By Ram Dileepan, Principal Solutions Architect at AWS

FTR-1

The AWS Foundational Technical Review (FTR) helps identify and mitigate technical risks in solutions built by AWS ISV Partners.

The FTR focuses on a subset of AWS Well-Architected best practices and defines objective criteria for each requirement. This helps AWS Partners prioritize implementing the controls that are most critical to customer success, and creates a standard bar that can be applied to all partners consistently.

The FTR validates a partner solution against a list of controls defined in a checklist; these checklists differ based on the type of solution, such as Partner Hosted and Customer Deployed, for example. You can find links to all the checklists and more details about the FTR process in the AWS FTR Guide (AWS Partner Central login required).

An approved FTR enables partners to earn a “Reviewed by AWS” solutions badge, unlock funding benefits, and become eligible to participate in various AWS Partner Programs. An FTR is valid for two years from the date of approval.

While the FTR has helped many AWS Partners improve their software products, the previous process requires scheduling a live review call with an AWS Partner Solutions Architect which can be time consuming.

In October 2021, we updated the FTR process for Partner Hosted solutions to make it faster, easier, and more accurate than before. In this post, you will learn how the updated FTR process works, benefits of the new process, and how you can get started.

Overview of Updated FTR Process

The updated process automates part of the Foundational Technical Review for Partner Hosted solutions. For solutions deployed by customers in their own AWS accounts, you will continue to use the existing FTR process.

The new process consists of two parts:

  1. Automated assessment of your AWS account configuration.
  2. Self-assessment of your operational practices.

The automated part of the process uses AWS Security Hub or an equivalent partner solution to validate a partner’s AWS accounts to make sure they follow best practices to protect both them and their customers.

The self-assessment questionnaire gathers information on the rest of the controls. AWS will review both the automated report and questionnaire and approve the FTR if you meet all requirements.

Benefits of Updated FTR

The updated FTR process automates validation of controls where possible, which has the following benefits:

  • Automated validation provides more accurate results compared to error-prone manual validation.
  • Automated validation is quicker than individually validating controls in every AWS account in scope.
  • Automated tools provide a single pane of glass to validate and continuously monitor the compliance with FTR best practices.
  • Automated tools such as AWS Security Hub enable partners to continuously monitor compliance to manage risk on an ongoing basis.

End-to-End Review Process

The end-to-end process for the updated FTR has three primary steps:

  1. Run an automated validation of your AWS accounts.
  2. Complete a self-assessment.
  3. Request an FTR via AWS Partner Central by uploading automated report and self-assessment.

We recommend using AWS Security Hub or a validated AWS cloud management tool to run an automated validation of your AWS accounts. You may also use an AWS Security Competency Partner solution that supports the CIS AWS Foundations Benchmark to complete the automated validation.

nOps is an AWS Partner solution with a dedicated FTR feature that allows you to complete both the automated validation and self-assessment through a single interface. If you’d like to use this tool, please follow the nOps FTR documentation.

Once you complete the automated validation, generate a report for the CIS controls defined in the “ Required CIS AWS Foundations Benchmark Controls” section of the AWS FTR Guide.

To complete the self-assessment, download the questionnaire by clicking on the link on the upper left-hand corner of the checklist for Partner Hosted solutions and complete it.

Please note that if you are using the nOps tool, you’ll complete the self-assessment in the tool so you don’t need to download a separate self-assessment questionnaire.

Detailed steps on how to complete the automated validation and self-assessment can be found in the AWS FTR Guide.

After completing both the automated validation and self-assessment, request an FTR in AWS Partner Central and upload the report from the validation tool and the self-assessment questionnaire.

After you submit your documents, AWS will review them offline and approve your FTR if you have met all the requirements. If there are any issues identified with your submissions, we will provide feedback over email, and you can resubmit your documents after addressing any concerns.

Conclusion

In this post, you learned how the updated AWS Foundational Technical Review (FTR) process works and how to use that process to make your solution stronger.

Please use the updated FTR process to request your Foundational Technical Review in the future. More details on the process can be found in the AWS FTR Guide.

You may also view the nOps demo to learn more about their dedicated FTR feature.

Categories: APN