AWS Level 1 Managed Security Service Provider Competency

To interact with AWS APIs within customer's AWS account or access the customer's management console, the AWS Partner uses temporary credentials. These credentials can be provided via cross-account roles or federation.

No IAM User access keys are gathered or stored to facilitate interaction with a customer's environment.

Evidence: User documentation such as a manual, white paper, or blog demonstrating the process of granting partner access to a customer's account using an External ID generated by the Partner, or guidelines on how to provide temporary credentials to the customer within a Partner-run account.

The AWS Partner offers guidance to customers regarding the creation of IAM policies within the customer's AWS account. These policies are intended to facilitate the Partner's appropriate access and interaction with the customer's AWS account(s). The guidance emphasizes scoping policies to least privilege, ensuring they cover only the necessary access required by the Partner.

Evidence: Documentation showcasing partner guidance, presented in the form of training presentations, white papers, blogs, or other customer-facing guidance materials.

The AWS Partner's platform does not impose any hard limits on the number of AWS accounts or AWS resources, such as EC2 instances, S3 buckets, RDS databases, etc., that can be utilized and reported on for a single customer.

Evidence: A screenshot or other documentation demonstrating the platform's capability to report on and manage multiple accounts and resources.

Security findings related to a customer's environment are regularly delivered to the customer. This delivery must include a summary report of findings or a dashboard for reviewing findings for a customer's environment and can also include APIs a customer can use to programmatically get information about their security findings.

Evidence: Sample screenshots or similar examples demonstrating the format and content of a report. Describe the frequency at which customers access this report, such as 'on demand,' 'event-triggered,' or a similar frequency.

The AWS Partner offers a vulnerability scanning solution that facilitates customers to conduct both unauthenticated and authenticated vulnerability scans on their Amazon Elastic Compute Cloud (Amazon EC2) infrastructure.

Evidence: Elaborate on the technical solution utilized to fulfill this requirement.

The AWS Partner's vulnerability scanning solution supports collection and display of the AWS metadata that is related to the Amazon EC2 instances that have findings as a result of a vulnerability scan. This information must include: Amazon EC2 tags, Amazon EC2 instance ID, Amazon EC2 AMI ID, Amazon EC2 public and private IP address, Amazon EC2 public and private DNS address, VPC ID, Subnet ID, region, AWS account ID.

Evidence: Screenshots displaying the visibility of essential metadata in the dashboard or report accessible to the customer.

The AWS Partner's solution includes automated detection capabilities for newly created Amazon EC2 instances or Amazon Virtual Private Clouds (VPCs) within the customer's AWS environment. Alternatively, the solution offers programmatic updates to notify about new Amazon EC2 instances or Amazon VPCs that necessitate scanning. This functionality eliminates the necessity for customers to manually configure the AWS Partner's vulnerability scanning solution to include new instances or VPCs in subsequent vulnerability scans.

Evidence: A written explanation detailing how the vulnerability scanning solution fulfills this requirement.

The AWS Partner's vulnerability scanning solution enables customers to conduct both unauthenticated and authenticated vulnerability scans on their container instances.

Evidence: Detailed information about the technical solution employed to meet this requirement.

The AWS Partner solution facilitates the display of AWS resource inventory information through a unified user interface (UI). This UI offers comprehensive inventory details categorized by resource type, region, and account. Additionally, customers can access key configuration attributes of each resource, including their associated tags.

Evidence: Screenshots demonstrating the representation of AWS resource inventory in dashboards or reports accessible to customers.

The AWS Partner solution supports the ability to collect resource information from customer's AWS account in an event-driven fashion.

Initial discovery of AWS resources in the customer's environment via the relevant AWS describe APIs is allowed for building an initial inventory of AWS resources. After initial resource discovery, additional information on new, updated, or terminated resources is identified through an event-driven approach. Examples include consuming data via AWS CloudTrail logs or AWS Config. It is acceptable to make API calls for individual resources to retrieve additional metadata about new or changed assets or to confirm current inventory information.

Evidence: A written explanation outlining the approach used by the solution to gather both initial and ongoing resource information from the customer's AWS account.

The Partner solution has the ability to report on security best practice violations within customer's AWS account. These best practices must cover at least the following AWS services: Amazon EC2, Amazon S3, Amazon Relational Database Service (RDS), AWS Identity and Access Management (IAM), Amazon Virtual Private Cloud (VPC), Amazon Elastic Block Store (Amazon EBS), Amazon Elastic File System (Amazon EFS), AWS Key Management Service (AWS KMS).

Common reference points for best practices with AWS services can be found in the security documentation for a service: https://docs.aws.amazon.com/security/

Evidence: Screenshots demonstrating examples of best practices detection available within dashboards or reports provided to customers.

The AWS Partner solution delivers ongoing compliance monitoring across the configurations of the customer's AWS accounts and their associated AWS resources.

Continuous compliance monitoring is provided for at least two of the following compliance standards/frameworks/regulations:

• CIS AWS Foundations Benchmark
• HITRUST
• HIPAA
• ISO 27001
• MITRE ATTACK
• PCI DSS
• SOC 2

Evidence: Screenshots demonstrating examples of AWS compliance monitoring for each of the supported compliance standards/frameworks/regulations.

AWS Partners can assess and enrich security findings in customer's AWS environment, providing additional context and actionable information to help customers reduce false positives and effectively respond to incidents.

Evidence: A written description of the Partner's approach to triaging security findings from customer's AWS environment.

The AWS Partner can provide guidance for remediating identified security findings within a customer's environment. Additionally, they possess permissions and capabilities to execute remediation actions directly or offer automated processes to resolve identified security findings on behalf of the customer.

Evidence: Screenshots or examples demonstrating reported security findings within an AWS account alongside the corresponding recommended remediation steps or guidance provided by the AWS Partner.

The AWS Partner is equipped to continuously detect, prioritize, and promptly alert customers regarding high-priority security findings round the clock, 24/7. These alerts include guidance for remediation of the identified findings in their AWS accounts.

Evidence: A written description of the Partner's support model for being able to respond to high-priority findings in their customer's AWS accounts on a continuous uninterrupted basis, 24 hours a day and 7 days a week.

The AWS Partner provides the ability for their customers to engage the MSSP support staff on a continuous uninterrupted basis, 24 hours a day and 7 days a week, for assistance with high-severity security items.

Evidence: A written description of how the AWS Partner is enabling their customer to engage their support staff for assistance on a continuous uninterrupted basis, 24 hours a day and 7 days a week.

The AWS Partner possesses the necessary resources and expertise to guide customers in selecting and setting up a DDoS protection solution for applications operating within their AWS accounts.

The DDoS protection solutions recommended or supported by the Partner are required to offer safeguards against layer 3, 4, and 7 attacks.

Evidence: A comprehensive written description detailing the specific DDoS protection solutions endorsed or supported by the AWS Partner for securing applications within customer's AWS account. Additionally, an articulated engagement model outlining how the Partner assists customers in configuring their selected or recommended DDoS protection solution.

Agent-based solutions that are used to provide intrusion detection and prevention services are able to run on Amazon EC2 instances with the following operating systems:

• Amazon Linux2
• RedHat
• CentOS
• Ubuntu
• Windows

This item is not necessary if the AWS Partner utilizes a network-based solution as outlined in IDP-002.

Evidence: A written description of the technical solution that the AWS Partner utilizes to meet this requirement.

Network-based intrusion detection and prevention solutions deployed within customers' AWS accounts are required to support highly available architectures, including the following components:

• Integration with AWS Auto Scaling
• Integration with Elastic Load Balancing (ELB)
• Ability to run in a multi-Availability Zone (AZ) configuration
• Support for automated bootstrapping of instances (e.g., via user data scripts)
• Worker/support nodes must use AWS Lambda/Step Functions rather than relying on long-lived Amazon EC2 instances

This item is not necessary if the AWS Partner utilizes an agent-based solution as outlined in IDP-001.

Evidence: A written description of the technical solution that the AWS Partner utilizes to meet this requirement.

Intrusion detection and prevention solutions that the AWS Partner deploys into customer's AWS accounts support running on Nitro-based Amazon EC2 instances.

Solutions support drivers for Elastic Network Adapter (ENA) and NVMe block devices.

Evidence: A written description of the technical solution that the AWS Partner utilizes to meet this requirement.

The Partner has the ability to detect threats at the network or host level of customer's AWS account.

Evidence: Screenshots demonstrating examples of the technical solution detecting threats at the network or host level for an AWS account.

The Partner has the ability to detect threats at the AWS API layer of customer's AWS account.

AWS APIs refers to APIs, provided by AWS, for interacting with the AWS resources in customer's AWS account. This does not cover APIs that a customer has created and deployed for their own applications. An example of a threat detection at the AWS API layer is: detecting the use of IAM access keys from an IP address space that is not normally used by the customer.

Evidence: Screenshots demonstrating examples of AWS API layer detections that are being detected by the AWS Partner's solution.

The threat detection tools utilized by the AWS Partner incorporate AWS-awareness and contain the detailed AWS metadata related to affected resources within a customer's AWS account. While the specific metadata information for each AWS resource may vary, essential metadata should encompass resource tags, region, account, and resource identifiers that facilitate locating the particular resource through AWS console or APIs. Additionally, supplementary metadata provided about an AWS resource should contribute to the customer's informed decision-making regarding the reported threat.

Evidence: Screenshots demonstrating the use of the AWS metadata from customer's AWS account as part of the reporting of threats that are delivered in a dashboard or report for customers.

Endpoint solutions provided by the AWS Partner have the ability to run on the following Amazon EC2 operating systems:

• Amazon Linux2
• RedHat
• CentOS
• Ubuntu
• Windows

Evidence: A written description of the technical solution that the Partner utilizes to meet this requirement.

The solution provided by the AWS Partner for endpoints within the customer's AWS environment supports the ability to ingest and display the AWS metadata about the EC2 instance on which a deployed agent is running.

Metadata collected and displayed should include at least: Amazon EC2 tags, Amazon EC2 instance ID, Amazon EC2 AMI ID, Amazon EC2 public and private IP addresses, Amazon EC2 public and private DNS addresses, Amazon VPC ID, Subnet ID, region, and account ID.

Evidence: Screenshots showing the use of the AWS metadata in the dashboard or report that supports data from the endpoint solution.

The solution supported by the partner for deployment on the customer's AWS-based endpoints includes the capability to identify Amazon EC2 instances lacking a functional agent.

Evidence: Screenshots demonstrating the detection of instances without a working agent within the customer's AWS account.

The AWS Partner supports a solution that protects containers and integrates with at least one of the following AWS container services:

• Amazon Elastic Container Service (Amazon ECS)
• Amazon Elastic Kubernetes Service (Amazon EKS)
• AWS Fargate

Evidence: A written description of the technical solution that is used to support this requirement.

The solution supported by the AWS Partner encompasses four fundamental Endpoint Detection and Response (EDR) capabilities defined by Gartner: detection of security incidents, containment of incidents at the endpoint, investigation of security incidents, and provision of remediation guidance.

Evidence: A written description of the technical solution that is used to support this requirement.

Application protection solutions, potentially including but not limited to Web Application Firewall (WAF) solutions, bot management solutions, API Security solutions, AI Firewalls, that the AWS Partner supports have the ability to address a variety of critical security risks that may include areas such as OWASP Top 10 web application security risks, OWASP API Security Top 10 risks, OWASP Machine Learning Security Top 10 risks, and OWASP Top 10 for Large Language Model Applications security risks, among others.

Evidence: A written description of the technical solutions that the Partner recommends or supports to meet this requirement.

The AWS Partner has the ability to guide a customer on how to author rules for the application protection solutions, potentially including but not limited to Web Application Firewall (WAF) solutions, bot management solutions, API Security solutions, AI Firewalls, that the Partner recommends and supports.

Evidence: A written description on how the AWS Partner meets the needs of their customers for this requirement.

The AWS Partner has the ability to consume log data from customer's application protection solutions, potentially including but not limited to Web Application Firewall (WAF) solutions, bot management solutions, API Security solutions, AI Firewalls, on AWS and provide threat analytics and insights on additional rules that should be authored to address observed threats.

Evidence: A written description of the technical solution that the AWS Partner utilizes to solve this requirement.

The AWS Partner offers a vulnerability scanning solution that facilitates the scanning of container images for vulnerabilities in both operating systems and programming languages. The scanning solution should support continuous scanning and on-push scanning, covering a minimum of three Operating Systems (Alpine Linux, Amazon Linux, CentOS Linux, Debian Server) and three Programming Languages (C#, Go, Java, JavaScript, PHP, Python, Ruby, Rust).

Evidence: Details on the technical solution that is used to meet this requirement.

The Partner has established policies and procedures for the continuous monitoring of cluster activities to detect potentially threatening or suspicious behavior within container workloads. Identified threats should encompass the following:

• Access to clusters by known malicious actors or through Tor nodes
• API operations performed by anonymous users
• Instances of privilege escalation, such as launching a container with root-level access to the underlying Amazon Elastic Compute Cloud (EC2) host.

The solution protects containers on at least one of the following AWS container services:

• Amazon Elastic Container Service (ECS)
• Amazon Elastic Kubernetes Service (EKS)
• AWS Fargate

Evidence: A written description of the technical solution that is used to support this requirement.

The AWS Partner provides a mechanism for upgrading instances with the latest operating system and application versions.

Evidence: An example of a policy utilized to ensure the maintenance of adequate security patch levels in container instances.

AWS Partner provides code-level security expertise and guidance. The Partner either directly develops application code that implements security best practices or provides code review services for customers to proactively identify security issues and address them in custom code bases. These services leverage a combination of automated static analysis, dynamic analysis, and expert reviews.

Evidence: Any of the following: a customer testimonial, a history within Git/bug tracker systems, or published materials.

The AWS Partner is required to offer a Runtime Application Self-Protection (RASP) solution and continuously monitor events within their managed services.

Evidence: Detailed information demonstrating the RASP security solution's capability to detect and block security attacks and anomalies originating from inside a running application.

The AWS Partner demonstrates comprehension of AWS penetration testing policies and collaborates with customers to conduct tests, establish protocols for routine penetration testing and vulnerability scanning of their applications and infrastructure while adhering to AWS policies. The Partner assists customers in addressing identified vulnerabilities to align their applications with a target security standard and ensure their AWS environment aligns with the AWS Well-Architected Framework.

Evidence: A sample report of customer penetration test results that was provided to a customer. Sensitive data such as IP addresses may be redacted for confidentiality.

The managed service automates vulnerability scanning within the CI/CD pipeline and generates reports for analysis and response. The service conducts scans encompassing code, least privilege access, patch management, and network ports and protocols.

Evidence: A detailed written explanation of the technical solution implemented by the AWS Partner to address this requirement.

The partner conducts Dynamic Code Analysis for deployed applications, collects and triages the events, and either offers remediation guidance or resolves the identified events.

Evidence: A written description of the technical solution that the AWS Partner utilizes to solve this requirement.

AWS Partner performs Static Code Analysis for pre-production apps, collects and triages the events, and either offers remediation guidance or resolves the identified events.

Evidence: A written description of the technical solution that the AWS Partner utilizes to solve this requirement.

Partner must provide details on how they manage cryptographic keys, including rotation and recovery strategies.

Evidence: A written description of the technical solution that the AWS Partner utilizes to solve this requirement.

Partner must monitor SSL/TLS certs for expiration, ensure that keys are stored securely, and implement HSTS (HTTP Strict Transport Security) by default.

Evidence: A written description of the technical solution that the AWS Partner utilizes to solve this requirement.

The AWS Partner is required to offer managed sensitive data discovery services and continuously monitor security events for analysis. Moreover, the Partner must issue alerts when sensitive data is identified in an inappropriate location.

Evidence: The Partner needs to provide a detailed description outlining the tools and methodologies employed for scanning sensitive data and appropriately categorizing it based on classification.

Partner must provide the ability to scan for malware in S3 in an API-based, Event-based, or scheduled fashion. Documentation must be accessible to customers and clearly describe the scanning approach.

Evidence: A written description of the technical solution that the AWS Partner utilizes to solve this requirement.

The AWS Partner is mandated to conduct scans for sensitive data at rest (storage) and in motion (network) to identify instances of improper usage or exchange of sensitive data.

Evidence: Screenshots demonstrating the system's methods of labeling data with the relevant classification.

The AWS Partner must provide a solution that monitors and alerts on data manipulation events, ensuring the integrity of data.

Evidence: A written description of the technical solution that the AWS Partner utilizes to solve this requirement.

The AWS Partner must provide a solution that monitors and alerts on data erasure events, ensuring the availability of data.

Evidence: A written description of the technical solution that the AWS Partner utilizes to solve this requirement.

The Partner's solution should offer visibility into identity access rights concerning assets, detailing how identities are mapped to these assets.

Evidence: A written description of the technical solution that the AWS Partner utilizes to solve this requirement.

The Partner service should possess the capability to detect and generate alerts when a user accesses resources in an anomalous manner, such as accessing resources outside of work hours or from an unusual location.

Evidence: A written description of the technical solution that the AWS Partner utilizes to solve this requirement.

The AWS Partner has the capability to manage Multi-Factor Authentication (MFA) tokens for customers, guaranteeing that, at a minimum, root, administrator, auditor, and back-up accounts are safeguarded with MFA.

Evidence: A written description of the technical solution that the AWS Partner utilizes to solve this requirement.

The Partner must offer a solution for managing passwords, keys, and other secrets that securely stores them without using plain text storage.

Evidence: A written description of the technical solution that the AWS Partner utilizes to solve this requirement.

The Partner solution leverages historical logs to generate recommended policy updates aligned with the principle of least privilege.

Evidence: An example illustrating a recommended policy update automatically generated based on historical logs.

The Partner demonstrates the capability to integrate with major authentication vendors, enabling customers to consolidate and have a unified view of all their AWS and non-AWS accounts.

Evidence: A written description of the technical solution that the AWS Partner utilizes to solve this requirement.

The Partner is proficient in managing identity provider events from AWS Supported Identity Provider through integration with AWS IAM Identity Center via the System for Cross-domain Identity Management (SCIM) standard.

Evidence: Show that the external identity provider has been tested with AWS IAM Identity Center SCIM implementation.

The Partner must be capable of granting access to critical resources through Privileged Access Management (PAM) integration on supported operating systems while also monitoring relevant events.

Evidence: A written description of the technical solution that the AWS Partner utilizes to solve this requirement.

The Partner's solutions should enable the federation of customer employees, contractors, and partners (workforce) to AWS accounts and business applications. Additionally, the Partner should incorporate federation support into public-facing web/mobile applications.

Evidence: Demonstrated support for a minimum of three widely used open identity standards, including Security Assertion Markup Language 2.0 (SAML 2.0), OpenID Connect (OIDC), and OAuth 2.0.

The Partner solution should offer and monitor events concerning the principle of least privilege and separation of duties throughout the lifecycle of employees who join, move within, or leave the organization.

Evidence: A written description of the technical solution that the AWS Partner utilizes to solve this requirement.

The AWS Partner provides customers with a written business continuity plan including the following components:

• Backup and restore strategy
• Risk management strategy (accounting for customers' priorities, constraints, risk tolerances, assumptions)
• Business environment (customers' mission, objectives, stakeholders, cybersecurity roles, responsibilities, and risk management decisions are documented)
• Assets (documentation of data, personnel, devices, systems, and facilities that enable the customer to achieve business purposes)
• Supply chain risk management

Evidence: A sample of a customer Business Continuity Plan that includes Recovery Point Objectives (RPO) and Recovery Time Objective (RTO).

The Partner's solution implements an isolated backup strategy, keeping backups separate from the production network. This isolation involves distinct access roles and separate Multi-Factor Authentication (MFA) access, akin to audit accounts. Additionally, the solution recommends and enforces immutability for the backups.

Evidence: A written description of the technical solution that the AWS Partner utilizes to solve this requirement.

Partner solution keeps critical customer operations up and running in the event of a major system failure.

Evidence:

• A detailed written process outlining the steps for recovering from backups in the event of a major system failure. This document should include the methodology for accessing, restoring, and verifying the integrity of backups.
• Written documentation that specifies the frequency and methodology used for testing the Continuity of Operations (COOP) plan. This may include details on how often the plan is tested, the scope of the tests, and how the tests are performed.
• A written plan detailing how the Partner facilitates recovery operations in AWS from on-premises systems or other cloud environments in the event of a major system failure. This plan should outline the migration strategy, tools, and steps involved in the recovery process.

The AWS Partner undertakes disaster recovery tests biannually to validate the recovery of customer environments to an operational state from backups. Customer involvement is a key aspect to ensure they are prepared for a real disaster event.

Evidence:

• A documented plan that outlines the specifics of the disaster recovery testing process. It should detail the scope, objectives, methodology, and schedule of the tests.
• Documentation describing how customers are involved in the disaster recovery testing process. This should encompass communication plans, customer roles and responsibilities during the testing, and measures taken to ensure customer readiness for a real disaster scenario.
• Records of the actual tests conducted, including outcomes, findings, successes, and areas for improvement. Additionally, any plans or actions initiated based on these findings to enhance the recovery process should be documented.
• Feedback or attestation from customers participating in the disaster recovery tests, confirming their involvement, experience, and readiness as a result of these exercises.

The AWS Partner solution includes a comprehensive approach to ransomware protection and response. This should address each of the requirements in the NIST National Cybersecurity Center of Excellence (NCCoE) Practice Guides (NIST 1800-11, 1800-25, and 1800-26), and include host and network attack vector mitigation, alongside policy enforcement measures like patch management, digital asset inventory, logging, reporting, vulnerability management, event detection, secure backup, immutable storage, investigation, and analytics capabilities.

Evidence: Architecture diagram illustrating the components and functionality of the comprehensive anti-ransomware solution.

The AWS Partner can provide a solution that scans email for malicious messages and common phishing tactics. The solution must include detection, remediation actions, and training.

Evidence: A written description of the technical solution that the AWS Partner utilizes to solve this requirement.

The Partner should possess the capability and a documented procedure for conducting incident investigations and gathering evidence in a legally compliant format suitable for government investigations, should law enforcement or other legal proceedings arise from the investigation's findings.

Evidence: A written description of the technical solution that the AWS Partner utilizes to solve this requirement.

Partner solution must include a separate AWS account for forensics investigations with access policies following least privilege access. Amazon VPC subnets in the Forensics account should have no internet gateways and Security Groups should be highly restrictive, and deny all ports that aren't related to the requirements of the forensics tools. The account activity must be auditable at minimum logging all connection activity (SSH, RDP).

Evidence: A written description of the technical solution that the AWS Partner utilizes to solve this requirement.

The Partner's solution should be capable of gathering data from a selection of at least 5 of the following data sources:

• All EC2 instance metadata
• Amazon EBS disk snapshots
• EBS disks streamed to S3
• Memory dumps
• Memory captured through hibernation on the root EBS volume
• CloudTrail logs
• AWS Config rule findings
• Amazon Route 53 DNS resolver query logs
• VPC Flow Logs
• AWS Security Hub findings
• Elastic Load Balancing access logs
• AWS WAF logs
• Custom application logs
• System logs
• Security logs
• Any third-party logs

Evidence: A written description of the technical solution that the AWS Partner utilizes to solve this requirement.