Customer-Deployed Foundational Technical Review

Customer-Deployed Validation Checklist

March 2022 - 2022_q1_v1

Introduction

The Foundational Technical Review (FTR) assesses an AWS Partner's solution against a specific set of Amazon Web Services (AWS) best practices around security, performance, and operational processes that are most critical for customer success. Passing the FTR is required to qualify AWS Partners for AWS Partner Network (APN) programs such as AWS Competency and AWS Service Ready, but any AWS Partner who offers a technology solution may request an FTR review through AWS Partner Central.

This checklist is for solutions deployed by customers in their own AWS accounts. If your solution is a Partner-hosted solution, use the Partner Hosted Validation Checklist.

AWS Partner Solution (formerly Quick Starts) guides published or updated January 2020 or later meet FTR checklist requirements. If your solution has an AWS Partner Solution deployment guide published or updated January 2020 or later, you can complete the shorter AWS Partner Solutions Checklist.

If your solution is a container- or Amazon Machine Image (AMI)-based solution listed on AWS Marketplace, you can complete the shorter AWS Marketplace AMI and Container Based Solutions Validation Checklist.

Expectations of parties

You must review this document in detail before submitting an FTR request. If you have questions about this document, contact your Partner Development Representative (PDR) or Partner Development Manager (PDM). AWS reserves the right to make changes to this document at any time.

FTR requests must be submitted using AWS Partner Central. For more information on how to submit a request, visit AWS Foundational Technical Review and choose Request an FTR.

You can also request an FTR using an alternative manual process. For more information, refer to the FTR guide on AWS Partner Central.

After submitting a request, an AWS partner solutions architect (PSA) will review your request and reach out to you if additional information is required. You have up to six months to address issues with your solution if it does not fulfill all of the FTR requirements for approval. If your FTR is not complete within six months, you must submit a new FTR request and meet the FTR requirements then in effect—which may include additional controls.

AWS Foundational Technical Review Prerequisites

The AWS Partner must include the solution's architecture diagram in order to pass the FTR requirements.

  1. 1.0 Foundational Technical Review Requirements

    1. 1.1 Architecture diagram

      The submitted Foundational Technical Review request must include architecture diagrams.

      • Architecture diagrams must detail how the solution interacts with the AWS Cloud; specifically, what AWS tools and services are used in the solution.

      Note: For more information, refer to How to Build an AWS Architecture Diagram.

    2. 1.2 AWS Support

      The FTR requires AWS Business Support tier (or higher) for all production AWS accounts or an action plan to handle issues which require help from AWS Support. Production AWS accounts include accounts operated as part of a managed service, accounts essential to the proper functioning of a SaaS or other 'as a service' offerings, accounts from which customer-facing collateral such as AMIs are distributed, and accounts containing customer data. For more information, refer to Compare AWS Support Plans.

Customer Deployed FTR Requirements

The following requirements apply to AWS Partner customer-deployed solutions.

Introduction

  • INT-001 - Introductory material must contain use cases for the software.

    Provide a link to deployment guide and indicate the page number, section title, and paragraph where it describes use cases for the solution.

  • INT-002 - Introductory material contains an overview of a typical customer deployment, including lists of all resources that are set up when the deployment is complete.

    Provide a link to deployment guide and indicate the page number, section title, and paragraph where it provides an overview of the intended use of the solution.

  • INT-003 - Introductory material contains a description of all deployment options discussed in the user guide (e.g. single-AZ, multi-AZ or multi-region), if applicable.

    Provide a link to deployment guide and indicate the page number, section title, and paragraph where it describes the deployment options.

  • INT-004 - Introductory material contains the expected amount of time to complete the deployment.

    Provide a link to deployment guide and indicate the page number, section title, and paragraph where it states the estimated time to deploy.

  • INT-005 - Introductory material contains the regions supported.

    Provide a link to deployment guide and indicate the page number, section title, and paragraph where it lists supported AWS Regions.

Prerequisites and Requirements

  • PRQ-001 - All technical prerequisites and requirements to complete the deployment process are listed (e.g. required OS, database type and storage requirements).

    Provide a link to deployment guide and indicate the page number, section title, and paragraph where it lists the technical requirements.

  • PRQ-002 - The deployment guide lists all prerequisite skills or specialized knowledge (for example, familiarity with AWS, specific AWS services, or a scripting or programming language).

    Provide a link to deployment guide and indicate the page number, section title, and paragraph where it lists the skills or specialized knowledge required to deploy the solution.

  • PRQ-003 - The deployment guide lists the environment configuration that is needed for the deployment (e.g. an AWS account, a specific operating system, licensing, DNS).

    Provide a link to deployment guide and indicate the page number, section title, and paragraph where it describes the environment-configuration requirements.

Architecture Diagrams

  • ARCH-001 - Architecture diagrams must include all AWS services and resources deployed by the solution and illustrate how the services and resources connect with each other in a typical customer environment.

    Architecture diagrams illustrate a standard deployment on AWS.

  • ARCH-004 - Architecture diagrams use official AWS Architecture Icons.

    Architecture diagrams use official AWS Architecture Icons. For more information, refer to AWS Architecture Icons.

  • ARCH-005 - Network diagrams demonstrate virtual private clouds (VPCs) and subnets.

    Network diagrams demonstrate VPCs and subnets.

  • ARCH-006 - Architecture diagrams show integration points, including third-party assets/APIs and on-premises/hybrid assets.

    Architecture diagrams show integration points, including third-party assets/APIs and on-premises/hybrid assets.

Security

  • DSEC-002 - The application does not require the use of AWS account root privileges for deployment or operation.

    Provide a link to deployment guide and indicate the page number, section title, and paragraph where it warns customers to not use the AWS account root user for any deployment or operations.

  • DSEC-003 - The deployment guide provides prescriptive guidance on following the policy of least privilege for all access granted as part of the deployment.

    Provide a link to deployment guide and indicate the page number, section title, and paragraph where it provides prescriptive guidance on following the principle of least privilege for all access granted as part of the deployment.

  • DSEC-004 - The deployment guide clearly documents any public resources (e.g. Amazon S3 buckets with bucket policies allowing public access).

    Provide a link to deployment guide and indicate the page number, section title, and paragraph where it documents any public resources.

  • DSEC-005 - The deployment guide describes the purpose of each AWS Identity and Access Management (IAM) role and IAM policy the user is instructed to create.

    Provide a link to deployment guide and indicate the page number, section title, and paragraph where it describes the purpose of IAM roles/policies the user is instructed to create.

  • DSEC-006 - The deployment guide describes the purpose and location of each key the user is instructed to create.

    Provide a link to deployment guide and indicate the page number, section title, and paragraph where it describes the purpose and location of each key the user is instructed to create.

  • DSEC-007 - The deployment guide provides clear instruction on maintaining any stored secrets such as database credentials stored in AWS Secrets Manager.

    Provide a link to deployment guide and indicate the page number, section title, and paragraph where it provides clear instructions on maintaining any stored secrets when deploying the solution.

  • DSEC-008 - The deployment guide includes details on where customer sensitive data are stored.

    Provide a link to deployment guide and indicate the page number, section title, and paragraph where it describes where sensitive customer data are stored.

  • DSEC-009 - The deployment guide must explain all data encryption configuration (for example, Amazon Simple Storage Service (Amazon S3) server-side encryption, Amazon Elastic Block Store (Amazon EBS) encryption, and Linux Unified Key Setup (LUKS)).

    Provide a link to deployment guide and indicate the page number, section title, and paragraph where it explains all data encryption configuration for relevant in-scope services.

  • DSEC-010 - For deployments involving more than a single element, include network configuration (for example, VPCs, subnets, security groups, network access control lists (network ACLs), and route tables) in the deployment guide.

    Provide a link to deployment guide and indicate the page number, section title, and paragraph where it contains details on network configurations.

  • DSEC-011 - The solution must support the ability for the customer to disable Instance Metadata Service Version 1 (IMDSv1).

    All components of the solution that are hosted in the customer's account support the ability for the customer to disable Instance Metadata Service Version 1 (IMDSv1). If your product makes calls to AWS APIs, you should ensure you are using the latest version of the AWS SDK. Current SDK versions use IMDSv2 automatically and ensure that your product meets this requirement.
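
One way to check DSEC-011 in a deployed account, as an added example that is not part of the AWS checklist: classify each instance in `aws ec2 describe-instances` output by its `MetadataOptions` and list those that still accept IMDSv1. The sample JSON and instance IDs are constructed, and the function names are hypothetical.

```python
import json

# Constructed sample shaped like `aws ec2 describe-instances` output (not real data).
SAMPLE = json.loads("""
{"Reservations": [{"Instances": [
  {"InstanceId": "i-0aaa0000000000001",
   "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"}},
  {"InstanceId": "i-0aaa0000000000002",
   "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required"}},
  {"InstanceId": "i-0aaa0000000000003",
   "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional"}},
  {"InstanceId": "i-0aaa0000000000004"}
]}]}
""")


def imds_status(instance):
    """Classify one instance's metadata-service configuration."""
    opts = instance.get("MetadataOptions") or {}
    if opts.get("HttpEndpoint") == "disabled":
        return "imds-disabled"      # metadata service is switched off entirely
    if opts.get("HttpTokens") == "required":
        return "imdsv2-only"        # session token mandatory, IMDSv1 rejected
    # "optional" or a missing field: assume IMDSv1 requests are still accepted
    return "imdsv1-allowed"


def audit(describe_output):
    """Return {instance_id: status} for every instance in the response."""
    result = {}
    for reservation in describe_output.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            result[inst["InstanceId"]] = imds_status(inst)
    return result


def noncompliant(describe_output):
    """Instance IDs on which IMDSv1 has not been disabled."""
    return sorted(i for i, s in audit(describe_output).items()
                  if s == "imdsv1-allowed")


if __name__ == "__main__":
    for iid, status in audit(SAMPLE).items():
        print(iid, status)
```

If the solution keeps working after every listed instance is switched to `HttpTokens: required`, its components do not depend on IMDSv1.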

Costs

  • CST-001 - The deployment guide includes a list of billable services and guidance on whether each service is mandatory or optional.

    Provide a link to deployment guide and indicate the page number, section title, and paragraph where it lists billable services and guidance on whether each service is mandatory or optional.

  • CST-002 - The deployment guide includes the cost model and licensing costs.

    Provide a link to deployment guide and indicate the page number, section title, and paragraph where it includes the cost model and licensing costs.

Sizing

  • SIZ-001 - Either provide scripts to provision required resources or provide guidance for type and size selection for resources.

    Provide a link to deployment guide and indicate the page number, section title, and paragraph where it provides guidance.

Deployment Assets

  • DAS-001 - The deployment guide provides step-by-step instructions for deploying the workload on AWS according to the typical deployment architecture.

    Provide a link to deployment guide and indicate the page number, section title, and paragraph where it provides step-by-step instructions for deploying the workload on AWS according to the typical deployment architecture.

  • DAS-004 - The deployment guide contains prescriptive guidance for testing and troubleshooting.

    Provide a link to deployment guide and indicate the page number, section title, and paragraph where it contains prescriptive guidance for testing and troubleshooting.

Health Check

  • HLCH-001 - The deployment guide provides step-by-step instructions for how to assess and monitor the health and proper function of the application.

    Provide a link to deployment guide and indicate the page number, section title, and paragraph where it provides step-by-step instructions for how to assess and monitor the health and proper function of the application.

Backup and Recovery

  • BAR-001 - Identify the data stores and the configurations to be backed up. If any of the data stores are proprietary, provide step-by-step instructions for backup and recovery.

    Provide a link to deployment guide and indicate the page number, section title, and paragraph where it provides details on backup and recovery.

Routine Maintenance

  • RM-001 - The deployment guide provides step-by-step instructions for rotating programmatic system credentials and cryptographic keys.

    Provide a link to deployment guide and indicate the page number, section title, and paragraph where it provides step-by-step instructions for rotating programmatic system credentials and cryptographic keys.

  • RM-002 - The deployment guide provides prescriptive guidance for software patches and upgrades.

    Provide a link to deployment guide and indicate the page number, section title, and paragraph where it provides prescriptive guidance for software patches and upgrades.

  • RM-003 - The deployment guide provides prescriptive guidance on managing licenses.

    Provide a link to deployment guide and indicate the page number, section title, and paragraph where it provides prescriptive guidance on managing licenses.

  • RM-004 - The deployment guide provides prescriptive guidance on managing AWS service limits.

    Provide a link to deployment guide and indicate the page number, section title, and paragraph where it provides prescriptive guidance on managing AWS service limits.

Emergency Maintenance

  • EMER-001 - The deployment guide provides step-by-step instructions on handling fault conditions.

    Provide a link to deployment guide and indicate the page number, section title, and paragraph where it provides step-by-step instructions on handling fault conditions.

  • EMER-002 - The deployment guide provides step-by-step instructions on how to recover the software.

    Provide a link to deployment guide and indicate the page number, section title, and paragraph where it provides step-by-step instructions on how to recover the software.

Support

  • SUP-001 - The deployment guide provides details on how to receive support.

    Provide a link to deployment guide and indicate the page number, section title, and paragraph where it provides details on how to receive support.

  • SUP-002 - The deployment guide provides details on technical support tiers.

    Provide a link to deployment guide and indicate the page number, section title, and paragraph where it provides details on technical support tiers.

  • SUP-003 - The deployment guide provides details on different support tiers and Service Level Agreements (SLAs).

    Provide a link to deployment guide and indicate the page number, section title, and paragraph where it provides details on different support tiers and SLAs.