Customer Deployed Foundational Technical Review

Customer-Deployed Validation Checklist

August 2021 - 2021_q3_v1

Introduction

The Foundational Technical Review ('FTR') assesses an AWS Partner's solution against a specific set of AWS best practices around security, performance, and operational processes that are most critical for customer success. Passing the FTR is required to qualify AWS ISV Partners for APN programs such as AWS Competency and AWS Service Ready, but any AWS Partner who offers a technology solution is eligible to request an FTR review through Partner Central.

This checklist applies to solutions that customers deploy in their own AWS accounts. If your solution is a Partner-hosted solution, please use the checklist for Partner-hosted solutions.

If your solution has an AWS Quick Start (QS) deployment guide which was approved/updated since January 2020, that guide will meet all FTR requirements. Please just provide a link to the QS deployment guide (you don't have to fill out the self-assessment spreadsheet).

Expectations of Parties

AWS Partners must review this document in detail before submitting an AWS Foundational Technical Review request. If items in this document are unclear, AWS Partners should contact their Partner Development Representative (PDR) or Partner Development Manager (PDM). AWS reserves the right to make changes to this document at any time.

The FTR request must be submitted on APN Partner Central. For more information on how to submit a request, please see the "Request an FTR" section on this page. If you need more information, please contact your PDR or PDM.

After submitting a request, an AWS Partner Solutions Architect will reach out with a self-assessment spreadsheet (also available for download at the top of this page) for the Partner to fill out. AWS Partners should prepare for the Technical Validation by reading the Checklist, completing and submitting a self-assessment for the solution, and submitting all relevant objective evidence with the application, including architecture diagrams. An AWS Partner Solutions Architect will review for completeness and for compliance with the requirements.

The PSA approves an FTR if the solution meets all FTR requirements. If the solution has unfulfilled requirements, the Partner can remediate all unfulfilled requirements to complete the FTR. If the FTR is not completed within six months, the Partner must submit a new FTR request and meet all the FTR requirements effective at that time, which may include additional controls.

AWS Foundational Technical Review Prerequisites

AWS Partner must include the solution's architecture diagram in order to pass the FTR requirements.

  1.0 Foundational Technical Review Requirements

    1.1 Architecture Diagram

      Submitted Foundational Technical Review Request must include architecture diagrams.

      • Architecture diagrams must detail how the solution interacts with the AWS Cloud; specifically, what AWS tools and services are used in the solution

      Note: Click here for best practices on how to build an acceptable Architecture Diagram.

    1.2 AWS Support

      The FTR requires AWS Business Support or greater on all production AWS accounts. If you don't have premium support, you must have an action plan to handle issues which require help from AWS Support. 'Production AWS accounts' include accounts operated as part of a managed service, accounts essential to the proper functioning of a SaaS or other 'as a service' offerings, accounts from which customer-facing collateral are distributed (e.g. sharing AMIs), and accounts containing customer data.

Customer Deployed Technical Baseline Requirements

The following requirements apply to AWS Partners' Customer-Deployed Practice.

Introduction

  • INT-001 - Introductory material must contain use cases for the software.

    Please provide the link to deployment guide and specify (page number, section, paragraph etc.) where it describes use cases for the software.

  • INT-002 - Introductory material contains an overview of a typical customer deployment, including lists of all resources that will be set up when the deployment is complete.

    Please provide the link to the deployment guide and specify (page number, section, paragraph etc.) where it describes the intended use of the software.

  • INT-003 - Introductory material contains a description of all deployment options discussed in the user guide (e.g. single-AZ, multi-AZ or multi-region), if applicable.

    Please provide the link to the deployment guide and specify (page number, section, paragraph etc.) where it describes all deployment options.

  • INT-004 - Introductory material contains the expected amount of time to complete the deployment.

    Please provide the link to the deployment guide and specify (page number, section, paragraph etc.) where it describes the expected amount of time it takes to complete deployment.

  • INT-005 - Introductory material contains the regions supported.

    Please provide the link to the deployment guide and specify (page number, section, paragraph etc.) where it lists the regions supported.

Prerequisites and Requirements

  • PRQ-001 - All technical prerequisites and requirements to complete the deployment process are listed (e.g. required OS, database type and storage requirements).

    Please provide the link to the deployment guide and specify (page number, section, paragraph etc.) where it lists all technical prerequisites and requirements needed to complete the deployment process.

  • PRQ-002 - The deployment guide lists all skills or specialized knowledge needed by the user (e.g. familiarity with AWS, specific AWS services, a scripting or programming language).

    Please provide the link to the deployment guide and specify (page number, section, paragraph etc.) where it lists all skills or specialized knowledge that users need.

  • PRQ-003 - The deployment guide lists the environment configuration that is needed for the deployment (e.g. an AWS account, a specific operating system, licensing, DNS).

    Please provide the link to the deployment guide and specify (page number, section, paragraph etc.) where it lists what environment configuration is needed for deployments.

Architecture Diagrams

  • ARCH-001 - Architecture diagram(s) must illustrate all AWS services running and the relationships between them in a typical customer deployment.

    Architecture diagram(s) illustrate standard deployment(s) on AWS.

  • ARCH-004 - Architecture diagram(s) use AWS Simple Icons.

    Architecture diagram(s) use AWS Simple Icons.

  • ARCH-005 - Network diagram(s) demonstrate VPCs, subnets.

    Network diagram(s) demonstrate VPCs, subnets.

  • ARCH-006 - Architecture diagram(s) show integration points, including third party assets/APIs and on-premises/hybrid assets.

    Architecture diagram(s) show integration points, including third party assets/APIs and on-premises/hybrid assets.

Security

  • DSEC-002 - The application does not require the use of root privileges for deployment or operation.

    Please provide the link to the deployment guide and specify (page number, section, paragraph etc.) where it warns customers to not use the root user for any deployment or operations.

  • DSEC-003 - The deployment guide provides prescriptive guidance on following the policy of least privilege for all access granted as part of the deployment.

    Please provide the link to the deployment guide and specify (page number, section, paragraph etc.) where it provides prescriptive guidance on following the principle of least privilege for all access granted as part of the deployment.

  • DSEC-004 - The deployment guide clearly documents any public resources (e.g. Amazon S3 buckets with bucket policies allowing public access).

    Please provide the link to the deployment guide and specify (page number, section, paragraph etc.) where it documents any public resources.

  • DSEC-005 - The deployment guide describes the purpose of each IAM role and IAM policy the user is instructed to create.

    Please provide the link to the deployment guide and specify (page number, section, paragraph etc.) where it describes the purpose of IAM roles/policies the user is instructed to create.

  • DSEC-006 - The deployment guide describes the purpose and location of each key the user is instructed to create.

    Please provide the link to the deployment guide and specify (page number, section, paragraph etc.) where it describes the purpose and location of each key the user is instructed to create.

  • DSEC-007 - The deployment guide provides clear instruction on maintaining any stored secrets such as database credentials stored in AWS Secrets Manager.

    Please provide the link to the deployment guide and specify (page number, section, paragraph etc.) where it provides clear instruction on maintaining any stored secrets when deploying the solution.

  • DSEC-008 - The deployment guide includes details on where customer sensitive data are stored.

    Please provide the link to the deployment guide and specify (page number, section, paragraph etc.) where it describes where sensitive customer data are stored.

  • DSEC-009 - The deployment guide must explain all data encryption configuration (e.g. Amazon S3 server-side encryption, Amazon Elastic Block Store (Amazon EBS) encryption, Linux Unified Key Setup (LUKS), etc.)

    Please provide the link to the deployment guide and specify (page number, section, paragraph etc.) where it explains all data encryption configuration for relevant in-scope services.

  • DSEC-010 - Deployments involving more than a single element (e.g. launching an EC2 node with a partner AMI) include network configuration (e.g. VPCs, subnets, security groups, NACLs, and route tables) in the deployment guide.

    Please provide the link to the deployment guide and specify (page number, section, paragraph etc.) where it contains details on network configurations.

Costs

  • CST-001 - The deployment guide includes a list of billable services and guidance on whether each service is mandatory/optional.

    Please provide the link to the deployment guide and specify (page number, section, paragraph etc.) where it lists billable services and guidance on whether each service is mandatory/optional.

  • CST-002 - The deployment guide includes the cost model and licensing costs.

    Please provide the link to the deployment guide and specify (page number, section, paragraph etc.) where it includes the cost model and licensing costs.

Sizing

  • SIZ-001 - Either provide scripts to provision required resources or provide guidance for type and size selection for resources.

    Please provide the link to the scripts or the deployment guide and specify (page number, section, paragraph etc.) where it provides guidance.

Deployment Assets

  • DAS-001 - The deployment guide provides step-by-step instructions for deploying the workload on AWS as per typical deployment architecture.

    Please provide the link to the deployment guide and specify (page number, section, paragraph etc.) where it provides step-by-step instructions for deploying the workload on AWS as per typical deployment architecture.

  • DAS-004 - The deployment guide contains prescriptive guidance for testing/troubleshooting.

    Please provide the link to the deployment guide and specify (page number, section, paragraph etc.) where it contains prescriptive guidance for testing/troubleshooting.

Health Check

  • HLCH-001 - The deployment guide provides step-by-step instructions for how to assess and monitor the health and proper function of the application.

    Please provide the link to the deployment guide and specify (page number, section, paragraph etc.) where it provides step-by-step instructions for how to assess and monitor the health and proper function of the application.

Backup and Recovery

  • BAR-001 - Identify the data stores and the configurations to be backed up. If any of the data stores are proprietary, provide step-by-step instructions for backup and recovery.

    Please provide the link to the deployment guide and specify (page number, section, paragraph etc.) where it provides details on backup and recovery.

Routine Maintenance

  • RM-001 - The deployment guide provides step-by-step instructions for rotating programmatic system credentials and cryptographic keys.

    Please provide the link to the deployment guide and specify (page number, section, paragraph etc.) where it provides step-by-step instructions for rotating programmatic system credentials and cryptographic keys.

  • RM-002 - The deployment guide provides prescriptive guidance for software patches and upgrades.

    Please provide the link to the deployment guide and specify (page number, section, paragraph etc.) where it provides prescriptive guidance for software patches and upgrades.

  • RM-003 - The deployment guide provides prescriptive guidance on managing licenses.

    Please provide the link to the deployment guide and specify (page number, section, paragraph etc.) where it provides prescriptive guidance on managing licenses.

  • RM-004 - The deployment guide provides prescriptive guidance on managing AWS service limits.

    Please provide the link to the deployment guide and specify (page number, section, paragraph etc.) where it provides prescriptive guidance on managing AWS service limits.

Emergency Maintenance

  • EMER-001 - The deployment guide provides step-by-step instructions on handling fault conditions.

    Please provide the link to the deployment guide and specify (page number, section, paragraph etc.) where it provides step-by-step instructions on handling fault conditions.

  • EMER-002 - The deployment guide provides step-by-step instructions on how to recover the software.

    Please provide the link to the deployment guide and specify (page number, section, paragraph etc.) where it provides step-by-step instructions on how to recover the software.

Support

  • SUP-001 - The deployment guide provides details on how to receive support.

    Please provide the link to the deployment guide and specify (page number, section, paragraph etc.) where it provides details on how to receive support.

  • SUP-002 - The deployment guide provides details on technical support tiers.

    Please provide the link to the deployment guide and specify (page number, section, paragraph etc.) where it provides details on technical support tiers.

  • SUP-003 - The deployment guide provides details on different support tiers and SLAs.

    Please provide the link to the deployment guide and specify (page number, section, paragraph etc.) where it provides details on different support tiers and SLAs.