AWS Foundational Technical Review (FTR) process for ISVs

Cloud202 Limited
Jan 30, 2023


The AWS Foundational Technical Review (FTR) enables AWS Partners to qualify their software products that run on or integrate with AWS. It defines a set of required best practices based on the AWS Well-Architected Framework and standards for evaluating the systems architecture, operational practices, and AWS resource configurations of Partner offerings. AWS recommends that AWS Partners complete an FTR for all software products they sell that run on or integrate with AWS. After completing an FTR, your offering will be listed in the AWS Partner Solutions Finder and you will be able to use AWS badging to promote your product. An FTR is also a prerequisite for many other AWS Partner Network programs such as AWS Competency and AWS Service Ready. An FTR is valid for two years from the date of approval.

What is an FTR?

An FTR’s primary purpose is to ensure that software products offered by AWS Partners have implemented a basic set of architectural, security, and operational best practices. The FTR defines a set of objective criteria based on the AWS Well-Architected Framework. This serves as a gate to ensure the products AWS endorses to customers have appropriate mitigations for the most common risks that impact end customers.

What are the benefits of doing an FTR?

Completing an FTR is one of the primary requirements for Partners to move to the Validated stage within the AWS Partner Network Software Path. After receiving FTR approval, Partners are eligible to go to market with AWS. The FTR is a self-service review that is valuable at any stage of your cloud journey. Partners can use the FTR process to identify and remediate risks for the benefit of their end customers.

How can I conduct FTR?

Step 1: To conduct an FTR, Partners must submit a self-assessment checklist and a security tool report (if applicable). A security report is only required for Partner Hosted solutions, and it can be generated automatically using AWS Security Hub or other tools.

Step 2: Request an FTR. Log in to Partner Central > Build > Offerings > View Details of an existing offering or Create Offering > Validations, then upload the self-assessment checklist and security tool report (if applicable) to request an FTR.

Step 3: Once the FTR is requested, a Partner Solutions Architect will contact you to provide details on the outcome and will work with you to remediate issues to get your offering approved.

Expedited FTR process with automated security assessment against the CIS AWS Foundations Benchmark

You may use any tool that supports the CIS AWS Foundations Benchmark to complete the automated assessment of your AWS environment.

Using your own tooling

If you already have a tool in place that supports this standard, please use it to generate a report following these guidelines:

  1. Include all of your Production AWS accounts and AWS Regions (i.e., any account and Region where customer data is stored or processed) in your report. It is okay to submit multiple files.
  2. Include all of the required controls in your report.
  3. Ensure all required controls are marked as passed before submitting your report.
  4. If possible, use the comma-separated values (CSV) format. AWS will accept other report formats, but it may take longer to process your review.
  5. Only include CIS AWS Foundations Benchmark controls in the report you submit.

Using AWS Security Hub

If you are not using an AWS Partner solution and would like to use AWS Security Hub to generate the required report, please follow these instructions:

  1. Complete all prerequisites for enabling Security Hub. Please note that the prerequisites include enabling AWS Config.
  2. Enable Security Hub with the CIS AWS Foundations Benchmark security standard in each account and AWS Region where you handle customer data. It might take a few hours for Security Hub to complete its security checks. Please note that enabling Security Hub will incur additional costs after the 30-day free trial window as indicated in the Security Hub pricing page.
  3. Once Security Hub completes its security checks, you can view a summary of your findings on the Summary page. Navigate to the ‘Security standards’ section and click on ‘View results’ for CIS AWS Foundations Benchmark. Review this summary against the list of required controls below.
  4. If any of the required controls are marked as failed, follow the remediation instructions in the AWS Security Hub documentation.
  5. Click on the ‘Download’ button located in the top right corner of the enabled controls list to download your Security Hub report in CSV format. You will be submitting this file along with your attestation worksheet. You will need to repeat this process in each account and AWS Region where you handle customer data.

Required CIS AWS Foundations Benchmark Controls

You must pass all of the following controls in order for your FTR to be approved:

  1. CIS 1.1 — Avoid the use of the “root” account
  2. CIS 1.13 — Ensure MFA is enabled for the “root” account
  3. CIS 1.12 — Ensure no root account access key exists
  4. CIS 2.1 — Ensure CloudTrail is enabled in all regions
  5. CIS 2.2 — Ensure CloudTrail log file validation is enabled
  6. CIS 1.2 — Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password
  7. CIS 1.4 — Ensure access keys are rotated every 90 days or less
  8. CIS 1.22 — Ensure IAM policies that allow full “*:*” administrative privileges are not created
  9. CIS 1.5 — Ensure IAM password policy requires at least one uppercase letter
  10. CIS 1.6 — Ensure IAM password policy requires at least one lowercase letter
  11. CIS 1.7 — Ensure IAM password policy requires at least one symbol
  12. CIS 1.8 — Ensure IAM password policy requires at least one number
  13. CIS 1.9 — Ensure IAM password policy requires minimum password length of 14 or greater
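
A pre-submission check for the report guidelines and the required controls listed above, as an added example that is not part of the original article or any AWS tooling. The column names (Account, Region, ControlId, Status), the PASSED status value and the sample rows are assumptions constructed for illustration; map them to whatever your tool's CSV export actually contains.

```python
import csv
import io
import re

# Required controls, using the CIS numbering from the list above.
REQUIRED = {"1.1", "1.2", "1.4", "1.5", "1.6", "1.7", "1.8", "1.9",
            "1.12", "1.13", "1.22", "2.1", "2.2"}

# Accepts the ID spellings "CIS 1.1", "CIS.2.1" and "CIS1.5".
CIS_ID = re.compile(r"^CIS[\s.]*(\d+\.\d+)$", re.IGNORECASE)


def check_report(csv_text):
    """Return a sorted list of problems; an empty list means ready to submit.

    Assumed (hypothetical) columns: Account, Region, ControlId, Status.
    """
    seen = {}       # (account, region) -> {control number: status}
    problems = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        scope = (row["Account"].strip(), row["Region"].strip())
        seen.setdefault(scope, {})
        match = CIS_ID.match(row["ControlId"].strip())
        if not match:
            # Guideline 5: only CIS controls belong in the submitted report.
            problems.append(f"{scope}: non-CIS row {row['ControlId']!r}")
            continue
        seen[scope][match.group(1)] = row["Status"].strip().upper()
    for scope, controls in seen.items():
        for control in REQUIRED:
            status = controls.get(control)
            if status is None:
                problems.append(f"{scope}: CIS {control} missing")      # guideline 2
            elif status != "PASSED":
                problems.append(f"{scope}: CIS {control} is {status}")  # guideline 3
    return sorted(problems)


# Constructed sample: one clean account/Region, one with three defects.
sample_rows = ["Account,Region,ControlId,Status"]
sample_rows += [f"111111111111,eu-west-2,CIS.{c},PASSED" for c in REQUIRED]
sample_rows += [f"222222222222,us-east-1,CIS {c},PASSED"
                for c in REQUIRED - {"1.4", "2.2"}]
sample_rows += ["222222222222,us-east-1,CIS1.4,FAILED",
                "222222222222,us-east-1,EXAMPLE.1,PASSED"]
SAMPLE = "\n".join(sample_rows)

if __name__ == "__main__":
    for line in check_report(SAMPLE):
        print(line)
```

Run it once over the concatenated reports for every production account and Region; the check is per (account, Region) pair, so a control that passes in one Region does not mask a missing or failed result in another.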

Getting Help

If you have issues completing the review or remediating any issues you discovered while conducting your self-assessment and would like to meet with an AWS Partner Solutions Architect (PSA), you can request a review through AWS Partner Central even if you have not yet met all the requirements.

You can also use the Cloud202 AWS FTR offering and get help from experienced Cloud202 architects to prepare and submit your FTR application.

Author: Komal Sharma (Cloud Sales Lead, Cloud202 UK), hello@cloud202.com
