APN Partner Central

Partner Hosted Alternative Foundational Technical Review

Partner Hosted Alternative Validation Checklist

Validity Period: August 2025-February 2026

This version of the checklist was released on August 29th, 2025. The next version of this checklist is expected to be released in February 2026. AWS Partners may continue to use this version of the checklist until May 2026. AWS Partners may submit applications using the previous release (February 2025) until November 27th, 2025. Please review the change log for a list of changes (if any) since the previous version.

Self-assessment Spreadsheet

Introduction

The Foundational Technical Review (FTR) assesses an AWS Partner's solution against a specific set of Amazon Web Services (AWS) best practices around security, performance, and operational processes that are most critical for customer success. Passing the FTR is required to qualify AWS Software Partners for AWS Partner Network (APN) programs such as AWS Competency and AWS Service Ready but any AWS Partner who offers a technology solution may request a FTR review through AWS Partner Central.

The FTR alternative process can be used in two cases:

  1. If you have conducted an System and Organization Control 2 (SOC 2) Type II led by an auditor meeting below conditions:

    • SOC 2 report is currently active
    • The opinion is unqualified
    • AWS is in scope
    • The Partner solution is in scope
    • Security and Availability trust centers are part of SOC 2 audit.

  2. If you have completed an AWS Well-Architected Framework Review (WAFR), you can use it in lieu of a FTR under the following conditions:

    • The WAFR must be conducted by either an AWS employee OR a confirmed AWS Well-Architected Program Partner (WAPP) that can be found in the Partner Solution Finder
    • The review must be completed within the last 12 months
    • The assessment must show no active high-risk issues (HRIs) in: Security pillar, Operational Excellence pillar, Reliability pillar

This checklist is applicable to solutions which are hosted by the Partner on AWS (for example, SaaS solutions). All critical application components must be hosted on AWS. If your solution does not meet these requirements, refer to the Foundational Technical Review Checklist Index . For more information refer to SaaS Marketplace Guidelines

Expectations of parties

AWS Partners must review this document and the FTR guide in detail before submitting an FTR request. If you have questions about this document, contact your Partner Development Representative (PDR) or Partner Development Manager (PDM). AWS reserves the right to make changes to this document at any time.

FTR requests must be submitted using AWS Partner Central. For more information on how to submit a request, AWS Foundational Technical Review and choose Request an FTR.

You can can also request an FTR using alternative manual process. For more information, refer to the FTR guide on AWS Partner Central.

After you submit your Offering for a FTR review through AWS Partner Central, an AWS Partner Solutions Architect (PSA) will review your submitted documents and contact you via email. If the FTR self-assessment is submitted and all requirements are met, your FTR will be approved. If any requirements are not met, an AWS PSA will provide you with a list of remediation steps and guidance on how to complete your FTR. Your FTR will be approved after you implement all the remediations and provide confirmation to the PSA. If you don't remediate all FTR findings and receive FTR approval within six months, then you must submit your offering for a new FTR review which may be subject to additional controls due to changes in the validation checklist over time. In case of renewal, if you don't complete the FTR before the current FTR expiration date, your Offering being reviewed will be de-listed from Partner Solution Finder (PSF).

If you do not have an approved FTR for at least one Offering, then the account will be removed from the Validated+ stage in the AWS Software Path. When you are downgraded in the Software Path, you will lose the benefits of Validated Stage including access to APN Customer Engagements (ACE) and AWS ISV Accelerate programs.

AWS Foundational Technical Review prerequisites

The following items will be verified by AWS before a technical validation is executed.

  1. 1.0Foundational Technical Review Requirements

    1. 1.1Software Path Membership

      AWS Partners must be enrolled in Software Path. AWS Systems Integrator (SI) Partners should talk to their PDR/PDM on how to join the Software Path.

Partner-hosted FTR requirements

The following requirements apply to all Partner-hosted software products and must be met for an FTR to be approved.

Hosting

  • HOST-001 - Confirm your hosting model.

    To qualify for FTR your product must run entirely on AWS. This includes the application and control planes. The application plane can run in the seller's AWS account, the buyer's AWS account, or both. For more information, refer to the Control plane vs. application plane whitepaper. Third-party services used by the product to transmit, store, or process application data must also run entirely on AWS —except for content delivery networks (CDNs), domain name systems (DNSs), and corporate identity providers (IdPs).

    Agents or gateways used by the product for security, monitoring, data replication, or migration can run on buyer-owned environments outside AWS, including on premises, but must send data only to AWS for storage and analysis.

    You must include an architecture diagram for review. For more information, refer to Architecture diagram.

    Listing on Marketplace is not required to complete a FTR.

Support level

  • SUP-001 - Subscribe to the AWS Business Support tier (or higher including AWS Partner-led Support) for all production AWS accounts or have an action plan to handle issues which require help from AWS Support.

    It is recommended that you subscribe to the AWS Business Support tier or higher (including AWS Partner-Led Support) for all of your AWS production accounts. For more information, refer to Compare AWS Support Plans. If you don't have premium support, you must have an action plan to handle issues which require help from AWS Support. AWS Support provides a mix of tools and technology, people, and programs designed to proactively help you optimize performance, lower costs, and innovate faster. AWS Business Support provides additional benefits including access to AWS Trusted Advisor and AWS Personal Health Dashboard and faster response times.

Architecture review

  • WAFR-001 - Conduct periodic architecture reviews (minimum once every year).

    Conduct periodic architecture reviews of your production workload (at least once per year) using a documented architectural standard that includes AWS-specific best practices. If you have an internally defined standard for your AWS workloads, we recommend you use it for these reviews. If you do not have an internal standard, we recommend you use the AWS Well-Architected Framework.

  • WAFR-002 - Review the AWS Shared Responsibility Models for Security and Resiliency.

    Review the AWS Shared Responsibility Model for Security and the AWS Shared Responsibility Model for Resiliency. Ensure that your product’s architecture and operational processes address the customer responsibilities defined in these models. We recommend you to use AWS Resilience Hub to ensure your workload resiliency posture meets your targets and to provide you with operational procedures you may use to address the customer responsibilities.

Architectural and Operational Controls

The following requirements apply to any components hosted and operated by the AWS Partner in their own AWS account.

Cross-account access

  • CAA-001 - Use cross-account roles to access customer AWS accounts.

    Cross-account roles reduce the amount of sensitive information AWS Partners need to store for their customers.

  • CAA-007 - Provide guidance or an automated setup mechanism (for example, an AWS CloudFormation template) for creating cross-account roles with the minimum required privileges.

    The policy created for cross-account access in customer accounts must follow the principle of least privilege. The AWS Partner must provide a role-policy document or an automated setup mechanism (for example, an AWS CloudFormation template) for the customers to use to ensure that the roles are created with minimum required privileges. For more information, refer to the AWS Partner Network (APN) blog posts.

  • CAA-002 - Use an external ID or dedicated issuer URL with cross-account roles to access customer accounts.

    Depending on if you're using the AssumeRole API or AssumeRoleWithWebIdentity API, an external ID (AssumeRole) or dedicated issuer URL (AssumeRoleWithWebIdentity) must be used to access customer accounts. It allows the user that is assuming the role to assert the circumstances in which they are operating. It also provides a way for the account owner to permit the role to be assumed only under specific circumstances. The primary function of the external ID and dedicated issuer URL is to address and prevent the confused deputy problem. To implement the dedicated issuer URL for AssumeRoleWithWebIdentity API, refer to this documentation.

  • CAA-004 - Use a value you generate (not something provided by the customer) for the external ID or dedicated issuer URL.

    When configuring cross-account access using IAM roles, you must use a value you generate for the external ID or dedicated issuer URL, instead of one provided by the customer, to ensure the integrity of the cross-account role configuration. A partner-generated external ID or dedicated issuer URL ensures that malicious parties cannot impersonate a customer's configuration and enforces uniqueness and format consistency across all customers. If you are not generating an external ID or dedicated issuer URL today we recommend implementing a process that generates a random unique value (such as a Universally Unique Identifier) for the external ID or dedicated issuer URL that a customer uses to set up a cross-account role.

  • CAA-005 - Ensure that all external IDs or dedicated issuer URLs are unique.

    The external IDs or dedicated issuer URLs used must be unique across all customers. Re-using external IDs or dedicated issuer URLs for different customers does not solve the confused deputy problem and runs the risk of customer A being able to view data of customer B by using the role ARN and the external ID or dedicated issuer URL of customer B. To resolve this, we recommend implementing a process that ensures a random unique value, such as a Universally Unique Identifier, is generated for the external ID or dedicated issuer URL that a customer would use to setup a cross account role.

  • CAA-006 - Provide read-only access to external ID or dedicated issuer URL to customers.

    Customers must not be able to set or influence external IDs or dedicated issuer URLs. When the external ID or dedicated issuer URL is editable, it is possible for one customer to impersonate the configuration of another. For example, when the external ID or dedicated issuer URL is editable, customer A can create a cross account role setup using customer B’s role ARN and external ID or dedicated issuer URL, granting customer A access to customer B’s data. Remediation of this item involves making the external ID or dedicated issuer URL a view-only field, ensuring that the external ID or dedicated issuer URL cannot be changed to impersonate the setup of another customer.

  • CAA-003 - Deprecate any historical use of customer-provided IAM credentials.

    If your application provides legacy support for the use of static IAM credentials for cross-account access, the application's user interface and customer documentation must make it clear that this method is deprecated. Existing customers should be encouraged to switch to cross-account role based-access, and collection of credentials should be disabled for new customers.

Resources

Changes between previous and current versions
Change Log
FTR Guide
FTR Guide