AWS Cloud Operations Competency

Applies to: SaaS | Customer Deployed

The AWS Partner solution meets the definition of at least one category specified in the application. Each of the four customer examples (see prerequisite section 2.0) must discuss at least one chosen category. All chosen categories must be represented by at least one customer example.

For example, if applying for Cloud Governance category, all four customer examples must be about your Cloud Governance capabilities. If applying for both Cloud Governance and Compliance/Auditing, ideally all four customer examples would discuss Governance and Compliance, but any mix such as one Governance, three Compliance or two Governance, two Compliance related would be acceptable.

Applies to: Customer Deployed | SaaS

The AWS Partner solution must support delivery of its services in at least two (2) AWS Regions to support scenarios such as a customer workload failing over from one AWS Region to another as part of a disaster recovery process or simply having workloads that span multiple regions.

Please provide the following as evidence:

1. Copy/Link to customer-facing documentation describing how solution supports a customer's disaster recovery requirements.
2. If there are specific regions the solution is not supported in due to a dependance on an AWS service not currently available in that region, include the name of the dependent service with the region.
3. If there are specific countries or languages the solution is not supported in, provide a list of the countries/languages.

References:

[1] Implementing Multi-Region Disaster Recovery Using Event-Driven Architecture

Applies to: SaaS | Customer Deployed

The AWS Partner solution supports centralized management of customer environments that may consist of multiple AWS Accounts, AWS Regions, and/or VPCs, without requiring the customer to install multiple times within the same AWS partition.

Please provide the following as evidence:

1. Copy/Link to customer-facing documentation describing how the solution supports this requirement.

Applies to: Customer Deployed

The AWS Partner solution provides an Infrastructure-as-Code (IaC)-based mechanism and accompanying documentation on how to easily deploy the solution including when the deployment is required across multiple AWS Regions and/or AWS Accounts. The solution documentation must also support the customer with guidance on how to size the solution deployment if applicable.

Please provide the following as evidence:

1. Copy/Link to customer-facing documentation describing product deployment steps including description of Infrastructure-as-Code (IaC) assets provided for deployment.
2. Copy/Link to customer-facing documentation describing how the customer should size the solution deployment for their intended use. If sizing is not applicable, state what mechanisms the solution uses to scale with different/changing customer environments.

Applies to: SaaS

For situations such as on-boarding a customer’s AWS environment into the AWS Partner SaaS solution where the customer is instructed to create or manage AWS resources, such as creation of an IAM Cross-Account role, the AWS Partner solution must provide an Infrastructure-as-Code (IaC)-based mechanism (e.g., template) and/or accompanying documentation on how to easily facilitate the required steps using the IaC mechanism.

If the actions must be repeated over multiple AWS Regions and/or AWS Accounts, the Infrastructure-as-Code (IaC)-based mechanism must be capable of automated deployment such as through the use of AWS CloudFormation StackSets

Please provide the following as evidence:

1. Copy/Link to customer-facing documentation describing each on-boarding topic that requires the creation or manipulation of assets in the customer's environment, what IaC mechanism(s) is provided to facilitate automated execution of the topic and how the customer should employ them.
2. For on-boarding topics that entail repeated execution over multiple AWS Regions and/or AWS Accounts, provide same sort of evidence as preceding (1).

Applies to: SaaS | Customer Deployed

The AWS Partner solution must support logging of all activities initiated within the solution against the customer's managed environments to support auditing activities. Collected activity logs should be accessible from the GUI at minimum, with optional ability to query through APIs.

Please provide the following as evidence:

1. Copy/Link to customer-facing documentation explaining logs generated by the solution and how to access/manage the logged data using both GUI and API (if applicable).
2. Copy/Link to customer-facing documentation explaining the log retention duration and how/if it is managed by the customer.
3. Provide some sample queries and screenshots of the logged data.

Applies to: SaaS | Customer Deployed

The AWS Partner solution supports multi-account management activities such as account creation, baselining, deletion, etc., at scale by leveraging multi-account management services available in AWS Organizations and/or as facilitated by AWS Control Tower lifecycle-events. For example, when a new account is provisioned via AWS Control Tower Account Factory, the AWS Partner solution is able to react, to automatically initiate on-boarding management of the new account.

Please provide the following as evidence:

1. Copy/Link to customer-facing documentation explaining how the AWS Partner solution supports this requirement.

References:

[1] Customizations for AWS Control Tower

[2] AWS services that you can use with AWS Organizations

[3] Lifecycle Events in AWS Control Tower

Applies to: Customer Deployed

The AWS Partner solution can be deployed into the AWS Public (standard) partition and at least one other AWS partition: AWS China, AWS GovCloud, Secret, or Top Secret. Automation assets provided to the customer such as AWS CloudFormation templates containing AWS resource ARNs must avoid use of hardcoded AWS Region and AWS Partition codes where use of a pseudo parameter is supported.

Please provide the following as evidence:

1. Copy/Link to customer facing documentation listing supported partitions like aws, aws-us-gov, or aws-cn.
2. Provide list of known limitations, exceptions if any, for each partition.

References:

[1] AWS GovCloud (US) or standard? Selecting the right AWS partition

[2] Amazon Resource Names (ARNs)

[3] AWS CloudFormation User Guide: Pseudo parameters reference

Applies to: SaaS

The AWS Partner solution can manage customer workloads in the AWS Public (standard) partition and at least one other AWS partition: AWS China, AWS GovCloud, Secret, or Top Secret. Automation assets provided to the customer such as AWS CloudFormation templates containing AWS resource ARNs must avoid use of hardcoded AWS Region and AWS Partition codes where use of a pseudo parameter is supported.

Please provide the following as evidence:

1. Copy/Link to customer facing documentation listing all supported partitions like aws, aws-us-gov, or aws-cn.
2. Provide list of known limitations, exceptions if any, for each partition.

References:

[1] AWS GovCloud (US) or standard? Selecting the right AWS partition

[2] Amazon Resource Names (ARNs)

[3] AWS CloudFormation User Guide: Pseudo parameters reference

Applies to: SaaS | Customer Deployed

Managed Services Providers (MSP) will typically offer AWS services and/or management of AWS environments for their customers, who they treat as isolated tenants. If your solution provides any capabilities specifically targeted at MSPs, please indicate those capabilities here. For example, the ability of the AWS Partner solution to allow the MSP to add fees/discounts/credits to their customers (tenant) AWS bill to support line-item charges for the MSPs provided services.

Please provide the following as evidence:

1. Copy/Link to documentation describing MSP specific features or list of features with short description.

Applies to: SaaS | Customer Deployed

The AWS Partner solution supports on-boarding, provisioning and management logical groupings of cloud resources as defined by the customer and their business needs. Examples include the ability to represent, provision, and manage:

• Resources in accounts organized into an organization unit where aspects such as guard rails can be cascaded down from the OU.
• Various workload projects with development lifecycle phases such as dev, test, stage, prod where each can have guardrails, controls, limits inherited, at the groups level etc.

Please provide the following as evidence:

1. Copy/Link to customer-facing documentation describing support of on-boarding and creating logical resource grouping constructs and how the customer can affect provisioning and management across and within the resource hierarchies.

Applies to: SaaS | Customer Deployed

This requirement focuses on making it easier for customers to implement their Governance, Risk Management and Compliance (GRC) Controls as a foundation of their AWS Cloud environments. A control is a means of mitigating or detecting an issue that is a consequence of risk being realized, while guardrails are a technical implementation to meet those controls[1].

The AWS Partner solution:

• Enables the customer to implement and manage preventive, and detective guardrails across their cloud environments that are focused on operational best practices, compliance and security needs.
• Supports preventive controls and implements guardrails to stop known non-compliances, and detective controls and implements guardrails to identify and remediate non-compliances.
• Provides both out of the box controls as well as enables the customer to define their own controls, guardrails per their internal and/or external compliance and governance needs.
• Provides self-servicing capabilities for compliant configurations for the entire organization.

Please provide the following as evidence:

1. Copy/Link to customer-facing documentation describing the list of controls available out of box, default behavior and customization options and how these are supported across a customer's hierarchy of cloud environments.

References:

[1] Management and Governance Cloud Environment Guide

Applies to: SaaS | Customer Deployed

Solutions implementing preventive controls that block provisioning of resources must not abstract or limit the AWS APIs available to customers by default. Solutions that deploy an agent or other means of collector must demonstrate the need and why direct integration with AWS does not meet that need.

Please provide the following as evidence:

1. Public documentation explaining how the limits are handled.
2. If the solution deploys its own agent or collector, indicate why direct integration with AWS is not supported.

Applies to: SaaS | Customer Deployed

AWS Partner solution allows to centrally manage and provision access to AWS resources through federated Identity integration with external authentication providers by the use of SAML 2.0 or OpenID Connect (OIDC) protocols. The solution should also allow to audit and rotate credentials periodically, allows for creation and management of user groups and attributes to be used for managing access control.

Please provide the following as evidence:

1. Copy/Link to customer-facing documentation explaining how the above capabilities are delivered.
2. List of Identity and Access Management open standards and list of 3rd-party identify provider offerings the solution works with.

Applies to: SaaS | Customer Deployed

This requirement focuses on making it easier for customers to design, implement and manage infrastructure capabilities around network security and highly available connectivity as a foundation of their AWS Cloud environments.

The AWS Partner solution enables designing and automating the provisioning and management of:

• Secure and highly available network cloud infrastructure. For example, easing the design-in and deployment of a complex networking construct such as a transit gateway from the solution or providing IaC to deploy etc.
• Security policies and controls across different levels of the networking stack to protect resources from external and internal threats.

Please provide the following as evidence:

1. Copy/Link to customer-facing documentation explaining how the AWS Partner solution supports this capability. Please provide a link to a demonstration video if available.
2. Explain how the capabilities like prevention, detection, and blocking of anomalous network traffic based on monitoring of ingress/egress and lateral data movement are achieved.

Applies to: SaaS | Customer Deployed

The AWS Partner solution must be able to identify, protect, detect, respond, recover and track any security issues and events across the customer environment towards the overall customer goal of designing cloud architectures with security in mind. The solution must provide dashboard visualization for all the mentioned capabilities and support the customer in implementing the security best practices described in Well-Architected Security Pillar (ref. [1]) whitepaper.

Please provide the following as evidence:

1. Copy/Link to customer-facing documentation explaining how the AWS Partner solution supports this capability. Please provide a link to a demonstration video if available.
2. Sample reports generated for auditing purposes.

References:

[1] Security Pillar - AWS Well-Architected Framework

Applies to: SaaS | Customer Deployed

This requirement focuses on making it easier for customers to implement unified log management under Governance, Risk Management and Compliance (GRC), as a foundation of their AWS Cloud environments. Log Management encompasses Log Storage, securely collecting and storing environment logs centrally with tamper resistant storage, and management tasks such as viewing, searching, archiving etc.

The AWS Partner solution enables:

• Secure collection of logs generated across the customers Cloud environments into a central location, with adjustable data life-cycle settings such as storage duration, location, etc., as per the business needs.
• Management tasks such as viewing, archiving etc.
• Searching and analyzing logs at scale using own or other partner tools.
• A unified view to disparate logs across the customer's AWS Cloud environments including such as AWS Cloud Trail, Amazon CloudWatch Logs, and other sources such as security, network, DNS, etc.

Please provide the following as evidence:

1. Copy/Link to customer-facing documentation explaining how the AWS Partner solution supports this capability to alleviate customer need for disparate log management tools.
2. List of third-party tools (if any) required to support log search and analysis with examples.
3. Please provide a link to a demonstration video if available.

References:

[1] Centralized Logging on AWS

Applies to: SaaS | Customer Deployed

This requirement focuses on making it easier for customers to build and manage secure and highly available cloud infrastructure, and as AWS Accounts are added, ensuring they are imparted with governance best practices per the customers Governance, Risk Management, and Compliance requirements.

The AWS Partner solution supports:

• Creation of new AWS accounts with best governance practices in place at the time of account creation such as:
  • Automatic deployment of a complete landing zone account structure for a new customer environment
  • Deployment of preventive/detective controls when a new account it created.
• A set of preventive, detective, and remediation controls to avoid drift of the AWS Account creation controls.

Please provide the following as evidence:

1. Copy/Link to customer-facing documentation explaining how the AWS Partner solution supports this capability.
2. If the solution enables the customer to create AWS Accounts, please provide copy/link to customer-facing documentation explaining this capability.

If the solution does not enable account creation, indicate how the solution facilitates on-boarding and presence of governance best practices, preferably in an automated and as soon after creation as possible, e.g., but reacting to AWS Control Tower account lifecycle events. 3. Copy/Link to customer-facing documentation showing list of default/optional best practices implemented, and list of controls implemented to avoid drift.

References:

[1] Establishing Your Cloud Foundation on AWS Whitepaper: Governance, Risk Management, and Compliance

[2] Lifecycle Events in AWS Control Tower

Applies to: SaaS | Customer Deployed

This requirement focuses on making it easier for customers to implement tagging under Governance, Risk Management and Compliance (GRC), as a foundation of their AWS Cloud environments. Tagging enables customers to group sets of resources by assigning metadata to cloud resources for a variety of purposes such as access control (such as ABAC), cost reporting, and automation (such as patching for select tagged instances) or to create new resource constructs for visibility or control. Tagging is fundamental to providing enterprise-level visibility and control.

The AWS Partner solution enables:

• Implementation of a tagging schema based on customer business requirements, supporting cloud provider and customer-defined tag naming conventions.
• Preventative, detective guardrails supporting governance of required tag usage.

Please provide the following as evidence:

1. Copy/Link to customer-facing documentation explaining how the AWS Partner solution supports AWS tagging best practices[1].
2. If the AWS Partner solution supports customer hybrid or multi-cloud usage, describe how the solution supports use of a unified tagging schema across for AWS and the customers cloud resources outside of AWS.

Reference:

[1] AWS Tagging Best Practices

Applies to: SaaS | Customer Deployed

The AWS Partner solution enables the customer in establishing and implementing overall best practices for data security and governance such as:

• Automating data discovery, identification, classification and data lifecycle management such as effective use of storage tiering or support of regulation such as GDPR, CCPA, and COPPA right to forget aspects.
• Controls to monitor/govern use of data protections controls in-transit, at-rest.
• Data governance aspects such as data ownership and accountability.
• Creation, management of a data catalog with capabilities such as:
  • Associating metadata identified data stores.
  • Supporting lifecycle policies from data generation or capture to its eventual archival or deletion, data access rules and policies, and data integrity.
• Data Governance controls should be supported with a continuous compliance monitoring mechanism.

Please provide the following as evidence:

1. Copy/Link to customer-facing documentation explaining how the AWS Partner solution supports AWS best practices for data protection [1][2].
2. Explain how the solution supports a customer's overall continuous compliance monitoring effort.

Reference:

[1] AWS Well-Architected Framework-Security Pillar-Data protection

[2] Best Practices for Building a Data Lake on AWS for Games-Data security and governance

[3] Enterprise Data Governance Catalog Whitepaper

Applies to: SaaS | Customer Deployed

Cloud Financial Management (CFM) allows organizations to manage, optimize, and plan costs as they grow their usage and scale of the AWS Cloud. A primary goal of CFM is to allow customers to achieve their business outcomes in the most cost efficient manner, and accelerate economic and business value creation while finding the right balance between agility and control.

AWS Partners in this category help customers plan for optimized cost management from day one with services, tooling, and resources to organize and track cost and usage, enhance control through consolidated billing, enable better planning through budgeting and forecasts, and further raise cost efficiency with resource and pricing optimizations.

The AWS Partner solution enables customers in the following high-level CFM goals:

• Providing real time access to AWS billing data, and ability to dive deep into the details.
• Curating customer data, as it relates to specific business stakeholders, to enable real time decision making.
• Use of historical data to inform on pricing aspects of AWS cloud services.
• Obtaining summary reporting on top actionable areas within the customer's AWS environment as it relates to Cloud Financial Management.
• Obtaining training and/or guidance on Cloud Financial Management principles and best practices.

Please provide the following as evidence:

1. Provide a high-level overview of how the AWS Partner solution supports the overall cloud financial management category expectations.
2. Support with copy/link to customer-facing documentation, and/or reference architecture depicting the AWS Partner solution if helpful.

References:

[1] AWS Cloud Financial Management Best Practices

Applies to: SaaS | Customer Deployed

This requirement focuses on capabilities that allow a customer to establish cost visibility, and accountability for spend.

The AWS Partner solution enables the customer with the following capabilities:

• Support Cost and Usage Report (CUR) integration for granular cost and usage reporting.
• Filtering and grouping of all AWS costs; including allocations by organization, account, resource type, tag, cost category, and AWS Region.
• Mechanisms to measure, monitor and create accountability for those across the organization responsible for cloud spend.
• Support for customer cost allocation models with mechanisms such as:
  • Alignment to account structures.
  • Establish, report on, automated governance of use of business-relevant cost allocation tagging schema for showback/chargeback.
• Creation of unit economics for the customer's AWS bill.
• Support for cost allocation of shared service costs.

Please provide the following as evidence:

1. Copy/Link to customer-facing documentation explaining how the AWS Partner solution supports these capabilities.

References:

[1] Laying the Foundation: Setting Up Your Environment for Cost Optimization

[2] AWS Well-Architected Framework: Cost Optimization Pillar: COST01-BP04 Implement cost awareness in your organizational process

[3] What is a Unit Metric

[4] Unit metrics in practice

[5] Cost Allocation Blog Series

[6] How to charge back shared services

Applies to: SaaS | Customer Deployed

The AWS Partner solution enables the customer with the following capabilities resulting in at least semi-autonomous cost optimizations:

• Identify EC2/RDS right-sizing optimizations, based on:
  • At minimum: instance utilization: CPU, Network I/O, Disk I/O, and Memory utilization.
  • Recommending: across all available AWS instance families, to newer generation instance types, and higher performance chipsets (example: graviton).
• Use of Elasticity and Scheduling based on historical usage.
• Identify Storage optimizations based on (at minimum): relevant storage metrics, e.g., time of last access, current storage tier, object size etc.) such as:
  • Newer generation EBS volume types, e.g., GP2 to GP3.
  • User configurable EBS Snapshot optimization and cleanup.
  • Object storage lifecycle management.
  • Appropriate automated storage tiering based on business needs or access patterns.
  • Incomplete Amazon S3 multi-part upload cleanup.
• Identify (at minimum) and mitigate unattached/idle/orphaned resources including Elastic IPs, EBS volumes, Amazon RDS databases, Amazon Redshift clusters, Unused VPCs and Load Balancers (idle/without attached targets).
• Identify networking and data transfer costs optimizations through data transfer cost modeling to recommend:
  • Components for optimized data transfer costs, e.g., wide-area-network (WAN), Multi-Availability Zone (AZ) configurations.
  • Use of services to reduce data transfer costs, e.g., CDN, caching, AWS Direct Connect.

Please provide the following as evidence:

1. Copy/Link to customer-facing documentation explaining how the AWS Partner solution supports these capabilities.
2. Explain the source of metrics used to identify the supported optimizations.
3. If the solution relies on AWS Compute Optimizer or other AWS Cost Management Products, please explain:
   • Source of utilization metrics.
   • Any resource types not supported and why.
   • How the resulting recommendations are presented to the customer.
   • How the resulting recommendations (remediations) are implemented.

References:

[1] AWS Well-Architected Framework: Cost Optimization Pillar: Cost effective resources

Applies to: SaaS | Customer Deployed

The AWS Partner solution enables the customer with the following capabilities in accordance with customer business needs, resulting in at least semi-autonomous purchase recommendations:

• Compare, Contrast and Recommend optimum EC2 Savings Plans/Reserved Instances purchase plans:
  • Based on historical usage patterns, usage across multiple AWS Regions and/or AWS Accounts and considering all SP/RI types (compute SP, EC2 Instance SP, standard RI, convertible RI, regional RI, zonal RI).
• Recommend optimum Reservation Models for other AWS services including at least Amazon RDS and Amazon DynamoDB.
  • Based on historical usage patterns and other parameters relevant to the specific service reservation model.
• Able to execute all recommended purchase recommendations in at least a semi-autonomous manner.

Please provide the following as evidence:

1. Copy/Link to customer-facing documentation explaining how the AWS Partner solution supports these capabilities.
2. Copy/Link to list of all supported/excluded Reservation Models for other AWS services.

References:

[1] Amazon EC2 Reserved Instances and Other AWS Reservation Models Whitepaper

Applies to: SaaS | Customer Deployed

A forecast is a prediction of how much a customer will use AWS services over a defined forecast time period with the forecast having a wider range the longer the forecast time period. Forecasts are in part based on the customers IT inventory, their historical usage and spend and analysis of their business needs.

The AWS Partner solution enables the customer with the following capabilities:

• Includes both Bottoms-up forecasting for net new workloads and Demand driver-based forecasts based on unit economics.
• Provides predictive cost estimates for month/quarter/year via linear regression or other modeling techniques.
• Provides historical cost trend analysis of most recent trailing 12 months (TTM) or more.

Please provide the following as evidence:

1. Copy/Link to customer-facing documentation explaining how the AWS Partner solution supports these capabilities.
2. Copy/Link to methodology/processes for establishing customer forecasting/TCO analysis.

References:

[1] How to improve your cloud cost forecasting

[2] Understand and build driver-based forecasting

[3] AWS Well-Architected Framework: Cost Optimization Pillar: COST01-BP03 Establish cloud budgets and forecasts

Applies to: SaaS | Customer Deployed

Cloud Financial Operations is the practice of bringing together engineering, finance, business, and technology stakeholders to achieve higher levels of savings and business value in the cloud. Customers need centralized mechanism for planning, roadmap development/prioritization, milestone/goal setting, budgeting, operational planning, managing change, execution, metric setting, reporting, risk management, and consistent stakeholder communication.

The AWS Partner solution enables the customer with the following capabilities in accordance with customer business needs:

• Aggregate scorecard of cost savings opportunities and recommendations.
• Proactive cost monitoring and alerting of forecasted spend to actual spend.
• A monthly variance analysis for spend that is not matching forecast.
• Guardrails and enforcement of cost allocation tags, identification of any untagged resources, and cleanup of tag syntax.
• Cost anomaly detection and mitigation recommendations, automated if possible.
• Alerts based on budget overruns, sent via email and at least one additional 3rd party tool (e.g., ITSM solution, monitoring platform, or chat application).
• Consolidated performance reporting across cost, utilization, and SP/RI management.
• Reporting on historical SP/RI purchases and utilization.
• Partner provides adequate training to all stakeholders at the customer on the specific solution, but also on Cloud Financial Management best practices in general.
• Customer management of third-party licenses on AWS, including operating systems, databases, networking.

Please provide the following as evidence:

1. Copy/Link to customer-facing documentation explaining how the AWS Partner solution supports these capabilities.
2. Copy/Link to list of all supported/excluded Reservation Models for other AWS services.

Applies to: SaaS | Customer Deployed

This use case is about helping customers ensure the Cost Optimization Pillar of the AWS Well-Architected Framework is realized as part of implementing containerized workloads on AWS.

The AWS Partner solution supports the user in the optimum use of spot instances with the following capabilities:

• Identify/Recommend cost savings via optimized Kubernetes on EC2 and/or Amazon EKS clusters configuration such as:
  • Auto/Down Scaling: aligning number of cluster nodes and demand.
  • Right-Sizing: allocating appropriate CPU, memory resources to pods.
  • Purchase options, e.g., use of Spot instances (also applicable to use of Amazon ECS).

Please provide the following as evidence:

1. Copy/Link to customer-facing documentation explaining how the AWS Partner solution supports these capabilities.

References:

[1] Cost optimization for Kubernetes on AWS

Applies to: SaaS | Customer Deployed

The AWS Partner solution supports the user in the optimum use of spot instances with the following capabilities:

• Based on historical usage patterns and customer's workload applicability guidance, solution:
  • Identifies workloads suitable for Spot usage.
  • Recommends instances to move from on-demand to spot instance pricing with resulting cost savings.
• Provides recommendations for appropriate instance types, availability zones and spot instance pools to leverage spot instance diversification.
• Provides mechanisms to mitigate Spot Instance interruptions such as proactive capacity rebalancing, on-demand fallback, etc.

Please provide the following as evidence:

1. Copy/Link to customer-facing documentation explaining how the AWS Partner solution supports these capabilities.

References:

[1] Diving Deep into EC2 Spot Instance Cost and Operational Practices

Applies to: SaaS | Customer Deployed

Customers running infrastructure in multiple clouds, or workloads with components in multiple clouds benefit from having a consolidated view of all cloud costs providing a single dashboard from which to monitor and control cloud costs from one central location. Having unified cost visibility simplifies showback/chargeback with consolidated reporting, facilitates use of a common tagging schema across all clouds and a common set of policies to identify and turn off idle resources which helps reduce costs. Customers with workloads that can run or scale across multiple clouds can make placement decisions better informed by price. Solutions that support multi-cloud price comparisons help customers considering migrating workload from one cloud to another as they would when comparing each clouds costs when migrating from on-premises.

The AWS Partner solution enables the customer with the following capabilities in accordance with customer business needs:

• Integrate with and import granular cost and usage reporting from at least AWS, and Azure with import for other clouds (GCP, OpenShift, RedHat, Oracle, VMWare etc).
• Consolidated dashboards, reporting, with filtering, grouping, drilldown of all customer's imported cloud costs.
• In addition to typical cost allocation groupings, support allocation groups for workload components that can reside in different clouds, e.g., projects, products, services etc.
• Support a consistent tagging strategy that can be used across cloud providers.
• Creation of unit economics for the customer's consolidated spend across clouds.
• Support for cost allocation of shared service costs across clouds.
• For resource decisions, recommendations involving cloud cost, extend to include costs from customers' multiple clouds.
• Cloud-to-Cloud pre-migration modeling.

Please provide the following as evidence:

1. Copy/Link to customer-facing documentation explaining how the AWS Partner solution supports these capabilities.

Applies to: SaaS | Customer Deployed

AWS Partners with solutions supporting monitoring and observability help customers understand what is happening across their technology stack at any time. Solutions leverage AWS-native, Application Performance Monitoring (APM), open-source solutions and proprietary IP to collect, correlate, aggregate, and analyze telemetry in the customers AWS-based cloud networks, infrastructure, and applications. Some partner solutions may further support customers' hybrid workloads ideally providing end-to-end visibility beyond AWS. These solutions provide customers with insights into the behavior, performance, and health of their systems enabling customers to detect, investigate, and remediate problems faster, and increasingly coupled with artificial intelligence and machine learning, to proactively predict, react, and prevent issues before they impact users.

Please provide the following as evidence:

1. Provide a high-level overview of how the AWS Partner solution supports the overall monitoring and observability category expectations and prevalent open standards like OpenTelemetry. Supplement with copy/link to customer-facing documentation, and/or reference architecture depicting the AWS Partner solution if possible.

References:

[1] What is observability and Why does it matter? – Part 1

Applies to: SaaS | Customer Deployed

As customers build out applications in the cloud, modernizing their existing environments, migrating or building net-new workloads, observability is vital to their success. Monitoring and observability provide operational visibility and insight into their workloads and are crucial to operational excellence. This requirement focuses on overall monitoring and observability capabilities consistent with best practices for monitoring AWS infrastructure and traditional N-tier architectures utilizing virtual machines. See additional use-cases covering monitoring and observability of container-based (COAMO-003) and serverless (COAMO-004) architectures.

The AWS Partner solutions must provide the following capabilities in support of monitoring and observability of multi-tier workloads:

• AWS Infrastructure and Service monitoring:
  Solution consumes AWS service metrics through Amazon CloudWatch metrics through CloudWatch Metric Streams due to near-real-time delivery and low latency. If using polling mechanism retrieval (CloudWatch GetMetric API) please provide information on the trade-off analysis used for this choice.
• Node and Application-level Instrumentation:
  Solution provides an agent for node observability and an SDK for application-level observability.
• Distributed tracing:
  Solution provides tracing capability to observe service requests as they flow through distributed systems.
• Logging:
  Solution integrates with Amazon CloudWatch Logs for both sending and receiving logs.
• Auditing:
  Solution provides auditing capabilities for users to check audit events on "What, When, Who" actions as it relates to its own solution.
• Dashboard and Visualization:
  Solution provides dashboard and visualization capabilities.
• Analytics:
  Solution provides analytics capabilities that allows querying on telemetry data and correlation of the different observability signals.
• Alarm & Remediate:
  Solution provides capabilities for creating alarms based on thresholds on the telemetry data and trigger remediation automation runbooks.

Please provide the following as evidence:

1. Copy/Link to customer-facing documentation describing how the solution provides these capabilities.
2. Copy/Link to a reference architecture diagram for a 3-Tier “web” application hosted on EC2 instances which shows how the AWS Partner solution integrates in, to deliver the above-mentioned N-tier monitoring and observability capabilities.

References:

[1] AWS Well-Architected Framework: Reliability Pillar: Monitor Workload Resources

[2] AWS Builder's Library: Instrumenting distributed systems for operational visibility

[3] Designing and implementing logging and monitoring with Amazon CloudWatch

[4] Example 3-tier Web Application Architecture

Applies to: SaaS | Customer Deployed

In addition to traditional N-tier workload architectures, customers are deploying modern application workloads based on container technologies including self-hosted Kubernetes on EC2 instances, and use of AWS managed Container services including Amazon Elastic Kubernetes Service (Amazon EKS), Amazon Elastic Container Service (Amazon ECS) and AWS Fargate.

AWS Partner Monitoring and Observability solutions that support container-based modern application architectures must provide the same eight capabilities presented in COAMO-002 - N-tier Workload Observability, except targeting container architected workloads:

• AWS Infrastructure and Service monitoring
• Node and Application-level Instrumentation
• Distributed tracing
• Logging
• Auditing
• Dashboard and Visualization
• Analytics
• Alarm & Remediate
• Containers: Solution provides an agent for container observability on Amazon EKS/ECS with EC2 or Fargate compute deployment types and self-managed container environments on Amazon EC2 and allows collection of metrics from a Prometheus deployment.

Please provide the following as evidence:

1. Copy/Link to customer-facing documentation describing how the solution provides these capabilities.
2. Copy/Link to a reference architecture diagram for a Kubernetes cluster hosted on EC2 instances which shows how the AWS Partner solution integrates in to deliver the above-mentioned container-based architecture monitoring and observability capabilities.

References:

[1] Container Monitoring Why, how, and what to look out for

[2] AWS Builder's Library: Instrumenting distributed systems for operational visibility

[3] Designing and implementing logging and monitoring with Amazon CloudWatch

[4] Example Kubernetes Container Application Architecture

[5] AWS re:Invent 2022 - Observability: Best practices for modern applications (COP344)

Applies to: SaaS | Customer Deployed

In addition to traditional N-tier workload architectures, customers are deploying modern application workloads with serverless architectures for example leveraging AWS Lambda, Amazon API Gateway, and Amazon DynamoDB.

AWS Partner Monitoring and Observability solutions that support serverless-based modern application architectures must provide the same eight capabilities presented in COAMO-002 - N-tier Workload Observability, except targeting use of serverless-architected workloads:

• AWS Infrastructure and Service monitoring
• Node and Application-level Instrumentation
• Distributed tracing
• Logging
• Auditing
• Dashboard and Visualization
• Analytics
• Alarm & Remediate
• Serverless function Instrumentation:
  Solution integrates with AWS Lambda for serverless function observability.

Please provide the following as evidence:

1. Copy/Link to customer-facing documentation describing how the solution provides these capabilities.
2. Copy/Link to a reference architecture diagram for a serverless web application utilizing AWS Lambda, Amazon API Gateway, Amazon CloudFront as origin for static web content and Amazon DynamoDB. The diagram should clearly show how the AWS Partner solution integrates with the workload to deliver the above-mentioned serverless-based architecture monitoring and observability capabilities.

References:

[1] AWS Lambda Operator Guide: Monitoring and observability

[2] AWS re:Invent 2022 - Observability: Best practices for modern applications (COP344)

[3] AWS Builder's Library: Instrumenting distributed systems for operational visibility

[4] Designing and implementing logging and monitoring with Amazon CloudWatch

[5] Example Serverless Web Application Architecture

Applies to: SaaS | Customer Deployed

As a best practice, customers should implement a security observability strategy to provide visibility into their cloud-native infrastructures, such as microservices, containers, and serverless computing. Similar to application observability leveraging cloud-native logs, metrics, and traces, security observability is concerned with getting insights related to potential security compromises quickly to aid in troubleshooting and remediating faster than traditional monitoring.

AWS Partner Monitoring and Observability solutions that support Security Observability must provide following functionalities:

• Application-level code security observability
  Solution provides observability into application-level attacks that aim to exploit code-level vulnerabilities, such as Server-Side-Request-Forgery (SSRF), SQL injection, and Reflected Cross-Site-Scripting (XSS)

• Workload-level Security observability
  Monitors file and process activity across your environment to detect threats to the AWS infrastructure, such as AWS EC2 instances, and workloads, like 3-tier applications, containers and serverless, in real time.

• Cloud SIEM & Security Posture
  Solution detects real-time threats to the application and AWS infrastructure, like a targeted attack, IP detection from threat-lists, or an insecure configuration and tracks the security hygiene and compliance posture of the AWS environment, automates audit evidence collection, and catches misconfigurations that leaves the AWS environment vulnerable to attacks.

Please provide the following as evidence:

1. Copy/Link to customer-facing documentation describing how the solution provides these capabilities.

References:

[1] AWS Prescriptive Guidance: Implementing security controls on AWS

[2] How to build a security observability strategy in AWS Webinar

[3] AWS Well-Architected: SEC 3: ** How do you implement application Security in your workload?

Applies to: SaaS | Customer Deployed

Customers use Application Performance and Digital UX Monitoring to observe and analyze with context of what’s happening throughout the entire application stack—including networks, databases, systems, and more—and how issues are impacting the end users’ experience as they engage with the application.

AWS Partner Monitoring and Observability solutions that support Application Performance and Digital UX Monitoring must provide following functionalities:

• Real-user monitoring
  Provide real-user monitoring capability to help identify and debug issues in the client-side on web applications and enhance end user’s digital experience.

• Synthetic Monitoring (Canary)
  Synthetic monitoring (canary) capability to continually verify end-customers’ experience by following the same routes and actions as the end-customers even when there's no customer traffic on the applications.

• Feature Flags and A/B Test monitoring
  Monitor the performance of a new feature or A/B experiments in an application stack to help decide when to ramp up traffic to end-users in order to reduce risks, eventual bugs and identify unintended consequences before a new application feature is launched.

Please provide the following as evidence:

1. Copy/Link to customer-facing documentation describing how the solution provides these capabilities.

References:

[1] How to Monitor your Applications Effectively

[2] Enhancing DevOps Practices with Amazon CloudWatch Application Performance Monitoring

Applies to: SaaS | Customer Deployed

Customers are increasingly integrating AIOps to reduce operational incidents and increase service quality; into the DevOps pipelines to automate change risk analysis, into their observability platforms to detect events, assess their potential impact, determine appropriate control actions. towards a goal of predicting and addressing potential incidents before they happen.

AWS Partner Monitoring and Observability solutions that support AIOps Observability must provide following functionalities:

• Anomaly Detection: implements machine learning anomaly detection models that can identify unusual changes or outliers in monitoring metrics and alert or trigger actions before a monitoring threshold breach is detected.
• Correlated Alerts and Events: allows for a centralized view on correlation of different metrics and events based on a common context like time or alert data.
• Root Cause Analysis: automated root cause analysis which identify causal relationships between symptoms on the application and infrastructure layers to pinpoint root cause.
• Incident Management Integration: integrated incident management ITSM tools to create and update incidents based on alerts generated.

Please provide the following as evidence:

1. Copy/Link to customer-facing documentation describing how the solution provides these capabilities.

References:

[1] AWS Cloud Adoption Framework: Operations PerspectiveL Event management (AIOps)

Applies to: SaaS | Customer Deployed

As enterprises deploy workloads in their AWS environments, those workloads increasingly have external aspects outside of AWS that factor into their ability to reliably deliver value for users. These AWS workloads can have aspects on-premises, other clouds, IoT/at-the-edge or off-load processing to 3rd-party SaaS partners such as credit card processing. Customers deploying hybrid workloads need to observability end-end, not just for the parts hosted in AWS.

AWS Partner Monitoring and Observability solutions that support Hybrid environment Observability must provide following functionalities:

1. Copy/Link to customer-facing documentation describing how the solution provides enables end-to-end Observability across Cloud and On-premises/Edge.
2. Provide an architecture diagram depicting your solution delivering end-end observability for a workload hosted in AWS.

References:

[1] How to monitor hybrid environments with AWS services

[2] Hybrid Cloud with AWS Whitepaper

Applies to: SaaS | Customer Deployed

AWS Partners with solutions supporting monitoring and observability help customers operate in compliance landscapes that are complex, dynamic, and evolve rapidly with both internal requirements as well as external industry, national, and international regulations such as HIPAA, SOC, and PCI-DSS. Partners enable customers to implement compliance processes faster, and easier by leveraging automation, ready-to-use templates, and best practices including use of compliance guardrails to help customers detect and flag suspicious activity and take action quicker.

Please provide the following as evidence:

1. Provide a high-level overview of how the AWS Partner solution supports the overall compliance and auditing category expectations.
2. Supplement with copy/link to customer-facing documentation that:
   • Highlights how your solution defines controls based on the AWS Shared Responsibility Model.
   • Calls out where AWS responsibility is assumed versus the partner, vs the customers' responsibility.
3. [Customer-deployed solutions only] Call out who is responsible for ongoing management of the infrastructure hosted in customers AWS environment.

References:

[1] AWS Cloud Operations: Compliance and Auditing

[2] Security & Compliance Quick Reference Guide 2021

[3] Establishing Your Cloud Foundation on AWS: Governance, Risk Management, and Compliance

Applies to: SaaS | Customer Deployed

Exempted for partners who are also applying for Operations Management category and satisfy COCOM-003 - Use Case: Automate controls deployment and manage them using code.

The AWS Partner solution must have mechanisms to deal with infrastructure misconfigurations programmatically. This includes proactive controls to perform compliance checks before resource provisioning, preventive controls to stop known non-compliances, and detective controls to identify and remediate non-compliances. In addition, the solution provides self-servicing capabilities for compliant configurations for the entire organization.

Please provide the following as evidence:

1. Copy/Link to customer-facing documentation describing how the controls are implemented and centrally managed through code.
2. List all proactive, preventive and detective controls supported along.
3. List of compliant configurations made available through self-service.

Applies to: SaaS | Customer Deployed

The AWS Partner solution must enable the customer with the following capabilities:

• Implementation of at least two major compliance standards such as FedRAMP, FIPS 140-2, FISMA, GDPR, HIPAA/HITECH, ISO27001, ITAR, NIST 800-171, PCI-DSS, and SOC1/2 for their cloud-based workloads.
• Generation of audit assessment reports.
• Logging of all findings.
• Ability to push any/all findings to external integrations of the customer's choice such as SIEM tools, AWS S3 Buckets, or AWS Security Hub.

Please provide following as evidence:

1. Copy/Link to customer-facing documentation describing how the solutions supports the customer implementing least two of the above-mentioned compliance standards.
2. Copy/Link to customer-facing documentation listing the compliance standards supported out of the box. Note any standards that cannot be supported by the solution.
3. Copy/Link to a sample or anonymized audit assessment report generated by the solution.
4. If applicable, provide link to certification/attestments to any standards to partner solutions currently hold.

Applies to: SaaS | Customer Deployed

The AWS Partner solution must enable the customer with the following capabilities:

• Collection of data across multiple AWS accounts.
• identify and quantify operational risks relating to infrastructure availability, reliability, security and performance.
• Classify based on business risk relating to reputation with ability to respond to changing marketing conditions.
• Support mitigating these risks with appropriate recommendations such as runbooks. Indicate if the solution has the ability to automate execution of the recommended remediation.

Please provide the following as evidence:

1. Copy/Link to customer-facing documentation describing the default metrics used to quantify risks, business metrics used for risk calculation, and all configurable parameters.
2. Live or link to recorded demonstration of this solution capability.
3. Copy/Link to screenshot examples of the solutions compliance dashboard.

Applies to: SaaS | Customer Deployed

The AWS Partner solution must enable creation of a standard, pristine, preconfigured, and repeatable forensic clean-room environments. These environments should be deployed programmatically and allow isolation from the larger customer organization, network, internet etc., to remain free from contamination. The environments should be preconfigured with appropriate tooling to hasten evidence gathering and root-cause determination and maintain forensic data integrity.

Please provide the following as evidence:

1. Copy/Link to customer-facing documentation describing how the AWS Partner solution supports this requirement.
2. Live or link to recorded demonstration of this solution capability.
3. Customer references.

References:

[1] Forensic investigation environment strategies in the AWS Cloud

[2] AWS Prescriptive Guidance: Automate incident response and forensics

Applies to: SaaS | Customer Deployed

The data stored by AWS Partner solution must anonymize sensitive data like national ID numbers, trade data, healthcare information and tokenize data such as credit card numbers, health care record numbers when required. This should be performed with no application code modification, or updating underlying data format.

Please provide the following as evidence:

1. Verbal description of the data types anonymized, or tokenized.
2. Verbal description and architecture diagram of procedure to integrate this with existing infrastructure tools.

Applies to: SaaS | Customer Deployed

AWS Partners with solutions supporting operations management help customers plan, build and execute centralized operations management, leveraging automation for their infrastructure and workloads on AWS. These solutions:

• Apply and extend AWS best practices for centralized automated operations.
• Provide integrations with the customers existing IT Service Management (ITSM) and 3rd-party tools, and processes.
• Support deployments of repeatable well-architected infrastructure components with capabilities to enforce operational best practices and compliance policies.
• Provide recommendations and runbooks for cloud resource optimization, security and compliance enforcement.

Please provide the following as evidence:

1. Provide a high-level overview of how the AWS Partner solution supports the overall operations management category expectations.
2. Supplement with copy/link to customer-facing documentation, and/or reference architecture depicting the AWS Partner solution if helpful.

References:

[1] AWS Well-Architected Framework: Operational Excellence Pillar

Applies to: SaaS | Customer Deployed

The AWS Partner solution must be able to automatically discover and visualize new and existing resources in the customer's cloud environment. The solution must track configuration changes of known resources. Identified changes must be logged locally with the ability to integrate with external CMDB tools like ServiceNow and ticketing tools like Jira Service Desk.

Please provide the following as evidence:

1. Copy/Link to customer-facing documentation describing how the solution provides these capabilities.
2. A link to or list of 3rd-party CMDB tools the solution integrates with. For each integration, indicate of the AWS Partner solution feeds information into, pulls from or both.
3. A link to or list of 3rd-party ITSM or ticketing tools the AWS Partner solution integrates with. For each integration, indicate the trigger and short description of data exchanged.
4. A public video demonstrating these capabilities.

Applies to: SaaS | Customer Deployed

With security and compliance standards of paramount importance for organizations in many industries, there is a growing need to seamlessly integrate these standards in an application release cycle.

The AWS Partner solution must:

• Enable the customer to setup and manage preventive, and detective controls across their cloud environments that are focused on operational best practices, compliance and security needs.
• Include preventive controls to stop known non-compliances, and detective controls to identify and remediate non-compliances.
• Provide both out of the box controls as well as enable the customer to define their own policies per their internal and/or external compliance and governance needs.
• Provide self-servicing capabilities for compliant configurations for the entire organization.
• Enable the customer to setup and manage proactive controls to perform compliance checks before resource provisioning.
• Provide an API, CLI or other suitable interfaces to enable customers to programmatically setup, manage and apply proactive security and compliance controls against infrastructure-as-Code (IaC) resources to support shift-left approaches.

Please provide the following as evidence:

1. Copy/Link to customer-facing documentation describing how the controls are implemented and centrally managed through code.
2. Copy/Link to customer-facing documentation describing the list of controls available out of box, default behavior and customization options and how these are supported across a customers hierarchy of cloud environments.
3. Copy/Link to customer-facing documentation describing how the solutions supports IaC proactive testing.

References:

[1] AWS Control Tower User Guide: Controls reference guide

[2] Continuous Compliance Workflow for Infrastructure as Code: Part 1

Applies to: SaaS | Customer Deployed

Building off of COCOM-004 "Resource Discovery, and Track and Log Changes to Resource Configurations", this use-case focuses on the AWS Partner solution's explicit use of AWS Config for tracking Configuration Items.

The AWS Partner solution collects Configuration Items from AWS Config to track changes relevant to the customers business requirements. The solution has the provision to integrate with ITSM/ticketing tools to close the loop on ticket/service catalog initiated requests in the ITSM/Ticketing solution and/or sync changes to Configuration Items tracked by AWS Config to the customers ITSM-hosted CMDB.

Please provide the following as evidence:

1. Copy/Link to customer-facing documentation explaining:
   • How the solution collects Configuration Items (CIs) from AWS Config.
   • Whether event-based or if polling, the default frequency and configurability.
   • How the solution supports AWS Config Multi-Account Multi-Region Data Aggregation.
   • How the solution supports the customer defining inclusion/exclusion of resources to track.

References:

[1] AWS Config Developer Guide: Multi-Account Multi-Region Data Aggregation

[2] Set up an organization-wide aggregator in AWS Config using a delegated administrator account

Applies to: SaaS | Customer Deployed

The AWS Partner solution enables frequent scanning and patching for vulnerabilities in customers code, dependencies and infrastructure with the following capabilities:

Vulnerability management with:

• Frequent scanning of discovered, known cloud resources for vulnerabilities in code, dependencies, and infrastructure configuration.
• Identities, enables opportunities to utilize infrastructure-as-Code (IaC), e.g., AWS CloudFormation, Terraform, etc. tp automate creating and updating resources and use of shift-left best practices.
• Provide risk scoring, altering, and reporting means for the vulnerabilities to efficiently prioritize remediations.
• Reduce mean time to remediate (MTTR) vulnerabilities through streamlined workflows using event-based triggers and auto remediation techniques.

Patch management with:

• Enables patching:
  • Of AWS resources and other compute resources including operating systems, applications, and dependencies for both security related and other types of updates.
  • With user-defined maintenance windows across AWS accounts, regions, patch groups, tags, etc.
• Detailed patch compliance reporting, alerting on non-compliance, missing patches etc.

Please provide the following as evidence:

1. Copy/Link-to customer-facing documentation describing how the solution supports vulnerability management.
2. Copy/Link-to customer-facing documentation describing how the solution supports hybrid cloud patch management.
3. Copy/Link to a reference architecture that depicts the solution's vulnerability and patch management capabilities integrated in a traditional 3-tier web application or similar.
4. While use is not required, indicate if/how the solution leverages Amazon Inspector, AWS Systems Manager Patch Manager and if not, why.
5. Copy/Link to samples of the solutions' vulnerability management reports, patching compliance reports.
6. Copy/Link-to list of AWS specific, hybrid cloud patching endpoints supported like workstations, laptops, mobile phones with any known exceptions.

References:

[1] AWS Well-Architected Framework: SEC06-BP01 Perform vulnerability management

[2] AWS Well-Architected Framework: OPS05-BP05 Perform patch management

[3] AWS Systems Manager Patch Manager

[4] Software patching with AWS Systems Manager

[5] AWS Prescriptive GuidanceAutomated patching for mutable instances in the hybrid cloud using AWS Systems Manager

Applies to: SaaS | Customer Deployed

The AWS Partner solution is able to:

• Establish a secure sessions to compute in the customers hybrid cloud environments including edge devices and virtual machines running on-perm.
• Securely log all session traffic and make available for audits.

Please provide the following as evidence:

1. Copy/Link-to customer-facing documentation explaining how the session management mechanism is implemented for customers.
2. List of specific communication and/or session protocols supported, calling out exceptions.
3. List of specific hybrid cloud environment compute endpoints the solution does not support establishing session to.
4. While use is not required, indicate if/how the solution leverages AWS Systems Manager Session Manager and if not, why.

Note: For the purposes of this VCL version, Hybrid Cloud Environment refers to customer workloads anchored in AWS with external aspects such as on-premises, IoT, Edge, other clouds or use of 3rd-party SaaS services as a component of the workload.

Applies to: SaaS | Customer Deployed

The AWS Partner solution integrates with the customers' AWS environments along with other IT infrastructure to provide ITSM capabilities to streamline cloud operations use-cases such as:

• End-user self-service and ITSM workflow-based provisioning, management and decommissioning of AWS resources.
• Federated visibility, tracking and control of AWS resources, either providing a CMDB capability or able to integrate with a customer's existing CMDB solution.
• Detect and resolve cloud operational issues with incident and change management ITSM workflows.

Please provide the following as evidence:

1. Copy/Link to customer-facing documentation explaining the solution fulfills these capabilities.
2. Copy/Link to list of ITSM capabilities supported with respect to managing the customers AWS environments, e.g., resource provisioning, resource (CI) tracking, monitoring/observability, etc. For each capability, indicate what AWS services the solution integrates with to fulfill the capability, e.g, "ITSM Self-Service Provisioning integrates with AWS Service Catalog to present portfolio products and initiate provisioning of an end-user ordered product."
3. Explain mechanism/tool(s) used to integrate with cloud environment such as 3rd party connectors, AWS Service Management connectors, or custom-built integrations with ITSM tools.

References:

[1] AWS Well-Architected Framework: Management and Governance Cloud Environment Guide

[2] AWS Service Management Connector

Applies to: SaaS | Customer Deployed

The AWS Partner has an automated mechanism to track resources for usage limits, anomalies, and non-compliances. When an incident is detected, the solution triggers auto-remediation using standard and/or customer-defined run books.

Please provide the following as evidence:

1. Copy/Link to an architecture diagram that depicts the AWS Partner solution and explains the event-based trigger workflow leading to remediation of a usage limit exception, detected anomaly or other non-compliance.
2. Copy/Link to an customer-facing documentation explaining supported configurability of escalation paths, ownership and other operational parameters.

Applies to: SaaS | Customer Deployed

At a high-level this use-case is about using machine learning to predict incidents, auto-classify events through event correlation, and auto-remediate issues.

The AWS Partner solution is able to implement an AIOps lifecycle including:

• 1st: Monitoring: ingestion of Events, Metrics, Traces leading to Event Correlation, Anomaly Detections, Proactive and Root Cause Analysis.
• 2nd: AITSM: leveraging incidents, dependencies and changes in the customers environment leading to Context, Advice and Recommended Action.
• 3rd: Action: Task/Scripts/Runbook execution, automated self-healing.

Please provide the following as evidence:

1. Copy/Link to customer-facing documentation explaining how the solutions delivers on the AIOps lifecycle phases described above.
2. List and provide a brief explanation of the use cases covered using ML models and how they help lower Mean time to resolution.
3. List of tools and ML models the solution uses to implement this for a customer.

Applies to: SaaS | Customer Deployed

The purpose of change management is to control the lifecycles of all changes, allowing changes to be made with minimal interruption to IT services. Changes to an environment introduces risk. Authorized changes should be prioritized, planned, tested, implemented, documented, and reviewed to mitigate any risks before deployment.

The AWS Partner solution supports centralized change management with the following capabilities:

• Support baseline monitoring and alerting on configuration changes. to resources
• Support a “request for change” process to initiate a change in one or more cloud resources
• Support a review and approval process for change requests
• Support a fulfillment process for approved changes that seeks to mitigate risk such as:
  • Use of runbooks to execute standardized or coded series of steps that include a way to validation completion of the change and potentially rollback if not successful.
  • Define maintenance windows for changes to systems.
  • Controlling specific actions during change events to avoid disruptions.

Please provide the following as evidence:

1. Copy/Link to customer-facing documentation explaining explaining how the solution delivers the above capabilities.

References:

[1] AWS Well-Architected Framework: Reliability Pillar: Change Management

[2] Guidance for Change Management on AWS

[3] AWS Systems Manager Change Manager

Applies to: SaaS | Customer Deployed

AWS Support provides a mix of tools and technology, people, and programs designed to proactively help you optimize performance, lower costs, and innovate faster. AWS Business Support provides additional benefits including access to AWS Trusted Advisor and AWS Personal Health Dashboard and faster response times.

For SaaS solutions, subscribing to AWS Business Support or greater for all production accounts is a requirement to successfully complete the validation for Competency Program. For customer deployed solutions, the Partner must subscribe to premium support for the AWS accounts which produce the solution.

Applies to: SaaS | Customer Deployed

AWS Partner offers product support via web chat, phone, or email support to customers.

Evidence must be in the form of description of support offered to customers for their product or solution.

Applies to: SaaS | Customer Deployed

AWS Partner must submit architectural diagrams depicting the overall design and deployment of the solution on AWS as well as any other relevant details of the solution.

The provided diagrams are intended to provide context to the AWS Solutions Architect conducting the technical validation. These diagrams will be referenced during the validation call. It is critical to provide clear diagrams with an appropriate level of detail in order to enable an efficient conversation about the product architecture with respect to the other technical requirements described in this document.

Each architecture diagram must show:

• The major elements of the architecture, and how they combine to provide the AWS Partner Solution to customers
• All of the AWS services used, using the appropriate AWS service icons.
• How the AWS services are deployed, including, VPCs, Availability Zones (AZs), subnets, and connections to systems outside of AWS.
• Includes elements deployed outside of AWS, e.g. on-premises components, or hardware devices.

Applies to: Customer Deployed

The deployment guide must provide best practices for deploying the AWS Partner Solution on AWS, and include all of the sections outlined in the AWS Foundational Technical Review Guide

Applies to: SaaS | Customer Deployed

All customer facing documentation and artifacts to deploy, operate and maintain the solution must meet the following standards:

• All references to AWS services must use the correct product names. (Please reference the official AWS product landing pages for the correct spelling and styling of product names)
• Documentation must be generally free of typos and grammatical errors.

Evidence: Provide a link to, or attach a copy of, your customer facing documentation.

Applies to: SaaS | Customer Deployed

AWS Partner has field-ready documentation and a seller toolkit that enable their field sellers to articulate a clear product value proposition to AWS customers.

Evidence must be in the form of sales collateral including a customer presentation, one-pager, and customer success stories.

Applies to: SaaS | Customer Deployed

If the solution is available via AWS Marketplace, AWS Partner must provide a link to the AWS Marketplace listing in their application.

An AWS Marketplace listing is not mandatory to achieve the AWS Competency.

Applies to: SaaS | Customer Deployed

Static AWS Access Keys are not used, except in the following cases:

1. Used by humans to access AWS services, and stored securely on a device controlled by that human.
2. Used by a service to access AWS services, but only in cases where all of the following are true:
   • It is not feasible to use an Amazon EC2 instance role, ECS Task role or similar mechanism
   • The AWS Access Keys are rotated at least weekly
   • Associated IAM Policies are tightly scoped such that it only allows access to specific actions and resources.
   • An IAM policy is in place that denies access to all actions except when requests originate from an IP address owned by the AWS Partner (see Example IAM Identity-Based Policies).

This requirement is applicable to internal processes running in the AWS Partner's AWS accounts as well as any components of the solution running in the customer's account. Customers must never be required to create IAM users in order to use any feature or capability of the solution. Partner-hosted or SaaS solutions must use cross-account IAM roles with external IDs to gain access to the customer's account. Customer deployed solutions must natively support using IAM roles associated with AWS compute resources.

Applies to: SaaS

All events from AWS Health with the service type "RISK" are handled within defined SLAs. APN Partner must implement all of the following:

• Define an SLA for security operations staff to evaluate and mitigate AWS Health RISK events.
• Implement automated integration with the primary internal issue tracking system such that a new issue is created for all events published by the AWS Health service with detail type "AWS Health Event" and service equal to "RISK". These events include "AWS_RISK_CREDENTIALS_COMPROMISED" and "AWS_RISK_CREDENTIALS_EXPOSED".
• Implement alerting and notification to security operations staff for both new issues created and SLA breeches.

Applies to: SaaS

All SaaS solutions must authenticate paid API or UI requests. The solution has specific technologies and mechanisms in place to mitigate the attacks described in the OWASP Top 10 Web Application Security Attacks

Applies to: SaaS

A hardened configuration based on CIS or equivalent benchmark has been defined for operating systems and containers used to host the solution. There are automated mechanisms in place to ensure this hardened configuration is applied to all compute resources (e.g., persisting the configuration to an immutable Amazon Machine Image [AMI]).

Applies to: SaaS

Protect your compute resources (e.g., instances, containers, functions, etc.) from unauthorized activity. This may include detecting any changes to the OS or application files and storing these changes in a durable location to allow for future forensic investigation. The mechanism employed for this purpose must at least:

• Detect any changes to the OS or application files in the compute resources used in the solution.
• Store data recording these changes in a durable location, external to the compute resources.

Applies to: SaaS | Customer Deployed

All cryptographic keys are encrypted at rest and in transit, and access to use the keys is controlled using an AWS solution such as AWS Key Management Service (AWS KMS) or an AWS Partner solution such as HashiCorp Vault.

Applies to: SaaS | Customer Deployed

A purpose-built ticketing system or similar tool is used by the security team to manage and track the ownership and resolution of any reported or detected security issues with the solution. This system should at a minimum track externally or internally reported security concerns about the solution. Additionally, for partner hosted/SaaS solutions, this system should track security operations tasks such as host patching as well as the analysis and remediation of any alerts raised by other detective measures.

This can be the same system used to fulfill OPE-005.

Applies to: SaaS

AWS CloudTrail logs are actively monitored using automated tools (e.g. Amazon GuardDuty) to detect suspicious or anomalous behavior, and alerting is configured to notify security operations staff in the event such behaviors are detected. Alerting must be integrated with the security ticketing system referenced in SECOPS-006.

Applies to: SaaS

Network activity for production VPCs is actively monitored using automated tools (e.g. Amazon GuardDuty) to detect suspicious or anomalous behavior, and alerting is configured to notify security operations staff in the event such behaviors are detected. Alerting must be integrated with the security ticketing system referenced in SECOPS-006.

Applies to: SaaS

The AWS Partner has defined a set of configuration policies for their AWS infrastructure (e.g. all Amazon Elastic Block Store (EBS) volumes must be encrypted), and these policies are enforced or monitored using automated tooling such as AWS Config or other comparable tools. This does not require automated remediation of policy violations, but detected violations must be automatically logged in a centralized ticketing system to ensure they are properly resolved by human operators.

Applies to: SaaS

Automated mechanisms are in place to prevent certificates from expiring unexpectedly.

Applies to: SaaS

Any components that are deployed to infrastructure shared across multiple tenants must model tenant identity in the software layer. The code for the component implements controls to ensure that tenants are isolated from one another and data is not leaked across tenant boundaries.

Applies to: SaaS

Any components which are not explicitly designed to isolate multiple tenants at the software layer are deployed to tenant-specific compute resources in tenant-specific VPCs. (In this context "tenant" refers to tenants of the AWS Partner solution.)

Supporting existing, legacy customers who may already be deployed to shared VPCs is acceptable as long as this model is completely deprecated and all new customers are deployed using a VPC-per-tenant model. There must be multiple active customers in production using the VPC-per-tenant model.

Applies to: SaaS

All single-tenant components must use dedicated IAM roles per tenant. These roles must limit access to only that tenant's resources using Resource and Condition statements within the attached policies.

Evidence must be provided in the form of a description of the roles used per tenant and an example of the IAM policies attached to those roles which provide explicit resource isolation.

Applies to: SaaS | Customer Deployed

The solution uses an official AWS SDK for all calls made to AWS API endpoints, or alternatively the solution implements retries with exponential backoff and jitter for all AWS API calls.

Applies to: SaaS | Customer Deployed

Measures are in place to rate limit calls to AWS APIs in the customer's account in order to prevent API throttling.

Applies to: SaaS | Customer Deployed

The solution uses methods such as ingesting AWS CloudTrail logs, consuming Amazon EventBridge events, or integrating with AWS Config to avoid polling AWS APIs wherever possible.

AWS Partner must describe what AWS resources state the solution tracks (if any), and how that resource state is discovered. In cases where there is no alternative to polling, AWS Partner must provide a detailed description of how they avoid causing API throttling issues.

Applies to: Customer Deployed

All components of the solution that are hosted in the customer's account support the ability for the customer to disable Instance Metadata Service Version 1 (IMDSv1). The solution must support the use of IAM roles associated with Amazon EC2 instances in conjunction with IMDSv2 for getting credentials to make calls to AWS APIs. Legacy support for static IAM access keys must be clearly deprecated.

AWS Partner must provide the specific version of the official AWS SDK used by the latest generally available version of the solution. The version of the AWS SDK in use must have been released after November 20th 2019.

If the solution accesses AWS APIs without using an official AWS SDK, AWS Partner must describe the steps taken to ensure IMDSv2 is supported.

Applies to: SaaS

Network connectivity to the solution must be highly available. If using VPN or Direct Connect to connect to customer networks, the solution must support redundant connections, even if the customers do not always implement this.

Applies to: SaaS

Logs and metrics for each component of the system are actively monitored. Critical metrics and thresholds are defined for each components and alarms are configured to notify operators in the event those thresholds are breached.

Evidence must be provided in the form of a list of the metrics and thresholds defined for each system component and a description of the tools used to surface alarms to operators.

Applies to: SaaS

All log information from the application, and from the AWS infrastructure, must be consolidated into a single system.

Applies to: SaaS

The application and the AWS infrastructure must be monitored centrally, with alarms generated and sent to the appropriate operations staff.

Applies to: SaaS

The solution must use an automated tool such as AWS CloudFormation or Terraform to provision and manage the AWS infrastructure. The AWS Management Console must not be used to make routine changes to the production AWS infrastructure.

Applies to: SaaS | Customer Deployed

Key Performance Indicators (KPIs) that indicate whether the product is performing as expected from the perspective of the customer have been defined. The definition of these KPIs must include how to measure the indicator as well as the acceptable threshold.

For example, p99 roundtrip response latency for API methods X, Y, and Z must be less than 200ms as measured by the TargetResponseTime AWS CloudWatch metric.

Partner must provide a list of KPIs and the defined acceptable thresholds as evidence.

Applies to: SaaS | Customer Deployed

Performance test suites (either automated or manual) are run before major releases or production deployments in order to ensure new versions meet defined performance targets.

Applies to: SaaS

The solution must use an automated method of deploying code and configuration to the AWS infrastructure. Interactive SSH or RDP sessions must not be used to deploy updates in the AWS infrastructure.

Applies to: SaaS

Runbooks must be developed to define the standard procedures used in response to different application and AWS events. An escalation process must be defined to deal with alerts and alarms generated by the system, and to respond to customer-reported incidents. The escalation process must also include escalating to AWS Support where appropriate.

Applies to: SaaS | Customer Deployed

Code is peer reviewed before being released or deployed to production.

Applies to: SaaS | Customer Deployed

Automated functional test suites exist and are automatically run before software is released or deployed to production.

Applies to: SaaS | Customer Deployed

A purpose-built issue tracking tool or set of tools is used to manage product backlogs, feature requests, defects and identified operational issues.

Applies to: SaaS | Customer Deployed

A process is established to track and remediate all customer reported product bugs as well as operational incidents that cause customer impact.