AWS Security Competency

Applies to: SaaS | Customer Deployed

The AWS Partner solution meets the definition of the category/categories specified in the application and all four customer case studies (see prerequisite section 2.0) also align to this specific category/categories. See the AWS Security Definition and Competency Categories for category definitions.

Applies to: SaaS | Customer Deployed

Applies to: SaaS | Customer Deployed

For complex, multi-part solutions (e.g. auto-scaling) there must be an AWS CloudFormation template and accompanying documentation on how to easily deploy the solution. This also applies to SaaS solutions that require customers to deploy significant components in their own accounts.

Applies to: SaaS | Customer Deployed

Any credentials or other secrets (e.g. database usernames and passwords) required by application processes are managed using AWS Secrets Manager, AWS Systems Manager Parameter Store, or another system with the following characteristics:

• Credentials are encrypted at rest and in transit
• Key material for encrypting the credentials at rest is stored in a purpose-built key management system (see SECOPS-004)
• Access to credentials is logged and auditable
• Authentication to access credentials by processes running in AWS is rooted in either an IAM role associated with the AWS compute resource or an Amazon EC2 instance identity document

For customer deployed components, the solution must support the option for customers to store credentials used by the software using a system that meets the above requirements.

Applies to: SaaS | Customer Deployed

Solution supports automated mechanisms for multi-account deployment via AWS Organizations and/or AWS Control Tower.
Mechanisms can include using AWS CloudFormation StackSets with AWS Organizations or AWS Control Tower Lifecycle Events.

Evidence must be backed by public documentation on how the product supports multi-account deployment or baselining.

Applies to: Customer Deployed

Applies to: SaaS | Customer Deployed

Briefly describe how the solution addresses the sections of this category (IDAM-002 to IDAM-005). Highlight all sections where the product can meet the requirements. Only one section needs to be addressed to fulfill this requirement.

Please provide the following as evidence:

• Provide one or more reference architecture diagrams based on the AWS Security Reference Architecture that show how the product applies to the selected section(s) in this category.

Applies to: SaaS | Customer Deployed

Cloud Infrastructure Entitlements Management solutions must provide the following functionalities:

• Entitlement Enforcement: Enforces policies for entitlements using guardrails across multiple environments, with AWS included as a supported environment.

  Evidence: Provide a list of supported environments for entitlement enforcement, explicitly mentioning AWS as one of the supported environments.

• Entitlement Visibility and Inventory: Provides comprehensive visibility into entitlements across multiple environments, including AWS and on-premises environments. The visibility should encompass humans and machines, offering end-to-end traceability and support for role chaining. Additionally, the solution should incorporate visualizations, such as dashboards and analytics, to present the entitlement information in a clear and actionable manner.

  Evidence: Customer-facing partner documentation that demonstrates the solution's capability to provide entitlement visibility in both AWS and on-premises environments. The documentation should highlight how the solution caters to both human and machine entities, supporting role chaining for effective entitlement management. Additionally, provide examples and screenshots showcasing the visualizations and analytics used to present entitlement information, enabling improved insights and decision-making for users.

• Access Monitoring and Auditing: Effectively monitors access activities and generates audit logs for real-time visibility into user actions. Auditing helps identify potential security issues, policy violations, and unauthorized access.

  Evidence: Customer-facing partner documentation that includes comprehensive information on the solution's access monitoring and auditing capabilities. The documentation should outline the process of access monitoring, the types of activities logged, and how the solution generates real-time audit logs. Additionally, provide sample audit logs and screenshots that showcase the solution's ability to detect and respond to potential security threats and policy violations promptly. These examples should illustrate how the audit logs offer valuable insights for security analysis, compliance auditing, and incident response, ensuring a robust access monitoring and auditing mechanism.

• Least Privilege Policy Refinement: Uses historic logs to recommend policy updates aligned with the principle of least privilege.

  Evidence: Customer-facing partner documentation that explains the least privilege policy refinement feature in detail. The documentation should include a clear description of how the solution analyzes historic logs and access data to identify areas where policy adjustments are needed. Additionally, provide an example of a recommended policy update that was automatically generated based on historic logs. The evidence should showcase how the solution utilizes past access data to suggest specific adjustments to entitlement policies, ensuring that users are granted the least privilege required for their roles or tasks. The example should highlight the benefits of the policy refinement feature in maintaining a secure and efficient access control framework.

• Anomalous Access Behavior Detection: Detects and alerts customers about anomalous access patterns, such as activities outside of work hours or access from new locations.

  Evidence: Provide screenshots or examples of alerts generated by the solution for anomalous access behavior detection. The evidence should showcase how the solution identifies unusual access attempts and notifies users or administrators about these events. The examples should illustrate different types of anomalies, such as access from unfamiliar locations or activities occurring outside of typical work hours. The evidence should highlight the solution's capability to promptly detect and alert users about potential security risks, enabling timely response and mitigation measures to protect the system and data from unauthorized access.

The evidence for each functionality should be included in the customer-facing partner documentation, demonstrating the support and successful implementation of the specified requirements. The documentation should be comprehensive, enabling customers to understand and utilize the Cloud Infrastructure Entitlements Management solution effectively in their environments.

Applies to: SaaS | Customer Deployed

Workforce identity management solutions must provide the following functionalities:

• Integration with AWS IAM Identity Center: AWS supported identity provider integrates with AWS IAM Identity Center using the SCIM (System for Cross-domain Identity Management) standard.

  Evidence: Show that the external identity provider has been tested with the AWS IAM Identity Center SCIM implementation here.

• External IdPs Support: Provides integrations with major authentication vendors.

  Evidence: Provide documentation that shows at least three integrations with 3rd party SSO technologies. The documentation should outline the steps to configure and enable SSO with these authentication vendors, ensuring seamless access to all relevant accounts through a single sign-on experience.

The evidence for each functionality should be included in the customer-facing partner documentation, demonstrating the support and successful implementation of the specified requirements. This documentation should be comprehensive, enabling customers to understand and utilize the workforce identity management solution effectively in their environments.

Applies to: SaaS | Customer Deployed

Control access to key resources through PAM (Privileged Access Management) integration on supported operating systems.

Evidence: Provide comprehensive documentation describing the implementation of the following PASM functionalities:

• Delegation of Privileged Accounts: The documentation should outline the process of delegating privileged accounts to authorized users or roles, defining their scope of access and responsibilities. It should include details on how delegation is managed securely and efficiently.

• Credential Management: The documentation must describe how the partner solution manages and safeguards privileged credentials. This should cover aspects such as encryption of stored credentials, secure rotation of credentials, and access controls to prevent unauthorized access.

• Session Recording (e.g., SSH): The documentation should cover the recording of privileged sessions, such as SSH sessions, capturing the actions performed during the sessions for auditing and compliance purposes. It should explain how session recording is implemented and how the recorded data is securely stored and accessible for audit purposes.

• Credential Discovery: The documentation must explain how the partner solution identifies and discovers privileged credentials across machines, services, and applications within the environment. This should include details on the discovery mechanism and how the solution maintains an up-to-date inventory of privileged credentials.

• Credential Usage Tracking: The documentation should provide details on how the partner solution tracks the usage of privileged credentials, including who accesses them and when. This should include information on logging and monitoring mechanisms used to track credential usage.

The evidence should include in-depth technical information and configuration guides for each aspect of the PASM solution. It should be readily available to partners and customers, ensuring transparency and compliance with the defined requirements. The documentation should be comprehensive, enabling users to understand and effectively implement the PASM functionalities in their environments.

In addition to the comprehensive documentation describing the PASM functionalities, explicitly specify the following AWS-specific integrations:

• AWS Services Supported: Clearly state which AWS services the PASM solution supports for access management. For example, mention if the solution supports EC2 instances only or if it extends its capabilities to other services like RDS, S3, etc.

• Integration with ACM (AWS Certificate Manager): Describe any integration with AWS Certificate Manager, showcasing how the solution leverages this service to manage SSL/TLS certificates used for secure communication within AWS resources.

• Integration with Secrets Manager: Highlight any integration with AWS Secrets Manager and explain how the PASM solution utilizes this service to securely store and manage sensitive information, such as credentials and other privileged access details.

• IAM (Identity and Access Management) Integration: Clearly explain how the PASM solution integrates with AWS IAM, enabling it to manage and enforce access controls for privileged accounts and permissions within the AWS environment.

• CloudTrail Integration: Indicate if the PASM solution integrates with AWS CloudTrail and provide details on how this integration enhances visibility and auditability of privileged actions through detailed API call logs.

• Compliance with AWS Security Best Practices: Provide evidence or documentation demonstrating how the PASM solution aligns with AWS security best practices to ensure that privileged access management follows AWS-recommended standards.

Applies to: SaaS | Customer Deployed

Temporary elevated access management solutions must provide the following functionalities:

• Temporary, Just in Time Access to IAM Identity Center: Allows users to request temporary elevated access to IAM identity center permissions sets. Users must provide essential information such as AWS account, permission set, time period, and reason for the request.

  Evidence: Customer-facing partner documentation demonstrating the inclusion of the AWS IAM Identity Center as a supported environment for granting temporary access to permission sets. The documentation should highlight the steps and procedures for users to submit access requests and the process of approval or denial.

• Request Approval Status Notification: Provides users with timely notifications regarding the approval status of their requests.

  Evidence: Screenshots demonstrating the approval status notifications received by users for both denied and approved requests. The screenshots should showcase the content and format of the notifications, ensuring that users are informed of the outcome of their requests.

• Scope-Based Session Invocation with Approved Request Constraint: Restricts users from invoking a session with a specific scope unless an approved request with the same scope exists, and the session is initiated during the approved time period.

  Evidence: Documentation describing the mechanism for enforcing the session invocation constraints based on approved requests with matching scopes and the associated time period. The evidence should be comprehensive, describing the technical implementation and logic behind the restriction mechanism. It should be made available to partners and customers to ensure transparency and compliance with the defined requirements.

• Approver Request Management: Enables administrators to define request approvers, granting them the authority to approve or reject pending requests. The solution should provide a user-friendly interface for administrators to configure and manage request approvers, designating individuals or roles with the appropriate privileges. Additionally, the system should empower approvers with the ability to view and take action on pending requests, allowing them to approve or reject requests based on defined criteria.

  Evidence: Customer-facing partner documentation providing comprehensive instructions and guidelines on how administrators can configure and manage request approvers. The documentation should include details on how to designate individuals or roles as request approvers and specify their responsibilities in the approval process. Moreover, it should illustrate the approval and rejection process for pending requests, providing step-by-step instructions and guidelines for approvers to perform these actions within the system.

• Self-Approval Prevention Mechanism: Prevents request approvers from approving their own requests.

  Evidence: Screenshots demonstrating the prevention mechanism in action, showing an approver attempting to approve their own request and receiving an error or denial message indicating that self-approval is not allowed.

• Approver Request Log with Export Functionality: Provides approvers with an immutable log containing records of pending, approved, and rejected requests. The system also offers an export mechanism to generate logs for auditing purposes.

  Evidence: Screenshots showcasing the approver's view of the request log, displaying separate sections for pending, approved, and rejected requests. The evidence should also include screenshots of the export mechanism, demonstrating how approvers can generate logs in a format suitable for auditors' review.

• Approver Decision Notes: Allows approvers to add notes explaining their decisions when approving or rejecting requests.

  Evidence: Customer-facing partner documentation detailing the feature that enables approvers to provide explanatory notes when making decisions on requests. The documentation should outline the steps for approvers to add notes and specify any guidelines or restrictions related to the content of the notes.

• Approved Request Revocation: Empowers approvers to revoke previously approved requests, preventing any future use of the elevated access granted through the request.

  Evidence: Customer-facing partner documentation describing the revocation process for approved requests. The documentation should provide clear instructions on how approvers can initiate the revocation and explain the implications of revoking an approved request.

• User Activity Audit Trail: Records and retains a detailed audit trail of session activities, ensuring that all activities are available for auditing purposes.

  Evidence: Screenshots showcasing the session activity log of an approved user. The screenshots should demonstrate the recorded activities, timestamp, the unique identifier of the approved request, and any relevant information that is logged during the user's session for audit trail purposes.

Each functionality's evidence should be included in the customer-facing partner documentation to demonstrate compliance and support of the specified requirements.

Applies to: SaaS | Customer Deployed

Briefly describe how the solution addresses the sections of this category (TDRP-004 to TDRP-009). Highlight all sections where the product can meet the requirements, only one section is required.

Please provide the following as evidence:

• Provide one or more reference architecture diagrams based on the AWS Security Reference Architecture that show how the product applies to each of the sections in this category.

Applies to: SaaS | Customer Deployed

The AWS Partner's threat detection tools and reporting are AWS aware and contain the AWS metadata on the affected AWS resources from customer's AWS account. While the metadata information about each AWS resource will vary, minimal metadata for any AWS resource should include: resource tags, region, account, resource identifiers that can be used in the AWS console and APIs to find the specific resource. Beyond the minimum metadata additional metadata provided about an AWS resource should contribute to helping the customer make an informed decision about the resource that is experiencing a reported threat.

Please provide the following as evidence:

• Documentation that outlines the process of ingesting and analyzing data from multiple sources, including AWS CloudTrail, Amazon VPC Flow Logs, Amazon GuardDuty findings, and other relevant sources.
• Documentation that describes how the solution leverages AWS native security services, such as Amazon GuardDuty, AWS Security Hub, and Amazon Detective, to enhance threat detection and response capabilities.
• Screenshots showing the use of the AWS metadata from customer's AWS account as part of the reporting of threats that are delivered in a dashboard or report for customers.

This requirement is optional for Endpoint Detection and Response (EDR) solutions.

Applies to: SaaS | Customer Deployed

The partner has the ability and a documented process for conducting an investigation into an incident and collecting evidence on their solution in AWS.

Evidence: Provide documentation.

Applies to: SaaS | Customer Deployed

Endpoint Detection and Response solutions must provide the following functionalities:

• Support Four Key Capabilities for EDR as Defined by Gartner: detect security incidents, contain the incident at the endpoint, investigate security incidents, and provide remediation guidance.

  Evidence: Written description of the technical solution that is used to support this requirement. Identify where each of the four key capabilities are addressed.

• Container Endpoint Agent: The solution protects containers with an installed agent and integrates with at least one of the following AWS container services: Amazon Elastic Container Service (Amazon ECS), Amazon Elastic Kubernetes Service (Amazon EKS), AWS Fargate.

  Evidence: Written description of the technical solution that is used to support this requirement.

• Missing Agent Discovery: The solution that the partner supports for running on customer's AWS-based endpoint provides the ability to identify Amazon EC2 instances without a working agent.

  Evidence: Screenshots showing the ability to detect instances without a working agent for customer's AWS account.

• Endpoint Metadata Support: The solution provides the ability to ingest and display the AWS metadata about the EC2 instance where the agent is running.

  Evidence: Evidence with screenshots showing metadata collection and visualization with filtering capabilities, including all of the following: Amazon EC2 tags, Amazon EC2 instance ID, Amazon EC2 AMI ID, Amazon EC2 public and private IP address, Amazon EC2 public and private DNS address, Amazon VPC ID, Subnet ID, region, account ID.

• Operating System Support: Endpoint solutions that can detect, alert, and stop malicious actions have the ability to run on the following Amazon EC2 operating systems:Amazon Linux2, RedHat, CentOS, Ubuntu, Windows.

  Evidence: Written description of the technical solution that the Partner is using to meet this requirement.

• Automated Response and Remediation for Endpoints: Provide predefined response and remediation actions based on industry compliance standards and best practices for security threats. Help customers to resolve common security findings and to improve their security posture in AWS.

  Evidence: Automated scripts/tools that respond to incidents with mitigation or remediation as well as accompanying runbooks that detail alerts, notifications, and escalations.

• AWS Systems Manager Integration: The agent can be deployed via AWS Systems Manager distributor.

  Evidence: Provide deployment documentation.

• Endpoint Logs: The solution generates logs regarding endpoint system level activity that include Amazon EC2 instance metadata (instance ID, account, VPC ID, etc.).

  Evidence: Provide documentation.

Applies to: SaaS | Customer Deployed

Network Detection and Response solutions must provide the following functionalities:

• Network Detect and Alert: The Partner solution has the ability to directly observe, detect, and alert on malicious network actions. Alerts should be delivered securely using end-to-end encryption.

  Evidence: Describe how your system discovers a new machine on the network and notifies the AWS customer without requiring an agent to be installed on hosts.

• Network Flow Protection: The Solution observes network flows and protect against threats based on the following analysis: anomalous behavior, unauthorized ports and protocols, signatures, and network volume.

  Evidence: Provide documentation.

Applies to: SaaS | Customer Deployed

Extended Detection and Response solutions must provide the following functionalities:

• Centralized Security Visibility:

  • The solution must integrate security data from a wide range of sources, including network, endpoint, cloud, and other relevant security tools.
  • The solution must provide a unified, centralized dashboard to view and analyze security events across the customer's environment.
  • The solution must offer customizable dashboards and reporting to meet the customer's specific needs.

• Automated Threat Analysis and Correlation:

  • The solution must have the ability to analyze security data from multiple sources, correlate events, and identify complex, multi-stage threats.
  • The solution must use advanced analytics techniques, such as machine learning and behavioral analysis, to detect and prioritize security incidents.
  • The solution must provide detailed threat intelligence and context to aid in threat investigation and response.

• Incident Response and Remediation:

  • The solution must support streamlined incident response workflows, including the ability to contain and remediate threats across the customer's environment.
  • The solution must provide automated or guided remediation capabilities, such as the ability to isolate infected hosts, deploy security updates, or roll back changes.
  • The solution must integrate with the customer's existing security tools and processes to enhance the overall incident response capabilities.

• Continuous Monitoring and Threat Hunting:

  • The solution must provide continuous monitoring of the customer's environment, including the ability to detect new and emerging threats.
  • The solution must offer proactive threat hunting capabilities, allowing security teams to actively search for and investigate potential threats.
  • The solution must provide actionable insights and recommendations to help the customer's security team improve their defensive posture.

• Open Integration and Ecosystem:

  • The solution must support integration with a wide range of security tools, cloud services, and other relevant systems, using open standards and APIs.
  • The solution must demonstrate the ability to ingest and correlate data from various sources, including third-party security solutions.
  • The solution must have a robust partner ecosystem and a track record of successful integrations with a variety of security products and platforms.

• Compliance and Regulatory Support:

  • The solution must assist the customer in meeting relevant compliance requirements and regulatory standards, such as HIPAA, PCI DSS, or GDPR.
  • The solution must provide features and capabilities that help the customer maintain a strong security posture and demonstrate compliance to auditors.
  • The solution must have a track record of successful deployments in customers' environments that are subject to compliance and regulatory requirements.

Evidence Requirements:

• Provide detailed product documentation and technical specifications demonstrating the capabilities listed above.
• Demonstrate the solution's capabilities through a live or recorded product demo, highlighting the key functionalities and the user experience.
• If applicable, provide evidence of the solution's integration with other security tools and the breadth of the partner ecosystem.

Applies to: SaaS | Customer Deployed

The Partner has the ability to meet the requirements of XDR with a 24/7 Security Operations Center. Partner must be able to install, configure, and manage an XDR solution for customers.

Please provide the following as evidence:

• Show that the XDR requirements of this category are met in this application or that they have been met at a previous time.
• Demonstrate that the Partner has a 24/7 Security Operations Center.

Applies to: SaaS | Customer Deployed

Security Information and Event Management solutions must provide the following functionalities:

• Metadata Searching: The solution supports capturing and displaying AWS resource specific metadata (tags, AMI, region, etc.) related to AWS resources displayed to customers. The customer dashboard must be searchable based on AWS metadata.

  Evidence: Provide screenshots, video link/timing, or demo.

• AWS Security Finding Format: The solution can be configured to ingest findings from AWS Security Hub using the AWS Security Finding Format (ASFF).

  Evidence: Provide documentation.

• High Velocity Logs: The solution supports high velocity ingestion of logs and minimizes the use of API based inquiries such as AWS CloudTrail LookupEvents API. API Calls to obtain information about specific AWS resources should be done for initial resource discovery in customer's environment, to obtain additional information about a specific resource discovered through AWS Config or AWS CloudTrail, or to do a reconciliation against data obtained through other ingestion mechanisms.

  Evidence: Provide documentation.

• Data Ingestion: The solution is able to ingest data from at least five of the following sources: AWS CloudTrail, VPC flow logs, Amazon Route 53 public DNS query logs, AWS WAF logs, AWS X-Ray, Amazon RDS logs, AWS Config, Amazon Inspector, Amazon GuardDuty, Amazon Macie, AWS Security Hub, VPC Traffic Mirroring, AWS Network Firewall, S3 object query logs.

  Evidence: Provide documentation.

Applies to: SaaS | Customer Deployed

Security Orchestration, Automation, and Response solutions must provide the following functionalities:

• Global Threat Intelligence: Solution leverages global threat intelligence and indicators of compromise to automate responses to alerts that meet current playbook actions.

  Evidence: Provide documentation.

• Automation Response: The solution has the ability to automate the remediation of key findings.

  Evidence: Provide documentation of the process for automating a response to a finding.

Applies to: SaaS | Customer Deployed

Briefly describe how the solution addresses the sections of this category. Highlight all sections where the product can meet the requirements, only one section is required.

Please provide the following as evidence:

• Provide one or more reference architecture diagrams based on the AWS Security Reference Architecture that show how the product applies to each of the sections in this category.

Applies to: SaaS | Customer Deployed

• Distributed Denial of Service Protection: The AWS Partner solution provides DDoS protection for the applications running in customer's AWS accounts. The DDoS solution must provide protection from layer 3, 4, and 7 attacks at internet scale.

  Evidence: Provide documentation.

• Logging Integration: The AWS Partner solution can be configured to send detailed DDoS log information to Amazon S3 and to send findings to AWS Security Hub using the AWS Security Finding Format (ASFF).

  Evidence: Provide documentation and show listing as a Security Hub third party product integration.

Applies to: SaaS | Customer Deployed

The Partner solution provides a comprehensive view of network security policy from firewalls and other rules-based security solutions across AWS Cloud and other environments. The solution identifies rules that are redundant or out of date and provide a process for simplifying those rules. The solution must provide a visualization of the network edge where managed policies reside.

Evidence: Provide documentation.

Applies to: SaaS | Customer Deployed

The solution provides an inline content filter via proxy or API to protect enterprise users' outbound connections from malicious content, data leakage, and advanced threats.

Evidence: Provide documentation.

Applies to: SaaS | Customer Deployed

The solution provides a Web Gateway that provides protection for inbound as well outbound connections using advanced malware protection, data leakage prevention, application control, geo-awareness, HTTPS inspection, SSL decryption, and blocklist URL filtering.

Evidence: Provide documentation.

Applies to: SaaS | Customer Deployed

Zero Trust Network Access (ZTNA) solutions must provide the following functionalities:

• Workload Security: The solution must safeguard workloads beyond the network perimeter, including remote and BYOD scenarios.

  Evidence: Provide video link with timing or demo.

• Zero Trust Network Access: The solution ensures that there is no implicit trust in the network based on physical or network location. Focus on users, assets, and resources.

  Evidence: Provide documentation.

Applies to: SaaS | Customer Deployed

The solution incorporates all of the protections listed in this checklist for Cloud Access Security Brokers (CASB), Secure Web Gateway (SWG), and Zero Trust Network Access (ZTNA).

Evidence: Provide documentation.

Applies to: SaaS | Customer Deployed

Next Generation Firewalls solutions must provide the following functionalities:

• Next Generation Firewalls (NGFW) Inspection: NGFW provides stateful inspection and deep packet inspection.

  Evidence: Provide documentation.

• Next Generation Firewalls (NGFW) Protection: NGFW is able to block traffic based on port, protocol, and IP Address.

  Evidence: Provide documentation.

• Highly available architecture: The solution must support customers' ability to deploy highly available architectures. This must include:

  • Integration with Autoscaling
  • Integration with AWS Elastic Load Balancer (ELB) such as Gateway Load Balancer [preferred]
  • Ability to run in a multi-Availability Zone (AZ) configuration
  • Support for automated bootstrapping of instances (e.g., via user data scripts)
  • Worker/support nodes must use AWS Lambda/Step Functions instead of long-lived Amazon EC2 instances

  Evidence: Provide documentation.

Applies to: SaaS | Customer Deployed

Briefly describe how the solution addresses the sections of this category (DATP-002 to DATP-009). Highlight all sections where the product can meet the requirements. Only one section needs to be addressed to fulfill this requirement.

Please provide the following as evidence:

• Provide one or more reference architecture diagrams based on the AWS Security Reference Architecture that show how the product applies to the selected section(s) in this category.

Applies to: SaaS | Customer Deployed

Database Security solutions must provide the following functionalities:

• Data Dashboard: The solution provides a visual dashboard for users to see where their data is stored, the configuration compliance with active policy, and type of data.

  Evidence: Provide screenshots, video link, or demo that showcases the data dashboard. The evidence should demonstrate how the solution presents information about data storage locations, configuration compliance status, and data types in a clear and easily understandable format for users.

• Data discovery: The solution has the ability to discover and classify sensitive data stored in AWS.

  Evidence: Describe your integration with at least three AWS RDS (Relational Database Service) databases. The documentation should explain how the solution integrates with AWS RDS to perform data discovery, identify sensitive data, and classify it accordingly.

• Database scanning: The solution has the ability to scan databases for misconfigurations, patch levels, lack of encryption, lack of backups, and identity and access control issues that allow for privilege escalation.

  Evidence: Provide documentation that explains the scanning capabilities of the solution. This documentation should outline the types of scans performed, the scope of databases covered (including support for AWS RDS and potentially other database services), and the methodology used to identify misconfigurations, vulnerabilities, and access control issues. Additionally, provide details on how the solution ensures data security through encryption and backup checks.

Applies to: SaaS | Customer Deployed

Data Loss Prevention solutions must provide the following functionalities:

• AWS IAM Access Analyzer DLP: The solution ingests and responds to IAM Access Analyzer findings.

  Evidence: Provide documentation that details how a customer can integrate the solution with AWS IAM Access Analyzer to detect and respond to data loss prevention events.

• Amazon GuardDuty DLP: The solution ingests and responds to Amazon GuardDuty findings related to Amazon S3.

  Evidence: Provide documentation that details how a customer can integrate the solution with Amazon GuardDuty to detect and respond to data loss prevention events related to Amazon S3.

• Amazon S3 DLP: The solution ingests and responds to Amazon S3 object-level actions from AWS CloudTrail.

  Evidence: Provide documentation that details how a customer can integrate the solution with Amazon S3 and AWS CloudTrail to receive alerts and remediation guidance for data loss prevention events related to Amazon S3.

• Amazon Macie DLP: The solution ingests and responds to Amazon Macie findings.

  Evidence: Provide documentation that details how a customer can integrate the solution with Amazon Macie to detect and respond to data loss prevention events detected by Amazon Macie.

• Data Loss Prevention (DLP): AWS Partner solution has the ability to scan data at rest (storage) and data in motion (network) to determine when sensitive data is improperly used or exchanged.

  Evidence: Provide screenshots showing how the system marks data with the appropriate classification in a customer report. Also, describe how the solution can identify and prevent the improper use or exchange of sensitive data, either through direct TLS/SSL traffic processing or integrations with Next Generation Firewalls (NGFW). Include details on the data scanning capabilities of the DLP solution to ensure effective data protection.

Applies to: SaaS | Customer Deployed

Keys and Secrets Management solutions must provide the following functionalities:

• Key Management: The solution provides the ability to manage keys and secrets in AWS, on-premise, and in non-AWS environments.

  Evidence: Provide documentation that describes the key management capabilities of the solution. Include details on how the solution allows users to create, store, rotate, and manage cryptographic keys and secrets across various environments, including AWS, on-premise systems, and non-AWS environments.

• AWS Key Management Service (KMS) integration: The solution integrates with either AWS Key Management Service (KMS) or AWS CloudHSM for managing cryptographic keys.

  Evidence: Provide documentation that details the integration with AWS Key Management Service (KMS) or AWS CloudHSM.

• Data Encryption and Key Management: Partner solution provides details on how they manage customer keys, including rotation and recovery strategies.

  Evidence: Provide documentation that outlines the data encryption and key management practices of the solution. Describe the key generation, storage, and rotation processes implemented by the solution to ensure the security and integrity of customer keys. Include information on how key recovery and backup procedures are handled in case of data loss or system failures.

Applies to: SaaS | Customer Deployed

Partner solution provides the ability to scan for malware in S3 in an API-based, event-based, or scheduled fashion.

Evidence: Documentation must be accessible to customers and clearly describe the scanning approach.

Applies to: SaaS | Customer Deployed

Tokenization and Masking solutions must provide the following functionalities:

• Masking: The solution has the ability to identify sensitive information and remove it permanently, either by deletion or by replacing it with non-sensitive data.

  Evidence: Provide documentation that explains the masking capabilities of the solution.

• Tokenization: The solution has the ability to identify sensitive information and replace it with non-sensitive information in the same data format. The solution will maintain the sensitive information in a trusted storage and be able to re-insert that sensitive data in the right place and format.

  Evidence: Provide documentation that explains the tokenization capabilities of the solution.

Applies to: SaaS | Customer Deployed

The solution provides the ability to identify threats in inbound email. Provide protection action based on the threat.

Evidence: Provide documentation of the abilities to: 1/ scan email for malicious code or attachments and 2/ identify and remove phishing attack emails.

Applies to: SaaS | Customer Deployed

The solution provides the ability to identify threats in outbound emails. Provide identification and protection for data leakage prevention in emails.

Evidence: Provide documentation of the abilities to 1/ identify data leakage based on sensitive information such as keywords and Personally Identifiable Information (PII) patterns. 2/ protect identified sensitive emails by encryption or blockage.

Applies to: SaaS | Customer Deployed

Data Security Posture Management solutions must provide the following functionalities:

• Data Security Assessment and Continuous Monitoring (Agentless): The solution should continuously assess the data security posture of AWS resources, including databases, storage, and data repositories, without requiring the installation of agents on the monitored systems. It should identify security vulnerabilities, misconfigurations, and potential risks related to data protection. The solution should also support real-time monitoring of data security, regularly checking for changes in the data environment and potential security issues. It should provide real-time alerts for security incidents or changes that may impact data protection.

  Evidence: Provide documentation that describes how the solution performs data security assessments and continuous monitoring in an agentless manner. This documentation should outline the types of security checks performed, the scope of resources covered, the frequency of checks, and the methodology used to identify vulnerabilities and misconfigurations. Additionally, include details on how real-time alerts are generated and the process for notifying customers about security incidents or changes. The evidence should showcase the integration with AWS services, particularly focusing on data security assessment and continuous monitoring for AWS resources, such as Amazon S3 and Amazon RDS.

• Data Security Compliance Reporting: The solution should generate compliance reports that summarize the data security posture of AWS resources. These reports should provide insights into compliance with data protection regulations, industry standards, and best practices. The compliance reports should cover at least two of the following compliance organizations:

  • CIS AWS Foundations Benchmark v1.2 or 1.3
  • HITRUST v9.3
  • HIPAA
  • ISO 27001:2013
  • MITRE ATT@CK
  • PCI DSS v3.2

  Evidence: Provide a sample data security compliance report generated by the solution. The report should showcase the level of detail provided, including compliance status, identified issues, and recommendations for improving data security.

• Remediation and Risk Mitigation: The solution should offer remediation recommendations and risk mitigation strategies for identified security issues and vulnerabilities. It should provide actionable steps to address data security risks effectively.

  Evidence: Provide documentation that demonstrates how the solution provides remediation recommendations and risk mitigation strategies. Include examples of actionable steps provided to customers to address identified security issues.

• Data Security Policy Management and Access Control: The DSPM solution should enable administrators to define and manage data security policies for AWS resources, including databases, storage, and data repositories. The solution should also provide granular access control capabilities to enforce these policies, ensuring that only authorized users and applications have appropriate access to sensitive data.

  Evidence: Provide documentation that demonstrates how the DSPM solution allows administrators to create and configure data security policies, specifying rules and restrictions on data access and usage. Additionally, showcase the solution's access control features, highlighting the ability to enforce these policies by managing user permissions, roles, and access privileges to AWS resources.

The evidence for each functionality should be included in the customer-facing partner documentation, demonstrating the support and successful implementation of the specified requirements. The documentation should be comprehensive, enabling customers to understand and utilize the Data Security Posture Management solution effectively in their AWS environment.

Applies to: SaaS | Customer Deployed

Briefly describe how the solution addresses the sections of this category (CPR-004 to CPR-005). Highlight all sections where the product can meet the requirements, only one section is required.

Please provide the following as evidence:

• One or more reference architecture diagrams based on the AWS Security Reference Architecture that show how the product applies to each of the sections in this category.

Applies to: SaaS | Customer Deployed

For solution that provides guardrails, ensure desired state using any of the following: AWS CloudTrail, AWS Config, or AWS CloudFormation.

Evidence: Provide documentation.

Applies to: SaaS | Customer Deployed

The Solution only uses API Calls to obtain initial information about specific AWS resources such as for resource discovery. To obtain additional information about a specific resource in a more efficient way, use AWS Config, AWS CloudTrail, or do a reconciliation against data obtained through other ingestion mechanisms.

Evidence: Provide documentation.

Applies to: SaaS | Customer Deployed

Cloud Security Posture Management solutions must provide the following functionalities:

• Misconfiguration Check: The Solution is able to check and alert on misconfiguration of AWS resources. Examples include the following scenarios: unencrypted databases, data storage exposed to the Internet, and MFA required for root access.
• Evaluation Frequency: The solution detects and evaluates changes to the environment within one hour.
• Compliance Remediation: The solution recommends or automates a process to remediate resources that are out of compliance.
• Compliance Check: The solution provides the ability to check compliance against third party compliance standards.
• Documentation: The solution's documentation or landing page lists the specific frameworks and controls (e.g. PCI-DSS, HIPAA, FIPS 140-2, NIST 800-53, GDPR, SOC2, CIS, etc.) the solution evaluates.
• AWS Resource List: The solution provides the ability to track and display a list of AWS resources and their configuration status regarding storage, compute, identity, and access.

Evidence: Provide documentation.

Applies to: SaaS | Customer Deployed

Cloud Workload Protection Platform solutions must provide the following functionalities:

• Provide a single pane of glass for protection based around the workload as it operates across AWS and on-prem environments.

• Meet all requirements from the CSPM use case section and also provide agent-based host protections.

Evidence: Provide documentation.

Applies to: SaaS | Customer Deployed

Cyber Asset Attack Surface Management (CAASM) helps security teams solve challenges related to asset visibility, their relationships, coverage gaps, and threat exposure across the entire asset estate. By integrating with existing tools through APIs, CAASM solutions provide organizations with a comprehensive, contextualized view of their digital environment, enable querying of consolidated asset data, identify security gaps and exposures, and facilitate the remediation of these uncovered issues.

CAASM solutions must provide the following functionalities:

• Asset Discovery and Inventory Management:

  • Ability to discover and catalog all assets within the organization's environment, including devices, cloud resources, users, identities, vulnerabilities, installed software, SaaS applications, and more.
  • Automatically correlate and provide information about each asset, such as operating system, applications, versions, and configuration settings, using multiple data points with different levels of confidence.
  • Maintaining a centralized and continuously updated asset inventory.

  Evidence:

  1. Detailed product documentation showcasing the asset discovery and cataloging capabilities.
  2. Demonstration or screenshots of the asset inventory, including the types of information gathered.
  3. A complete catalog of integrations with descriptions, assets fetched, and step-by-step instructions for each integration.

• Security Posture and Attack Surface Management:

  • Provides a detailed, contextualized view of the organization's attack surface, including asset ownership, interconnections, dependencies, and potential vulnerabilities.
  • Security hygiene monitoring and management, including agent health (missing or non-performing agents), security gaps, and configuration changes, with automated real-time alerts for high-risk events or emerging threats.
  • Identifies risks, highlights top-priority areas, and provides remediation guidance.
  • Enables security teams to automate response actions and address vulnerabilities, missing or malfunctioning controls, and assets not adhering to IT and security policies.

  Evidence:

  1. Product screenshots or walkthroughs showcasing the attack surface visualization, including the ability to identify high-risk areas.
  2. Product screenshots demonstrating how the solution uncovers security gaps (like missing EDR), lateral movement possibilities, asset relationships, and the blast radius of security threats.
  3. Detailed product documentation explaining the attack surface mapping and visualization capabilities.

• Risk Assessment and Mitigation:

  • Understanding the overall risk exposure, potential impact, and likelihood of cyber-attacks based on the identified attack surface.
  • Developing and implementing strategies to reduce the attack surface, such as asset decommissioning, network segmentation, and access control policies.
  • Providing recommendations and guidance for risk mitigation.

  Evidence:

  1. Product documentation describing the risk assessment methodology, including the factors considered and the risk scoring/ranking system.
  2. Demonstration of the risk mitigation strategies and recommendations provided by the CAASM solution.

• Continuous Monitoring and Alerting:

  • Continuously monitoring the attack surface for changes, new vulnerabilities, and potential threats.
  • Providing real-time alerts and notifications to security teams about high-risk activities or emerging threats.
  • Ability to integrate with other security tools and platforms for consolidated monitoring and response.

  Evidence:

  1. Product documentation showcasing the real-time monitoring and alert capabilities, including the types of events and thresholds monitored.
  2. Demonstration of the alert notification system, including the delivery channels and escalation procedures.

• Vulnerability Management:

  • Capability to continuously scan and monitor assets for known vulnerabilities.
  • Vulnerability prioritization based on factors like threat level, exploitability, and potential impact.
  • Providing remediation guidance and recommendations to address identified vulnerabilities.

  Evidence:

  1. Product documentation describing the vulnerability scanning, prioritization, and remediation guidance features.
  2. Demonstration of the vulnerability management workflow, including vulnerability detection, risk scoring, and remediation recommendations.

• Integration and Automation:

  • Providing APIs or other integration mechanisms to enable the exchange of data and actions with other security tools.
  • Seamless integration with vulnerability scanners, SIEM systems, incident response tools, and non-security systems to gather additional information about assets, validate security posture, and detect security gaps not covered by the security stack.
  • Automating processes, such as asset discovery, vulnerability assessment, ticketing and case management, and policy enforcement.

  Evidence:

  1. Product documentation detailing the integration capabilities and supported security tools and platforms.
  2. Demonstration of the automated workflows and integrations, such as vulnerability remediation or incident response.

• Reporting and Analytics:

  • Generating comprehensive reports on the organization's attack surface, vulnerability status, and risk posture.
  • Providing analytics and insights to help security teams identify trends, patterns, and areas for improvement.
  • Ability to customize and tailor reports to meet the specific needs of the organization.

  Evidence:

  1. Product screenshots or walkthroughs of the reporting and analytics capabilities, including the types of reports and dashboards available.
  2. Detailed product documentation describing the reporting and analytics features, and the level of customization and flexibility provided.

Applies to: SaaS | Customer Deployed

Briefly Describe how the solution addresses the sections of this category (APSEC-002 to APSEC-005). Highlight all sections where the product can meet the requirements, only one section is required.

Please provide the following as evidence:

• Provide one or more reference architecture diagrams based on the AWS Security Reference Architecture that show how the product applies to each of the sections in this category.

Applies to: SaaS | Customer Deployed

Runtime Application and Self-Protection solutions must provide the following functionalities:

• Runtime Application and Self-Protection (RASP): The solution detects and blocks security attacks and anomalies from inside a running application.

• Deployment: Solution operates on the same server as the app it is protecting and applies security algorithms in-line to all system level calls, including any data exchanges.

Evidence: Provide documentation.

Applies to: SaaS | Customer Deployed

The partner's service suite must offer a variety of solutions, potentially including but not limited to:

• Web Application Firewall (WAF) solutions
• Bot management solutions
• API Security solutions
• AI Firewalls

These solutions can be offered individually or as an integrated platform. They are primarily for Production applications but can also be deployed in Build and Test environments.

Please provide the following as evidence:

• A comprehensive reference architecture outlining the proposed offer. This should include a clear reference architecture diagram, a detailed description of customized services (such as policies, scripts, procedures, runbooks, or training), and an exhaustive list of employed products.

Evidence must meet the following requirements:

• Demonstrate the ability to provide and manage the chosen solutions (WAF, bot management, API security, AI firewalls) in a variety of environments (Production, Build, Test).
• Show how your WAF solution integrates with AWS CloudFront, Elastic Load Balancer (ELB), and other AWS services.
• Show how your API Security solution integrates with AWS and 3rd-party API gateways, load balancers, and even VPC Traffic Mirroring.
• Show how your bot management solution integrates with AWS CloudFront, and potentially with AWS WAF.
• Show how your AI Firewall solution sits between the application and the GenAI service, monitoring the prompts and the outputs.

Applies to: SaaS | Customer Deployed

Partner solution has the ability to scan code within the development pipeline, pre-production.

Please provide the following as evidence:

• Automated tooling that identifies issues including: weaknesses, flaws, and vulnerabilities in software code.
• Identify the CWE Top 25 (Common Weakness Enumeration).
• Identify the OWASP Top 10 (Open Web Application Security Project).
• Make recommendations about how to resolve identified issues.
• Documented integration with code development pipelines.
• Ability to scan imbedded Open Source Code.

Applies to: SaaS | Customer Deployed

Vulnerability Management solutions must provide the following functionalities:

• Resource Metadata: The AWS Partner's vulnerability scanning solution supports collection and display of the AWS metadata from Amazon EC2 instances and containers for findings from a vulnerability scan.

  Evidence: Screenshots showing the display of the necessary metadata, including: Amazon EC2 tags, Amazon EC2 instance ID, Amazon EC2 AMI ID, Amazon EC2 public and private IP address, Amazon EC2 public and private DNS address, VPC ID, Subnet ID, region, AWS account ID, and container-related metadata (if applicable).

• Infrastructure Vulnerability Scanning: Infrastructure vulnerability scanning solutions support scanning EC2 instances and containerized environments for common operating systems.

  Evidence: Provide documentation showing the ability to scan these operating systems: Amazon Linux 2, Microsoft Windows Server, Ubuntu Server, RedHat Enterprise Linux, SUSE Linux Enterprise, and popular container runtimes.

• Continuous Scanning: The primary method to detect changes to resources in the customer's account is via AWS CloudTrail, Amazon EventBridge, or AWS Config.

  Evidence: Provide documentation.

• Findings: The solution provides remediation guidance for findings in both EC2 instances and containerized environments.

  Evidence: Provide documentation or screenshots showing guidance for common findings.

• Centralized Scanning: The solution provides centralized management for customer environments spanning multiple AWS accounts, Regions, VPCs, and container orchestrators (e.g., Kubernetes).

  Evidence: Provide documentation.

• Network Scans: Network scanning solutions automatically enumerate target IPs using Amazon EC2 APIs, extending support to include containerized environments.

  Evidence: Provide documentation.

Applies to: SaaS | Customer Deployed

Software Bill of Materials (SBOM) and Supply Chain Security solutions must provide the following functionalities:

• SBOM Generation: The solution generates a Software Bill of Materials (SBOM) for applications and software components, including open-source libraries and third-party dependencies. The SBOM should provide detailed information about the software components, their versions, dependencies, and associated vulnerabilities.

  Evidence: Provide documentation that describes how the solution generates SBOMs for applications and software components. Include details on the format of the SBOM, the level of detail provided, and the process for updating and maintaining the SBOM.

• Supply Chain Security: The solution ensures the security of the software supply chain by identifying and mitigating risks associated with third-party components, dependencies, and integrations. It should provide visibility into the software supply chain, including the origin of components, known vulnerabilities, and potential security issues.

  Evidence: Provide documentation that explains how the solution addresses supply chain security risks. Describe the mechanisms used to identify and mitigate risks in third-party components, dependencies, and integrations. Include details on how the solution monitors the software supply chain for security threats and vulnerabilities.

• Vulnerability Management: The solution integrates with vulnerability databases and security feeds to identify known vulnerabilities in software components. It should provide real-time alerts and notifications about new vulnerabilities and security issues that may impact the software supply chain.

  Evidence: Provide documentation that showcases the vulnerability management capabilities of the solution. Include information on the vulnerability databases and security feeds used by the solution, the process for identifying and prioritizing vulnerabilities, and the mechanisms for alerting customers about security threats.

• Integration and Automation: The solution integrates with software development tools, CI/CD pipelines, and DevOps workflows to automate SBOM generation, vulnerability scanning, and supply chain security checks. It should provide APIs or integration mechanisms to enable seamless data exchange and action across the software supply chain.

  Evidence: Provide documentation that demonstrates the integration and automation capabilities of the solution. Include examples of how the solution integrates with software development tools, CI/CD pipelines, and DevOps workflows to streamline SBOM generation, vulnerability scanning, and supply chain security checks. Describe the APIs and integration mechanisms used to facilitate data exchange and automation.

• Reporting and Analytics: The solution generates reports and analytics on software components, vulnerabilities, and supply chain security risks. It should provide insights into the software supply chain, including risk assessments, compliance status, and security posture. The reports should be customizable and tailored to meet the specific needs of organizations.

  Evidence: Provide documentation that showcases the reporting and analytics features of the solution. Include examples of the reports and dashboards generated by the solution, highlighting the level of detail provided, the types of insights available, and the customization options offered to customers.

Applies to: SaaS | Customer Deployed

The AI Security category focuses on the unique requirements for AI workloads across data security, security posture management, and threat detection and response, compared to the security requirements of generic workloads customers deploy. Briefly describe how the solution addresses the sections of this category (AISEC-002 to AISEC-004). Highlight all sections where the product can meet the requirements, only one section is required.

Please provide the following as evidence:

• Provide one or more reference architecture diagrams based on the AWS Security Reference Architecture that show how the product applies to the selected section(s) in this category.

Applies to: SaaS | Customer Deployed

The partner’s solutions must encompass features capable of delivery the following functionalities:

• Discovery and classification of data used with AI workloads, with the ability to define data-specific security policies. This includes data for model training, fine-tuning, RAG, and other data repositories.

  Evidence: Written description of the technical solution that is used to support this requirement.

• Discovery and removal of sensitive data within data repositories used for AI workloads. This includes, but is not limited to, PII, first party data (customers, patients, suppliers, employees, etc.), intellectual property (IP), and other sensitive data.

  Evidence: Written description of the technical solution that is used to support this requirement. Identify what type of data you support discovery and removal.

• Ensuring adherence to relevant data protection laws and standards.

  Evidence: Provide documentation. Identify what laws and standards

• Monitoring of data source activity to enforce usage policies are maintained. Provide remediation and risk mitigation strategies for identified issues.

  Evidence: Written description of the technical solution that is used to support this requirement.

• Provide reporting of data usage and data security posture for AI workloads.

  Evidence: Provide documentation.

• Implementation of data encryption and secure storage practices for AI-related data.

  Evidence: Provide documentation.

• Establish and enforce data access controls and authentication mechanisms for AI data repositories.

  Evidence: Written description of the technical solution that is used to support this requirement.

• Provide data tracking and auditing capabilities for AI workloads.

  Evidence: Provide documentation.

• The solution has the ability to support data stored in AWS.

  Evidence: Describe your integration with at least Amazon S3. Provide documentation.

Applies to: SaaS | Customer Deployed

The partner’s solutions must encompass features capable of delivery the following functionalities:

• Discovery and reporting on AI models, services, and data stores used for AI workloads.

  Evidence: Written description of the technical solution that is used to support this requirement.

• Identifying potential security risks and vulnerabilities specific to AI workloads.

  Evidence: Written description of the technical solution that is used to support this requirement.

• Ensuring the security and privacy of training data, input data, and output data.

  Evidence: Written description of the technical solution that is used to support this requirement.

• Monitoring of security posture for AI workload deployment. Provide remediation and risk mitigation strategies for identified issues.

  Evidence: Written description of the technical solution that is used to support this requirement.

• Identification of users who have access to sensitive data and AI workloads. Provide remediation and risk mitigation for identified issues.

  Evidence: Written description of the technical solution that is used to support this requirement.

• Provide reporting of AI security posture for AI workloads.

  Evidence: Provide documentation.

• Implement and manage access controls and authentication for AI models and services.

  Evidence: Written description of the technical solution that is used to support this requirement.

• Conduct regular security assessments for AI workloads.

  Evidence: Written description of the technical solution that is used to support this requirement.

• Implement and manage model versioning and integrity checks.

  Evidence: Written description of the technical solution that is used to support this requirement.

• Establish and enforce ethical AI guidelines and governance frameworks.

  Evidence: Written description of the technical solution that is used to support this requirement.

• The solution has the ability to support AI workloads on AWS.

  Evidence: Describe your integration with at least one AWS AI service (Amazon Bedrock, Amazon Q, Amazon Sagemaker). Provide documentation.

Applies to: SaaS | Customer Deployed

The partner’s solutions must encompass features capable of delivery the following functionalities:

• Identifying unusual patterns or behaviors in AI workload operations.

  Evidence: Written description of the technical solution that is used to support this requirement. Identify what patterns and behaviors supported.

• Checking for unauthorized modifications to AI models.

  Evidence: Written description of the technical solution that is used to support this requirement.

• Analyzing model outputs for signs of compromise and unexpected results.

  Evidence: Written description of the technical solution that is used to support this requirement.

• Monitoring user interactions with AI workloads for suspicious activity.

  Evidence: Written description of the technical solution that is used to support this requirement.

• Identifying changes to the distribution of input or output data.

  Evidence: Written description of the technical solution that is used to support this requirement.

• Implement real-time countermeasures against detected threats.

  Evidence: Written description of the technical solution that is used to support this requirement. Provide details on countermeasures supported.

• Updating threat detection models based on new data and emerging threats.

  Evidence: Written description of the technical solution that is used to support this requirement.

• Implement prompt instruction and formatting techniques to prevent both direct and indirect prompt injection attacks.

  Evidence: Written description of the technical solution that is used to support this requirement.

• Implement prevention measures for insecure output handling, including but not limited to SQL injections, XSS/CSRF in web browsers, privilege escalation, and remote code execution.

  Evidence: Written description of the technical solution that is used to support this requirement. Provide details on which insecure output handling supported.

• Reporting of identified threats and remediation actions.

  Evidence: Provide documentation.

• Detect and prevent attempts to extract sensitive information or model details.

  Evidence: Written description of the technical solution that is used to support this requirement.

• Implement anomaly detection for AI model performance and resource usage.

  Evidence: Written description of the technical solution that is used to support this requirement.

• Provide capabilities for detecting and preventing AI-specific attack vectors such as model inversion or membership inference attacks.

  Evidence: Written description of the technical solution that is used to support this requirement.

• The solution has the ability to support AI workloads on AWS.

  Evidence: Describe your integration with at least one AWS AI service (Amazon Bedrock, Amazon Q, Amazon Sagemaker).

Applies to: SaaS | Customer Deployed

AWS Support provides a mix of tools and technology, people, and programs designed to proactively help you optimize performance, lower costs, and innovate faster. AWS Business Support provides additional benefits including access to AWS Trusted Advisor and AWS Personal Health Dashboard and faster response times.

For SaaS solutions, subscribing to AWS Business Support or greater (including AWS Partner-Led Support) for all production accounts is a requirement to successfully complete the validation for Competency Program. For customer deployed solutions, the Partner must subscribe to premium support for the AWS accounts which produce the solution.

Applies to: SaaS | Customer Deployed

AWS Partner offers product support via web chat, phone, or email support to customers.

Evidence must be in the form of description of support offered to customers for their product or solution.

Applies to: SaaS | Customer Deployed

AWS Partner must submit architectural diagrams depicting the overall design and deployment of the solution on AWS as well as any other relevant details of the solution.

The provided diagrams are intended to provide context to the AWS Solutions Architect conducting the technical validation. These diagrams will be referenced during the validation call. It is critical to provide clear diagrams with an appropriate level of detail in order to enable an efficient conversation about the product architecture with respect to the other technical requirements described in this document.

Each architecture diagram must show:

• The major elements of the architecture, and how they combine to provide the AWS Partner Solution to customers
• All of the AWS services used, using the appropriate AWS service icons.
• How the AWS services are deployed, including, VPCs, Availability Zones (AZs), subnets, and connections to systems outside of AWS.
• Includes elements deployed outside of AWS, e.g. on-premises components, or hardware devices.

Applies to: Customer Deployed

The deployment guide must provide best practices for deploying the AWS Partner Solution on AWS, and include all of the sections outlined in the AWS Foundational Technical Review Guide

Applies to: SaaS | Customer Deployed

All customer facing documentation and artifacts to deploy, operate and maintain the solution must meet the following standards:

• All references to AWS services must use the correct product names. (Please reference the official AWS product landing pages for the correct spelling and styling of product names)
• Documentation must be generally free of typos and grammatical errors.

Evidence: Provide a link to, or attach a copy of, your customer facing documentation.

Applies to: SaaS | Customer Deployed

AWS Partner has field-ready documentation and a seller toolkit that enable their field sellers to articulate a clear product value proposition to AWS customers.

Evidence must be in the form of sales collateral including a customer presentation, one-pager, and customer success stories.

Applies to: SaaS | Customer Deployed

If the solution is available via AWS Marketplace, AWS Partner must provide a link to the AWS Marketplace listing in their application.

An AWS Marketplace listing is not mandatory to achieve the AWS Competency.

Applies to: SaaS | Customer Deployed

Static AWS Access Keys are not used, except in the following cases:

1. Used by humans to access AWS services, and stored securely on a device controlled by that human.
2. Used by a service to access AWS services, but only in cases where all of the following are true:
   • It is not feasible to use an Amazon EC2 instance role, ECS Task role or similar mechanism
   • The AWS Access Keys are rotated at least weekly
   • Associated IAM Policies are tightly scoped such that it only allows access to specific actions and resources.
   • An IAM policy is in place that denies access to all actions except when requests originate from an IP address owned by the AWS Partner (see Example IAM Identity-Based Policies).

This requirement is applicable to internal processes running in the AWS Partner's AWS accounts as well as any components of the solution running in the customer's account. Customers must never be required to create IAM users in order to use any feature or capability of the solution. Partner-hosted or SaaS solutions must use cross-account IAM roles with external IDs to gain access to the customer's account. Customer deployed solutions must natively support using IAM roles associated with AWS compute resources.

Applies to: SaaS

All events from AWS Health with the service type "RISK" are handled within defined SLAs. APN Partner must implement all of the following:

• Define an SLA for security operations staff to evaluate and mitigate AWS Health RISK events.
• Implement automated integration with the primary internal issue tracking system such that a new issue is created for all events published by the AWS Health service with detail type "AWS Health Event" and service equal to "RISK". These events include "AWS_RISK_CREDENTIALS_COMPROMISED" and "AWS_RISK_CREDENTIALS_EXPOSED".
• Implement alerting and notification to security operations staff for both new issues created and SLA breeches.

Applies to: SaaS

All SaaS solutions must authenticate paid API or UI requests. The solution has specific technologies and mechanisms in place to mitigate the attacks described in the OWASP Top 10 Web Application Security Attacks

Applies to: SaaS

A hardened configuration based on CIS or equivalent benchmark has been defined for operating systems and containers used to host the solution. There are automated mechanisms in place to ensure this hardened configuration is applied to all compute resources (e.g., persisting the configuration to an immutable Amazon Machine Image [AMI]).

Applies to: SaaS

Protect your compute resources (e.g., instances, containers, functions, etc.) from unauthorized activity. This may include detecting any changes to the OS or application files and storing these changes in a durable location to allow for future forensic investigation. The mechanism employed for this purpose must at least:

• Detect any changes to the OS or application files in the compute resources used in the solution.
• Store data recording these changes in a durable location, external to the compute resources.

Applies to: SaaS | Customer Deployed

All cryptographic keys are encrypted at rest and in transit, and access to use the keys is controlled using an AWS solution such as AWS Key Management Service (AWS KMS) or an AWS Partner solution such as HashiCorp Vault.

Applies to: SaaS | Customer Deployed

A purpose-built ticketing system or similar tool is used by the security team to manage and track the ownership and resolution of any reported or detected security issues with the solution. This system should at a minimum track externally or internally reported security concerns about the solution. Additionally, for partner hosted/SaaS solutions, this system should track security operations tasks such as host patching as well as the analysis and remediation of any alerts raised by other detective measures.

This can be the same system used to fulfill OPE-005.

Applies to: SaaS

AWS CloudTrail logs are actively monitored using automated tools (e.g. Amazon GuardDuty) to detect suspicious or anomalous behavior, and alerting is configured to notify security operations staff in the event such behaviors are detected. Alerting must be integrated with the security ticketing system referenced in SECOPS-006.

Applies to: SaaS

Network activity for production VPCs is actively monitored using automated tools (e.g. Amazon GuardDuty) to detect suspicious or anomalous behavior, and alerting is configured to notify security operations staff in the event such behaviors are detected. Alerting must be integrated with the security ticketing system referenced in SECOPS-006.

Applies to: SaaS

The AWS Partner has defined a set of configuration policies for their AWS infrastructure (e.g. all Amazon Elastic Block Store (EBS) volumes must be encrypted), and these policies are enforced or monitored using automated tooling such as AWS Config or other comparable tools. This does not require automated remediation of policy violations, but detected violations must be automatically logged in a centralized ticketing system to ensure they are properly resolved by human operators.

Applies to: SaaS

Automated mechanisms are in place to prevent certificates from expiring unexpectedly.

Applies to: SaaS

Any components that are deployed to infrastructure shared across multiple tenants must model tenant identity in the software layer. The code for the component implements controls to ensure that tenants are isolated from one another and data is not leaked across tenant boundaries.

Applies to: SaaS

Any components which are not explicitly designed to isolate multiple tenants at the software layer are deployed to tenant-specific compute resources in tenant-specific VPCs. (In this context "tenant" refers to tenants of the AWS Partner solution.)

Supporting existing, legacy customers who may already be deployed to shared VPCs is acceptable as long as this model is completely deprecated and all new customers are deployed using a VPC-per-tenant model. There must be multiple active customers in production using the VPC-per-tenant model.

Applies to: SaaS

All single-tenant components must use dedicated IAM roles per tenant. These roles must limit access to only that tenant's resources using Resource and Condition statements within the attached policies.

Evidence must be provided in the form of a description of the roles used per tenant and an example of the IAM policies attached to those roles which provide explicit resource isolation.

Applies to: SaaS | Customer Deployed

The solution uses an official AWS SDK for all calls made to AWS API endpoints, or alternatively the solution implements retries with exponential backoff and jitter for all AWS API calls.

Applies to: SaaS | Customer Deployed

Measures are in place to rate limit calls to AWS APIs in the customer's account in order to prevent API throttling.

Applies to: SaaS | Customer Deployed

The solution uses methods such as ingesting AWS CloudTrail logs, consuming Amazon EventBridge events, or integrating with AWS Config to avoid polling AWS APIs wherever possible.

AWS Partner must describe what AWS resources state the solution tracks (if any), and how that resource state is discovered. In cases where there is no alternative to polling, AWS Partner must provide a detailed description of how they avoid causing API throttling issues.

Applies to: Customer Deployed

All components of the solution that are hosted in the customer's account support the ability for the customer to disable Instance Metadata Service Version 1 (IMDSv1). The solution must support the use of IAM roles associated with Amazon EC2 instances in conjunction with IMDSv2 for getting credentials to make calls to AWS APIs. Legacy support for static IAM access keys must be clearly deprecated.

AWS Partner must provide the specific version of the official AWS SDK used by the latest generally available version of the solution. The version of the AWS SDK in use must have been released after November 20th 2019.

If the solution accesses AWS APIs without using an official AWS SDK, AWS Partner must describe the steps taken to ensure IMDSv2 is supported.

Applies to: SaaS

Network connectivity to the solution must be highly available. If using VPN or Direct Connect to connect to customer networks, the solution must support redundant connections, even if the customers do not always implement this.

Applies to: SaaS

Logs and metrics for each component of the system are actively monitored. Critical metrics and thresholds are defined for each components and alarms are configured to notify operators in the event those thresholds are breached.

Evidence must be provided in the form of a list of the metrics and thresholds defined for each system component and a description of the tools used to surface alarms to operators.

Applies to: SaaS

All log information from the application, and from the AWS infrastructure, must be consolidated into a single system.

Applies to: SaaS

The application and the AWS infrastructure must be monitored centrally, with alarms generated and sent to the appropriate operations staff.

Applies to: SaaS

The solution must use an automated tool such as AWS CloudFormation or Terraform to provision and manage the AWS infrastructure. The AWS Management Console must not be used to make routine changes to the production AWS infrastructure.

Applies to: SaaS | Customer Deployed

Key Performance Indicators (KPIs) that indicate whether the product is performing as expected from the perspective of the customer have been defined. The definition of these KPIs must include how to measure the indicator as well as the acceptable threshold.

For example, p99 roundtrip response latency for API methods X, Y, and Z must be less than 200ms as measured by the TargetResponseTime AWS CloudWatch metric.

Partner must provide a list of KPIs and the defined acceptable thresholds as evidence.

Applies to: SaaS | Customer Deployed

Performance test suites (either automated or manual) are run before major releases or production deployments in order to ensure new versions meet defined performance targets.

Applies to: SaaS

The solution must use an automated method of deploying code and configuration to the AWS infrastructure. Interactive SSH or RDP sessions must not be used to deploy updates in the AWS infrastructure.

Applies to: SaaS

Runbooks must be developed to define the standard procedures used in response to different application and AWS events. An escalation process must be defined to deal with alerts and alarms generated by the system, and to respond to customer-reported incidents. The escalation process must also include escalating to AWS Support where appropriate.

Applies to: SaaS | Customer Deployed

Code is peer reviewed before being released or deployed to production.

Applies to: SaaS | Customer Deployed

Automated functional test suites exist and are automatically run before software is released or deployed to production.

Applies to: SaaS | Customer Deployed

A purpose-built issue tracking tool or set of tools is used to manage product backlogs, feature requests, defects and identified operational issues.

Applies to: SaaS | Customer Deployed

A process is established to track and remediate all customer reported product bugs as well as operational incidents that cause customer impact.