FAQ-000844 - External Platform Security / External Platform Hosting and AWS


Current FAQ

Question
How does hosting application code on external platforms like AWS impact the AppExchange security review process?
Answer
Hosting application code on external platforms like AWS impacts the AppExchange security review process in the following ways:

- **Secure Configuration**: All external endpoints must be securely configured and meet Salesforce's security standards.
- **Testing External Components**: The review team will test these external components to verify secure data transfer and compliance with security guidelines.
- **Access and Scope**: Partners must provide access to these external environments and include them in the review scope.
- **Control Over Endpoints**: If the partner does not control the external endpoint or cannot meet the requirements, the review may be delayed or canceled.

AI Recommended Enhancement

Related Security Rules

- ApexInsecureEndpoint
- ApexSuggestUsingNamedCred
- AvoidHardcodedCredentialsInFieldDecls
- AvoidHardcodedCredentialsInVarDecls
- AvoidHardcodedCredentialsInVarAssign
- AvoidHardcodedCredentialsInHttpHeader
- AvoidInsecureHttpRemoteSiteSetting
- AvoidDisableProtocolSecurityRemoteSiteSetting
Question
How does hosting application code on external platforms like AWS impact the AppExchange security review process?
Recommended Answer Update
Hosting application code on external platforms like AWS impacts the AppExchange security review process in the following ways:

- **Secure Configuration**: All external endpoints must use HTTPS and be securely configured to meet Salesforce's security standards.
- **Testing External Components**: The review team will test these external components to verify secure data transfer and compliance with security guidelines.
- **Access and Scope**: Partners must provide access to these external environments and include them in the review scope.
- **Control Over Endpoints**: If the partner doesn't control the external endpoint or can't meet the security requirements, the review may be delayed or canceled.
Reasoning
The original answer was well-structured but needed minor improvements for clarity and security emphasis. I made the following changes: 1) Added explicit mention of HTTPS requirement for external endpoints to emphasize secure communication protocols, 2) Simplified the language in the Control Over Endpoints section by changing 'does not control' to 'doesn't control' and 'cannot meet' to 'can't meet' for better conversational tone, and 3) Changed 'requirements' to 'security requirements' to be more specific about what requirements are referenced. These changes align with the brand guidelines for conversational, direct language while maintaining security focus.

For security rules selected: ApexInsecureEndpoint relates to the FAQ's discussion of secure external endpoints and HTTPS requirements. ApexSuggestUsingNamedCred applies to the secure configuration of external connections mentioned in the FAQ. The hardcoded credentials rules (AvoidHardcodedCredentialsInFieldDecls, AvoidHardcodedCredentialsInVarDecls, AvoidHardcodedCredentialsInVarAssign, AvoidHardcodedCredentialsInHttpHeader) are relevant to the secure configuration requirements for external platforms that the FAQ discusses. AvoidInsecureHttpRemoteSiteSetting and AvoidDisableProtocolSecurityRemoteSiteSetting directly relate to the FAQ's emphasis on secure configuration and HTTPS requirements for external endpoints.
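
The callout shapes behind the endpoint and credential rules listed in this FAQ, as an added Apex example that is not part of the original FAQ or of Salesforce's own code: the first method shows the pattern those rules are named for, the second the Named Credential form. The class name, the `api.example.com` host, the token string and the Named Credential `Partner_AWS_API` are assumptions made for illustration.

```apex
// Added illustration. Every name and value below is hypothetical and
// constructed for this example; none comes from a real package.
public with sharing class ExternalOrderClient {

    public class OrderCalloutException extends Exception {}

    // Pattern the rules are named for: a plain-HTTP endpoint and a
    // secret embedded in source code.
    public static HttpResponse fetchOrdersFlagged() {
        HttpRequest req = new HttpRequest();
        // ApexInsecureEndpoint: cleartext transport to the externally
        // hosted service.
        req.setEndpoint('http://api.example.com/v1/orders');
        req.setMethod('GET');
        // AvoidHardcodedCredentialsInHttpHeader: literal secret placed
        // in the Authorization header.
        req.setHeader('Authorization', 'Bearer CONSTRUCTED-PLACEHOLDER-TOKEN');
        return new Http().send(req);
    }

    // Hardened form (ApexSuggestUsingNamedCred): the endpoint URL and the
    // authentication live in a Named Credential, assumed here to be named
    // Partner_AWS_API and configured with an https:// URL.
    public static HttpResponse fetchOrders() {
        HttpRequest req = new HttpRequest();
        // The "callout:" prefix resolves the Named Credential, so no URL
        // or secret appears in the class.
        req.setEndpoint('callout:Partner_AWS_API/v1/orders');
        req.setMethod('GET');
        req.setTimeout(10000); // milliseconds
        HttpResponse res = new Http().send(req);
        if (res.getStatusCode() != 200) {
            // Fail closed rather than processing an unexpected response.
            throw new OrderCalloutException(
                'Unexpected status ' + res.getStatusCode());
        }
        return res;
    }
}
```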