Service Offering Foundational Technical Review Calibration Guide

Table of Contents
Introduction
DEF-001 - define the core of service offering (what, who, and how)
PROJ-001 - Define a customer engagement project plan template
TECH-001 - Identify relevant AWS technical expertise for the service offering
RISK-004 - Identify and mitigate risks associated with the service offering
SEC-001 - Secure AWS accounts governance
SEC-002 - Secure access to customer-owned AWS accounts
SAAS-001 - SaaS components pass a software AWS Foundational Technical Review (FTR).
CUS-001- Implement a process to collect customer feedback
Resources
Notices
Appendix A- Project Plan Template Example
Appendix B- Project Plan Template Autoverse Example

Introduction
This technical calibration guide is developed for AWS partners who have applied for,
or are interested in, the Amazon Web Services (AWS) Foundational Technical Review
(FTR) for Service Offerings. This guide covers all 8 controls in the “FTR for Service
Offering Requirements” checklist.

The calibration guide is organized as a set of FAQs for each control. It clarifies the
expected level of detail of the requested evidence and improves application
quality. It helps partners reduce application cycle time and achieve FTR validation and
consulting offer listing with AWS faster. Additionally, partners can adopt the best
practices in this technical guide to improve their AWS service offerings.

Each control has the following FAQs:

What are the criteria for passing this control?


This section discusses what level of information is needed to pass a particular control.
It clarifies the requirement so that partners can self-assess when collecting artifacts.

Why is this important?


This section explains why a particular control is essential from a customer success or
AWS Well-Architected perspective.

How can you implement this?


This section discusses how to implement the specific control using AWS services. It
provides step-by-step guidance and different options for partners to adopt AWS
recommended best practices.

What are good example responses?


This section provides good response examples that meet the control and displays the
level of depth and expertise required in the assessment.

What are unacceptable responses?


This section is composed of response examples not meeting the requirement of the
control.

DEF-001 - define the core of service offering (what, who, and how)

Requirement

This is the foundation of your service offering. It must provide customers with details
of your technical capabilities and experience on the service offering to make an
informed decision. Provide an offering URL listed in Partner Central which contains
the following information:

• Service details including reference architecture diagram if applicable, use cases
and AWS value proposition
• Characteristics and profiles of target customers
• Customer engagement and delivery mechanism

Criteria for Passing

• Provide a public landing page that describes your offer specifics related to
AWS
• Partner website, AWS Marketplace listing, or any other publicly accessible link
qualifies

Why is this important?

It provides a clear value proposition and technical expertise so that customers can
assess whether this fits their use case.

How can you implement this?

You can create a page that is publicly accessible from your homepage and highlights
the specific practice, solutions on AWS, or AWS services leveraged by the offer. You
should consider including a customer reference if applicable.

As an alternative, you can leverage AWS Marketplace and use the listing URL for
Professional Service Products.

To create a reference architecture diagram, you can use a tool such as draw.io or other
tools of your choice and import the AWS service and product list from our toolkits. It’s
important that the diagrams indicate the primary AWS native services and demonstrate
the major networking components and how components communicate with users over
the internet.

Additional Resources
How to Build an Architecture Diagram

Good Example Response

• Service Offering Details example (From tecRacer): This consulting offering
enables EKS clusters to use multi-AZ block storage based on Amazon FSx for
NetApp ONTAP - including capabilities like fast cloning, storage deduplication,
and synchronization with classical NetApp on-premises storage.
• Target customer profile example: Any Company targeted customer profile
includes (1) customers who have e-commerce platforms who are looking to
enhance consumer’s shopping experiences (2) entrepreneurs who are looking
to launch a digital customer experience platform (3) physical retail stores who
are looking to take business online.
• Customer engagement and delivery mechanism example: This is a consulting
offer by Any Company. Once we have identified client needs in the first or
second client call, we issue a Statement of Work (SoW) with a timeline. This
SoW will be submitted to client (for approval of the overall approach) and to
AWS (e.g. to the AWS APN funding portal).

Unacceptable/Insufficient Information

A response is unacceptable or doesn’t have sufficient information when:

• Partner doesn't have a public URL for the listed offer
• Public link doesn’t indicate AWS relevance
• Response doesn't have all three components - who, what & how.
• No architecture diagram is included for an offer that involves hands-on
implementation

PROJ-001 - Define a customer engagement project plan template

Requirement

A project plan with an end-to-end engagement process (for example,
scope-define-implement-deliver-conclude) is critical to align customer expectations.
The Partner provides a project plan template with the following components:

• Definition of statement of work, project deliverables and expected timeline
• Representative project implementation phases, with roles and responsibilities and
staff allocation (project management, technical consultants) for each phase
• Process of how & when handover to customers occurs

Criteria for Passing
Criteria for Passing


The Partner provides a stand-alone project plan template that describes the offer
specifics related to AWS.

Why is this important?


A standard project plan template is essential for consulting offers to ensure
consistency, efficiency, communication, quality, and risk management. It provides a
clear framework for executing projects and ensures that all team members are aligned
on the project goals and objectives.

How can you implement this?

The Partner provides a project plan template document that includes the following
aspects of a standard project plan:

Executive Summary

Provide a high-level overview of the project. Briefly describe the customer's business
goals and technical requirements, and how the partner's deliverables help the customer
achieve those.

Scope of Work

Provide a list of items and activities as scope of the work expected to be
accomplished by the AWS Service Partner.

Summary of milestones and deliverables

Provide project milestones with timeline and respective deliverables per stage.

Project sponsor(s) / Stakeholder(s) / Project team

Identify and list the customer’s Executive Sponsor and Project Stakeholders as well as
Partners’ Project team.

Solution Architecture/Architecture Diagrams

If your offering includes solution architecture, provide an architecture diagram with a
description of the proposed high-level technical architecture. Proposed Architecture
should follow AWS Well-Architected Framework best practices.

Handover Process and customer sign off

Provide a description of the handover readiness check and the customer's routine
operations after the engagement.

Good Example Response

See Appendix A for a project plan template example and Appendix B for an example from
the Autoverse Database Refactor and Migration offer. Each component of the project plan
described in this requirement has relevant details related to the specific offer.

Additionally, see below for some example project plan components related to
building an Amazon QuickSight dashboard as a digital customer experience offer.

• Project Deliverables:
o Fully enabled technical solution package capable of integrating different
platforms with timeline X
o Data visualization dashboard for reporting and analytical capability
using Amazon QuickSight with timeline X
• Roles:
o Project Manager – Oversee projects and work, involved throughout the
project
o UI/UX engineer – Implements platform and creates customizations,
involved with phase 2 implementation
o Digital Experience SME – Understand client needs and guide UI/UX
engineers, involved during phase 1 and phase 2
o Analyst – Communicate with the project team and customer, involved
throughout the project

Unacceptable/Insufficient Information

An over-simplified answer is not acceptable because it lacks key information about
project implementation processes; such an offer is not packaged for consistent customer
onboarding. For example:

• XXX discuss with customer for custom YYY operation sizing considering budget
constraints.
• XXX implements the following process
=> Define customer requirement
=> Set up YYY application and optimize with resource management
=> Hand over to customer when project is completed

TECH-001 - Identify relevant AWS technical expertise for the service offering

Requirement

You should have a process to identify the right AWS expertise and ensure that there
are sufficient trained personnel to effectively support customers. Provide written
descriptions on:

• Details of AWS expertise needed for the specific service offering (for example
AWS service names, domain knowledge or industry use cases)
• Required credentials, certifications and trainings for customer facing
consultant

Criteria for Passing

• Describe all 3 components – technical expertise, credentials and training
related to the specific offer.

Why is this important?

This ensures that the Partner possesses the right AWS expertise and has sufficient
trained personnel to effectively support customers.

How can you implement this?

You can first identify the AWS services expertise and industry domain knowledge
required for the offer. Next, you can develop onboarding and training plans for your
consultants for consistent customer engagement.

For building well-architected workloads with AWS services, you can incorporate AWS
Well-Architected Labs. Additionally, AWS Partner Training and Certification provides
some free training through self-paced digital courses on AWS fundamentals. You can
also register for instructor-led training to further support the development of your
teams’ AWS skills.

Additional Resources

• AWS Getting Started Resource Center
• AWS Blogs
• AWS Online Tech Talks
• AWS Events and Webinars

Good Example Response

The offer is based on AWS Data & Analytics Competency in the Media industry. The
solution requires AWS Data & Analytics services expertise combined with industry
know-how.

• Technical Expertise
o AWS Services Expertise: S3, Amplify, QuickSight, IAM, DynamoDB, EMR,
Kinesis, Lambda, API Gateway, Personalize, SageMaker
o Domain/Industry Expertise: Media & Entertainment; Advertising &
Marketing Technologies, AWS Data & Analytics Competency
• Required Credentials: AWS Data & Analytics - Specialty Certifications, AWS
Solutions Architect – Professional
• Trainings: AdTech Domain training, a training path that includes a minimum of X
courses from different learning platforms like AWS, Cloudguru and
Cloudacademy within Y months.

Unacceptable/Insufficient Information

• Simply states that credentials or certs are required without listing any details
• No AWS Specialist certifications listed for the relevant offer (for example, no
AWS security specialty certification for an offer related to AWS security
assessment)

RISK-004 - Identify and mitigate risks associated with the service offering

Requirement

You must have a process to identify and mitigate potential risk exposure to
customers. For example, you can use the AWS Well-Architected Framework to review and
identify risks in your AWS workload. You must provide written descriptions of:

• Identified high-risk areas (compliance, technical limitations, 3rd party
resources) related to the AWS service offering
• Mitigation considerations for each identified risk

Criteria for Passing

Provide detailed descriptions of risk identification and mitigation.

Why is this important?

Established risk mitigation procedures help to minimize risks and reduce the impact
on customers.

How can you implement this?

You can use the AWS Well-Architected Framework to review and identify risks in AWS
workloads.

For customer industry workloads with compliance requirements such as NIST, PCI DSS, or
HIPAA, consider building risk management and compliance capabilities such as
tagging, log storage, data de-identification, audits and others.

Good Example Response

• AnyCompany’s Digital Platform uses AWS's Well-Architected framework
guidelines and best practices. We conduct the architecture review every X to Y
months depending on client requirements, along with red-teaming exercises.
• AnyCompany has also developed a Zero Trust governance model to assess the
security readiness of the AWS estate that covers the gaps around Users, Data,
Network, Identity, and Applications and SOC functions.

Unacceptable/Insufficient Information

• XXX component used AWS Managed Service and fully Open Source packages.
And Customer will bring own 3rd Party ISV Solution for XXX such as Siemens,
Ansys, Dassault, Altair.
• N/A is not an acceptable response.

SEC-001 - Secure AWS accounts governance

Requirement

Your internal Security Standard Operating Procedure (SOP) must include secure AWS
account governance. If you create AWS accounts on behalf of customers, you must
enable MFA on the root user, set the account contact information using company
information, and create CloudWatch alerts. Please provide the following evidence:

• Description of process used to create AWS accounts on behalf of customers

Criteria for Passing

• Description details must follow best practices listed in AWS Startup Security
Baseline.
• Partners who do not create an account for their customer must still incorporate
a standard set of security controls into Security account governance SOP.

Why is this important?

Not every one of your customer engagements will require creating AWS accounts, but
we need our Partners to be equipped with this knowledge and have a consistent way
to onboard both consultants and customers. Consequences of not doing this right can
be very detrimental. We have had Partners create accounts for customers using their
personal email account and when they left the company, customers were stuck not
being able to perform any root user activities, and also were exposed to a huge security
risk.

How can you implement this?

• From the AWS Prescriptive Guidance page, follow the specific topics below to
Secure Your Account
o ACCT.01 – Set account-level contacts to valid email distribution lists
o ACCT.02 – Restrict use of the root user (also addresses setting up MFA
for root user)
o ACCT.07 – Deliver CloudTrail logs to a protected S3 bucket
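
One way to verify the three topics above before handing over an account, as an added example that is not part of the AWS guide: the function evaluates the JSON returned by read-only AWS CLI calls. The sample data, the example.com domain and the bucket name are constructed, and the MFA delete check follows the good example response below rather than the text of ACCT.07.

```python
"""Check one AWS account against ACCT.01, ACCT.02 and ACCT.07.

Each argument is the parsed JSON output of a read-only AWS CLI call:
  summary    aws iam get-account-summary
  contacts   aws account get-alternate-contact --alternate-contact-type <TYPE>
             (one entry per type; None where no contact is set)
  trails     aws cloudtrail describe-trails
  versioning aws s3api get-bucket-versioning --bucket <name>, keyed by bucket name
"""

CONTACT_TYPES = ("BILLING", "OPERATIONS", "SECURITY")


def check_account(summary, contacts, trails, versioning, company_domains):
    """Return sorted (control, finding) tuples; an empty list means no findings."""
    findings = []
    smap = summary.get("SummaryMap", {})

    # ACCT.02: the root user needs MFA and must not own access keys.
    if smap.get("AccountMFAEnabled") != 1:
        findings.append(("ACCT.02", "root user has no MFA device"))
    if smap.get("AccountAccessKeysPresent", 0) != 0:
        findings.append(("ACCT.02", "root user has access keys"))

    # ACCT.01: every alternate contact must be a company-owned mailbox, so the
    # account stays reachable when an individual leaves the company.
    for ctype in CONTACT_TYPES:
        contact = (contacts.get(ctype) or {}).get("AlternateContact")
        if not contact:
            findings.append(("ACCT.01", f"{ctype} contact not set"))
            continue
        domain = contact.get("EmailAddress", "").rpartition("@")[2].lower()
        if domain not in company_domains:
            findings.append(("ACCT.01", f"{ctype} contact outside company domains"))

    # ACCT.07: a multi-Region trail must deliver to a bucket that has
    # versioning and MFA delete enabled.
    multi = [t for t in trails.get("trailList", []) if t.get("IsMultiRegionTrail")]
    if not multi:
        findings.append(("ACCT.07", "no multi-Region trail"))
    for trail in multi:
        bucket = trail.get("S3BucketName", "")
        state = versioning.get(bucket, {})
        if state.get("Status") != "Enabled":
            findings.append(("ACCT.07", f"{bucket}: versioning not enabled"))
        if state.get("MFADelete") != "Enabled":
            findings.append(("ACCT.07", f"{bucket}: MFA delete not enabled"))
    return sorted(findings)


# Constructed sample data (not taken from a real account).
COMPLIANT = dict(
    summary={"SummaryMap": {"AccountMFAEnabled": 1, "AccountAccessKeysPresent": 0}},
    contacts={t: {"AlternateContact": {"AlternateContactType": t,
                                       "EmailAddress": f"aws-{t.lower()}@example.com"}}
              for t in CONTACT_TYPES},
    trails={"trailList": [{"Name": "org-trail", "IsMultiRegionTrail": True,
                           "S3BucketName": "example-trail-logs"}]},
    versioning={"example-trail-logs": {"Status": "Enabled", "MFADelete": "Enabled"}},
)
NONCOMPLIANT = dict(
    summary={"SummaryMap": {"AccountMFAEnabled": 0, "AccountAccessKeysPresent": 1}},
    contacts={"SECURITY": {"AlternateContact": {"AlternateContactType": "SECURITY",
                                                "EmailAddress": "jane.doe@mail.example.net"}},
              "BILLING": None},
    trails={"trailList": [{"Name": "single", "IsMultiRegionTrail": False,
                           "S3BucketName": "example-trail-logs"}]},
    versioning={},
)

if __name__ == "__main__":
    for name, acct in (("compliant", COMPLIANT), ("noncompliant", NONCOMPLIANT)):
        print(name)
        for control, finding in check_account(company_domains={"example.com"}, **acct):
            print(f"  {control}: {finding}")
```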

Additional Resources

• Setting S3 Bucket Policy for Multiple accounts

• Turn on CloudTrail in Additional Accounts
• CloudTrail Log Files from Multiple Accounts

Good Example Response

• AnyCompany ensures proper company email address and accounts are used in
their client’s AWS account. AnyCompany validates the customer is not using root
access for any and MFA is set up for the root account. Root user is only used for
tasks that require it (example - XX). We have CloudTrail enabled in all AWS
regions and the logs are sent to a dedicated S3 bucket that has MFA delete set
up to protect against accidental deletion. The bucket is only accessible by X
individuals within the company and is restricted by IAM policies. We have
attached to the application a PDF of our Security Engagement SOP that
discusses these standard best practices. This is the standard document we use to
onboard customers and ensure customer awareness.

Unacceptable/Insufficient Information

Answering “yes”, “N/A”, or “We did not perform this as part of this engagement, this
was the customer’s responsibility” to the questions without further explanation, or
omitting any of the above information.

SEC-002 - Secure access to customer-owned AWS accounts

Requirement

You must have a standard approach to access customer-owned accounts using
temporary credentials such as IAM roles. If you maintain access to a customer-owned
AWS account to provide ongoing operational support, that access must be provided
through a cross-account IAM role. Customers may not provide IAM user credentials to
the AWS Partner for long term access. Please provide the following evidence:

• Description of the process used to access customer-owned AWS accounts. This
should include both AWS Management Console access and programmatic access
using the AWS Command Line Interface or other custom tools.

Criteria for Passing

• Description details must follow best practices listed in Security best practices in
IAM

Why is this important?

Having a default, standard recommendation for accessing customer accounts is critical
to earning customer trust. As customers’ trusted advisor, you should educate and help
customers implement AWS IAM security best practices. With these standard IAM best
practices in place, you can quickly onboard new customers and consultants.

How can you implement this?

The first and foremost principle is to avoid using static credentials such as
long-term access keys in IAM. Instead, you can work with your customers to create
cross-account IAM roles and generate temporary security credentials to access their
AWS resources. You can leverage external IDs when accessing customer accounts using
IAM roles. For machine identities, such as EC2 instances or Lambda functions, require
the use of IAM roles instead of IAM users with long-term access keys. For workforce
identities, use AWS SSO, or federation with IAM, to access AWS accounts. Specifically,
we recommend Partners use federation with an identity provider for human users to
access customer AWS accounts using temporary credentials. Below is an example
diagram.

When setting permissions with IAM policies, you should grant only the permissions
required to perform a task. You do this by defining least-privilege permissions. You can
leverage IAM Access Analyzer to generate least-privilege policies based on access
activity.
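
A trust-policy check for the cross-account role pattern described above, as an added example that is not part of the AWS guide. The account IDs, role name, external ID and finding codes are constructed for illustration; federated and service principals are outside what this check covers.

```python
"""Lint an IAM role trust policy for partner cross-account access."""
import re

# Matches IAM/STS principal ARNs and captures the account ID and resource part.
ARN_RE = re.compile(r"^arn:aws[a-z-]*:(?:iam|sts)::(\d{12}):(.+)$")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _has_external_id(condition):
    """True if a StringEquals condition pins sts:ExternalId (names are case-insensitive)."""
    for operator, keys in condition.items():
        if operator.lower() == "stringequals":
            if any(key.lower() == "sts:externalid" for key in keys):
                return True
    return False


def lint_trust_policy(policy, partner_account_id):
    """Return sorted (statement_index, code) findings for a trust policy dict."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            principal = {"AWS": "*"}
        aws_principals = _as_list(principal.get("AWS", []))
        for entry in aws_principals:
            if entry == "*":
                # Anyone in any account could attempt to assume the role.
                findings.append((index, "WILDCARD_PRINCIPAL"))
                continue
            match = ARN_RE.match(entry)
            account = match.group(1) if match else entry  # bare 12-digit ID form
            resource = match.group(2) if match else "root"
            if account != partner_account_id:
                findings.append((index, "UNEXPECTED_ACCOUNT"))
            if resource.startswith("user/"):
                # Trusting an IAM user ties access to long-term access keys.
                findings.append((index, "IAM_USER_PRINCIPAL"))
        if aws_principals and not _has_external_id(stmt.get("Condition", {})):
            findings.append((index, "NO_EXTERNAL_ID"))
    return sorted(set(findings))


PARTNER_ACCOUNT = "111122223333"  # constructed partner account ID

# Constructed policy: partner role as principal, external ID required.
GOOD = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/PartnerOpsRole"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "constructed-external-id-0001"}},
    }],
}

# Constructed policy: IAM user principal, a second unknown account, no condition.
WEAK = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": ["arn:aws:iam::111122223333:user/consultant",
                              "444455556666"]},
        "Action": "sts:AssumeRole",
    }],
}

if __name__ == "__main__":
    for name, doc in (("GOOD", GOOD), ("WEAK", WEAK)):
        print(name, lint_trust_policy(doc, PARTNER_ACCOUNT))
```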

Additional Resources

• Require identities to dynamically acquire temporary credentials
• Regularly review IAM permissions.
• See IAM Access Analyzer policy validation.
• Security best practices in IAM

Good Example Response
AnyCompany adopts Security best practices in IAM. Specifically, we use IAM roles with
temporary security credentials to access customer accounts. Every developer user
signs in using their own Active Directory credential, which is integrated with AWS using
SAML to assume a role defined by the client’s security team. AnyCompany provides
customers with CloudFormation templates (see attached example section related to
role and policy creation) to create roles with least privilege and ensures that customers
have a process to remove roles once the project is done.

Unacceptable/Insufficient Information

• Anything making a reference to use of long-term credential usage or shared
credentials
• “N/A” or any answer similar to: “We did not perform this as part of this
engagement”

SAAS-001 - SaaS components pass a software AWS Foundational Technical Review (FTR).

Requirement

Any components of the offering that are operated by the AWS Partner in a
software-as-a-service delivery model must pass an AWS software Foundational Technical
Review (FTR).

Criteria for Passing

• The FTR status must be approved for components of the offering that are
operated by the AWS Partner in a software-as-a-service delivery.
• Partners can answer this as N/A if their service offering does not include a SaaS
component.

Why is this important?

This enables Partners to identify and remediate risks in their software components or
solutions as part of their service offering. Whether the software is delivered as a SaaS
solution or deployed by customers, the FTR helps to identify AWS Well-Architected best
practices specific to your software or solution.

How can you implement this?

You can follow this application guide to get your SaaS component evaluated. In
addition, you can use this technical enablement series (skill builder link) to identify and
remediate gaps.

Good Example Response

The SaaS component of the offer (list details) has been approved (with APN SFDC link
for the software product offer).

Unacceptable/Insufficient Information

Not listing the SaaS component, or not providing the approved status for it.

CUS-001- Implement a process to collect customer feedback

Requirement

You must implement a customer feedback collection mechanism including
milestone-defined checkpoints, engagement outcome assessment such as customer
reaction/satisfaction, business impacts, etc.

Criteria for Passing

Define post customer feedback channels and processes that track milestones and Voice of
the Customer and enable escalation.

Why is this important?

Customer feedback fosters positive change fast. You can use customer feedback to
continuously improve the offering and customer satisfaction.

How can you implement this?

Define a post-interaction process that can collect, process, and report feedback, rather
than a one-time feedback collection.

Good Example Response

AnyCompany designates a project manager to each account to be the Customer’s
Advocate for the governance program. The governance program is based on the service
offerings and consists of multiple customer touch points, including bi-weekly meetings,
which allow customers to provide direct feedback. Additionally, we have a survey
mechanism (partners attach links/snapshots) where customer feedback, including
customer satisfaction scores, is incorporated into our feedback system. The project
manager will work with the customer and internal teams to address the feedback. The
results and action items based on customer feedback are reviewed at the senior
leadership level.

Unacceptable/Insufficient Information

Simply stating a way of collecting feedback without details on how it is used for
iterations and improvement of continued customer engagement.

Resources
• Visit the Application Guide and Demo Video for the application process
• Review the Service Offering FTR announcement in the APN Blog
• Conduct a self-assessment with the Service Offering FTR Checklist

Notices
Partners are responsible for making their own independent assessment of the
information in this document. This document: (a) is for informational purposes only, (b)
represents current AWS product offerings and practices, which are subject to change
without notice, and (c) does not create any commitments or assurances from AWS and
its affiliates, suppliers or licensors. AWS products or services are provided “as is”
without warranties, representations, or conditions of any kind, whether express or
implied. The responsibilities and liabilities of AWS to its customers and partners are
controlled by AWS agreements, and this document is not part of, nor does it modify,
any agreement between AWS and its customers/partners.

Appendix A- Project Plan Template Example

[Customer] – [Partner] – [Date]

Project Overview

Executive Summary
[Use this section of the document to provide a high-level overview of the project. Briefly
describe the customer’s business and technical objectives. Briefly summarize the partner’s
professional services to be delivered to meet the customer’s objectives.]

Project Sponsor(s) / Stakeholder(s) / Project Team

Partner Executive Sponsor
Name | Title | Description | Email / Contact Info

Project Stakeholders
Name | Title | Stakeholder for | Email / Contact Info

Partner Project Team
Name | Title | Role | Email / Contact Info

Project Escalation Contacts
Name | Title | Role | Email / Contact Info

PROJECT SUCCESS CRITERIA


[Provide a bulleted list of items that are important to address for the success of the project.
Describe the important business and technical objectives of the project in a way that is
quantitative and measurable, i.e., how success would be defined and measured for this project.]

ASSUMPTIONS

Scope of work - technical project plan

Provide a list of items and activities as scope of the work expected to be accomplished by the
APN Partner.

Solution Architecture Diagram

[Provide a description of the proposed high-level technical architecture, to address common
architectural aspects such as: network infrastructure; data/process flows; software
services/components; integration/messaging/middleware; security; deployment models;
operations/support models. (As appropriate, based on the type of project).
Proposed Architecture should follow well architected best practices. For details, please visit
https://aws.amazon.com/architecture/well-architected/

Also provide architectural diagram(s) that illustrate the proposed solution architecture. As an
APN Partner, you are permitted by AWS to use AWS Icons to create architecture diagrams. For
details, please visit https://aws.amazon.com/architecture/icons/.]

Summary of milestones, roles & deliverables

[Provide project milestones with timeline and respective deliverables, corresponding to the items
and activities described in the Scope of Work / Technical Project Plan section.]

Project Phase | Roles & Deliverables | Est. Completion Date
 | • item 1 | Click to Select Date
 | • item 1 | Click to Select Date
 | • item 1 | Click to Select Date
 | • item 1 | Click to Select Date
 | • item 1 | Click to Select Date

Acceptance and Handover

[To conclude a project, define acceptance process here. For example:

Appendix B- Project Plan Template Autoverse Example
