AWS Managed Service Provider (MSP)

Partner Program
Validation Checklist
February 2019
Version 4.0

Amazon Confidential
 AWS Managed Service Provider Partner Program Validation Checklist

Table of Contents
Purpose of this Document ..........................................................................................................................................3
Program Prerequisites ................................................................................................................................................3
Expectations of Parties ...............................................................................................................................................3
Audit Process and Timing ...........................................................................................................................................4
Scoring Explained .......................................................................................................................................................6
Definitions ..................................................................................................................................................................7
AWS Managed Service Provider Partner Program Validation Checklist ....................................................................9
Business Practices ............................................................................................................................... 9
1.0 APN Partner Capabilities Overview............................................................................................... 9
2.0 Business Health ........................................................................................................................... 10
3.0 Business Management ................................................................................................................ 11
4.0 Customer Obsession ................................................................................................................... 13
MSP Practices .................................................................................................................................... 14
5.0 Solution Design Capability .......................................................................................................... 14
6.0 DevOps ........................................................................................................................................ 14
7.0 Infrastructure and Application Migration Capability .................................................................. 15
8.0 Security ....................................................................................................................................... 16
9.0 Next Generation Service Management ...................................................................................... 19
10.0 Service Level Agreement .......................................................................................................... 25
11.0 Optimization ............................................................................................................................. 26
12.0 AWS Billing and Cost Management .......................................................................................... 27
13.0 AWS Knowledge ........................................................................................................................ 29
Appendix A: Best Practice Guides and Reference Materials ................................................................................... 31
Summary of Changes ............................................................................................................................................... 32

Version 4.0 Amazon Confidential page 2

 AWS Managed Service Provider Partner Program Validation Checklist

Purpose of this Document

The AWS Managed Service Provider (“MSP”) Partner Program Validation Checklist (“Checklist”) is intended for
AWS Partner Network Partners (“APN Partner(s)”) who are interested in applying for the AWS Managed Service
Provider Partner Program (“MSP Program”). This Checklist provides the criteria necessary for an APN Partner to
achieve the MSP designation (and subsequently be referred to as an “MSP Partner”) and describes AWS’ view of
the capabilities that a “next generation managed service provider” should have to support customers through all
phases of the customer engagement lifecycle: plan, design, migrate/build, run, and optimize.

APN Partners must fill out this Checklist based on their assessment of their own capabilities. Such assessment
will serve as the basis for discussion during the Full Audit (defined below).

The goal of the MSP Program is to recognize APN Partners that provide the best AWS Cloud managed service
experience for their customers.

This document, as well as the MSP Program, may be modified by AWS from time to time.

Version 4.0, published in February 2019, will become the only recognized standard for the MSP Program for any
Full Audit occurring on or after April 1, 2019. Any Full Audit in progress or completed before April 1, 2019 will be
conducted in accordance with the prior version of this checklist.

Program Prerequisites
The following items must be met before scheduling the MSP Program Full Audit (defined below):
AWS Managed Service Provider Partner Program Prerequisites
APN Membership Advanced or Premier tier APN Consulting Partner (view requirements)
At least 4 AWS customer References, including at least 2 that are publicly
Customer References
referenceable.

Completed self-assessment using the Checklist.

Checklist Self-Assessment
Completed self-assessment must be mailed to aws-msp@amazon.com, using
the following convention for the email subject line: “[APN Partner Name]
Completed Self-Assessment.”
It is recommended for APN Partners to have their Solutions Architect, PDR or
PDM review their self-assessment before submitting to the MSP Program
team. The purpose of this is to ensure your AWS team is engaged and working
with you to provide recommendations prior to the audit and to help ensure a
positive audit experience.

Expectations of Parties
It is expected that APN Partners will review this document in detail before submitting an application for the MSP
Program, even if all of the pre-requisites are met. If items in this document are unclear and require further
explanation, contact your APN Partner Development Representative (PDR) or Partner Development Manager
(PDM). Your PDR/PDM will contact the MSP Program office if further assistance is required.

Version 4.0 Amazon Confidential page 3

 AWS Managed Service Provider Partner Program Validation Checklist

When ready to submit a MSP Program application, APN Partners must complete the Partner Self-Assessment
column of the Checklist set forth below. To submit your application:
 Log in to the APN Partner Central (https://partnercentral.awspartner.com/), as Alliance Lead
 Select “View My APN Account” from the left side of the page
 Scroll to “Program Details” section
 Select “Update” next to AWS Managed Service Program
 Fill out Program Application & Click “Submit”
 Email completed Self-Assessment to aws-msp@amazon.com
 If you have any questions regarding the above instructions, please contact your PDM or PDR.

AWS will review and respond back with any questions within 10 business days and provide information on how
to schedule a Full Audit (as defined below).

APN Partners will undergo a two-day audit of all items in the Checklist (“Full Audit”) of their capabilities upon
applying for entry into the MSP Program, and every 36 months thereafter. APN Partners should prepare for the
Full Audit by reading the Checklist, performing a self-assessment using the Checklist, and gathering and
organizing objective evidence to share with the auditor on the day of the audit. APN Partners should ensure that
they have the necessary consents to share any information provided in objective evidence or displayed in a
demonstration. AWS will leverage an objective, third-party auditing firm to facilitate the Full Audit which will
occur in the APN Partner’s preferred language and location, when feasible. Each Full Audit will result in costs
incurred to the Partner of a $3,000 USD fixed audit fee plus any related travel expenses at their actual cost,
which will be billed by the auditor and may require a separate agreement between an APN Partner and the
auditor. Every 12 months between Full Audits, MSP Partners will be assessed using the Annual Performance-
based Renewal Process detailed in the Audit Process and Timing section of this document.

AWS recommends that APN Partners have individuals who are able to speak in-depth to the requirements at the
Full Audit (remote or onsite). Best practice is for the APN Partner to have one or more highly technical AWS
engineers/architects, an operations manager who is responsible for the service desk and support elements (and
or managed service practice manager), and a business development executive to give the overview
presentation.

Program Participation and Benefits: AWS may revoke an APN Partner’s status as an MSP Partner if, at any time,
AWS determines in its sole discretion that such APN Partner does not meet the MSP Program requirements or
otherwise fails to represent the high standards expected of MSP Partners. If an APN Partner’s status as a MSP
Partner is revoked, such APN Partner will (i) no longer receive, and will immediately cease taking advantage of,
any MSP Program benefits, (ii) immediately cease use of all materials provided to it in connection with the MSP
Program and (iii) immediately cease to identify itself or hold itself out as an MSP Partner.

Audit Process and Timing

After the Full Audit occurs, the APN Partner should receive an audit summary (within 2 business days) from the
auditor detailing strengths, opportunities for improvement, and action items. A preliminary score from the
auditor will be provided with the audit summary.

Version 4.0 Amazon Confidential page 4

 AWS Managed Service Provider Partner Program Validation Checklist
APN Partners have 5 business days from receipt of the audit summary to respond to and address any identified
action items, which will be categorized as either Mandatory Action Items or as additional Score-Impacting Action
Items (each defined below).

Mandatory Action Items are items that must be closed out prior to approval of entry into the MSP Program. If
the APN Partner is not able to fully close a Mandatory Action Item in 5 business days, an action plan detailing
how and when the item will be closed must be provided to the MSP Program Manager.

Score-Impacting Action Items are items that negatively impact the overall score, but may be closed by providing
evidence of closure to the auditor within 5 business days. Any such items satisfactorily closed within the 5
business days, as determined by the auditor, will raise the APN Partner’s score, and the new score will become
the final score submitted to AWS with the final audit report. Any Score-Impacting Action Items not addressed, or
not fully closed within the 5 business days, will result in no change to the APN Partner’s score and will not be
included on the final audit report.

The auditor will submit the final audit report to AWS after the 5 business days allowed for an APN Partner to
address Mandatory and Score-Impacting Action Items has passed, and no later than 10 business days after the
audit.

The final determination of acceptance into the MSP Program will be made within 20 days after AWS receives the
final audit report.

Annual Performance-Based Renewal Process:

The MSP Program requires an annual performance-based renewal process (“Renewal Process”) to ensure high
quality and consistent customer experiences. MSP Partners are expected to continue to drive innovation and
excellent customer experiences, as well as grow and develop their practices. The requirements of the Renewal
Process include:
 Attestation by MSP Partner to AWS that they continue to meet previous audit requirements as well as any
new, mandatory requirements added or expanded in the current version of the Checklist, specifically 5.1.7;
 5 Launched Opportunities (as defined below) that include managed services in the 12 months immediately
prior to the annual renewal;
 MSP Partner remains in good standing at the Advanced or Premier tier, including the requirement to attain
Customer Satisfaction Responses (as defined below); and
 MSP Partner complies with the AWS Partner Network Terms and Conditions.

To participate in the Renewal Process starting in 2019 and until the next Full Audit, there are new requirements.
MSP Partners will need to take the following actions annually until their next Full Audit:
 Ensure compliance with APN Program tier (Advanced or Premier) by logging into APN Partner Central and
viewing Partner Scorecard Overview, with specific focus on the attainment of Customer Satisfaction
Responses;
 Submit attestation of meeting existing and new audit requirements to aws-msp@amazon.com at least 30
days, but no more than 60 days, prior to anniversary date.

AWS will review the MSP Partner’s performance against requirements and, if complete, will notify the MSP
Partner of successful renewal of MSP Program status prior to the MSP Partner’s anniversary date. If an MSP
Partner fails to meet the performance requirements, they may, at AWS’ sole discretion, be offered a brief

Version 4.0 Amazon Confidential page 5

 AWS Managed Service Provider Partner Program Validation Checklist
window of time to complete an action plan and achieve the requirements or will otherwise be immediately
removed from the MSP Program.

While an audit of requirements will not be reviewed during the annual renewal process, AWS expects continued
compliance to previously audited requirements and requires that MSP Partners disclose any material changes to
policies, processes, and tools that impact their managed services practice as soon as those changes are made.

Full Audit (conducted every 36 months):

The MSP Program also requires a Full Audit every 36 months, based on the MSP Partner’s original (or most
recent) Full Audit date. This Full Audit will be conducted using the current version of the Checklist, as of the date
the Full Audit is conducted.

Impact of Merger, Acquisition and Divestiture Activity:

The MSP Program incorporates the use of an audit to validate the APN Partner’s technical capabilities, as well as
its business and delivery models. These business and delivery models are often significantly impacted in the
process of mergers, acquisitions and divestitures. As a result, APN Partners may be required to reapply and
complete a new Full Audit. Please refer to the guidelines below.

Acquisition/Merger:
 MSP Partner acquires non-MSP Partner: No immediate action required. The MSP Partner must show any
impacts to its MSP practice during its next regularly scheduled Full Audit.
 Non-MSP Partner acquires MSP Partner: New application and Full Audit required for acquiring APN Partner
to be recognized as a MSP Partner. The new business and delivery models, as well as the integration of the
acquired technical capabilities, must be validated through the Full Audit process. We recommend that this
be done as soon as possible to ensure continued recognition in the MSP Program.
 MSP Partner acquires another MSP Partner: No immediate action required. The consolidated entity will be
assessed during the next regularly scheduled Full Audit of either of the original entities (whichever date is
soonest).

Divestiture:
If a MSP Partner divests a portion of its business related to its AWS MSP practice, the divesting business must
immediately disclose significant impacts to its MSP practice that would materially impact its standing as an MSP
Partner. Depending on the significance of the impact, the APN Partner will either be immediately removed from
the MSP Program or it will be required to highlight impacts to its business during its next regularly scheduled Full
Audit. The divested business will be required to apply to the MSP Program as a new APN Partner.

Scoring Explained
The scoring system is an essential piece of the APN Partner’s self-assessment and the Full Audit. Scoring allows
an objective and quantifiable means to assess the APN Partner’s capabilities and provides clarity and consistency
in expectations. The maximum possible score is 1,000 points, with 900 points or greater being required to
successfully attain MSP Program validation.

In the Checklist, there are two scoring related columns:

 The first column has a point value that is either neutral (zero) or negative. The negative scores will be
subtracted from the overall score for each section.

Version 4.0 Amazon Confidential page 6

 AWS Managed Service Provider Partner Program Validation Checklist
 The second column has a point value that is either positive or neutral (zero). These points will be added to
determine the overall score for each section.

The points in both columns are binary in nature, meaning that an APN Partner only receives one point value (the
negative/neutral value for not meeting the requirement, or the positive/neutral value for meeting the
requirement). Also, points are awarded in full; no partial score values are awarded.

Definitions
Case Study: A Case Study is a report detailing an individual customer solution and outcomes. It should include an
introduction to the customer, overview of the challenge, details about the solution implemented, and outcomes
realized by the customer. Individual AWS programs will provide details about specific requirements for Case
Studies. For the purpose of the MSP Program, all Case Studies used in the Full Audit must demonstrate that the
APN Partner and customer have been under agreement to provide managed services for a minimum of 6
months. Case Studies must be identified in writing to AWS as being either public (can be shared with public
audiences) or non-public (can only be shared with AWS and its third-party auditor for the purpose of the audit or
demonstrating to AWS that the APN Partner is meeting program requirements). The APN Partner is responsible
for clearly identifying any non-public Case Study and for gathering the necessary consents to share any Case
Study with AWS and the auditor.

Customer Satisfaction (CSAT) Responses: This requires APN Partners to obtain a specific number of customer
responses via the “Rate this Partner” function within their Partner Solutions Finder listing. Required minimums
vary by tier.

Final Partner Score: The Final Partner Score is the score provided by the auditor to AWS after adjusting the
score for any closed Score-Impacting Action Items.

Launched Opportunities: APN Partners submit opportunities through the APN Customer Engagements (ACE)
platform in APN Partner Central. After billing for the solution begins, APN Partners will update the status of the
opportunity to “Launched.”

Mandatory Action Items (MAIs): Mandatory Action Items (MAIs) are non-negotiable items that must be
addressed by the APN Partner to be accepted into the MSP Program and can be identified by their -200 score
impact in the Checklist.

Preliminary Partner Score: The Preliminary Partner Score is determined and disclosed in the audit summary.

Reference: A Reference is a positive story about delivery of services and solutions to an individual customer.
This can be presented in multiple formats: customer testimonial, summary statement, high level overview of the
solution, etc. All References must be new customers or new engagements with existing customers within the
last 18 months who are currently consuming the APN Partner’s AWS-based managed services, and must have
been running on those services for at least 6 months. References must be identified in writing to AWS as being
either public (can be shared with public audiences) or non-public (can only be shared with AWS and its third-
party auditor for the purpose of the audit or demonstrating to AWS that the APN Partner is meeting program
requirements). The APN Partner is responsible for clearly identifying any non-public Reference and for gathering
the necessary consents to share any Reference with AWS and the auditor.

Version 4.0 Amazon Confidential page 7

 AWS Managed Service Provider Partner Program Validation Checklist
Score-Impacting Action Items (SIAIs): Score-Impacting Action Items (SIAIs) are action items that arise from not
having sufficient evidence at the time of the audit for the APN Partner to receive a full score in that area. SIAI’s
are opportunities for APN Partners to increase their score within 5 business days after the audit. SIAIs need to be
closed out with the auditor directly after the audit in order for the score to be included in the APN Partner’s final
score. Any SIAIs not closed within 5 business days are treated as “not meeting requirements” and the final score
will reflect the corresponding point value.

Version 4.0 Amazon Confidential page 8

 AWS Managed Service Provider Partner Program Validation Checklist

AWS Managed Service Provider Partner Program Validation Checklist

In preparation for the validation process, APN Partners should become familiar with the items outlined in this document, and prepare
objective evidence, including but not limited to: prepared demonstration to show capabilities, process documentation, and/or actual
customer examples. APN Partners should ensure that they have the necessary consents to share with the auditor all information
contained within the objective evidence or any technology demonstration prior to scheduling a Full Audit.

Subtract if Add if Does APN Partner Auditor

Does Not Meet Self- Validation
Meet Capability Assessment
Capability
Business Practices
1.0 APN Partner Capabilities Overview
1.1 Company APN Partner has a company overview presentation to set the 0 +20
Overview stage for customer conversations as applicable to its MSP
practice, in addition to demonstration capabilities.

Presentation will contain information about next generation

cloud managed services; how managed services are different
in an AWS environment vs. traditional on premise or hosted
managed services with emphasis on automation enabled by
DevOps practices.

Overview presentations contain:

 Company history
 Office locations
 Number of employees
 Customer profile, including number and size of
customers, including industry
 Service differentiators
 AWS relationship overview/details, including APN
participation, monthly AWS billings, etc.
 For renewals, the focus should be on changes and
improvements since the previous audit.

Evidence must be a presentation delivered during the Full

Audit. Presentation should be limited to no more than 30
minutes.
1.2 Next APN Partner educates and evangelizes how managed 0 +40
Generation services are different in an AWS environment vs. traditional
Managed on premises or hosted managed services with emphasis on
Service automation enabled by DevOps practices.
Evangelism
Evidence must be in the form of at least 4 examples of public
facing materials (websites, blog posts, press articles, videos,
etc. [excluding product documentation]), published in the
past 12 months. These material will reflect thought
leadership on cloud concepts used in managed services
offerings such as DevOps, migrations, security, etc.
Section 1 Total:

Version 4.0 Amazon Confidential page 9

 AWS Managed Service Provider Partner Program Validation Checklist

2.0 Business Health

2.1 Financial APN Partner regularly assesses financial health of its -200 0
Health business through methods such as Altman's Z-Score, Dun
and Bradstreet (D&B) Paydex Score, D&B Rating, D&B
Financial Stress Score, D&B Supplier Evaluation Risk Rating,
or equivalent.

MSPs are trusted advisors to customers of all sizes, helping

companies make decisions based on their overall goals. In
undertaking customer engagements, MSPs take the lead in
ensuring customer data is protected and AWS best practices
are followed in all areas including the planning and design,
migration, and new solution development. The expectation
is that these solutions and workloads will be monitored and
maintained on an ongoing basis, with the AWS MSP
providing regular touch points with the customer with
continual recommendations on ways to increase efficiencies.
Due to the importance of the role of the MSP Partner, APN
Partner must also show that they have viable businesses to
earn and maintain customer trust.

Acceptable evidence may include D&B Company Credit

Reports (or equivalent for APN Partner’s region) or proof
that APN Partner is assessing and creating plans when risks
are identified. Public securities filings for the most recent
period are sufficient evidence for publicly traded companies.

Articles in the press about the company, analyst reports,

and/or statements made by the company on their website
will not be considered sufficient evidence to meet this
requirement.

Any recent or publicly announced mergers, acquisitions, or

divestitures that materially impact a company’s ability to
deliver AWS managed services must be disclosed at the time
of the audit.
2.2 Financial APN Partner has processes in place for financial planning, -200 0
Planning and including forecasting, budgeting, and review of financial
Reporting metrics and reports.

Evidence must be in the form of proof of policies and

processes related to financial planning and review of
financial metrics. Public securities filings for the most recent
period are sufficient evidence for publicly traded companies.
2.3 Risk and Areas of business risk including the AWS practice are -200 0
Mitigation Plans outlined with documented mitigation plans. This may
include financial risks, age and maturity of business, planning
for rapid growth, assumption or loss of large
deals/customers, etc.

Evidence must be in the form of a documented risk analysis

process and associated mitigation plan(s) relevant to the
APN Partner’s AWS managed service practice.
2.4 Succession APN Partner has a succession plan in place to address loss of 0 +20
Planning key leadership personnel related to its AWS MSP practice.

Version 4.0 Amazon Confidential page 10

 AWS Managed Service Provider Partner Program Validation Checklist
Evidence must be in the form of a documented succession
plan scoped to the APN Partner’s AWS managed service
practice.
2.5 Employee APN Partner has the ability to objectively capture employee 0 +20
Satisfaction satisfaction data. This is done via formal survey process on at
least an annual basis.

Evidence must be in the form of a demonstration of how

feedback is collected, and an overview of how action is taken
on feedback received.
2.6 Validation of APN Partner has ≥ 4 AWS Customer References including at -200 0
Customer least 2 that are publicly referenceable.
References
APN Partner must provide evidence of References; these
must be new customers or new engagements with existing
customers within the last 18 months, and who are currently
consuming the APN Partner’s AWS-based managed services.
These customers must be running and actively consuming
services for at least 6 months. Evidence can be in the form of
documented References, Case Studies, whitepapers, or
internal briefings.
Section 2 Total:

3.0 Business Management

3.1 Resource/ APN Partner determines and provides resources needed for 0 +20
Capacity business demand, including resources related to personnel
Planning and infrastructure scoped to the APN Partner’s AWS
managed service practice.

Evidence must be in the form of resource planning processes

detailing how APN Partner ensures that appropriate
resources are available to meet business demand, scoped to
the APN Partner’s AWS managed service practice. This may
include, for example, ensuring that there are sufficient AWS
Certified Solutions Architecture Professionals available
based on the number of customers.
3.2 Job Roles/ 3.2.1 APN Partner has an overview of the job roles within its 0 +10
Staffing company, supporting the AWS business.

Evidence must be in the form of a document or spreadsheet

that describes the role, job title, % of time on AWS business,
any AWS trainings or certifications required for that role,
and any other industry relevant trainings/certifications.
3.2.2 APN Partner has defined processes and checklists for 0 +10
on--boarding of personnel relevant to the APN Partner’s
AWS managed service practice.

Evidence must be in the form of completed on-boarding

records scoped to the APN Partner’s AWS managed service
practice; examples may include completed checklists,
training plans, or other records.
3.2.3 APN Partner has defined termination processes and 0 +10
checklists for off-boarding of personnel relevant to the APN
Partner’s AWS managed service practice.

Evidence must be in the form of completed off-boarding

records scoped to the APN Partner’s AWS managed service

Version 4.0 Amazon Confidential page 11

 AWS Managed Service Provider Partner Program Validation Checklist
practice; examples must include termination of personnel
access to APN Partner and customer systems. Records may
also be in the form of current industry certification related
to information security (e.g., ISO 27001, SOC2) that are
scoped to include the APN Partner’s AWS MSP practice.
3.2.4 APN Partner has at least one person at a leadership 0 +10
position certified to ITIL Foundation or above.

Evidence must be in the form of a current ITIL Foundation

certificate.
3.2.5 APN Partner sales teams, marketing teams, and/or 0 +20
applicable business units supporting the AWS MSP practice
have all completed the AWS Business Professional or AWS
Technical Professional accreditations.

Evidence must be in the form of records of the appropriate

accreditations.
3.2.6 APN Partner has at least one person at a leadership 0 +20
position certified with an AWS Associate level certification.

Evidence must be in the form of records of AWS Associate

level certification.
3.3 Customer 3.3.1 APN Partner has signed contracts with customers -200 0
Contracts scoped to the APN Partner’s AWS managed service practice.

Evidence must be in the form of 3 records of signed

customer contracts, executed within the last 18 months.
Contracts for a proof of concept will not service as sufficient
evidence for this criteria.
3.3.2 Customer contracts define the specific legal ownership 0 +40
of data, including arrangements for handling of customer
data upon termination of the contract by either party,
including:
 Time commitment as to when data/account is handed to
customer
 Format and method for transfer of data/account
credentials
 If applicable, the process for removal of non-customer
IAM accounts, groups, roles, and federation

Evidence must be in the form of a contract template scoped

to the APN Partner’s AWS managed service practice
addressing the above requirements.
3.4 Supplier 3.4.1 APN Partner has defined processes for selection and 0 +20
Management evaluation of suppliers (e.g., SaaS vendors or any other third
parties to whom activities or services are subcontracted).

Evidence must be in the form of records of supplier selection

and evaluation. Evidence of proper supplier management
procedures may also be in the form of current industry
certification related to information security (e.g., ISO 27001,
SOC2).
3.4.2 Where APN Partner uses SaaS solutions for systems 0 +20
that contain customer information or have access to AWS
resources, APN Partner must show that due diligence has
been carried out to assess the security compliance of these
solutions with a focus on customer privacy and security.

Version 4.0 Amazon Confidential page 12

 AWS Managed Service Provider Partner Program Validation Checklist

Evidence must be in the form of records of supplier selection

and evaluation. As evidence of assessment of security
compliance, APN Partner must show overview of the
following: SaaS providers’ security documentation,
authentication and authorization validation, MFA
capabilities, availability characteristics, data backup plan,
and disaster recovery plan.
3.5 AWS All AWS accounts in which APN Partner is managing -200 0
Support Plan customer resources have Developer, Business, or Enterprise
level of AWS Support.

Evidence must be in the form of a list of AWS accounts

managed by APN Partner and each account’s corresponding
support level. For situations where APN Partner does not
own root account credentials, evidence must be in the form
of a documented policy that explains APN Partner SLAs and
dependency on corresponding AWS Support level to deliver
on these SLAs.
Section 3 Total:

4.0 Customer Obsession

4.1 Customer 4.1.1 APN Partner has the ability to objectively capture -200 0
Satisfaction customer satisfaction data. This is done via formal survey
process, contact-based surveys (after customer case is
closed) or as part of customer review meetings.

Evidence must be in the form of a demonstration of how

feedback is collected.
4.1.2 APN Partner has a process for following up on low- -200 0
scores or customer dissatisfaction, and documents the
resolution.

Evidence must be in the form of a low-score follow up

process, and a customer example showing where this
process was used.
4.2 Customer 4.2.1 APN Partner has regular customer review meetings to -200 0
Review discuss the performance of its services/SLAs and to share
reports with the customer. The purpose is to ensure
customers understand the value of a managed solution;
particularly since proactive services that work well may
appear unnecessary to an end customer.

Evidence must be in the form of documentation from a

customer review meeting (may be the same example used
above), complete with recommendations and reports
provided to customer.
4.2.2 APN Partner regularly assesses customer infrastructure -200 0
cost and highlights opportunities to optimize these costs to
its customers through reporting.

Evidence must be in the form of documentation from a

customer review meeting (may be the same example used
above), including evidence that recommendations for
infrastructure cost optimization were provided, e.g., using
the Cost and Usage Report.

Version 4.0 Amazon Confidential page 13

 AWS Managed Service Provider Partner Program Validation Checklist
Section 4 Total:

MSP Practices
5.0 Solution Design Capability
5.1 Solution APN Partner demonstrates that during customer engagements, a complete detailed
Capabilities design document is delivered such that customers and APN Partners are both assured
that due diligence, capacity planning, Well-Architected reviews and long term
operational process have been assessed for the customer engagement.

Evidence must be in the form of 3 implemented customer system detailed design

documents produced within the last 18 months that contain the following components.
5.1.1 Documentation of customer requirements. -200 0
5.1.2 Architectural details of the proposed design. -200 0
5.1.3 Details of the system performance, capacity 0 +20
management and availability measurement systems to be
put in place to measure success of proposed design.
5.1.4 Assessment of customer’s security requirements and 0 +20
procedures with gap identification.
5.1.5 Detailed design that shows customer infrastructure is -200
well-architected as per AWS Well-Architected Framework as
outlined in https://aws.amazon.com/architecture/well-
architected/ .
5.1.6 Assessment of customer’s architectural status (for each 0 +10
customer engagement) by maintaining the AWS Basic
Operations Checklist and Enterprise Operations Checklist
(where applicable) contained in
https://d0.awsstatic.com/whitepapers/aws-operational-
checklists.pdf.
5.1.7 The name of the resources who hold a current AWS -200 0
Solution Architect certification who reviewed and approved
the design, and provided the final deliverable.

APN Partner must also provide a policy requiring that AWS

Solutions Architect-Associate certified individuals are
involved in reviewing the design and implementation of
projects. This policy will also include specific guidance for
when a design requires review by a Professional level AWS
Solution Architect resource.
Section 5 Total:

6.0 DevOps
APN Partners who hold the AWS DevOps Competency for AWS Consulting Partners will automatically be granted all points in
this section.
6.1 DevOps represents a culture shift to encourage collaboration -200 0
DevOps to deliver software more quickly with greater degrees of
Transformation reliability.
and Support
APN Partners engage with customers to support their
DevOps business and technology transformations and/or
support customers’ current DevOps practice.

APN Partners should consider the following cloud

integration points to support DevOps on AWS:
 How does your practice enable self-service or managed
CI/CD pipelines?

Version 4.0 Amazon Confidential page 14

 AWS Managed Service Provider Partner Program Validation Checklist
 What software release and deployment process or
methodology will the customer leverage?
 How does the customer keep code and applications safe
including access credential management?
 How often do you discuss KPIs of your application with
customers?

Evidence must be in the form of a demonstration of how

APN Partner enables customer application deployment and
release management, as either a self-service continuous
integration and continuous deployment pipeline endpoint,
or a managed function, and 1 customer example.
6.2 DevOps APN Partner has infrastructure release and deployment -200 0
Infrastructure management processes. Infrastructure release and
Practices deployment should utilize a highly configurable, reusable,
repeatable and scalable mechanism for defining,
customizing, provisioning and updating customer operating
environment and infrastructure stacks.
 How do you template infrastructure for repeatable
deployments?
 How do you ensure your code and applications work
properly before provisioning production environments?
 How do you support environment update strategies
such as in-place, blue-green, or canary deployment?

Evidence must be in the form of a demonstration that shows

how APN Partner performs infrastructure deployment and
release management with a repeatable and reusable
mechanism. This will ensure repeatable and scalable delivery
of accurate deployment for designed operating
environments and infrastructure stacks, and one customer
example must be provided. APN Partner should also
demonstrate how updates to existing operating
environments and infrastructure stacks are performed
through the infrastructure and deployment management
process.
Section 6 Total:

7.0 Infrastructure and Application Migration Capability

APN Partners who hold the AWS Competencies for either Migration Consulting Partners or Migration Delivery Partners will
automatically be granted all points in this section.
7.1 AWS customers seeking migration consulting or delivery -200 0
Infrastructure services view AWS Migration Competency Partners as the
Migration go-to experts in the field. Potential customers often ask for
Capabilities examples of solutions built for other customers when
Leveraging AWS choosing a APN Partner and want confidence that
Best Practices consultants are up to date on AWS migration services, with
specific domains of expertise (ex: Big Data) as relevant to the
workload to be migrated.

APN Partner provides customers with an infrastructure

architecture that is aligned with AWS Well-Architected
Framework’s best practices and reference architectures.
Well-Architected workloads, unlike historical hardware-
based architectures, should be fault tolerant by nature, by

Version 4.0 Amazon Confidential page 15

 AWS Managed Service Provider Partner Program Validation Checklist
default, further allowing MSPs to focus their resources and
provide value to customers in new ways in a proactive
manner.

Evidence must be in the format of AWS architecture design

and diagrams for two implemented customer projects,
including a reason for any portion of the design that is not
Well-Architected. This architecture information must cover
all the AWS components and services deployed, as well as
design requirements, assumptions, and functional
components and their interaction mechanisms.

At least one example must include refactoring or

replatforming, as described in:
https://aws.amazon.com/blogs/enterprise-strategy/6-
strategies-for-migrating-applications-to-the-cloud/
7.2 Application APN Partner has documented and demonstrated application -200 0
Migration migration capabilities. The APN Partner supports the ability
Capabilities to integrate with the Continuous Integration / Continuous
Deployment (CI/CD) methodologies of the customer.

APN Partner also may have their own CI/CD methodology

that they can offer the customer to use. This CI/CD
methodology is a highly automated deployment capability
that takes advantage of elastic, highly available
infrastructure in a pay-as-you-go model.

APN Partner provides tooling or a deployment architecture

that transparently abstracts application deployment from
infrastructure deployment. This allows customers to -
independently or in conjunction with the managed service -
deploy and configure their applications.

Evidence must be in the form of one implemented customer

architectures and corresponding recommendations, with
specific explanation of the customer scenario for which it
was developed.
Section 7 Total:

8.0 Security
For items in this Section 8.0, the APN Partner should be using a test or “sandbox” environment to the maximum extent
possible.
8.1 Security 8.1.1 APN Partner has established security policies and -200 0
Management procedures to protect its own systems from attacks and
these policies have been reviewed and approved by APN
Partner management.

Evidence of security policies and procedures may also be in

the form of current industry certification related to
information security (e.g., ISO 27001, SOC2) or proof of
infrastructure security and information management
processes and associated approvals.
8.1.2 APN Partner has a system that provides access to -200 0
customer resources to its engineers based on the principle
of least privilege. A process for defining and maintaining the
appropriate level of access is in place. Access to critical or
sensitive data (as defined by the customer) is further

Version 4.0 Amazon Confidential page 16

 AWS Managed Service Provider Partner Program Validation Checklist
controlled by multi-factor or quorum authentication with
access-based alerts.

Evidence must be in the form of a live demonstration of

internal capabilities and processes for maintaining least
privilege access policies scoped to the APN Partner’s AWS
managed service practice.
8.1.3 APN Partner has security policies and procedures to -200 0
protect its customers’ systems from unauthorized access
from authenticated users.

Evidence may be in the form of industry certification related

to information security management (e.g., ISO 27001)
specifically scoped to customer environments, or
documentation of APN Partner’s policies and procedures.
8.1.4 APN Partner does not access AWS accounts by use of -200 0
root account credentials.

Evidence must be in the form of a technology demonstration

and documentation of applicable policies.
8.1.5 APN Partner has a documented Access Management -200 0
Strategy, including but not limited to: AWS Identity and
Access Management (IAM) users, federated roles, AWS
Security Token Service (AWS STS) credentials, access keys,
console passwords, and hardware or virtual multi-factor
authentication (MFA) devices.

Evidence must be in the form of a technology

demonstration, and a process documentation that addresses
the above, and one customer example scoped to the APN
Partner’s AWS managed service practice.
8.1.6 APN Partner accesses AWS accounts through the use of -200 0
federated roles in order to access AWS Console or issue
temporary credentials, as opposed to provisioning individual
IAM users and groups.

Evidence must be in the form of a technology

demonstration.
8.1.7 APN Partner makes use of multi factor authentication 0 +20
(MFA) to protect customer accounts for all methods of
accessing those customer accounts by interactive users, by
default.
8.1.8 APN Partner provides encryption at rest services for -200 0
AWS infrastructure as outlined in
https://aws.amazon.com/whitepapers/encrypting-data-at-
rest/.

Evidence must be in the form of design documentation

specifying the use of encryption at rest services.
8.1.9 APN Partner ensures customers understand AWS -200 0
security processes and technologies as outlined in
https://aws.amazon.com/whitepapers/aws-security-best-
practices/.

Evidence must be in the form of onboarding and educational

documents provided to customers that specifically cover
customer security considerations in the APN Partner’s
environment.

Version 4.0 Amazon Confidential page 17

 AWS Managed Service Provider Partner Program Validation Checklist
8.1.10 APN Partner ensures that multi-factor authentication -200 0
is activated on all APN Partner and customer AWS root
accounts.

APN Partner must show technology as evidence that it

regularly audits accounts for MFA activation and activation
of MFA on new AWS root accounts
8.1.11 APN Partner performs secret shopper testing on -200 0
vectors vulnerable for social engineering attacks, including
call, chat and email systems. User validation must not utilize
confidential data like social security numbers, or personal
security questions.

Evidence must be in the form of records of last 2 tests,

documented lessons learned, and follow up actions. (For
initial audits, a single record within the last 6 months is
acceptable.) Personally identifiable information may be
redacted from test records included in evidence.
8.1.12 Customer personally identifiable information is 0 +40
encrypted at rest on all APN Partner systems including APN
Partner, billing, and ticketing systems.

Evidence must be in the form of documentation of customer

information storing systems with proof of encryption.
8.2 Security 8.2.1 Security events are stored in a log for regulatory and -200 0
Event Logging analysis purposes. Use of technologies as specified in
and Retention https://aws.amazon.com/whitepapers/security-at-scale-
logging-in-aws/ is recommended.

Evidence must be in the form of an example of a customer

Security Event Log scoped to the APN Partner’s AWS
managed service practice.
8.2.2 APN Partner can show that customer-agreed retention 0 +20
periods for logs are honored and systems exist to support
and maintain these logs.

Evidence must be in the form of an example of a Security

Event Log that has been maintained for at least the
retention period identified in the template contract from
Section 3.3.2. APN Partner must explain how they are able to
meet customer-specific retention periods that may be
different to the retention period in the template contract.
APN Partner must explain how they can support a customer
who maintains their own logs.
8.2.3 APN Partner has AWS CloudTrail enabled on all -200 0
managed accounts and a process is in place to maintain log
integrity.

Evidence must be in the form of a technology

demonstration, in the absence of which, documented
policies and processes must be in place to ensure that
CloudTrail is enabled on all existing and new accounts may
be presented.
8.3 Service APN Partner has the ability to monitor its own internal +0 +20
Continuity systems to ensure that customers’ services are not
compromised by internal failures, and that there are
reasonable and tested processes to respond to internal
outages and failures. This should cover depth of failure and

Version 4.0 Amazon Confidential page 18

 AWS Managed Service Provider Partner Program Validation Checklist
include disaster management for complete data and
infrastructure loss or compromise.

Evidence must be in the form of process documentation that

addresses the above, as well as results of a business
continuity test performed within the last 12 months.
Additional evidence may be in the form of industry
certification related to business continuity management
(e.g., ISO 22301).
Section 8 Total:

9.0 Next Generation Service Management

9.1 Customer APN Partner provides 24x7 customer service available over -200 0
Service multiple communication means; may be a staffed 24x7 call
Availability center or 8x5 service with after-hours support (e.g.,
pager/alert support after-hours on a rotational basis).

APN Partner must explain or show how customer service is

provided; if APN Partner does not maintain a staffed call
center on a 24-hour basis, there must be documented
procedures for after hours, weekend, and holiday support.
Evidence may be in the form of current industry certification
related to ITSM (ITSM) (e.g., ISO 20000) scoped to the APN
Partner’s AWS managed service practice.
9.2 Service Desk Support priority and severity levels are defined, 0 +20
Operations documented, and conveyed to customers.

APN Partner must provide documentation defining support

priority and severity levels, and must explain or show how
this information is communicated to customers.
Alternatively, evidence may be in the form of current
industry certification related to ITSM (e.g., ISO 20000)
scoped to the APN Partner’s AWS managed service practice.
9.3 Ticketing APN Partner has an ITSM ticketing system capable of the following:
System 9.3.1 Event/Incident ticket creation and escalation. -200 0

APN Partner must show how event/incident tickets are

created and escalated.
9.3.2 Immediate logging and time stamping of tickets. -200 0

APN Partner must provide evidence of immediate logging

and time stamping of tickets.
9.3.3 Documented escalation process for escalating to AWS 0 +20
Support, including flowchart of process, timeframes for
escalating to AWS, definition of the types of cases that get
escalated with defined criteria, and closed loop process to
ensure smooth handoff and ticket resolution.

APN Partner must provide a documented escalation process

addressing the above requirements.
9.3.4 Escalation process provides automated escalation 0 +20
alerts.

APN Partner must demonstrate how automated escalations

occur.

Version 4.0 Amazon Confidential page 19

 AWS Managed Service Provider Partner Program Validation Checklist
9.3.5 Ticketing system has automated integration with AWS 0 +40
Support Center. Valid examples include direct Support API
integration, parsing of e-mail responses, or other
documented and tested methods which ensure automated
SLA and escalation requirements are met.

APN Partner must demonstrate technology integration of its

ticketing system with AWS Support Center or must provide
evidence of documentation and testing of an equivalent
method.
9.3.6 Verification by customer that the case has been closed 0 +20
satisfactorily.

APN Partner must provide evidence of customer verification

of case closure, e.g., by providing examples of closed cases
that have been customer approved.
9.4 AWS-Specific APN Partner tracks cases escalated to AWS Support, and 0 +40
Support Metrics provides regular reviews with their own team to share
lessons learned, leveraging information obtained from those
meetings for improving APN Partner’s internal knowledge
base.
9.5 Proactive APN Partner has systems, tools, or applications capable of -200 0
Monitoring and monitoring the performance of all AWS services that are
Alerting part of the customer’s managed service agreement.

Proactive monitoring looks for patterns of events to predict

possible future failures. (ITIL Service Operation)

The monitoring and alerting functionality must also be

accompanied by corresponding service desk functionality to
take action on events/alerts according to SLAs/contractual
obligations.

APN Partners should show their capabilities within the

following categories:

Infrastructure monitoring, some examples include:

 Amazon CloudWatch out-of-the-box metrics for AWS
monitoring, alerting, and automated provisioning
 Amazon CloudWatch custom metrics for application
monitoring, alerting, and automated provisioning
 Other 3rd party AWS infrastructure monitoring tools

Service monitoring, some examples include:

 Operating system monitoring tools for OS-level
monitoring
 Application monitoring tools for application-level
monitoring
 Simulated transaction monitoring tools for end-to-end
system monitoring

Evidence must be in the form of a technology demonstration

of tooling used to carry out proactive monitoring and
alerting for customer resources in AWS.
9.6 Next 9.6.1 APN Partner must implement service intelligence -200 0
Generation monitoring capabilities that gather intelligence from
heterogeneous monitoring and logging sources.

Version 4.0 Amazon Confidential page 20

 AWS Managed Service Provider Partner Program Validation Checklist
Monitoring
Capabilities One of the values a next-generation MSP brings to
customers is its ability to manage AWS workloads that, if
designed correctly, are dynamic, highly automated
environments that can scale up down according to demand.
To be effective, next gen MSPs must use new technologies
that give visibility into the full environment. Furthermore,
given the dynamic and highly automated nature of AWS
workloads, MSPs should leverage monitoring tools that scale
instantly to adjust to changes in workloads being monitored.

Evidence should be in the form of a technology

demonstration with a current customer Case Study of a
solution which has been in production for at least 6 months.
9.6.2 The monitoring solutions used by APN Partner should -200 0
have the ability to use statistical analysis algorithms to
identify outliers or anomalies in metrics to generate alerts
rather than defined thresholds. These can identify patterns
in a single metric over time, or compare a metric for a single
member of a cluster against other member nodes to identify
unhealthy resources for replacement before an incident
occurs.

Evidence should be in the form of a technology

demonstration and 2 current customer Case Studies of
solutions which have been in production for at least 6
months.
9.6.3 The solutions should apply machine learning 0 +40
capabilities to heterogeneous monitoring and log data.
Monitoring machine learning solutions can be used in a
predictive fashion, identifying trends in data to trigger
actions prior to an anomaly or threshold breach being
detected. In logging, machine learning solutions can provide
suggestions to operators investigating root cause of an
incident by surfacing related log events from across an
application landscape, while accepting feedback from the
operator on the relevance of the data.

Evidence should be in the form of a technology

demonstration and 2 current customer Case Studies of
solutions which have been in production for at least 6
months.
9.7 Service APN Partner provides customers with dashboard and -200 0
Intelligence advanced reporting capabilities that showcase a service-
Reporting and intelligence approach to monitoring, as opposed to more
Dashboards for traditional threshold-based monitoring and handling of
Customers events and incidents.

Dashboards should provide comprehensive full-stack

visibility in real-time, while also offering historical analysis
and trending.

Evidence must be in the form of dashboards and reporting

for current or past customers.
9.8 Continuous 9.8.1 Next generation MSPs adopt a continuous approach to 0 +40
Compliance managing and monitoring compliance, both as it relates to
new policies, audit requirements, and non-compliant
changes within the environment.

Version 4.0 Amazon Confidential page 21

 AWS Managed Service Provider Partner Program Validation Checklist

APN Partner provides continuous compliance solutions to its

customers that apply to AWS managed resources. Examples
include use of AWS CloudTrail or AWS Config to monitor
changes to network configuration, access by IAM principals,
or Amazon EBS encryption settings to ensure the system
remains within policy.

Evidence must be in the form of customer Case Studies that

highlight shortened time to remediation and audit reduction
time as well as a demonstration of continuous compliance
tools and processes with documented outcomes.
9.8.2 APN Partner provides continuous compliance solutions 0 +40
to its customers to ensure compliance of resource level
controls. Examples include ensuring CIS hardened instances
remain hardened after deployment and maintaining log and
configuration file integrity.

Evidence must be in the form of customer Case Studies that

highlight shortened time to remediation and audit reduction
time as well as a demonstration of continuous compliance
tools and processes with documented outcomes.
9.9 Event 9.9.1 APN Partner has a process for detecting, categorizing, 0 +20
Management and taking action on all events.

Events are generally:

 Informational in nature (and should be logged)
 Related to warnings (and should create alerts)
 Exception-based; dealing with something acting out of
normal pattern (and should trigger an incident)

An event is defined as a change of state that has significance

for the management of an IT service or other configuration
item. The term is also used to mean an alert or notification
created by any IT service, configuration item or monitoring
tool. Events typically require IT operations personnel to take
actions, and often lead to incidents being logged. Event
management is the process responsible for managing events
throughout their lifecycle. (ITIL Service Operation)

Evidence must be in the form of a demonstration as to how

events are handled through the appropriate processes with
process documentation if applicable. Alternatively, evidence
may be in the form of current industry certification related
to ITSM (e.g., ISO 20000) scoped to the APN Partner’s AWS
managed service practice.
9.9.2 APN Partner can demonstrate the ability to 0 +20
programmatically add value to customers’ operations by
differentiating between monitoring events that require
customer engagement and those that don’t.

Evidence must be in the form of examples of filtering and

sending event information to customers.
9.10 Incident 9.10.1 APN Partner has documented incident management -200 0
Management processes, including:
 How incidents are identified
 How incidents are logged

Version 4.0 Amazon Confidential page 22

 AWS Managed Service Provider Partner Program Validation Checklist
 How incidents are categorized
 How incidents are prioritized
 How incidents are investigated and diagnosed
 How incidents are resolved
 How incidents are closed

An incident is an unplanned interruption to an IT service or

reduction in the quality of an IT service. Failure of a
configuration item that has not yet affected service is also an
incident – for example, failure of one disk from a mirror set.
Incident management is the process responsible for
managing the lifecycle of all incidents. Incident management
ensures that normal service operation is restored as quickly
as possible and the business impact is minimized.

APN Partner must provide evidence of a documented

incident management process that addresses the above
requirements; an example must be provided. Alternatively,
evidence may be in the form of current industry certification
related to ITSM (e.g., ISO 20000) scoped to the APN
Partner’s AWS managed service practice.
9.10.2 APN Partner has a defined process to communicate -200 0
updates. Communication methods, frequency, and medium
are based upon predefined SLAs, overarching impact to the
business and/or incident severity.

APN Partner has a process for customers to update open

incidents, with the ability for APN Partner personnel to
respond according to procedures.

Evidence must be in the form of process documentation and

a customer sample. Alternatively, evidence may be in the
form of current industry certification related to ITSM (e.g.,
ISO 20000) scoped to the APN Partner’s AWS managed
service practice.
9.11 Problem 9.11.1 APN Partner has a documented process for problem 0 +20
Management management encompassing incidents with no known or
available resolution or those that are proactively identified
based on performance trending or monitoring.

A problem is defined as a cause of one or more incidents.

The cause is not usually known at the time a problem record
is created, and the problem management process is
responsible for further investigation. Problem management
is the process responsible for managing the lifecycle of all
problems. Problem management proactively prevents
incidents from happening and minimizes the impact of
incidents that cannot be prevented. (ITIL Service Operation)

Evidence must be in the form of examples where incidents

were handed off or were proactively identified based on
performance trending/monitoring/pattern analysis.
Alternatively, evidence may be in the form of current
industry certification related to ITSM (e.g., ISO 20000)
scoped to the APN Partner’s AWS managed service practice.

Version 4.0 Amazon Confidential page 23

 AWS Managed Service Provider Partner Program Validation Checklist
9.11.2 APN Partner has the ability to identify and document 0 +10
root causes, and store in a Known Error Database (KEDB)
that is searchable by appropriate support personnel.

A KEDB is a database containing all known error records. This

database is created by problem management and used by
incident and problem management. The KEDB may be part
of the configuration management system, or may be stored
elsewhere in the service knowledge management system.
(ITIL Service Operation)

Evidence must be in the form of problems that were

identified, logged, analyzed, and subsequently entered into
the KEDB. APN Partner must demonstrate that the database
is searchable. Alternatively, evidence may be in the form of
current industry certification related to ITSM (e.g., ISO
20000) scoped to the APN Partner’s AWS managed service
practice.
9.12 Asset APN Partner has a strategy for tracking and managing its 0 +20
Management AWS deployed assets.

An asset is defined as any resource or capability that could

contribute to the delivery of a service. A generic activity or
process responsible for tracking and reporting the value and
ownership of assets throughout their lifecycle. (ITIL Service
Strategy/Service Transition)

 APN Partner’s asset management strategy answers the

following questions:
 Is your organization leveraging AWS provided instance
and service-specific metadata as part of its asset
management strategy?
 Is your organization leveraging custom resource tags to
track and identify AWS resources?
 Does your organization have a resource tagging
strategy?
 How will AWS assets be integrated with internal asset
management systems?

More details specific to these questions can be found at:

https://d0.awsstatic.com/whitepapers/aws-operational-
checklists.pdf.

Evidence must be in the form of a technology

demonstration.
9.13 9.13.1 APN Partner has configuration and change -200 0
Configuration management processes. Processes address the following
and Change questions specific to the AWS business:
Management How will your organization manage server images (e.g.,
Amazon Machine Images (AMIs))?
Will instances be automatically configured at launch or
manually configured later?
How will patches and upgrades be applied?
Will applications be managed as homogeneous fleets?
How will your organization manage changes to OS hardening
baselines, configure security groups or OS firewalls, and

Version 4.0 Amazon Confidential page 24

 AWS Managed Service Provider Partner Program Validation Checklist
monitor their instances for intrusions or unauthorized
changes?

More details specific to these questions can be found at:

https://d0.awsstatic.com/whitepapers/aws-operational-
checklists.pdf.

Evidence must be in the form of a technology demonstration

of a change against a test or pseudo-production
environment and a review of policy or process documents.
9.13.2 The change management process includes a change 0 +20
rollback process.

Evidence must be in the form of a technology demonstration

of a change rollback against a test or pseudo-production
environment and documented change management process
that addresses change rollback; an example must be
provided.
9.13.3 APN Partner has a Configuration Management 0 +20
Database (CMDB).

A Configuration Management Database is a database used

to store configuration records throughout their lifecycle.
(ITIL Service Transition)

Evidence must be in the form of a demonstrable

Configuration Management Database.
9.14 Customer APN Partner provides web accessible customer reports. 0 +40
Reports Reports should allow customers to self-select parameters
such as devices and thresholds. Examples of reports
provided are:
 Incident management
 Non-service affecting incidents
 Performance analysis
 Assets/resources
 Exceptions

Evidence must be in the form of a demonstration of

customer accessible web portal or other repository.
Section 9 Total:

10.0 Service Level Agreement

10.1 APN Partner has foundational SLAs. Foundational SLAs are -200 0
Foundational those that relate to response times, actions, and
SLAs notifications by APN Partner to its customers.

SLAs may include response times when customer opens

ticket/initiates request, time from event or incident trigger
to remediation, and turnaround time for customer-initiated
changes/requests.

Evidence must be in the form of SLA documentation and

supporting processes and metrics scoped to the APN
Partner’s AWS managed service practice.

Version 4.0 Amazon Confidential page 25

 AWS Managed Service Provider Partner Program Validation Checklist
10.2 Workload APN Partner has SLAs based on the customer workloads 0 +20
or Solution- operating in the AWS cloud, such as infrastructure SLAs
Specific SLAs beyond AWS service SLAs as well as SLAs driven by business
outcomes.

Evidence must be in the form of SLA documentation and

supporting processes and metrics scoped to the APN
Partner’s AWS managed service practice.
10.3 SLA APN Partner takes actions to continually improve 0 +20
Optimization performance to objectives. Evidence of continual
improvement includes records of actions taken to improve
performance, particularly when established objectives are
not being met.

Evidence must be in the form of explanation and any

examples where improvements were identified and
implemented within the last 12 months scoped to the APN
Partner’s AWS managed service practice.
Section 10 Total:

11.0 Optimization
11.1 Internal APN Partner has established a regular cadence to review 0 +20
Process internal performance, and provide recommendations for
Optimization improvement. Internal optimization involves looking for
efficiencies within the APN Partner’s AWS managed services
operations that result in financial efficiencies, process
efficiencies, and/or greater customer satisfaction.

Evidence must be in the form of explanation of internal

review cadence scoped to the APN Partner’s AWS managed
service practice, and any efficiencies implemented as part of
the process within the last 12 months (e.g., billing alerts,
etc.).
11.2 Automation APN Partner has a process for tracking automated vs manual 0 +20
Optimization activities and regularly reviews these for opportunities to
Process reduce manual processes in its AWS managed services.

Evidence must be in the form of explanation of internal

review cadence scoped to the APN Partner’s AWS managed
service practice, and any efficiencies implemented as part of
the process within the last 12 months (e.g., new automated
resolution practices, etc.).
Section 11 Total:

Version 4.0 Amazon Confidential page 26

 AWS Managed Service Provider Partner Program Validation Checklist

12.0 AWS Billing and Cost Management

APN Partners who participate in the Solution Provider Programs must complete all requirements in this section. APN Partners
who don’t participate in the Solution Provider Programs will be automatically granted all points for this section. APN Partners
who didn’t successfully migrate to the new Solution Provider Program from the Channel Reseller Program will need to
complete a migration to the Solution Provider Program prior to conducting this audit.
12.1 AWS Billing APN Partner uses AWS Billing and Cost Management service. -200 0
and Cost
Management AWS Billing and Cost Management is the service that APN
Console Partners use to pay their AWS bill, monitor usage, and
budget costs.

Evidence must be in the form of demonstration of the AWS

Billing and Cost Management console, including
demonstration of the following capabilities:
 Ability to download PDF Invoices from the Billing and
Cost Management Console
 Ability to enable Billing Reports
 Ability to enable Billing Alerts
 Ability to manage Cost Allocation Tags
 Ability to explain the benefits of Cost Explorer
 Ability to manage tax exemptions (when applicable)
12.2 AWS APN Partner leverages the AWS Account Settings page to -200 0
Account manage up to date contact and security information for both
Settings the payer and/or linked account(s) that APN Partner
manages.

Evidence must be in the form of demonstration of the

Accounts Settings page, including demonstration of the
following capabilities:
 Ability to update the address information for an AWS
Account
 Ability to describe and set alternate contacts
 Ability to set Security Challenge Questions
 Ability to describe how to close an AWS Account
 Ability to manage cancellation of services (e.g., Support)
12.3 Solution APN Partner leverages third-party ISV or APN Partner- 0 +20
Provider Billing developed solutions for billing management and cost
Solutions optimization to strengthen APN Partner’s ability to provide
proactive recommendations to customers.

Evidence must be in the form of demonstration of the

solutions with examples of how they expand on native AWS
capabilities.
12.4 Solution APN Partners have the following account management -200 0
Provider capabilities:
Account  Ability to create a new account and enable Consolidated
Management Billing
Capabilities  Ability to link or remove an account from a Consolidated
Billing Payer Account, for example using AWS
Organizations
 Ability to sign up for AWS Support
 Ability to enable AWS Identity and Access Management
(IAM) for role-based account management
 Ability to provision account access
 Ability to make reserved capacity purchases

Version 4.0 Amazon Confidential page 27

 AWS Managed Service Provider Partner Program Validation Checklist

Evidence must be in the form of APN Partner demonstration

of the above abilities.
12.5 Solution APN Partners have the following rebilling capabilities: -200 0
Provider  Ability to explain the difference between a blended and
Rebilling unblended rate/cost
Capabilities  Ability to explain why rebilling with a blended rate is not
advised
 Ability to describe the nuances of the Cost and Usage
Report, including:
- Ability to explain key column names
- Ability to show where to find reservation purchases
- Ability to show where to find credit allocation
- Ability to make billing suggestions based on the
report results
 Ability to explain how credit benefit is allocated to a
consolidated bill
 Ability to explain how Reserved Instance benefit is
allocated to a consolidated bill

Evidence must be in the form of APN Partner demonstration

of the above abilities.
12.6 Solution APN Partner uses appropriate Account Controls based on the 0 +20
Provider Account Ownership model leveraged. including at least one
Account of the following:
Controls  Block spend data
 Block access to cost explorer
 Prevent account unlinking

Evidence may be in the form of demonstration of the above

controls or other evidence of application of these controls.
12.7 End User APN Partners are required to provide End User Reporting to -200 0
Reporting AWS. APN Partner must share how information is collected,
maintained, and reported back to AWS.

APN Partner must show at least 90% compliance rate over

the previous 6 months prior to the audit.

More information can be found on APN Partner Central here

(must be logged in):
https://partnercentral.awspartner.com/SolutionProviderEnd
UserReporting?sfdc.tabName=01rE0000000AAzJ
Section 12 Total:

Version 4.0 Amazon Confidential page 28

 AWS Managed Service Provider Partner Program Validation Checklist

13.0 AWS Knowledge

13.1 AWS Customers moving to the cloud are interested in working -200 0
Services and with consulting companies who are able to provide expertise
Features and guidance on how to best leverage all of the unique
services and features that AWS provides.

The traditional roles and responsibilities of MSPs have

changed to include the ability for MSPs to provide those
consulting services which are required to build operationally
sustainable workloads and solutions for the customer.

For at least TWO of the following categories of AWS

Services, APN Partner provides the following:
 Examples of customer solutions leveraging each service.
or
 Example of how the service is used by the APN Partner
in providing managed services to the APN Partner’s
customer base.

Notes:
- In order to receive points for a section, APN Partner
must demonstrate each service marked as
required, and a sufficient number of services for
that section as designated in the “Required”
column.
- APN Service Delivery Program designation for a
service is sufficient evidence for the individual
service in this section, where applicable.
- APN Competency Program designations are not
sufficient evidence for groups of services, as those
program requirements those may be met with non-
AWS services.
- Solution designs from Section 6 may be used as
evidence of meeting this control for implemented
services.
- Unlike previous Checklist versions (v3.3 and
before), hypothetical use cases are not accepted
for this version of the Checklist.
Category Service Required Met Not Met
Amazon Relational Database
Service (Amazon RDS)
Amazon Database Migration Yes
Service (AWS DMS)
Databases
Amazon Aurora
Amazon DynamoDB
Amazon Redshift 1 of 3
Amazon ElastiCache
Amazon Simple Storage
Service (Amazon S3)
Yes
Amazon Elastic Block Store
(Amazon EBS)
Storage Amazon Simple Storage
Service Glacier (Amazon S3
Glacier) 1 of 3
Amazon Elastic File System
(Amazon EFS)

Version 4.0 Amazon Confidential page 29

 AWS Managed Service Provider Partner Program Validation Checklist
AWS Storage Gateway
AWS Identity and Access
Yes
Management (IAM)
Amazon GuardDuty
Amazon Macie
AWS Key Management
Service (AWS KMS) or AWS
CloudHSM
Security Amazon Cognito
AWS Secrets Manager or 7 of 11
AWS Systems Manager
Parameter Store
AWS Single Sign-On
AWS Certificate Manager
(ACM)
AWS WAF or AWS Shield
AWS CloudFormation
AWS CloudTrail
Yes
Amazon CloudWatch
Cloud
AWS Systems Manager
Management
AWS Trusted Advisor
Tools
AWS Config
2 of 4
AWS Service Catalog
AWS Managed Services
AWS CodeBuild
AWS CodeDeploy Yes
AWS CodePipeline
DevOps AWS CodeStar
AWS CodeCommit
2 of 4
AWS X-Ray
AWS Cloud9
Amazon Elastic Container
Service for Kubernetes
(Amazon EKS)
Containers 2 of 3
Amazon Elastic Container
Service (Amazon ECS)
AWS Fargate
Amazon Athena
Amazon EMR
Amazon ElasticSearch
Big Data /
Service 4 of 6
Analytics
Amazon Kinesis
AWS Glue
Amazon QuickSight
AWS IoT Core
IoT AWS IoT Greengrass 2 of 3
Amazon FreeRTOS
Section 13 Total:

TOTAL APN PARTNER SCORE:

Version 4.0 Amazon Confidential page 30

 AWS Managed Service Provider Partner Program Validation Checklist

Appendix A: Best Practice Guides and Reference Materials

Always check the whitepapers URL for the latest versions

Amazon Web Services Whitepapers:

http://aws.amazon.com/whitepapers/

Basic Operational Checklist and Enterprise Operational Checklist: https://d0.awsstatic.com/whitepapers/aws-operational-

checklists.pdf

AWS Security Center:

http://aws.amazon.com/security/

Introduction to AWS Security Whitepaper:

https://aws.amazon.com/whitepapers/aws-security-best-practices/

AWS Security Best Practices Whitepaper:

https://d0.awsstatic.com/whitepapers/Security/AWS_Security_Best_Practices.pdf

AWS Compliance:
https://aws.amazon.com/compliance/

Introduction to Auditing the Use of AWS Whitepaper and Checklist:

https://d0.awsstatic.com/whitepapers/compliance/AWS_Auditing_Security_Checklist.pdf

Introduction to AWS Security Credentials:

http://docs.aws.amazon.com/general/latest/gr/aws-security-credentials.html

Getting Started: Amazon Identity and Access Management: http://docs.aws.amazon.com/IAM/latest/UserGuide/getting-

started.html

IAM Best Practices:

http://docs.aws.amazon.com/IAM/latest/UserGuide/IAMBestPractices.html

Making Secure Requests to Amazon Web Services:

http://aws.amazon.com/articles/1928?_encoding=UTF8&andjiveRedirect=1

Building Fault Tolerant Applications on AWS:

http://d36cz9buwru1tt.cloudfront.net/AWS_Building_Fault_Tolerant_Applications.pdf

Version 4.0 Amazon Confidential page 31

 AWS Managed Service Provider Partner Program Validation Checklist

Summary of Changes
The following changes resulted in the version changes from 3.3 to 4.0.
1. Updated the annual renewal audit process to performance-based renewal process.
2. Add Full Audit process every three years.
3. Updated definition Case Study and added new definition for Launched Opportunities. (See Definitions)
4. Reordered the sections on the checklist to be categorized under Business Practices and MSP Practices.
5. Updated 2.6 in v4.0 Customer References must have been running on APN Partner’s managed services for at least
6 months.
6. Updated 13.1 in v4.0 AWS Services and Features to include new services and new requirements for evidence.
7. Added 8.1.7 in v4.0 APN Partner makes use of multi factor authentication (MFA) to protect customer accounts for
all methods of accessing those customer accounts by interactive users, by default.
8. Added 5.1.7 in v4.0 AWS certified resources to review design of solution.
9. Removed 5.7, 6.1.6, 8.2.3, 12.1.3 from v3.3.
10. Updated 4.2.2 from v3.3 to become two separate controls and updated score, new controls numbered 3.2.2 and
3.2.3 in v4.0.
11. Updated description (control language) for 8.1.3, 8.1.4, and 6.1.6 from v3.3, numbered as 8.1.3, 8.1.4 and 5.1.6 in
v4.0
12. Updated score for 6.1.5, 8.1.6, 9.6.3 from v3.3, numbered as 5.1.5, 8.1.6 and 9.6.3 in v4.0.
13. Updated requirement for 8.0, 10.0 and 12.0 section from v3.3, numbered as 8.0, 6.0 and 4.0 in v4.0.
14. Updated evidence requirement for 9.6.1, 9.6.2, 9.6.3, 13.1 and 13.2 from v3.3, numbered as 9.6.1, 9.6.2, 9.6.3,
11.1 and 11.2 in v4.0.

V3.3 V4.0
Business Health 1.0 2.0
APN Partner Capabilities Overview 2.0 1.0
AWS Knowledge 3.0 13.0
Business Management 4.0 3.0
AWS Billing and Cost Management 5.0 12.0
Solution Design Capability 6.0 5.0
Infrastructure and Application Migration Capabilities 7.0 7.0
Security 8.0 8.0
Service Desk Operations and Customer Support 9.0 9.0
DevOps 10.0 6.0
Service Level Agreements 11.0 10.0
Customer Obsession 12.0 4.0
Optimization 13.0 11.0

Version 4.0 Amazon Confidential page 32