AWS Level 1 Managed Security Service Provider Competency

AWS Partner Validation Checklist

June 2021 - 1.0

Introduction

The goal of the AWS Competency Program is to recognize AWS Partner Network Partners (“AWS Partners”) who demonstrate and maintain technical proficiency and proven customer success in specialized AWS Partner solution areas. The AWS Competency Partner Validation Checklist (“Checklist”) is intended for AWS Partners who are interested in applying for an AWS Competency. This Checklist provides the criteria necessary to achieve the designation under the AWS Competency Program. AWS Partners undergo a technical validation of their capabilities upon applying for the specific AWS Competency. AWS leverages in-house expertise and a third-party firm to facilitate the technical validation. AWS reserves the right to make changes to this document at any time and without notice.

Expectation of Parties

It is expected that AWS Partners will review this document in detail before applying for the AWS Competency Program, even if all of the prerequisites are met. If items in this document are unclear and require further explanation, please contact your AWS Partner Development Representative (“PDR”) or AWS Partner Development Manager (“PDM”) as the first step. Your PDR/PDM will contact the program office if further assistance is required.

AWS Partners should complete the Self-Assessment Spreadsheet linked at the top of this page, prior to submitting a program application. Once completed, AWS Partners must submit an application in APN Partner Central. Visit the AWS Competency Program guide for step-by-step instructions on how to submit an application.

AWS will review and aim to respond back with any questions within five business days to initiate scheduling of your technical validation or to request additional information.

AWS Partners should prepare for the technical validation by reading the Checklist, completing a self-assessment using the Checklist, and gathering and organizing objective evidence to share with the reviewer on the day of the technical validation.

AWS recommends that AWS Partners have individuals who are able to speak in-depth to the requirements and the customer examples during the technical validation. The best practice is for the AWS Partner to make the following personnel available for the technical validation: one or more highly-technical AWS certified engineers/architects in the area of competency specialty, an operations manager who is responsible for the operations and support elements, and a business development executive to conduct the overview presentation.

AWS may revoke an AWS Partner’s Competency designation if, at any time, AWS determines in its sole discretion that such AWS Partner does not meet its AWS Competency Program requirements. If an AWS Partner’s AWS Competency designation is revoked, such AWS Partner will (i) no longer receive benefits associated with its designation, (ii) immediately cease use of all materials provided to it in connection with the applicable AWS Competency designation and (iii) immediately cease to identify itself as a member of the AWS Competency.

AWS Partners should ensure that they have the necessary consents to share with the auditor (whether AWS or a third-party) all information contained within the objective evidence or any demonstrations prior to scheduling the audit.

AWS Level 1 Managed Security Service Provider Competency Definition

AWS Level 1 Managed Security Service Provider (MSSP) Competency Partners have demonstrated that their technical proficiency and operations meet the requirements for the baseline standard of quality for managed cloud security: Level 1 Managed Security Services (MSS). The Level 1 MSS baseline covers managed security services that protect, monitor, and respond to security events of essential AWS resources and are delivered to customers as a fully managed service. Level 1 MSS benefit the security posture of AWS environments of any size and address the customer security use cases in the following section. Partners must meet all prerequisites and technical requirements in this checklist and will be assigned to the Competency category: Level 1 MSSP. Partners are required to repeat this validation process annually to maintain their membership in the Competency each year. Partners that fail to successfully meet all prerequisites and technical requirements of this checklist annually will be removed from the Competency and must remove the Level 1 MSSP Competency badge and any mention of their membership in the Competency from all marketing and sales materials, including but not limited to websites, presentations, videos, white papers, blogs, and social media posts. Partners may re-apply once prepared to re-engage the Competency validation process at any time.

AWS Infrastructure Vulnerability Scanning: Routine scanning of AWS infrastructure resources for known software vulnerabilities. Newly added resources are automatically discovered and available for scanning. AWS metadata for scanned AWS infrastructure is available as part of scan results to better enable reporting and decision making.

AWS Resource Inventory Visibility: Continuous scanning and reporting of all AWS resources, and their configuration details, updated automatically with newly added or removed resources.

AWS Security Best Practices Monitoring: Detect when AWS accounts and the configuration of deployed resources do not align to security best practices.

AWS Compliance Monitoring: Scan AWS environments for compliance with two or more of the following standards: CIS AWS Foundations, PCI DSS, HIPAA, HITRUST, ISO 27001, MITRE ATT&CK, and SOC 2.

Monitor, Triage Security Events: Continuously monitor aggregated AWS resource logs across network, host, and API layers to analyze and triage security events. Identified alerts are made available for customers to view, allowing them to incorporate remediation into their operational workflows. Remediation guidance is provided with the findings to better enable customers to resolve issues in their environments.

Distributed Denial of Service (DDoS) Mitigation: A system backed by technology and security experts monitoring 24/7 for Distributed Denial of Service (DDoS) threats.

Managed Intrusion Prevention System (IPS): Protection from known and emerging network threats that seek to exploit known vulnerabilities.

Managed Detection and Response for AWS Endpoints: A combination of technology and cloud security experts working to continuously detect, investigate, and remove threats from within AWS endpoints.

Web Application Firewall (WAF) Management: A firewall managed service designed to protect web-facing applications and APIs against common exploits.

AWS Level 1 Managed Security Service Provider Competency Program Prerequisites

The following items will be validated by the AWS Competency Program Manager; missing or incomplete information must be addressed prior to scheduling of the technical validation.

  1. 1.0 APN Program Membership

    1. 1.1 Program Guidelines

      The AWS Partner must read the Program Guidelines and Definitions before applying to the Level 1 Managed Security Service Provider Competency Program. Click here for Program details.

    2. 1.2 AWS Path membership

      AWS Partner must meet at least one of the following criteria:

      • AWS Partners must be a member of the Services Path, or
      • AWS Partners must be a member of the Software Path.

    3. 1.3 Direct Revenue or Launched Opportunity

      The AWS Partner must have $250,000 in direct revenue, or 10 Launched Opportunities with Total MRR of at least $10,000.

    4. 1.4 Foundational Technical Review (FTR - formerly known as TBR)

      For AWS Partners who qualify for prerequisite 1.2 by being a member of the Software Path, the primary software solution used to deliver the AWS Partner’s Managed Security Service offering must have completed and passed an AWS Foundational Technical Review within the last 24 months. FTRs completed for other solutions in the AWS Partner’s portfolio do not fulfill this requirement.

  2. 2.0 Example AWS Customer Deployments

    1. 2.1 Production Level 1 Managed Security Service Provider AWS Customer Examples

      AWS Partner must privately share with AWS details about four (4) unique examples of Level 1 Managed Security Service Provider projects executed for four (4) unique AWS customers.

      For each customer example, AWS Partner must provide the following information to AWS using the self-assessment spreadsheet:

      • Name of the customer
      • Customer challenge
      • Proposed solution
      • Third party applications or solutions used
      • How AWS was used as part of the solution
      • Start date of the engagement
      • End date of the engagement
      • Date the project entered production
      • Outcome(s)/results
      • Architecture diagrams of the specific customer deployment

      In addition to the above, AWS Partner must also provide any information listed in the technical requirements sections of this document.

      The information provided for these customer examples will be used by AWS for validation purposes only. AWS Partner is not required to publish these details publicly.

      AWS will accept one example per customer (customers cannot be affiliated with each other) and will not accept examples for customers who are an internal or affiliate company of the AWS Partner.

      All customer examples must describe solutions that have been built by the AWS Partner and deployed in production within the past 18 months. ‘Pilot’ or proof of concept projects will not be accepted.

      All customer examples provided will be examined in the Documentation Review of the Technical Validation. The AWS Partner solution will be removed from consideration for inclusion in the AWS Competency if the AWS Partner cannot provide the documentation necessary to assess all customer examples against each relevant checklist item, or if any of the checklist items are not met.

    2. 2.2 Publicly Available Customer Examples

      AWS Partner may select either 2.2.1 (Named Customers) or 2.2.2 (Anonymized Customers) to satisfy the publicly available customer examples requirement.

      2.2.1 Named Customers

      At least two (2) of the provided customer examples from 2.1 must have publicly available customer examples describing how the AWS Partner helped solve a specific customer challenge related to managed security services for the customers’ AWS environments. These publicly available customer examples may be in the form of formal customer case studies, white papers, videos, or blog posts.

      Publicly available customer examples must be easily discoverable from the AWS Partner’s website, e.g. it must be possible to navigate to the publicly available customer examples from the AWS Partner’s home page, and the AWS Partner must provide links to these publicly available customer examples in their application.

      Publicly available customer examples must include the following:

      • AWS Customer name
      • AWS Partner name
      • AWS Customer challenge
      • Using both high-level and technical details, describe how AWS was leveraged as part of the AWS Partner solution
      • Outcome(s) and/or quantitative results

      Note: For best practices on how to write an accepted Public Case Study see the AWS Competency Public Case Study Guide.

      2.2.2 Anonymized Customers

      In cases where the AWS Partner cannot publicly name customers due to the sensitive nature of security engagements, the AWS Partner may choose to anonymize the customer name on the two (2) publicly available customer examples required. Example anonymized customer names include: “Top Retailer in Europe”, “Fortune 500 Financial Services Company.” Public customer examples must describe how the AWS Partner helped solve a specific customer challenge related to managed security services for the customers’ AWS environments. These publicly available customer examples may be in the form of formal customer case studies, white papers, videos, or blog posts.

      Publicly available customer examples must be easily discoverable from the AWS Partner’s website, e.g. it must be possible to navigate to the publicly available customer examples from the AWS Partner’s home page, and the AWS Partner must provide links to these publicly available customer examples in their application.

      Publicly available customer examples must include the following:

      • Anonymized AWS Customer name
      • AWS Partner name
      • AWS Customer challenge
      • Using both high-level and technical details, describe how AWS was leveraged as part of the AWS Partner solution
      • Outcome(s) and/or quantitative results

      Note: For best practice on how to write an accepted Public Case Study see the AWS Competency Public Case Study Guide.

  3. 3.0 AWS Level 1 Managed Security Service Provider Practice and Focus

    1. 3.1 AWS Partner Microsite

      An AWS Partner’s internet presence specific to their AWS Level 1 MSSP solutions provides customers with confidence about the AWS Partner’s capabilities and experience.

      AWS Partner must have an AWS microsite that describes their AWS Level 1 MSSP solution, links to their publicly available customer examples, provides any other relevant information supporting the Partner’s expertise related to managed security services for AWS environments, and highlights the relationship with AWS.

      This AWS-specific Level 1 MSSP page must be accessible from the AWS Partner’s home page.

      The Level 1 MSSP page must include the following Level 1 Managed Security Services names in the web copy:

      • AWS Infrastructure Vulnerability Scanning
      • AWS Resource Inventory Visibility
      • AWS Security Best Practices Monitoring
      • AWS Compliance Monitoring
      • Monitor, Triage Security Events
      • 24/7 Incident Alerting and Response
      • Distributed Denial of Service (DDoS) mitigation
      • Managed Intrusion Detection/Prevention System
      • Managed detection and response for AWS based endpoints
      • Managed Web Application Firewall (WAF)

      AWS Partners are encouraged to leverage the AWS MSSP Partner Message Map for additional messaging copy to include in their marketing assets.

    2. 3.2 AWS Level 1 Managed Security Service Provider Public Content

      AWS Partner must have public-facing materials (e.g., blog posts, press articles, videos, etc.) showcasing the AWS Partner’s focus on and expertise as a Level 1 Managed Security Service Provider. Links must be provided to at least three (3) examples of materials published within the last 12 months. Each example must specifically reference AWS.

      Note: Customer examples submitted in the application or public facing content showcasing the customer examples submitted in the application are not eligible as public content.

  4. 4.0 AWS Partner Self-Assessment

    1. 4.1 AWS Partner Self-Assessment

      AWS Partner must conduct a self-assessment of their compliance with the requirements of the AWS Level 1 Managed Security Service Provider Consulting Partner Validation Checklist. A version of this checklist is available in spreadsheet format. Links to the appropriate Self-Assessment Spreadsheet can be found at the top of this page.

      • AWS Partner must complete all sections of the Self-Assessment Spreadsheet.
      • Completed Self-Assessment Spreadsheet must be uploaded at the time of submitting an application in APN Partner Central. If AWS Partner is unable to upload the Self-Assessment Spreadsheet to the application, the completed Self-Assessment Spreadsheet must be emailed to competency-checklist@amazon.com, using the following convention for the email subject line: "AWS Level 1 Managed Security Service Provider Competency Consulting Partner Completed Self-Assessment Spreadsheet".
      • It is recommended that AWS Partner have their AWS Solutions Architect, Partner Development Representative (PDR), or Partner Development Manager (PDM) review the completed Self-Assessment Spreadsheet before submitting to AWS. The purpose of this is to ensure the AWS Partner’s AWS team is engaged and working to provide recommendations prior to the validation and to help ensure a positive validation experience.

Level 1 MSSP Requirements

Throughout this checklist, recommendations are provided on AWS Services, AWS Solutions, and third party products from AWS Security Competency (ISV) Partners which can help with meeting certain requirements. This is intended to give AWS Partners an easier way to self-assess whether their current tools have been confirmed by AWS to help satisfy the Competency requirements, or to offer Partners guidance on tools that can be leveraged to meet a requirement they currently do not meet. The AWS Partner may choose other AWS services or third party solutions that they believe best suit their offering and their customer requirements. It is the responsibility of the AWS Partner to confirm that the AWS service or third party product that they have chosen meets the Level 1 MSSP Competency requirements and aligns to their customer’s needs. Additionally, it is the responsibility of the AWS Partner to ensure that they are using the AWS service or third party product in the correct manner.

General Requirements

These are requirements that are independent of any particular security capability and are focused on how the AWS Partner is delivering their overall service and how they are interacting with their AWS customers.

  • GEN-001 - Temporary Credentials

    To interact with AWS APIs in a customer’s AWS account or access the customer’s management console the AWS Partner uses temporary credentials. These credentials can be provided via cross account roles or through federation.

    No IAM User access keys are collected to facilitate interaction with a customer’s environment.

    Evidence: Provide an excerpt from the onboarding documentation that instructs the customer on how to create the necessary IAM role(s) for use by the AWS Partner's staff and services.

  • GEN-002 - IAM Policies

    The AWS Partner is providing guidance to customers on IAM policies that should be created in the customer’s AWS account so that the Partner can properly access and interact with the customer’s AWS account(s). These policies should be properly scoped to least privilege and only cover the access that the Partner needs.

    Evidence: Provide a sample IAM policy for each of the access types you support.
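As an added illustration of GEN-001 and GEN-002 (not part of the checklist, and not any partner's onboarding material), the following Python shows a cross-account role trust policy that uses an ExternalId, an over-broad permissions policy beside a scoped one, and a small checker that flags the patterns a reviewer would reject; the account IDs, bucket name and external ID are constructed placeholders.

```python
"""Cross-account access for an MSSP (GEN-001 / GEN-002).

Added example, not taken from the checklist or any partner's onboarding
documentation. Account IDs, bucket name and external ID are placeholders.
"""

MSSP_ACCOUNT_ID = "111111111111"          # placeholder: the MSSP's own AWS account
CUSTOMER_ACCOUNT_ID = "222222222222"      # placeholder: the customer's AWS account
EXTERNAL_ID = "example-external-id-0001"  # placeholder: unique per customer, issued by the MSSP
REPORT_BUCKET = f"example-mssp-reports-{CUSTOMER_ACCOUNT_ID}"  # placeholder customer-owned bucket

# Trust policy for the role the customer creates. The MSSP obtains temporary
# credentials with sts:AssumeRole, so no IAM user access keys change hands
# (GEN-001). The ExternalId condition stops anyone who merely knows the role
# ARN from getting the MSSP to assume it on their behalf (confused deputy).
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{MSSP_ACCOUNT_ID}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}},
    }],
}

# What a permissions policy for the role should NOT look like.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AllowAll", "Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Scoped policy for an inventory / best-practice monitoring role (GEN-002):
# read-only describe calls, plus one write action limited to the report bucket.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadInventory",
            "Effect": "Allow",
            "Action": ["ec2:Describe*", "rds:Describe*", "s3:ListAllMyBuckets",
                       "s3:GetBucketPolicyStatus", "iam:GetAccountSummary", "config:Describe*"],
            "Resource": "*",
        },
        {
            "Sid": "WriteReports",
            "Effect": "Allow",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{REPORT_BUCKET}/*",
        },
    ],
}

READ_ONLY_PREFIXES = ("Describe", "List", "Get")


def _as_list(value):
    """IAM accepts either a string or a list for Action, Resource and Principal.AWS."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy):
    """Return the problems found in a role trust policy intended for MSSP access."""
    problems = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(st.get("Action")):
            continue
        principal = st.get("Principal", {})
        aws_principals = _as_list(principal if isinstance(principal, str) else principal.get("AWS"))
        if "*" in aws_principals:
            problems.append("trust policy lets any AWS principal assume the role")
        if not st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId"):
            problems.append("trust policy has no sts:ExternalId condition")
    return problems


def check_permissions_policy(policy):
    """Flag Allow statements that are not least privilege: wildcard actions, or
    mutating (non-Describe/List/Get) actions granted on Resource '*'."""
    problems = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        resources = _as_list(st.get("Resource"))
        for action in _as_list(st.get("Action")):
            if action == "*" or action.endswith(":*"):
                problems.append(f"{sid}: wildcard action {action!r}")
                continue
            api_name = action.split(":", 1)[1]
            if not api_name.startswith(READ_ONLY_PREFIXES) and "*" in resources:
                problems.append(f"{sid}: mutating action {action!r} on Resource '*'")
    return problems
```

The checker is deliberately conservative: a Describe/List/Get action on `Resource: "*"` passes, anything that can change state must name the resources it touches.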

  • GEN-003 - Collection and reporting data across multiple customer AWS resources

    The AWS Partner does not have any hard limits in their platform that limit the number of AWS accounts or AWS resources (EC2 instances, S3 buckets, RDS databases, etc.) within an AWS account that can be consumed and reported on for any one customer.

    Evidence: Attestation that the AWS Partner solution doesn't have any hard limits on the number of AWS accounts or resources.

  • GEN-004 - Delivery of security findings

    Security findings related to a customer's environment are regularly delivered to the customer. This delivery must include a summary report of findings or a dashboard for reviewing findings for a customer's environment and can also include APIs a customer can use to programmatically get information about their security findings.

    Evidence: Sample screen shots showing dashboards and reports that align to the additional reporting capabilities that are outlined in the requirements for this competency.

AWS Infrastructure Vulnerability Scanning

The following requirements cover the AWS Partner’s ability to provide vulnerability scanning functionality that allows a customer to evaluate the security and compliance of their AWS infrastructure.

AWS native services, AWS Solutions Implementations, and third party products from AWS Security Competency Partners can help satisfy the requirements in this section. For a list of advised tools, please see Supporting Tools for AWS MSSPs.

  • VULN-001 - Amazon EC2 vulnerability scanning solution

    The AWS Partner provides a vulnerability scanning solution that supports the ability for a customer to perform both un-authenticated and authenticated vulnerability scans of their Amazon Elastic Compute Cloud (Amazon EC2) infrastructure.

    Evidence: Details on the technical solution that is used to solve this requirement.

  • VULN-002 - Resource Metadata

    The AWS Partner’s vulnerability scanning solution supports collection and display of AWS metadata that is related to the Amazon EC2 instances that have findings as a result of a vulnerability scan. This information must include: Amazon EC2 tags, Amazon EC2 instance ID, Amazon EC2 AMI ID, Amazon EC2 public and private IP address, Amazon EC2 public and private DNS address, VPC ID, Subnet ID, region, AWS account ID.

    Evidence: Screen shots showing the display of the necessary metadata information in the dashboard or report that is accessible to the customer.

  • VULN-003 - Detection of new Amazon EC2 instances and Amazon VPC

    The AWS Partner solution supports the ability to automatically detect when new Amazon EC2 instances or Amazon Virtual Private Clouds (Amazon VPCs) are created within the customer’s AWS environment. Alternatively, the solution provides the ability to programmatically provide updates when there are new Amazon EC2 instances or Amazon VPCs that should be scanned.

    This requirement ensures that customers are not required to do manual configuration within the AWS Partner vulnerability scanning solution to ensure that new Amazon EC2 instances or Amazon VPCs are included in future vulnerability scans.

    Evidence: Written description of how the vulnerability scanning solution meets this requirement.

AWS Resource Inventory Visibility

The following requirements cover the Partner’s ability to enable a customer to have visibility into the inventory of the AWS resources in their AWS accounts.

AWS native services, AWS Solutions Implementations, and third party products from AWS Security Competency Partners can help satisfy the requirements in this section. For a list of advised tools, please see Supporting Tools for AWS MSSPs.

  • INV-001 - Display of AWS Resource inventory

    The AWS Partner solution supports displaying AWS resource inventory information in a consolidated user interface (UI). This UI supports displaying inventory information by resource type, region, and account. The UI also allows customers to see key configuration attributes of each resource, including tags applied to that resource.

    Evidence: Screen shots showing examples of AWS resource inventory in dashboards or reports that would be available to customers.

  • INV-002 - AWS resource information collection

    The AWS Partner solution supports the ability to collect resource information from a customer’s AWS account in an event driven fashion.

    Initial discovery of AWS resources in a customer’s environment via the relevant AWS describe APIs is allowed for building an initial inventory of AWS resources. After initial resource discovery, additional information on new, updated, or terminated resources is identified through an event driven framework. Examples include consuming data via AWS CloudTrail logs or AWS Config. It is acceptable to make API calls for individual resources to retrieve additional metadata about new or changed assets or to confirm current inventory information.

    Evidence: Written description on how the solution is collecting initial and steady state resource information from a customer’s AWS account.
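The event-driven model described in INV-002, together with the automatic discovery VULN-003 asks for, as an added Python example that is not the checklist's or any partner's platform code: a seed inventory stands in for the one-time describe sweep, and constructed CloudTrail records for RunInstances, CreateTags and TerminateInstances drive every later change; all account, instance and AMI IDs are placeholders.

```python
"""Event-driven AWS resource inventory (INV-002 and VULN-003).

Added example, not taken from the checklist or any partner's platform.
The seed inventory stands in for the one-time DescribeInstances sweep that
INV-002 allows; later changes arrive as CloudTrail records. All account,
instance and AMI IDs below are constructed placeholders.
"""
import copy
from dataclasses import dataclass, field


@dataclass
class Instance:
    instance_id: str
    account_id: str
    region: str
    state: str
    image_id: str = ""
    tags: dict = field(default_factory=dict)


class Inventory:
    def __init__(self, seed):
        self.instances = {i.instance_id: copy.deepcopy(i) for i in seed}
        # Instances learned from events and not yet covered by a scan (VULN-003).
        self.pending_scan = set()

    def apply_cloudtrail(self, record):
        """Apply one CloudTrail record. Returns True if the inventory changed."""
        if record.get("eventSource") != "ec2.amazonaws.com":
            return False
        if record.get("errorCode"):
            return False  # a failed API call changed nothing (responseElements is null)
        name = record["eventName"]
        if name == "RunInstances":
            for item in record["responseElements"]["instancesSet"]["items"]:
                inst = Instance(item["instanceId"], record["recipientAccountId"],
                                record["awsRegion"], "pending", item.get("imageId", ""))
                self.instances[inst.instance_id] = inst
                self.pending_scan.add(inst.instance_id)
            return True
        if name == "TerminateInstances":
            for item in record["responseElements"]["instancesSet"]["items"]:
                inst = self.instances.get(item["instanceId"])
                if inst:
                    inst.state = "terminated"
                    self.pending_scan.discard(inst.instance_id)
            return True
        if name == "CreateTags":
            params = record["requestParameters"]
            tags = {t["key"]: t["value"] for t in params["tagSet"]["items"]}
            for res in params["resourcesSet"]["items"]:
                inst = self.instances.get(res["resourceId"])
                if inst:
                    inst.tags.update(tags)
            return True
        return False

    def active(self):
        """Instances that still exist, keyed by instance ID."""
        return {k: v for k, v in self.instances.items() if v.state != "terminated"}


ACCOUNT = "222222222222"  # placeholder customer account

SEED = [Instance("i-0aaa000000000001", ACCOUNT, "us-east-1", "running",
                 "ami-0example00000001", {"env": "prod"})]


def _ec2(event_name, **extra):
    rec = {"eventSource": "ec2.amazonaws.com", "eventName": event_name,
           "awsRegion": "us-east-1", "recipientAccountId": ACCOUNT}
    rec.update(extra)
    return rec


# Constructed CloudTrail records, in the field layout the EC2 API produces.
SAMPLE_EVENTS = [
    _ec2("RunInstances", responseElements={"instancesSet": {"items": [
        {"instanceId": "i-0bbb000000000002", "imageId": "ami-0example00000002"}]}}),
    _ec2("CreateTags", requestParameters={
        "resourcesSet": {"items": [{"resourceId": "i-0bbb000000000002"}]},
        "tagSet": {"items": [{"key": "env", "value": "staging"}]}}),
    _ec2("TerminateInstances", responseElements={"instancesSet": {"items": [
        {"instanceId": "i-0aaa000000000001"}]}}),
    # Denied launch: no instance was created, so nothing must be added.
    _ec2("RunInstances", errorCode="Client.UnauthorizedOperation", responseElements=None),
]


def replay(seed, events):
    """Build an inventory from the seed and apply a batch of events in order."""
    inv = Inventory(seed)
    for event in events:
        inv.apply_cloudtrail(event)
    return inv
```

Anything in `pending_scan` after a replay is exactly the set of instances a scanner has to pick up without the customer touching its configuration.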

AWS Security Best Practices Monitoring

The following requirements cover the AWS Partner’s ability to identify best practices for AWS resources and identify cases where a customer’s resources do not align to best practices.

AWS native services, AWS Solutions Implementations, and third party products from AWS Security Competency Partners can help satisfy the requirements in this section. For a list of advised tools, please see Supporting Tools for AWS MSSPs.

  • BES-001 - Monitoring for AWS Service Configuration Security Best Practices

    The Partner solution has the ability to report on security best practice violations in a customer’s AWS account. These best practices must cover at least the following AWS services: Amazon EC2, Amazon S3, Amazon Relational Database Service (Amazon RDS), AWS Identity and Access Management (IAM), Amazon VPC, Amazon Elastic Block Store (Amazon EBS), Amazon Elastic File System (Amazon EFS), AWS Key Management Service (AWS KMS).

    Common reference points for best practices with AWS services can be found in the security documentation for a service: https://docs.aws.amazon.com/security/

    Evidence: Screen shots showing examples of best practices detection available within dashboards or reports provided to customers.

AWS Compliance Monitoring

The following requirements cover the Partner’s ability to continuously monitor a customer’s AWS accounts for alignment to industry compliance standards.

AWS native services, AWS Solutions Implementations, and third party products from AWS Security Competency Partners can help satisfy the requirements in this section. For a list of advised tools, please see Supporting Tools for AWS MSSPs.

  • COM-001 - Continuous compliance monitoring

    The AWS Partner solution provides continuous compliance monitoring against the configuration of a customer’s AWS accounts and the AWS resources in those accounts.

    Continuous compliance monitoring is provided for at least two of the following compliance standards:

    • CIS AWS Foundations Benchmark v1.2 or 1.3
    • HITRUST v9.3
    • HIPAA
    • ISO 27001:2013
    • MITRE ATT&CK
    • PCI DSS v3.2
    • SOC 2

    Evidence: Screen shots showing examples of AWS compliance monitoring for each of the supported compliance standards.

Monitor, Triage Security Events

The following requirements relate to the AWS Partner’s ability to detect threats in a customer’s AWS environment, triage those findings, and engage a customer for remediation of the findings.

  • EVT-001 - Triage

    AWS Partners can assess and enrich security findings in a customer’s AWS Environment, providing additional context and actionable information to help customers reduce false positives and effectively respond to incidents.

    Evidence: Written description of the Partner’s approach to triaging security findings from a customer’s AWS environment.

  • EVT-002 - Remediation guidance

    For a security finding the AWS Partner has the ability to deliver remediation guidance to the customer so that the customer can resolve the finding in their environment.

    Alternatively, the AWS Partner has the ability and permissions to perform the remediation steps themselves or provides automation that can remediate the finding for the customer.

    Evidence: Screen shots showing examples of reported security findings from an AWS account and the suggested remediation for the finding.

  • EVT-003 - 24/7 response

    The AWS Partner has the ability to detect, triage, and alert customers of high priority security findings on a continuous uninterrupted basis, 24 hours a day and 7 days a week. Alerts provided to customers include remediation guidance for the finding.

    Evidence: Written description of the Partner’s support model for being able to respond to high priority findings in their customer’s AWS accounts on a continuous uninterrupted basis, 24 hours a day and 7 days a week.

  • EVT-004 - Engaging the MSSP for assistance

    The AWS Partner provides the ability for their customers to engage the MSSP support staff on a continuous uninterrupted basis, 24 hours a day and 7 days a week, for assistance with high severity security items.

    Evidence: Written description of how the AWS Partner is enabling their customer to engage their support staff for assistance on a continuous uninterrupted basis, 24 hours a day and 7 days a week.

Distributed Denial of Service (DDoS) Mitigation

The following requirements cover the Partner’s ability to guide and assist a customer with a solution to help with protection against DDoS attacks for the applications they are running on AWS.

AWS native services, AWS Solutions Implementations, and third party products from AWS Security Competency Partners can help satisfy the requirements in this section. For a list of advised tools, please see Supporting Tools for AWS MSSPs.

  • DDOS-001 - Customer configuration assistance

    The AWS Partner has the resources and skill sets to assist the customer with choosing and configuring a solution that provides DDoS protection for the applications running in a customer’s AWS accounts.

    DDoS solutions that the Partner recommends must provide protection from layer 3, 4, and 7 attacks.

    Evidence: Written description of the solutions that the AWS Partner recommends or supports for DDoS protection of applications running in a customer’s AWS account. Written description of the Partner’s engagement model to help customers with configuration of their chosen or recommended DDoS protection solution.

Managed Intrusion Prevention System (IPS)

The following requirements cover the ability for the Partner to provide managed intrusion detection and prevention services for a customer’s AWS account and the workloads running in that account.

AWS native services, AWS Solutions Implementations, and third party products from AWS Security Competency Partners can help satisfy the requirements in this section. For a list of advised tools, please see Supporting Tools for AWS MSSPs.

  • IDP-001 - Agent based solutions

    Agent based solutions that are used to provide intrusion detection and prevention services are able to run on Amazon EC2 instances with the following operating systems:

    • Amazon Linux 2
    • Red Hat
    • CentOS
    • Ubuntu
    • Windows

    This item is not necessary if the AWS Partner utilizes a network-based solution as outlined in IDP-002.

    Evidence: Written description of the technical solution that the AWS Partner is using to meet this requirement.

  • IDP-002 - Network-based solutions

    Network-based intrusion detection and prevention solutions that are deployed into a customer’s AWS account must support the ability to deploy highly available architectures. This includes:

    • Integration with AWS Auto Scaling
    • Integration with Elastic Load Balancing
    • Ability to run in a multi-Availability Zone (AZ) configuration
    • Support for automated bootstrapping of instances (e.g. via user data scripts)
    • Worker/support nodes must use AWS Lambda/Step Functions instead of long-lived Amazon EC2 instances

    This item is not necessary if the AWS Partner utilizes an agent-based solution as outlined in IDP-001.

    Evidence: Written description of the technical solution that the AWS Partner is using to meet this requirement.

  • IDP-003 - Nitro Amazon EC2 instance support

    Intrusion detection and prevention solutions that the AWS Partner deploys into a customer’s AWS accounts support running on Nitro-based Amazon EC2 instances.

    Solutions support drivers for Elastic Network Adapter (ENA) and NVMe block devices.

    Evidence: Written description of the technical solution that the AWS Partner is using to meet this requirement.

  • IDP-004 - AWS Transit Gateway support

    Firewall solutions provided by the AWS Partner for intrusion detection and prevention support Border Gateway Protocol (BGP) and work with AWS Transit Gateway.

    Evidence: Written description of the technical solution that the AWS Partner is using to meet this requirement.

  • IDP-004 - Threat Detection - Network or host level

    The Partner has the ability to detect threats at the network or host level of a customer’s AWS account.

    Evidence: Screen shots showing examples of the technical solution detecting threats at the network or host level for an AWS account.

  • IDP-005 - Threat Detection - AWS API layer

    The Partner has the ability to detect threats at the AWS API layer of a customer’s AWS account.

    AWS APIs refers to the APIs provided by AWS for interacting with the AWS resources in a customer’s AWS account. This does not cover APIs that a customer has created and deployed for their own applications. An example of threat detection at the AWS API layer is detecting the use of IAM access keys from an IP address space that the customer does not normally use.

    Evidence: Screen shots showing examples of AWS API layer detections that are being detected by the AWS Partner’s solution.
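    The detection named above, as an added example that is not part of the checklist or any Partner's product: a small Python routine that scans CloudTrail-style records for IAM access-key use from source addresses outside the customer's known ranges. The field names follow CloudTrail's event schema; the baseline CIDRs, the sample events and the event IDs are constructed for this illustration.

```python
"""Flag IAM access-key use from unusual source IPs (added example, constructed data)."""
import ipaddress
from typing import Iterable

# Constructed baseline: address space the customer normally operates from.
KNOWN_CIDRS = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "198.51.100.0/24")]


def is_known_source(source_ip: str) -> bool:
    """True when the source IP falls inside a baseline CIDR.

    CloudTrail records a DNS name (e.g. "ec2.amazonaws.com") in sourceIPAddress
    when an AWS service made the call on the principal's behalf; those events
    are not an unusual-IP signal, so they are treated as known.
    """
    try:
        ip = ipaddress.ip_address(source_ip)
    except ValueError:
        return True
    return any(ip in net for net in KNOWN_CIDRS)


def detect_unusual_access_key_use(events: Iterable[dict]) -> list:
    """Return one finding per IAM-user access-key call from an unknown source IP.

    Long-term IAM user keys carry the AKIA prefix; temporary STS credentials
    (ASIA prefix, userIdentity.type "AssumedRole") are out of scope for this rule.
    """
    findings = []
    for ev in events:
        ident = ev.get("userIdentity", {})
        key_id = ident.get("accessKeyId") or ""
        if ident.get("type") != "IAMUser" or not key_id.startswith("AKIA"):
            continue
        src = ev.get("sourceIPAddress", "")
        if is_known_source(src):
            continue
        # Carry the AWS metadata an analyst needs to locate the resource (IDP-006).
        findings.append({
            "eventID": ev.get("eventID"),
            "account": ev.get("recipientAccountId"),
            "region": ev.get("awsRegion"),
            "userName": ident.get("userName"),
            "accessKeyId": key_id,
            "sourceIPAddress": src,
            "eventName": ev.get("eventName"),
        })
    return findings


# Constructed sample events (not real CloudTrail data; IDs and keys are placeholders).
SAMPLE_EVENTS = [
    {"eventID": "evt-0001", "eventName": "ListBuckets", "awsRegion": "us-east-1",
     "recipientAccountId": "111111111111", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    {"eventID": "evt-0002", "eventName": "GetCallerIdentity", "awsRegion": "us-east-1",
     "recipientAccountId": "111111111111", "sourceIPAddress": "192.0.2.77",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    {"eventID": "evt-0003", "eventName": "DescribeInstances", "awsRegion": "us-east-1",
     "recipientAccountId": "111111111111", "sourceIPAddress": "192.0.2.77",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLEEXAMPLE01"}},
    {"eventID": "evt-0004", "eventName": "RunInstances", "awsRegion": "us-east-1",
     "recipientAccountId": "111111111111", "sourceIPAddress": "ec2.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "accessKeyId": "AKIAI44QH8DHBEXAMPLE"}},
]

if __name__ == "__main__":
    for f in detect_unusual_access_key_use(SAMPLE_EVENTS):
        print(f)
```

    Only evt-0002 is reported: the call is authenticated with a long-term key and originates from 192.0.2.77, which is outside the baseline. In practice the baseline would be learned from the customer's own CloudTrail history rather than hard-coded, and role sessions would get their own rule.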

  • IDP-006 - AWS aware tooling

    The AWS Partner’s threat detection tools and reporting are AWS aware and contain AWS metadata on the affected AWS resources from a customer’s AWS account. While the metadata available for each AWS resource will vary, the minimum metadata for any AWS resource should include resource tags, region, account, and the resource identifiers that can be used in the AWS console and APIs to find the specific resource. Beyond this minimum, any additional metadata provided about an AWS resource should help the customer make an informed decision about the resource that is experiencing a reported threat.

    Evidence: Screen shots showing the use of AWS metadata from a customer’s AWS account as part of the reporting of threats that are delivered in a dashboard or report for customers.

Managed Detection and Response for AWS Endpoints

The following requirements cover the ability of the Partner to provide and support solutions for managed detection and response for AWS based endpoints.

AWS native services, AWS Solutions Implementations, and third-party products from AWS Security Competency Partners can help satisfy the requirements in this section. For a list of advised tools, please see Supporting Tools for AWS MSSPs.

  • MEDR-001 - Operating System support

    Endpoint solutions provided by the AWS Partner have the ability to run on the following Amazon EC2 operating systems:

    • Amazon Linux 2
    • Red Hat
    • CentOS
    • Ubuntu
    • Windows

    Evidence: Written description of the technical solution that the Partner is using to meet this requirement.

  • MEDR-002 - Endpoint metadata support

    The solution that the AWS Partner provides for a customer’s AWS-based endpoints supports the ability to ingest and display AWS metadata about the EC2 instance that a deployed agent is running on.

    Metadata collected and displayed should include at least: Amazon EC2 tags, Amazon EC2 instance ID, Amazon EC2 AMI ID, Amazon EC2 public and private IP address, Amazon EC2 public and private DNS address, Amazon VPC ID, Subnet ID, region, account ID.

    Evidence: Screen shot showing the use of AWS metadata in the dashboard or report that supports data from the endpoint solution.

  • MEDR-003 - Working agent identification

    The solution that the AWS Partner supports for a customer’s AWS-based endpoints provides the ability to identify Amazon EC2 instances without a working agent.

    Evidence: Screen shot showing the ability to detect instances without a working agent for a customer’s AWS account.
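    One way to produce both the MEDR-002 metadata and the MEDR-003 coverage gap, as an added example that is not part of the checklist or any Partner's product: reconcile a DescribeInstances-shaped EC2 inventory against the endpoint agent's last-heartbeat registry. The inventory, heartbeats, instance IDs and the 15-minute heartbeat window are constructed assumptions; Region and AccountId are not fields of the EC2 Instance object and are assumed to be attached by the collector.

```python
"""List running EC2 instances without a working agent (added example, constructed data)."""
from datetime import datetime, timedelta, timezone

# Assumed policy: an agent counts as working if it checked in within this window.
HEARTBEAT_MAX_AGE = timedelta(minutes=15)

# The MEDR-002 metadata set, using DescribeInstances field names where they exist.
METADATA_FIELDS = ("InstanceId", "ImageId", "PublicIpAddress", "PrivateIpAddress",
                   "PublicDnsName", "PrivateDnsName", "VpcId", "SubnetId",
                   "Region", "AccountId")


def instance_metadata(inst: dict) -> dict:
    """Pick the MEDR-002 metadata out of one instance record; flatten the tag list."""
    meta = {k: inst.get(k) for k in METADATA_FIELDS}
    meta["Tags"] = {t["Key"]: t["Value"] for t in inst.get("Tags", [])}
    return meta


def instances_without_working_agent(inventory: list, heartbeats: dict, now: datetime) -> list:
    """Return metadata plus a reason for each running instance lacking a fresh heartbeat.

    Stopped or terminated instances are skipped: they are not expected to report,
    so flagging them would only add noise to the coverage view.
    """
    gaps = []
    for inst in inventory:
        if inst.get("State", {}).get("Name") != "running":
            continue
        last_seen = heartbeats.get(inst["InstanceId"])
        if last_seen is None:
            reason = "no agent registered"
        elif now - last_seen > HEARTBEAT_MAX_AGE:
            minutes = int((now - last_seen).total_seconds() // 60)
            reason = f"agent silent for {minutes} min"
        else:
            continue
        record = instance_metadata(inst)
        record["Reason"] = reason
        gaps.append(record)
    return gaps


# Constructed sample data (placeholder IDs and addresses, not from any real account).
NOW = datetime(2021, 6, 1, 12, 0, tzinfo=timezone.utc)

def _instance(iid, state, name, private_ip):
    return {"InstanceId": iid, "ImageId": "ami-0example0000000001", "State": {"Name": state},
            "PublicIpAddress": None, "PrivateIpAddress": private_ip,
            "PublicDnsName": "", "PrivateDnsName": f"ip-{private_ip.replace('.', '-')}.ec2.internal",
            "VpcId": "vpc-0example00000001", "SubnetId": "subnet-0example00000001",
            "Region": "us-east-1", "AccountId": "111111111111",
            "Tags": [{"Key": "Name", "Value": name}, {"Key": "env", "Value": "prod"}]}

INVENTORY = [
    _instance("i-0aaaaaaaaaaaaaaa1", "running", "web-1", "10.0.1.10"),
    _instance("i-0bbbbbbbbbbbbbbb2", "running", "web-2", "10.0.1.11"),
    _instance("i-0ccccccccccccccc3", "running", "batch-1", "10.0.2.20"),
    _instance("i-0ddddddddddddddd4", "stopped", "old-1", "10.0.2.21"),
]

HEARTBEATS = {
    "i-0aaaaaaaaaaaaaaa1": NOW - timedelta(minutes=2),    # healthy
    "i-0bbbbbbbbbbbbbbb2": NOW - timedelta(minutes=40),   # stale
    # i-0ccccccccccccccc3 never registered; i-0ddddddddddddddd4 is stopped
}

if __name__ == "__main__":
    for gap in instances_without_working_agent(INVENTORY, HEARTBEATS, NOW):
        print(gap["InstanceId"], gap["Tags"].get("Name"), gap["Region"], gap["Reason"])
```

    The report lists web-2 (stale heartbeat) and batch-1 (never registered) with the tags, VPC, subnet, region and account an analyst needs to find them in the console, while the healthy and stopped instances are left out. A real collector would page through DescribeInstances per region and treat a heartbeat window as a tunable per customer.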

  • MEDR-004 - Container support

    The AWS Partner supports a solution that protects containers and integrates with at least one of the following AWS container services:

    • Amazon Elastic Container Service (Amazon ECS)
    • Amazon Elastic Kubernetes Service (Amazon EKS)
    • AWS Fargate

    Evidence: Written description of the technical solution that is used to support this requirement.

  • MEDR-005 - Base Endpoint Detection and Response capabilities

    The solution that the AWS Partner supports offers four key capabilities for Endpoint Detection and Response (EDR) as defined by Gartner: detect security incidents, contain the incident at the endpoint, investigate security incidents, and provide remediation guidance.

    Evidence: Written description of the technical solution that is used to support this requirement.

Managed Web Application Firewall (WAF)

The following requirements cover the ability of the Partner to provide solutions and support related to customers deploying Web Application Firewall (WAF) technology to protect their applications running in AWS.

AWS native services, AWS Solutions Implementations, and third-party products from AWS Security Competency Partners can help satisfy the requirements in this section. For a list of advised tools, please see Supporting Tools for AWS MSSPs.

  • WAF-001 - OWASP top 10 support

    WAF solutions that the AWS Partner supports have the ability to address the OWASP top 10 web application security risks.

    Evidence: Written description of the technical solutions that the Partner recommends or supports to meet this requirement.

  • WAF-002 - Guidance on rule authoring

    The AWS Partner has the ability to guide a customer on how to author WAF rules for the WAF solutions that the Partner recommends and supports.

    Evidence: Written description on how the AWS Partner meets the needs of their customers for this requirement.

  • WAF-003 - WAF log consumption

    The AWS Partner has the ability to consume log data from a customer’s WAF environments on AWS and provide threat analytics and insights on additional rules that should be authored to address observed threats.

    Evidence: Written description of the technical solution that the AWS Partner is using to solve this requirement.

Resources