Security Requirements
Commercially distributed devices must meet the following minimum security requirements. The Amazon Developer Services Agreement requires that developers must implement all reasonable security measures to prevent unauthorized access to the Alexa Service.
Requirements
1.1. Your device SHALL use a secure software update distribution that uses cryptographic signing so that only authentic and authorized updates are applied to the device.
1.2. Your device SHALL implement industry standard device hardening methods. For example, prohibiting default passwords, removing unnecessary network services and software, validating inputs before processing it in services on the device, and applying all security patches to vulnerable open source software.
1.3. Your device SHALL use TLS 1.2 or greater for all communications outside of initial setup. You SHALL have the Amazon Trust Services root CAs installed in the CA bundle. The device SHALL implement certificate validation for all TLS connections and SHALL validate that connections to the AVS device are signed using the correct Amazon certificate. Initial setup SHALL never include the transmission of credentials over a non-TLS session.
1.4. Your company SHALL have a software maintenance update strategy in place that specifically defines how software updates will be created and distributed within a reasonable period of discovery when vulnerabilities are identified.
1.5. Your company SHALL publish information on publicly available websites on how security researchers can notify your company of security vulnerabilities in your devices.
1.6. Your company SHALL implement and, upon request, share with Amazon a security response plan that describes how your company will proceed if a security incident arises, when your company will communicate with Amazon on an incident, and the estimated timelines for remediation of an incident.
1.7. Your company SHALL obtain a report from an independent security expert or a certified security specialist who has conducted an in-depth security review of the device, and provide it to Amazon upon request.
1.8. Your company SHALL submit reports of known exploitable security vulnerabilities that exist on the device along with a plan to fix the vulnerabilities.
For more information about these security requirements, reach out to avs-security@amazon.com.
