ODB's Journey to Amazon Partnership: Enabling Secure and Scalable E-commerce Operations

OneDayBundle, or ODB, is an e-commerce fulfillment company that provides inventory management software and physical warehousing services. To obtain access to the Amazon Selling Partner API, ODB needed to pass a rigorous security review from Amazon.

This would allow them to connect warehouse systems to Amazon’s data, so the company doesn’t have to request it each time. Access to the API would also let ODB gain more trust from their customers. However, they faced challenges in passing the questionnaire multiple times.

That’s when ODB approached IT Outposts for help. Together, we enabled our client to gain official access to Amazon’s API.

Jump straight to a key chapter

Project Description
Provided Services
Work Agenda
Challenges

What The Clients Says
Results
DevOps Tech Stack

Project Description

ODB’s infrastructure wasn’t prepared for Amazon’s approval process. The absence of modern DevOps practices made it challenging to validate their systems as secure, reliable, and compliant with Amazon’s stringent requirements for third-party sellers.

Throughout our engagement, we took a comprehensive approach that went beyond checking boxes to comply with Amazon. While our team could have avoided certain steps and done the bare minimum to pass the questionnaire, the goal was to ensure every task was completed with the highest quality standards.

Provided Services

DevOps Services

Cloud adoption services

SRE services

Log management and monitoring
Incident management
Release management
Performance management

DevSecOps services

Security assessment
Access control and identity management
Automated security testing

Kubernetes managed services

Work Agenda

Client

OneDayBundle
onedaybundle.com

Location

Fort Lauderdale, United States

Technical team

Tech lead
2 DevOps engineers

Project timeframe

September 2023 - April 2024

Budget

35,000

Project goals

Provide guidance to help ODB successfully complete Amazon's security questionnaire and audit

Define and document ODB's infrastructure setup as code for easier management and disaster recovery

Migrate ODB's infrastructure to AWS to align with Amazon's environment and demonstrate commitment to their standards

Implement automated testing to catch code issues and security vulnerabilities before deployments

Set up separate environments for development, testing, and production so changes can be safely tested before going live

Secure the infrastructure with controlled access points, role-based access controls, and centralized secret management

Establish a modern CI/CD pipeline to automate code deployments across environments

Set up monitoring, logging, and alerting systems

Set up a Kubernetes cluster for robust orchestration and rapid provisioning of isolated environments on demand

Deploy ODB’s new frontend

Challenges

Hosting outside of Amazon’s environment

Originally, ODB was hosted on DigitalOcean's cloud platform. However, Amazon would naturally have more confidence in ODB's security and compliance if their systems were running on Amazon Web Services (AWS). Being hosted outside of the Amazon environment created an additional hurdle to overcome during the certification process.

Lack of proper environment setup

There was no separation between the different stages of development, testing, and deployment. ODB’s developers made changes and pushed code updates straight to the one and only branch that ran their live, customer-facing application.

However, with only a production instance, our client didn’t have a safe space to experiment with new features or test changes. Additionally, the absence of separate environments made it nearly impossible to catch bugs before deploying code to production. Every release essentially became a blind deployment, increasing the likelihood of downtime.

Manual deployment process and lack of automated testing

With multiple microservices powering booking workflows, our client lacked full visibility into the health of their services. After migrating to Kubernetes, strong monitoring and alerting were critical. Otherwise, C-Teleport would face performance problems, causing revenue impacts.

No rapid environment provisioning capabilities

All the ODB’s services were running on separate servers. If they wanted to spin up a fresh environment, whether for a new service or just for testing purposes, they would have to manually configure and set up each individual server from scratch. This could easily take days or even weeks to get a fully functional environment up and running.

Absence of infrastructure documentation

Another major issue was that the company had no documentation around their infrastructure setup. If someone accidentally made undocumented manual changes, there was no way to identify the root cause if any issues arose or restore systems to their proper working state.

Insecure secret management

Secrets, such as credentials and sensitive information, were initially managed locally, with access restricted only to developers. DevOps teams didn’t have direct access to the secrets and had to request them from developers when needed. Furthermore, developers had to manually update secrets across various systems whenever changes were made, which was a time-consuming and error-prone process.

Invisible system performance

ODB also ran its entire application with no visibility into performance metrics and error logs.

Key metrics like server load, database health, or application response times went completely untracked. Without monitoring, logging, and alerting, it was difficult to detect performance bottlenecks before they escalated into major incidents.

Amazon’s questionnaire roadblocks

Given the multiple issues listed, such as the lack of automation and inadequate infrastructure setup, ODB kept running into roadblocks when attempting to pass the questionnaire. Amazon places a heavy emphasis on security, from documented policies and personal data handling procedures to hardened access controls, firewalls, and end-to-end security testing during development and deployment cycles.

Another problem was, Amazon didn’t provide feedback on what needed improvement, so our client struggled to identify the areas of concern and where to start to finally gain approval. Without guidance, it was challenging to align their practices accordingly.

Facing Amazon's rigorous third-party audit process

After successfully passing the initial questionnaire, a couple of months later, ODB was scheduled for an Amazon audit. Amazon doesn't necessarily require it for all vendors, but they can request it to validate compliance with their security standards and policies for third-party sellers like ODB.

For example, Amazon strictly prohibits vendors from selling or sharing customer data. There are certain aspects of business operations that must remain confidential. If a third-party seller has any organizational changes or updates to who has access to customer data, they’re required to notify Amazon about these changes promptly.

Overall, it was a standard audit process, but our client still had to prepare and ensure their product was fully secure and compliant.

Outdated frontend and difficulties in deploying the new frontend

Although the new frontend application was ready for deployment, the ODB’s existing setup didn’t allow them to reliably deliver updated UX to customers. While the front-end upgrade wasn’t directly mandated by Amazon’s certification requirements, we took on this task as part of our partnership.

Contacts

Has your business encountered security challenges or do you need assistance with infrastructure migration? Our experience is your key to success in the world of big data and cloud technologies. Allow us to architecturally transform your system, just as we did for ODB, ensuring the highest standards of security and continuous service operation.

Discuss your project

CEO at
OneDayBundle

Egor Prihodko

IT Outposts did more than just the technical work to meet Amazon’s requirements. They also actively participated in filling out the questionnaire and joined meetings with auditors, even though those tasks weren’t normally part of their services. Their extra involvement made sure everything went smoothly during our certification.

*translated and voiced from Ukrainian to English using the service vidby.com

Solutions

1. Migrating to AWS

First, our engineers migrated ODB’s systems to Amazon Web Services (AWS). Running on AWS aligned their technical infrastructure directly with Amazon's environment and best practices. This migration would help demonstrate ODB’s commitment to meeting Amazon’s rigorous standards

Plus, we had to keep in mind that DigitalOcean is a more budget-friendly hosting option compared to AWS. So, during migration, we needed to be careful that the overall cloud costs didn't balloon too much beyond what the client was already paying.

2. Environment branching

We set up three separate environments, or branches — a dev environment where our client can experiment and make code changes; a staging environment that closely mirrors the production environment for testing and verification; and finally, the production branch where the live application runs.

3. Implementing CI/CD and automated testing

For CI/CD, our team configured Flux, a modern GitOps tool. With Flux in place, ODB no longer has to worry about the deployment process, as it’s fully automated. All they need to do is push code changes to the designated Git repository, while Flux will take care of the rest. It picks up the latest committed code and deploys it to the appropriate environments, following the defined pipeline.

We also implemented secret detection and code vulnerability scanning tools. These help identify any sensitive information accidentally exposed in the codebase, as well as catch security vulnerabilities early in the development process.

4. Setting up Kubernetes and Aurora Serverless

We implemented a Kubernetes cluster, taking advantage of its robust orchestration and automation capabilities. This allowed our client to streamline the process of provisioning new environments on demand. Now, ODB can rapidly deploy a fresh, isolated environment within just a couple of hours whenever needed.

Additionally, we set up an Amazon Aurora Serverless database. It automatically scales up or down based on the load, ensuring our client only pays for the resources they actually use. Furthermore, with Amazon Aurora, the company always has an operational database available, and their customers consistently receive a lag-free experience when accessing information from the website.

5. Codifying ODB's infrastructure with Terraform IaC

Our engineers documented and defined ODB’s infrastructure through Terraform, an infrastructure as code (IaC) tool.

The IaC approach allows our client to maintain a comprehensive record of the system’s current state, making it easier to understand the configuration and make controlled changes when needed.

Moreover, by codifying their infrastructure setup, our client benefits from enhanced disaster recovery capabilities. If they ever experience any major outages, ODB’s infrastructure can be quickly reprovisioned and deployed on any other platform or cloud provider using the Terraform configuration.

6. Secure infrastructure with bastion host, Kubernetes RBAC, and automated secret management

Our engineers utilized private networks with no external access except through a bastion host as a controlled entry point into our client’ networks, so security has become the default state.

Furthermore, we configured Kubernetes role-based access control (RBAC), ensuring that even if someone gained access to the network, it would be challenging to interact with the Kubernetes cluster without proper authentication.

To streamline and enhance secret management, our team leveraged AWS Secrets Manager. The service provides a secure and centralized location to store and retrieve secrets. Access to the Secrets Manager requires proper authentication to the AWS account, so only authorized personnel can access or modify secrets.

Additionally, developers no longer need to manually redeploy their applications when modifying secrets. Instead, the system detects when a new secret is added or updated in the Secrets Manager, triggering an automated redeployment process.

7. Integrated app monitoring with alerting and ChatOps

Our team set up monitoring with customized dashboards and alert configurations. Now, if any errors occur, notifications are sent directly to ODB’s team chat. We integrated this monitoring setup right into their CI/CD pipeline, so it's not just a separate service — it's baked into their development workflows from code commit to deployment.

Additionally, we created a custom integration to pipe monitoring alerts from GitLab directly into their chat.

8. A guided approach to Amazon’s questionnaire

Our engineers actively participated in filling out the questionnaire to ensure the best possible results for our client.

Here, our team's experience and logical thinking played a crucial role, as Amazon didn’t provide any specific guidelines. We constructed all the responses based on the infrastructure and processes we had implemented. After the first round of the questionnaire, Amazon followed up with additional questions, which we diligently responded to. This back-and-forth continued for a third and fourth round, with Amazon posing further inquiries, which we addressed comprehensively.

Eventually, we successfully passed the questionnaire, and our client gained access to Amazon Selling Partner API.

9. Acing the Amazon security and compliance audit interview

After clearing the initial questionnaire, Amazon’s partners scheduled an audit interview with ODB. The audit had two main focus areas — security and policy compliance.

When we finished setting up the infrastructure, we ran Amazon's vulnerability testing service. This is a tool that checks for potential security issues and highlights problems that need to be fixed, like open ports that shouldn't be exposed, databases residing on public networks, and other vulnerabilities. Having Amazon's vulnerability testing done prior to the audit was extremely helpful. It allowed us to proactively identify and fix many of the security concerns that auditors would likely flag.

Following the interview calls, auditors provided follow-up questions and clarification requests. Our engineers promptly addressed them, providing detailed responses and updates where needed. A specific area that required further work was enhancing certain aspects of our client's policy documentation to meet Amazon's expectations.

10. Frontend revamp

Thanks to the modern, automated infrastructure IT Outposts had implemented utilizing Kubernetes, CI/CD pipelines, and IaC practices, deploying ODB's new decoupled frontend architecture was straightforward.

Results

With direct API access, ODB no longer has to manually request data from Amazon each time, which makes operations much faster.

The diversity of environments and automated pipelines allow ODB to develop, test, and release new features and products much faster than before, staying ahead of competitors

While migrating from the budget-friendly DigitalOcean to AWS did imply additional costs, the client now has rigorous AWS cloud cost optimization strategies.

With the Kubernetes setup and new serverless database, our client can quickly ramp up or scale back their operations based on customer demand without overpaying for unused resources.

ODB can now provide a smoother, more integrated experience for their customers, building greater trust and keeping them satisfied.

The monitoring and security controls put in place help ODB prevent issues before they happen and respond faster to any incidents, reducing unplanned downtime.

The agile foundation built by IT Outposts gives ODB a robust and flexible platform to support their ambitious growth and innovation plans down the road.