AWS Level 1 Managed Security Service Provider Competency

To interact with AWS APIs in a customer’s AWS account or access the customer’s management console the AWS Partner uses temporary credentials. These credentials can be provided via cross account roles or through federation.

No IAM User access keys are collected to facilitate interaction with a customer’s environment.

Evidence: User documentation such as a manual, whitepaper, or blog showing the steps to grant partner access to a customer-run account using an External ID generated by the Partner or how to grant customer temporary credentials on a Partner-run account.

The AWS Partner is providing guidance to customers on IAM policies that should be created in the customer’s AWS account so that the Partner can properly access and interact with the customer’s AWS account(s). These policies should be properly scoped to least privilege and only cover the access that the Partner needs.

Evidence: Documentation of partner guidance in the form of training presentations, whitepapers, blogs, or similar customer-facing guidance.

The AWS Partner does not have any hard limits in their platform that limit the number of AWS accounts or AWS resources (EC2 instances, S3 buckets, RDS databases, etc.) within an AWS account that can be consumed and reported on for any one customer.

Evidence: A screen shot or other documentation showing the ability to report on multiple accounts and resources.

Security findings related to a customer's environment are regularly delivered to the customer. This delivery must include a summary report of findings or a dashboard for reviewing findings for a customer's environment and can also include APIs a customer can use to programmatically get information about their security findings.

Evidence: Sample screen shots or other example of a report and describe the frequency that customers get access to that report, such as “on demand”, “event trigger”, or similar.

The AWS Partner provides a vulnerability scanning solution that supports the ability for a customer to perform both un-authenticated and authenticated vulnerability scans of their Amazon Elastic Compute Cloud (Amazon EC2) infrastructure.

Evidence: Details on the technical solution that is used to solve this requirement.

The AWS Partner’s vulnerability scanning solution supports collection and display of AWS metadata that is related to the Amazon EC2 instances that have findings as a result of a vulnerability scan. This information must include: Amazon EC2 tags, Amazon EC2 instance ID, Amazon EC2 AMI ID, Amazon EC2 public and private IP address, Amazon EC2 public and private DNS address, VPC ID, Subnet ID, region, AWS account ID.

Evidence: Screen shots showing the display of the necessary metadata information in the dashboard or report that is accessible to the customer.

The AWS Partner solution supports the ability to automatically detect when new Amazon EC2 instances or Amazon Virtual Private Clouds (Amazon VPCs) are created within the customer’s AWS environment. Alternatively, the solution provides the ability to programmatically provide updates when there are new Amazon EC2 instances or Amazon VPCs that should be scanned. This requirement ensures that customers are not required to do manual configuration within the AWS Partner vulnerability scanning solution to ensure that new Amazon EC2 instances or Amazon VPCs are included in future vulnerability scans.

This requirement ensures that customers are not required to do manual configuration within the AWS Partner vulnerability scanning solution to ensure that new Amazon EC2 instances or Amazon VPCs are included in future vulnerability scans.

Evidence: Written description of how the vulnerability scanning solution meets this requirement.

The AWS Partner provides a vulnerability scanning solution that supports the ability for a customer to perform both un-authenticated and authenticated vulnerability scans of their container instances.

Evidence: Details on the technical solution that is used to solve this requirement.

The AWS Partner solution supports displaying AWS resource inventory information in a consolidated user interface (UI). This UI supports displaying inventory information by resource type, region, and account. The UI also allows customers to see key configuration attributes of each resource, including tags applied to that resource.

Evidence: Screen shots showing examples of AWS resource inventory in dashboards or reports that would be available to customers.

The AWS Partner solution supports the ability to collect resource information from a customer’s AWS account in an event driven fashion.

Initial discovery of AWS resources in a customer’s environment via the relevant AWS describe APIs is allowed for building an initial inventory of AWS resources. After initial resource discovery, additional information on new, updated, or terminated resources is identified through an event driven framework. Examples include consuming data via AWS CloudTrail logs or AWS Config. It is acceptable to make API calls for individual resources to retrieve additional metadata about new or changed assets or to confirm current inventory information.

Evidence: Written description on how the solution is collecting initial and steady state resource information from a customer’s AWS account.

The Partner solution has the ability to report on security best practice violations in a customer’s AWS account. These best practices must cover at least the following AWS services: Amazon EC2, Amazon S3, Amazon Relational Database Service (Amazon RDS), AWS Identity and Access Management (IAM), Amazon VPC, Amazon Elastic Block Store (Amazon EBS), Amazon Elastic File System (Amazon EFS), AWS Key Management Service (AWS KMS).

Common reference points for best practices with AWS services can be found in the security documentation for a service: https://docs.aws.amazon.com/security/

Evidence: Screen shots showing examples of best practices detection available within dashboards or reports provided to customers.

The AWS Partner solution provides continuous compliance monitoring against the configuration a customer’s AWS accounts and the AWS resources that are in a customer’s AWS accounts.

Continuous compliance monitoring is provided for at least two of the following compliance organizations:

• CIS AWS Foundations Benchmark v1.2 or 1.3
• HITRUST v9.3
• HIPAA
• ISO 27001:2013
• MITRE ATT@CK
• PCI DSS v3.2
• SOC2

Evidence: Screen shots showing examples of AWS compliance monitoring for each of the supported compliance organizations.

AWS Partners can assess and enrich security findings in a customer’s AWS Environment, providing additional context and actionable information to help customers reduce false positives and effectively respond to incidents.

Evidence: Written description of the Partner’s approach to triaging security findings from a customer’s AWS environment.

For a security finding the AWS Partner has the ability to deliver remediation guidance to the customer so that the customer can resolve the finding in their environment.

Alternatively, the AWS Partner has the ability and permissions to perform the remediation steps themselves or provides automation that can remediate the finding for the customer.

Evidence: Screen shots showing examples of reported security findings from an AWS account and the suggested remediation for the finding.

The AWS Partner has the ability to detect, triage, and alert customers of high priority security findings on a continuous uninterrupted basis, 24 hours a day and 7 days a week. Alerts provided to customers included remediation guidance for the finding.

Evidence: Written description of the Partner’s support model for being able to respond to high priority findings in their customer’s AWS accounts on a continuous uninterrupted basis, 24 hours a day and 7 days a week.

The AWS Partner provides the ability for their customers to engage the MSSP support staff on a continuous uninterrupted basis, 24 hours a day and 7 days a week, for assistance with high severity security items.

Evidence: Written description of how the AWS Partner is enabling their customer to engage their support staff for assistance on a continuous uninterrupted basis, 24 hours a day and 7 days a week.

The AWS Partner has the resources and skill sets to assist the customer with choosing and configuring a solution that provides DDoS protection for the applications running in a customer’s AWS accounts.

DDoS solutions that the Partner recommends must provide protection from layer 3,4, and 7 attacks.

Evidence: Written description of the solutions that the AWS Partner recommends or supports for DDoS protection of applications running in a customer’s AWS account. Written description of the Partner’s engagement model to help customers with configuration of their chosen or recommended DDoS protection solution.

Agent based solutions that are used to provide intrusion detection and prevention services are able to run on Amazon EC2 instances with the following operating systems:

• Amazon Linux2
• RedHat
• CentOS
• Ubuntu
• Windows

This item is not necessary if the AWS Partner utilizes a network-based solution as outlined in IDP-002.

Evidence: Written description of the technical solution that the AWS Partner is using to meet this requirement.

Network-based intrusion detection and prevention solutions that are deployed into a customer’s AWS account must support the ability to deploy highly available architectures. This includes:

• Integration with AWS Auto Scaling
• Integration with Elastic Load Balancing
• Ability to run in a multi-Availability Zone (AZ) configuration
• Support for automated bootstrapping of instances (e.g. via user data scripts)
• Worker/support nodes must use AWS Lambda/Step Functions instead of long-lived Amazon EC2 instances

This item is not necessary if the AWS Partner utilizes an agent-based solution as outlined in IDP-001.

Evidence: Written description of the technical solution that the AWS Partner is using to meet this requirement.

Intrusion detection and prevention solutions that the AWS Partner deploys into a customer’s AWS accounts support running on Nitro-based Amazon EC2 instances.

Solutions support drivers for Elastic Network Adapter (ENA) and NVMe block devices.

Evidence: Written description of the technical solution that the AWS Partner is using to meet this requirement.

The Partner has the ability to detect threats at the network or host level of a customer’s AWS account.

Evidence: Screen shots showing examples of the technical solution detecting threats at the network or host level for an AWS account.

The Partner has the ability to detect threats at the AWS API layer of a customer’s AWS account.

AWS APIs refers to APIs, provided by AWS, for interacting with the AWS resources in a customer’s AWS account. This does not cover APIs that a customer has created and deployed for their own applications. An example of a threat detection at the AWS API layer is: detecting the use of IAM access keys from an IP address space that is not normally used by the customer.

Evidence: Screen shots showing examples of AWS API layer detections that are being detected by the AWS Partner’s solution.

The AWS Partner’s threat detection tools and reporting are AWS aware and contain AWS metadata on the affected AWS resources from a customer’s AWS account. While the metadata information about each AWS resource will vary, minimal metadata for any AWS resource should include: resource tags, region, account, resource identifiers that can be used in the AWS console and APIs to find the specific resource. Beyond the minimum metadata additional metadata provided about an AWS resource should contribute to helping the customer make an informed decision about the resource that is experiencing a reported threat.

Evidence: Screen shots showing the use of a AWS metadata from a customer’s AWS account as part of the reporting of threats that are delivered in a dashboard or report for customers.

The Partner has the ability to detect threats at the network or host level of a customer’s AWS account.

Evidence: Screen shots showing examples of the technical solution detecting threats at the network or host level for an AWS account.

Endpoint solutions provided by the AWS Partner have the ability to run on the following Amazon EC2 operating systems:

• Amazon Linux2
• RedHat
• CentOS
• Ubuntu
• Windows

Evidence: Written description of the technical solution that the Partner is using to meet this requirement.

The solution that the AWS Partner provides for a customer’s AWS based endpoints supports the ability to ingest and display AWS metadata about the EC2 instance that a deployed agent is running on.

Metadata collected and displayed should include at least: Amazon EC2 tags, Amazon EC2 instance ID, Amazon EC2 AMI ID, Amazon EC2 public and private IP address, Amazon EC2 public and private DNS address, Amazon VPC ID, Subnet ID, region, account ID.

Evidence: Screen shot showing the use of AWS metadata in the dashboard or report that supports data from the endpoint solution.

The solution that the partner supports for running on a customer’s AWS-based endpoint provides the ability to identify Amazon EC2 instances without a working agent.

Evidence: Screen shot showing the ability to detect instances without a working agent for a customer’s AWS account.

The AWS Partner supports a solution that protects containers and integrates with at least one of the following AWS container services:

• Amazon Elastic Container Service (Amazon ECS)
• Amazon Elastic Kubernetes Service (Amazon EKS)
• AWS Fargate

Evidence: Written description of the technical solution that is used to support this requirement.

The solution that the AWS Partner supports offers four key capabilities for Endpoint Detection and Response (EDR) as defined by Gartner: detect security incidents, contain the incident at the endpoint, investigate security incidents, and provide remediation guidance.

Evidence: Written description of the technical solution that is used to support this requirement.

WAF solutions that the AWS Partner supports have the ability to address the OWASP top 10 web application security risks.

Evidence: Written description of the technical solutions that the Partner recommends or supports to meet this requirement.

The AWS Partner has the ability to guide a customer on how to author WAF rules for the WAF solutions that the Partner recommends and supports.

Evidence: Written description on how the AWS Partner meets the needs of their customers for this requirement.

The AWS Partner has the ability to consume log data from a customer’s WAF environments on AWS and provide threat analytics and insights on additional rules that should be authored to address observed threats.

Evidence: Written description of the technical solution that the AWS Partner is using to solve this requirement.

The AWS Partner provides a vulnerability scanning solution that supports the ability scan container images for both operating system and programming language vulnerabilities. Scanning solution must be capable of both continuous and on-push scanning and support at minimum 3 of the Operating Systems (Alpine Linux, Amazon Linux, CenOS Linux, Debian Server) and 3 of the Programing Languages (C#, Golang, Java, Javascript, PHP, Python, Ruby, Rust).

Evidence: Details on the technical solution that is used to meet this requirement.

Partner has policies and procedures for continuously monitoring cluster activity to identify malicious or suspicious behavior that represents potential threats to container workloads. Threats detected must include the following:

• Clusters accessed by known malicious actors or Tor nodes
• API operations performed by anonymous users
• Privilege-escalation techniques such as launch of a container with root-level access to the underlying Amazon Elastic Compute Cloud (Amazon EC2) host.

The solution protects containers on at least one of the following AWS container services:

• Amazon Elastic Container Service (Amazon ECS)
• Amazon Elastic Kubernetes Service (Amazon EKS)
• AWS Fargate

Evidence: Written description of the technical solution that is used to support this requirement.

The AWS Partner provides a mechanism for upgrading instances with the latest operating system and application versions.

Evidence: Provide an example of a policy used for maintaining appropriate security patch levels in container instances.

AWS Partner provides code-level security expertise and guidance. The Partner either directly develops application code that implements security best practices or provides code review services for customers to proactively identify security issues and address them in custom code bases. These services leverage a combination of automated static analysis, dynamic analysis, and expert reviews.

Evidence: One of the following - customer testimonial, Git/bug tracker history, or publications.

AWS Partner must provide RASP solution and monitor events in their managed services.

Evidence: Details of RASP security that can detect and block security attacks and anomalies from inside a running application.

AWS Partner has an understanding of AWS penetration testing policies and works with customers to conduct tests, implement processes around regular penetration testing/vulnerability scanning of their applications and infrastructure, while still complying with AWS policies. AWS Partner works with customers to resolve any identified vulnerabilities to ensure that their applications meet a target security bar and their AWS environment meets the standards of AWS Well-Architected Framework.

Evidence: A sample of a customer penetration test results report that was supplied to a customer. IP Addresses or other sensitive data may be redacted.

Managed service automates vulnerability scanning of the CI/CD pipeline and reports events for analysis/response. Service provides scans of code, least privilege access, patch management, and network ports and protocols.

Evidence: Written description of the technical solution that the AWS Partner is using to solve this requirement.

Partner performs Dynamic Code Analysis for post-production apps, collect/triage the events, and either provide remediation guidance or resolve the events.

Evidence: Written description of the technical solution that the AWS Partner is using to solve this requirement.

AWS Partner performs Static Code Analysis for pre-production apps, collect/triage the events, and either provide remediation guidance or resolve the events.

Evidence: Written description of the technical solution that the AWS Partner is using to solve this requirement.

Partner must provide details on how they manage cryptographic keys, including rotation and recovery strategies.

Evidence: Written description of the technical solution that the AWS Partner is using to solve this requirement.

Partner must monitor SSL/TLS certs for expiration, ensure that keys are stored securely, and implement HSTS (HTTP Strict Transport Security) by default.

Evidence: Written description of the technical solution that the AWS Partner is using to solve this requirement.

AWS Partner must provide managed sensitive data discovery services and monitor security events for analysis. Additionally, Partner must alert when sensitive data is not stored in an inappropriate location.

Evidence: Partner must describe the tools and techniques they use to scan for sensitive data and to mark it according to the appropriate classification.

Partner must provide the ability to scan for malware in S3 in an API-based, Event-based, or scheduled fashion. Documentation must be accessible to customers and clearly describe the scanning approach.

Evidence: Written description of the technical solution that the AWS Partner is using to solve this requirement.

AWS Partner must scan data at rest (storage) and data in motion (network) in order to determine when sensitive data is improperly used or exchanged.

Evidence: A screenshot showing how the system marks data with the appropriate classification.

Partner solution must provide visibility of identity access rights to assets such as how identities map to assets.

Evidence: Written description of the technical solution that the AWS Partner is using to solve this requirement.

Partner service must detect and alert when a user accesses resources in an anomalous way (e.g. outside of work hours or from a new location).

Evidence: Written description of the technical solution that the AWS Partner is using to solve this requirement.

AWS Partner can manage MFA tokens for the customer, ensuring at minimum, root, administrator, auditor, and back-up accounts are secured with MFA.

Evidence: Written description of the technical solution that the AWS Partner is using to solve this requirement.

Partner must provide a solution for managing passwords, keys, and other secrets that does not store them in plain text anywhere.

Evidence: Written description of the technical solution that the AWS Partner is using to solve this requirement.

Partner solution uses historic logs to recommend policy updates in-line with least privilege.

Evidence: Provide an example of a recommended policy update that was automatically generated.

Partner is capable of providing integrations with major authentication vendors so customers can have a combined view of all of their AWS accounts and non-AWS accounts.

Evidence: Written description of the technical solution that the AWS Partner is using to solve this requirement.

Partner can manage identity provider events from AWS Supported Identity Provider (requires integration with AWS SSO via SCIM).

Evidence: Show that the external identity provider has been tested with AWS SSO SCIM implementation.

Partner has the ability to provide access to key resources through PAM integration on supported operating systems and monitor events.

Evidence: Written description of the technical solution that the AWS Partner is using to solve this requirement.

Partner solutions can federate customer employees, contractors, and partners (workforce) to AWS accounts and business applications, and add federation support to public-facing web/mobile applications.

Evidence: Must provide support for at least three commonly used open identity standards: Security Assertion Markup Language 2.0 (SAML 2.0), Open ID Connect (OIDC), and OAuth 2.0.

Partner solution provides and monitors events for least privilege and separation of duties across the lifecycle of joiners, movers, and leavers.

Evidence: Written description of the technical solution that the AWS Partner is using to solve this requirement.

AWS Partner provides customers with a written business continuity plan including the following:

• Backup and Restore strategy
• Risk Management strategy (accounting for customers’ priorities, constraints, risk tolerances, assumptions)
• Business Environment (customers’ mission, objectives, stakeholders are documented and details information is included to describe cybersecurity roles, responsibilities, and risk management decisions)
• Assets (data, personnel, devices, systems, and facilities that enable the customer to achieve business purposes are documented)
• Supply Chain Risk Management

Evidence: A sample of a customer Business Continuity Plan that includes a Recovery Point Objectives (RPO) and Recovery Time Objective (RTO).

Partner’s solution isolates backups from the production network with separate access roles and separate MFA access, similar to audit accounts. Recommend making back-ups immutable.

Evidence: Written description of the technical solution that the AWS Partner is using to solve this requirement.

Partner solution keeps critical customer operations up and running in the event of a major system failure.

Evidence: Written process for recovering back-ups, written frequency of testing Continuity of Operations (COOP) plan, or written plan for on-prem or multi-cloud recovery into AWS.

Partner must perform a disaster recovery test at least twice per year to demonstrate customer environments can be recovered to operational state from the backups. Customers need to be included in the process so they are also prepared for a real event.

Evidence: Written description of the technical solution that the AWS Partner is using to solve this requirement.

Partner solution includes a Ransomware response plan template that addresses each of the requirements in the NIST National Cybersecurity Center of Excellence (NCCoE) Practice Guides (NIST 1800-11, 1800-25, and 1800-26).

Evidence: Provide an example of a recommended policy update that was automatically generated.

Partner must have experience in providing customers with anti-Ransomware solutions and monitoring for events.

Evidence: Architecture image of the anti-ransomware solution with AWS Services, 3rd party products, and areas of customization.

Partner must be experienced in providing customers with 24/7 managed services for anti-Ransomware Software products.

Evidence: Customer-facing sales documentation and internal procedural documentation such as Standard Operating Procedures (SOPs), runbooks, and playbook in their application.

Partner must be experienced in providing customers with anti-Ransomware deployment services.

Evidence: anti-Ransomware software deployment documentation and/or automation that is used by individuals in their company or equivalent assets in their application.

Partner must provide Ransomware protection solution that includes mitigation of host and network attack vectors as well as policy enforcement such as patch management.

Evidence: Architecture image.

Partner can provide an Anti-Ransomware solution that includes inventory of digital assets, logging, reporting, vulnerability management, and event detection.

Evidence: Architecture image.

Partner can provide an Anti-Ransomware solution that includes secure backup, immutable storage, investigation, and analytics capabilities.

Evidence: Architecture image.

Partner can provide a solution that scans email for malicious messages and common phishing tactics. The solution must include detection, remediation actions, and training.

Evidence: Written description of the technical solution that the AWS Partner is using to solve this requirement.

Partner must have the ability and a documented process for conducting an investigation into an incident and collecting evidence in the appropriate legal format for government investigations in the event that law enforcement or other legal proceedings occur as a result of the investigation.

Evidence: Written description of the technical solution that the AWS Partner is using to solve this requirement.

Partner solution must include a separate AWS account for forensics investigations with access policies following least privilege access. Amazon VPC subnets in the Forensics account should have no internet gateways and Security Groups should be highly restrictive, and deny all ports that aren’t related to the requirements of the forensics tools. The account activity must be auditable at minimum logging all connection activity (SSH, RDP).

Evidence: Written description of the technical solution that the AWS Partner is using to solve this requirement.

Partner solution must be capable of collecting at least 5 of the below data sources:

• All EC2 instance metadata
• Amazon EBS disk snapshots
• EBS disks streamed to S3
• Memory dumps
• Memory captured through hibernation on the root EBS volume
• CloudTrail logs
• AWS Config rule findings
• Amazon Route 53 DNS resolver query logs
• VPC Flow Logs
• AWS Security Hub findings
• Elastic Load Balancing access logs
• AWS WAF logs
• Custom application logs
• System logs
• Security logs
• Any third-party logs

Evidence: Written description of the technical solution that the AWS Partner is using to solve this requirement.