Amazon RDS

It is critical to delve into customer's requirements on factors like database use case, traffic and anticipated growth to ensure RDS meets organiztional needs of the customer.

Thus, please provide details on the below in your ressponse:

• Initial size of the database.
• Expected yearly growth of the database.
• Number of tables/objects in the database (required for heterogeneous migrations).
• Anticipated number of concurrent requests during peak database usage.
• Database engine used in application (i.e. Amazon Relational Database Service (Amazon RDS) MySQL, Amazon RDS MariaDB etc.)

Understanding the performance and usage of RDS instance based on instance class and storage helps lower total cost of ownership. Additionally using RDS features like read replica can help reduce load on primary instance thus optimizing performance.

Thereby, provide details on how the partner helped customers to take advantage of Amazon RDS Engine features including monitoring performance to optimize costs. You can include the usage of below features:

• Description of application/process changes to utilize different read and write endpoints for Amazon RDS instance.
• Show measurements on the performance of the Amazon RDS instance(s) as well as how to continuously optimize the performance of the instance(s).
• Show how to continually improve their total cost of ownership of the Amazon RDS instance(s).

If the partner is managing the database then they should provide information on how they are accomplishing theabove listed requirement.

If the customer is managing the database then the partner should provide documentation and training material about how to accomplish the above listed requirement.

Password rotation policies, implementing encryption and network access rules makes sure that database is not at risk from malicious users. Additionally, capturing and analyzing database logs can help you prevent and monitor potential security threats to take necessary action.

Provide details on how case studies are demonstrating the usage of Amazon RDS specific security best practices such as listed below:

• How to implement password policies for their database (password strength, rotation policies etc.).
• How to implement secure password storage, retrieval and rotation for human and application access to the database.
• How to capture and analyze available log files for potential security events related to their database.
• Encryption options for data at rest or at column level.
• KMS key policies across various database instances, database instance life cycles (Prod/Non-prod)
• Network configurations such as subnets, security groups and access control lists.
• Notifying customer of Amazon RDS security best practices as described here (if applicable)

If the partner is managing the database then they should provide information on how they are accomplishing the listed requirement.

If the customer is managing the database then the partner should provide documentation and training material about how to accomplish the listed requirement.

Ensuring that you select the right RDS/Aurora instance w.r.t the application requirements avoid any un-necessary hiccups and establishes that RDS would be able to justify the fulfillment of customer's requirement in terms of operations, cost and performance. Thus, provide information on how an appropriate sized Amazon RDS architecture was selected based on the customer's non-AWS architecture or requirements for a new application being developed.

For Existing Architecture provide details on:

• Final Amazon RDS architecture, how it lines up against previous architecture and how it meets or exceeds the current customer implementation in regards to cost, operations, and performance.

For a New Application provide details on:

• Requirements for the new application and what the database needs were. Details should include: availability needs, regional or multi-regional access needs, transactions per second, database initial size, and expected growth rate of the size of the database.
• Final Amazon RDS architecture and details on how the final architecture lines up with the application requirements.

In case of disaster/AZ failure it is critical to have cross region/regional read replica or Multi-AZ architecture in place to avoid un-necessary downtime to the business. That said, details on approach, implementation and customer acceptance testing make sure that the architecture can withstand any sudden failures.

Thus, provide description of the approach, implementation, and customer acceptance testing on at least ONE of the below use cases for each case study:

• Cross-regional replication or another cross-regional DR setup.
• Use of a primary instance and one or more read replicas with the primary fail-over read replica located in a different availability zone from the primary instance.
• Use of AutoScaling for Read Replicas or other automated re-sizing architectures.
• A migration to Amazon RDS from a different database.

Storing sensitive data in the RDS database comes with additional controls in place to ensure that the data is not compromised because of attacks like DDOS, SQL Injection etc.

Please describe the following:

• A documented process to identify and classify sensitive data stored inside the database and how it is protected
• KMS key policies across various database instances, database instance life cycles (Prod/Non-prod)

Inorder to perform testing incase of upgrades etc there might be a need to create dev/test environment for RDS. It is recommended that these environments aree segregated based on network, IAM, data and database access.

Describe how the partner helps the customers on managing non-production environment in form of:

• Process documentation and/or automation scripts on how the non-production environments are created and managed.
• Process documentation on segregating access to production and non-production environments at various levels – Network, IAM access and Database access
• (If applicable) procedures to de-sanitize the sensitive data when creating non-production environments

Before migration to AWS RDS, we suggest you to finalize a particular engine based on customer’s business and technical needs, not on what’s new or popular. Further, having a fallback plan in case the migration does not go as planned avoids any un-necessary downtime to the business.

If a customer reference is a migration project please provide following details

• Source database type (e.g. Oracle, MS SQL etc.)
• Target database type (e.g. RDS MYSQL, RDS Postgres, etc.)

Along with above information, describe the following:

• Decision matrix around target database environment selection (Homogeneous RDS engine; Heterogeneous engine (RDS / Aurora) )
• Assessment report on current environment in terms of compatibility (SCT analysis/ similar compatibility analysis)
• Documented cutover plan and fall back plan for production environment

It is critical to have clearly defined the RTO, RPO, backup retention and availability/uptime SLA to recover incase of a disaster.Describe

Describe how customer has analyzed customer’s Availability, Scalability and Disaster Recovery requirements and achieved/implemented the same on target RDS based architecture. Include the following in your response:

• Documented evidence of current systems requirements – RTO, RPO, Backup retention policy and High availability requirements
• Target architecture meeting the above guidelines and documentation shared with customer detailing the same
• Implementation of best practices around DNS management, End point management, automation at application layer etc.. to align with availability guidelines
• Detailed backup policy and communication around cost estimates for backups
• Standard operating procedure / guidelines to follow during Disaster recovery scenario including specific monitoring in place to detect a failure and alarm
• (Optionally) automation to identify and mitigate common types of failure scenarios

AWS Partner must submit architecture diagrams depicting the overall design and deployment of its AWS Partner solution on AWS as well as any other relevant details of the solution for the specific customer in question.

The submitted diagrams are intended to provide context to the AWS Solutions Architect conducting the Technical Validation. It is critical to provide clear diagrams with an appropriate level of detail that enable the AWS Solutions Architect to validate the other requirements listed below.

Each architecture diagram must show:

• All of the AWS services used
• How the AWS services are deployed, including virtual private clouds (VPCs), availability zones, subnets, and connections to systems outside of AWS.
• Elements deployed outside of AWS, e.g. on-premises components, or hardware devices.
• how design scales automatically - Solution adapts to changes in demand. The architecture uses services that automatically scale such as Amazon S3, Amazon CloudFront, AWS Auto Scaling, and AWS Lambda.
• how design has high availability with multi-AZ or multi-region deployment. When intentional tradeoffs have been made (e.g. to optimize cost in favor of high availability), please explain the customer's requirements.

Please provide the following as evidence (required for all provided customer examples):

• An architecture diagram depicting the overall design and deployment of your solution on AWS.
• Explanation of how the major solutions elements will keep running in case of failure.
• Description of how the major solutions elements scale up automatically.

AWS expects all Services Partners to be prepared to create AWS accounts and implement basic security best practices. Even if most of your customer engagements do not require this, you should be prepared in the event you work with a customer who needs you to create new accounts for them.

Establish internal processes regarding how to create AWS accounts on behalf of customers when needed, including:

• When to use root account for workload activities
• Enable MFA on root
• Set the contact information to corporate email address or phone number
• Enable CloudTrail logs in all regions and protect CloudTrail logs from accidental deletion with a dedicated S3 bucket

Please provide the following as evidence:

• Documents describing Security engagement SOPs which met all the 4 criteria defined above. Acceptable evidence types are security training documents, internal wikis, or standard operating procedures documents.
• Description of how Secure AWS Account Governance is implemented in one (1) of the submitted customer examples.

Define standard approach to access customer-owned AWS accounts, including:

• Both AWS Management Console access and programmatic access using the AWS Command Line Interface or other custom tools.
• When and how to use temporary credentials such as IAM roles
• Leverage customer's existing enterprise user identities and their credentials to access AWS services through Identity Federation or migrating to AWS Managed Active Directory

Establish best practices around AWS Identity and Access Management (IAM) and other identity and access management systems, including:

• IAM principals are only granted the minimum privileges necessary. Wildcards in Action and Resource elements should be avoided as much as possible.
• Every AWS Partner individual who accesses an AWS account must do so using dedicated credentials

Please provide the following as evidence:

• Security engagement Standard Operation Procedure (SOP) which met all the 2 criteria defined above. Acceptable evidence types are security training documents, internal wikis, standard operating procedures documents. Written descriptions in the self-assessment excel is not acceptable.
• Description of how IAM best practices are implemented in one (1) of the submitted customer examples.

AWS Partner has defined metrics for determining the health of each component of the workload and provided the customer with guidance on how to detect operational events based on these metrics.

Establish the capability to run, monitor and improve operational procedure by:

• Defining, collecting and analyzing workload health metrics w/AWS services or 3rd Party tool
• Exporting standard application logs that capture errors and aid in troubleshooting and response to operational events.
• Defining threshold of operational metrics to generate alert for any issues

Please provide the following as evidence:

• Standardized documents or guidance on how to develop customer workload health KPIs with the three components above
• Description of how workload health KPIs are implemented in (1) of the submitted customer examples.

Create a runbook to document routine activities and guide issue resolution process with a list of operational tasks and troubleshooting scenarios covered that specifically addresses the KPI metrics defined in OPE-001.

Please provide the following as evidence:

• Standardized documents or runbook met the criteria defined above.

Deployments are tested or otherwise validated before being applied to the production environment. For example, DevOps pipelines used for the project for provisioning resources or releasing software and applications.

Use a consistent approach to deploy to customers including:

• A well-defined testing process before launching in production environment
• Automated testing components

Please provide the following as evidence:

• A deployment checklist example or written descriptions met all the criteria defined above.

Establish internal processes regarding how to secure traffic within VPC, including:

• Security Groups to restrict traffic between Internet and Amazon VPC
• Security Groups to restrict traffic within the Amazon VPC
• Network ACL to restrict inbound and outbound traffic
• Other AWS security services to protect network security

Please provide the following as evidence:

• Written descriptions/documents on network security best practices met the criteria defined above.
• Description of how network security is implementation in one (1) of the submitted customer examples.

Establish internal processes regarding a data encryption policy used across all customer projects

• Summary of any endpoints exposed to the Internet and how traffic is encrypted
• Summary of processes that make requests to external endpoints over the Internet and how traffic is encrypted
• Enforcing encryption at rest. By default, you should enable the native encryption features in an AWS service that stores data unless there is a reason not to.

All cryptographic keys are stored and managed using a dedicated key management solution

Please provide the following as evidence:

• Data encryption and key management policy met the criteria defined above.
• Description of how data encryption is implementation in one (1) of the submitted customer examples.

Changes to infrastructure are automated for customer implementation

• Tools like AWS CloudFormation, the AWS CLI, or other scripting tools were used for automation.
• Changes to the production environment were not done using the AWS Management Console.

Please provide the following as evidence:

• Written description of deployment automation and an example template (e.g., CloudFormation templates, architecture diagram for CI/CD pipeline) met the criteria defined above.

Incorporate resilience discussion and advise an RTO & PRO target when engaging with customer. Customer acceptance and adoption on RTO/RPO is not required.

• Establish a process to establish workload resilience including:
• RTO & RPO target
• Explanation of the recovery process for the core components of the architecture
• Customer awareness and communication on this topic

Please provide the following as evidence:

• Descriptions or documents on workload resilience guidance met the three criteria defined above
• Description of how resilience is implementation in one (1) of the submitted customer examples including reasons for exception when RTO&RPO is not defined

Determine solution costs using right sizing and right pricing for both technical and business justification.

Conducted TCO analysis or other form of cost modelling to provide the customer with an understanding of the ongoing costs including all the following 3 areas:

• Description of the inputs used to estimate the cost of the solution
• Summary of the estimates or cost model provided to the customer before implementation
• Business value analysis or value stream mapping of AWS solution

Please provide the following as evidence:

• Description of how to develop cost analysis or modeling with the critical components defined above
• Cost analysis example in one (1) of the submitted customer examples. Acceptable evidence types are price calculator link, reports or presentations on business values analysis