, apply all relevant updates to open source software, and do not use default passwords.

  • Hire an independent security expert to conduct a security review of your product before product launches and when major software or hardware changes occur.

Notify Amazon immediately if you become aware of security vulnerabilities in your products that have the potential to affect the Alexa Service.