Customer Deployed Technical Baseline Review

Customer-Deployed Validation Checklist

October 2020 - 2.0

Introduction

The Technical Baseline Review ('baseline') assesses an AWS Partner Network (APN) Partner's solution against a specific set of AWS best practices around security, performance, and operational processes that are most critical for customer success. Passing the baseline is required to qualify APN Technology Partners for APN Advanced Tier, but any AWS Partner who offers a technology solution is eligible to request a baseline review through Partner Central.

Expectations of Parties

It is expected that AWS Partners will review this document in detail before submitting an AWS Technical Baseline Review request, even if AWS Partners believe that all prerequisites are met. If items in this document are unclear, AWS Partners should contact their Partner Development Representative (PDR) or Partner Development Manager (PDM). AWS reserves the right to make changes to this document at any time.

When ready to submit a program application, AWS Partners must complete the self-assessment spreadsheet available for download at the top of this page. Upon completion of the self-assessment spreadsheet, AWS Partners must submit an application in APN Partner Central. For more information on how to submit an application, contact your PDR or PDM. Please specify what type of workload your solution is, as this determines which checklists your solution will be validated against.

If the AWS Partner's solution is a SaaS workload, an AWS Partner Solutions Architect will reach out to schedule an hour-long Technical Validation meeting. The AWS Partner will be expected to provide an architecture diagram of the solution and to invite all relevant team members to this meeting to answer the requirements.

If the AWS Partner's solution is a customer-deployed workload, an AWS Partner Solutions Architect will reach out with a self-assessment spreadsheet for the Partner to fill out. The Technical Validation will be completed offline. AWS Partners should prepare for the Technical Validation by reading the Checklist, completing and submitting a self-assessment for the solution, and submitting all relevant objective evidence with the application, including architecture diagrams. AWS will review for completeness and for compliance with the requirements. AWS aims to respond within 7 business days of the request.

Upon completion of the Technical Validation, the AWS Partner's baseline request will either be approved if all requirements are fulfilled or rejected if any requirements are not met. There is a 6-month period to remediate all incomplete requirements. Past this 6-month remediation window, the AWS Partner must re-submit a request for a Technical Baseline Review.

AWS Technical Baseline Review Prerequisites

AWS Partner must include the solution's architecture diagram in order to pass the baseline requirements.

  1.0 Technical Baseline Review Requirements

    1.1 Architecture Diagram

      Submitted Technical Baseline Review Request must include architecture diagrams.

      • Architecture diagrams must detail how the solution interacts with the AWS Cloud; specifically, what AWS tools and services are used in the solution

      Note: Click here for best practices on how to build an acceptable Architecture Diagram.

    1.2 AWS Support

      The baseline requires AWS Business Support or greater on all production AWS accounts. 'Production AWS accounts' include accounts operated as part of a managed service, accounts essential to the proper functioning of a SaaS or other 'as a service' offering, accounts from which customer-facing collateral is distributed (e.g. sharing AMIs), and accounts containing customer data.

Customer Deployed Technical Baseline Requirements

The following requirements apply to AWS Partners' Customer-Deployed Practice.

Introduction

  • INT-001 - Introductory material must contain use cases for the software.

    Please provide the link to deployment guide and specify (page number, section, paragraph etc.) where it describes use cases for the software.

  • INT-002 - Introductory material contains an overview of a typical customer deployment, including lists of all resources that will be set up when the deployment is complete.

    Please provide the link to the deployment guide and specify (page number, section, paragraph etc.) where it describes the intended use of the software.

  • INT-003 - Introductory material contains a description of all deployment options discussed in the user guide (e.g. single-AZ, multi-AZ or multi-region), if applicable.

    Please provide the link to the deployment guide and specify (page number, section, paragraph etc.) where it describes all deployment options.

  • INT-004 - Introductory material contains the expected amount of time to complete the deployment.

    Please provide the link to the deployment guide and specify (page number, section, paragraph etc.) where it describes the expected amount of time it takes to complete deployment.

Prerequisites and Requirements

  • PRQ-001 - All technical prerequisites and requirements to complete the deployment process are listed (e.g. required OS, database type and storage requirements).

    Please provide the link to the deployment guide and specify (page number, section, paragraph etc.) where it lists all technical prerequisites and requirements needed to complete the deployment process.

  • PRQ-002 - The deployment guide lists all skills or specialized knowledge needed by the user (e.g. familiarity with AWS, specific AWS services, a scripting or programming language).

    Please provide the link to the deployment guide and specify (page number, section, paragraph etc.) where it lists all skills or specialized knowledge that users need.

  • PRQ-003 - The deployment guide lists the environment configuration that is needed for the deployment (e.g. an AWS account, a specific operating system, licensing, DNS).

    Please provide the link to the deployment guide and specify (page number, section, paragraph etc.) where it lists what environment configuration is needed for deployments.

Architecture Diagrams

  • ARCH-001 - Architecture diagram(s) must illustrate all AWS services running and the relationships between them in a typical customer deployment.

    Architecture diagram(s) illustrate standard deployment(s) on AWS.

  • ARCH-002 - Architecture diagram(s) illustrate all AWS services running and the relationships between them in a typical customer deployment.

    Architecture diagram(s) illustrate all AWS services running and the relationships between them in a typical customer deployment.

  • ARCH-003 - Architecture diagram(s) label where customer data is stored.

    Architecture diagram(s) label where customer data is stored.

  • ARCH-004 - Architecture diagram(s) use AWS Simple Icons.

    Architecture diagram(s) use AWS Simple Icons.

  • ARCH-005 - Network diagram(s) demonstrate VPCs, subnets, security groups, NACLs, and ingress/egress mappings.

    Network diagram(s) demonstrate VPCs, subnets, security groups, NACLs, and ingress/egress mappings.

  • ARCH-006 - Architecture diagram(s) show integration points, including third party assets/APIs and on-premises/hybrid assets.

    Architecture diagram(s) show integration points, including third party assets/APIs and on-premises/hybrid assets.

Security

  • DSEC-001 - The deployment guide must provide links to IAM and IAM best practices documentation.

    Please provide the link to the deployment guide and specify (page number, section, paragraph etc.) where it provides links to IAM and IAM best practices documentation.

  • DSEC-002 - The application does not require the use of root privileges for deployment or operation.

    Please provide the link to the deployment guide and specify (page number, section, paragraph etc.) where it warns customers to not use the root user for any deployment or operations.

  • DSEC-003 - The deployment guide provides prescriptive guidance on following the principle of least privilege for all access granted as part of the deployment.

    Please provide the link to the deployment guide and specify (page number, section, paragraph etc.) where it provides prescriptive guidance on following the principle of least privilege for all access granted as part of the deployment.

  • DSEC-004 - The deployment guide clearly documents any public resources (e.g. Amazon S3 buckets with bucket policies allowing public access).

    Please provide the link to the deployment guide and specify (page number, section, paragraph etc.) where it documents any public resources.

  • DSEC-005 - The deployment guide describes the purpose of each IAM role and IAM policy the user is instructed to create.

    Please provide the link to the deployment guide and specify (page number, section, paragraph etc.) where it describes the purpose of IAM roles/policies the user is instructed to create.

  • DSEC-006 - The deployment guide describes the purpose and location of each key the user is instructed to create.

    Please provide the link to the deployment guide and specify (page number, section, paragraph etc.) where it describes the purpose and location of each key the user is instructed to create.

  • DSEC-007 - The deployment guide provides clear instruction on maintaining any stored secrets such as database credentials stored in AWS Secrets Manager.

    Please provide the link to the deployment guide and specify (page number, section, paragraph etc.) where it provides clear instruction on maintaining any stored secrets when deploying the solution.

  • DSEC-008 - The deployment guide includes details on where sensitive customer data are stored.

    Please provide the link to the deployment guide and specify (page number, section, paragraph etc.) where it describes where sensitive customer data are stored.

  • DSEC-009 - The deployment guide must explain all data encryption configuration (e.g. Amazon S3 server-side encryption, Amazon Elastic Block Store (Amazon EBS) encryption, Linux Unified Key Setup (LUKS)).

    Please provide the link to the deployment guide and specify (page number, section, paragraph etc.) where it explains all data encryption configuration for relevant in-scope services.

  • DSEC-010 - Deployments involving more than a single element (e.g. launching an EC2 node with a partner AMI) include details on network configurations (e.g. VPCs, subnets, security groups, NACLs, and route tables) in the deployment guide.

    Please provide the link to the deployment guide and specify (page number, section, paragraph etc.) where it contains details on network configurations.

Costs

  • CST-001 - The deployment guide includes a list of billable services and guidance on whether each service is mandatory/optional.

    Please provide the link to the deployment guide and specify (page number, section, paragraph etc.) where it lists billable services and guidance on whether each service is mandatory/optional.

  • CST-002 - The deployment guide includes the cost model and licensing costs.

    Please provide the link to the deployment guide and specify (page number, section, paragraph etc.) where it includes the cost model and licensing costs.

Sizing

  • SIZ-001 - Guidance for EC2 instance type and size selection is included.

    Please provide the link to the deployment guide and specify (page number, section, paragraph etc.) where it provides guidance for EC2 instance type and size selection.

  • SIZ-002 - Guidance for EBS volume type and size selection is included.

    Please provide the link to the deployment guide and specify (page number, section, paragraph etc.) where it provides guidance for EBS volume type and size selection.

  • SIZ-003 - Guidance on instance size selection for managed AWS services (e.g. Amazon Relational Database Service (Amazon RDS), Amazon Redshift) is included.

    Please provide the link to the deployment guide and specify (page number, section, paragraph etc.) where it provides guidance on instance size selection for managed AWS services.

  • SIZ-004 - Guidance on Amazon DynamoDB read and write capacity unit estimates is included.

    Please provide the link to the deployment guide and specify (page number, section, paragraph etc.) where it provides guidance on Amazon DynamoDB read and write capacity unit estimates.

Deployment Assets

  • DAS-001 - The deployment guide provides step-by-step instructions for deploying the workload on AWS as per typical deployment architecture.

    Please provide the link to the deployment guide and specify (page number, section, paragraph etc.) where it provides step-by-step instructions for deploying the workload on AWS as per typical deployment architecture.

  • DAS-002 - The deployment guide provides step-by-step instructions for maximizing uptime and availability (e.g. autoscaling groups, multi-AZ, disaster recovery).

    Please provide the link to the deployment guide and specify (page number, section, paragraph etc.) where it provides step-by-step instructions for maximizing uptime and availability.

  • DAS-003 - The deployment guide describes the different deployment configurations (e.g. for a solution that can be deployed single-AZ, multi-AZ, and/or multi-region, an explanation of the different deployment configurations as well as the pros and cons of each is included).

    Please provide the link to the deployment guide and specify (page number, section, paragraph etc.) where it describes the different deployment configurations.

  • DAS-004 - The deployment guide contains prescriptive guidance for testing/troubleshooting.

    Please provide the link to the deployment guide and specify (page number, section, paragraph etc.) where it contains prescriptive guidance for testing/troubleshooting.

Health Check

  • HLCH-001 - The deployment guide provides step-by-step instructions for how to assess and monitor the health and proper function of the application.

    Please provide the link to the deployment guide and specify (page number, section, paragraph etc.) where it provides step-by-step instructions for how to assess and monitor the health and proper function of the application.

Backup and Recovery

  • BAR-001 - The deployment guide provides step-by-step instructions for setting up automated backup of necessary components.

    Please provide the link to the deployment guide and specify (page number, section, paragraph etc.) where it provides step-by-step instructions for setting up automated backup of necessary components.

  • BAR-002 - The deployment guide provides step-by-step instructions for restoring data from a backup.

    Please provide the link to the deployment guide and specify (page number, section, paragraph etc.) where it provides step-by-step instructions for restoring data from a backup.

  • BAR-003 - The deployment guide provides step-by-step instructions for recovery in case of instance or service failure.

    Please provide the link to the deployment guide and specify (page number, section, paragraph etc.) where it provides step-by-step instructions for recovery in case of instance or service failure.

  • BAR-004 - The deployment guide provides step-by-step instructions for recovery in case of AZ failure.

    Please provide the link to the deployment guide and specify (page number, section, paragraph etc.) where it provides step-by-step instructions for recovery in case of AZ failure.

  • BAR-005 - The deployment guide provides documentation on managing service limits to allow for proper disaster recovery (DR).

    Please provide the link to the deployment guide and specify (page number, section, paragraph etc.) where it provides documentation on managing service limits to allow for proper disaster recovery (DR).

  • BAR-006 - The deployment guide documents Recovery Time Objective (RTO) and Recovery Point Objective (RPO) for every deployment offered.

    Please provide the link to the deployment guide and specify (page number, section, paragraph etc.) where it documents Recovery Time Objective (RTO) and Recovery Point Objective (RPO) for every deployment offered.

Routine Maintenance

  • RM-001 - The deployment guide provides step-by-step instructions for rotating programmatic system credentials and cryptographic keys.

    Please provide the link to the deployment guide and specify (page number, section, paragraph etc.) where it provides step-by-step instructions for rotating programmatic system credentials and cryptographic keys.

  • RM-002 - The deployment guide provides prescriptive guidance for software patches and upgrades.

    Please provide the link to the deployment guide and specify (page number, section, paragraph etc.) where it provides prescriptive guidance for software patches and upgrades.

  • RM-003 - The deployment guide provides prescriptive guidance on managing licenses.

    Please provide the link to the deployment guide and specify (page number, section, paragraph etc.) where it provides prescriptive guidance on managing licenses.

  • RM-004 - The deployment guide provides prescriptive guidance on managing AWS service limits.

    Please provide the link to the deployment guide and specify (page number, section, paragraph etc.) where it provides prescriptive guidance on managing AWS service limits.

Emergency Maintenance

  • EMER-001 - The deployment guide provides step-by-step instructions on handling fault conditions.

    Please provide the link to the deployment guide and specify (page number, section, paragraph etc.) where it provides step-by-step instructions on handling fault conditions.

  • EMER-002 - The deployment guide provides step-by-step instructions on how to recover the software.

    Please provide the link to the deployment guide and specify (page number, section, paragraph etc.) where it provides step-by-step instructions on how to recover the software.

Support

  • SUP-001 - The deployment guide provides details on how to receive support.

    Please provide the link to the deployment guide and specify (page number, section, paragraph etc.) where it provides details on how to receive support.

  • SUP-002 - The deployment guide provides details on technical support tiers.

    Please provide the link to the deployment guide and specify (page number, section, paragraph etc.) where it provides details on technical support tiers.

  • SUP-003 - The deployment guide provides details on different support tiers and SLAs.

    Please provide the link to the deployment guide and specify (page number, section, paragraph etc.) where it provides details on different support tiers and SLAs.