AWS Partner Network (APN) Blog

How to Ace the AWS MSP Partner Program Validation Audit with CloudHealth by VMware

By Amber Gregorio, Sr. Product Marketing Manager at CloudHealth by VMware
By Adrian SanMiguel, Principal Architect, AWS MSP Partner Program
By Shashiraj Jeripotula, Sr. Partner Solutions Architect at AWS

Connect with CloudHealth-2

The cloud market continues to evolve rapidly, and Managed Service Providers (MSPs) must go beyond reselling to provide the next generation of cloud managed services.

Customers no longer want individual tools for each cloud provider; they expect MSPs to provide value by delivering cloud-agnostic tools for each step of their cloud journey—plan and design > build and migrate > run and operate > optimize.

In addition to delivering value-adding products and services, next-generation MSPs are increasingly expected to provide validation that they can meet all of your cloud needs. According to an IDC Worldwide Managed CloudView survey, 60 percent of businesses are willing to pay a premium for managed cloud services that are certified by the cloud provider.

This means there is great upside for MSPs who achieve certification as an Amazon Web Services (AWS) MSP Partner. In this post, we will detail how using CloudHealth by VMware can help MSPs meet many of the requirements to become an AWS MSP Partner.

CloudHealth by VMware is an AWS Advanced Technology Partner with AWS Competencies in Cloud Management Tools, Security, Migration, and Education.

CloudHealth makes it possible for enterprises to control and analyze the costs, compliance, and performance of their computing environments across their own data centers and public clouds.

CloudHealth by VMware is available on AWS Marketplace >>

Benefits of Becoming an AWS MSP Partner

The AWS MSP Partner Program recognizes and rewards MSP Partners who embrace and embody the concept of the next-generation Managed Service Provider. This validation gives customers confidence in the MSP they choose to team up with.

As an AWS MSP Partner, you will:

  • Transform your AWS-based business: Evolve your offering to align with the concept of next-gen managed service practices.
  • Earn industry and analyst recognition: Give customers confidence in your ability to guide them as a member of the industry-leading AWS MSP Partner Program.
  • Increase visibility with customers: Your logo and company information will be highlighted on the AWS Partner Network (APN) website, and you’ll receive a badge to display your expertise to customers.
  • Gain go-to-market support: Co-funded activities such as marketing campaigns and AWS-hosted events drive brand recognition and new business.

How to Get Started on Your AWS MSP Journey

The process to achieve AWS MSP Partner status is rigorous. Becoming a certified AWS MSP Partner requires an in-depth audit of your capabilities, but there are several prerequisites you must meet before scheduling an MSP Program Full Audit.

Program Prerequisites

  • APN membership: MSP Partners must first become an Advanced or Premier Tier AWS Consulting Partner, which comes with a $2,500 USD annual fee and a list of its own requirements.
  • Customer references: Have at least four (4) AWS customer references, with at least two (2) that are publicly referenceable.
  • Self-Assessment: MSP Partners must complete a Checklist Self-Assessment and email it to AWS.
  • *NEW* Pre-Assessment: After AWS reviews the Self-Assessment (which takes up to 10 business days), they will connect you with a third-party auditing firm to conduct the Pre-Assessment remotely. The Pre-Assessment typically takes 6-8 hours and costs $2,000 USD.

Full Audit

After completing all of the prerequisites, AWS will schedule a two-day Full Audit of all the items in the checklist. The audit can be held remotely or on-site, and costs $3,000 USD (plus applicable travel fees). Make sure to have experts from your organization attend who can speak in-depth about the requirements.

After you pass the audit, you’re all set for 12 months until it’s time for your annual performance-based renewal. The renewal process is simpler than the Full Audit, which only has to be done every 36 months.

How MSP Audit Scoring Works

MSP Partners sitting for a Full Audit start at a score of 0 points, and must finish with 900 total points to pass. Mandatory capabilities are denoted as -200 points. This means that if an MSP fails to demonstrate a mandatory capability, they lose 200 points, effectively resulting in a failed audit as the final score will be at maximum 800 points.

Other non-mandatory items on the checklist are considered “score impacting items,” and an MSP will gain +10, +20, or +40 points for demonstrating each respective audit control’s evidence throughout the checklist.


Figure 1 – Sample AWS MSP audit checklist version 4.1.

Demonstrate Audit Requirements with CloudHealth

With the CloudHealth MSP Platform, organizations can easily demonstrate multiple mandatory and non-mandatory capabilities on the AWS MSP Partner Program Validation Checklist.

MSPs using CloudHealth save hours of time and money preparing for the audit, and can help ensure that numerous mandatory controls can be met.

Dozens of leading cloud MSPs—such as Smartronix, AC3, and AllCloud—have already partnered with CloudHealth by VMware to bring their MSP offerings to the next generation on AWS.

“With CloudHealth, we’re empowered with the insights we need to drive business outcomes for our customers,” says Claudia Couzi, General Manager of Operational Services at AC3. “Over the past 12 months, CloudHealth has enabled us to save over $2.5 million for our customers.”

Read the CloudHealth & AC3 case study >>

Without further ado, let’s dive into some of the line items in the AWS MSP audit that CloudHealth can help you with.

Audit Section 4: Customer Obsession

4.2.2 Customer Review (-200 points)Partner regularly assesses customer infrastructure cost and highlights opportunities to optimize these costs to its customers through reporting.

You can gain visibility into and report on infrastructure costs with CloudHealth’s Cost History reports.


Figure 2 – CloudHealth Cost History reports.

CloudHealth also highlights opportunities to optimize costs in the Health Check Pulse report.

In this report, you will find a summary of savings to be had by terminating unused Amazon Elastic Block Store (Amazon EBS) volumes, by rightsizing resources, and by optimizing reservations. Links bring users to more detailed reports where the recommended action can be taken.


Figure 3 – CloudHealth Health Check Pulse report.

You can also receive industry-leading rightsizing recommendations for compute and storage resources via rightsizing reports. Users can dive deeper into each recommendation and compare options side by side.


Figure 4 – CloudHealth rightsizing recommendations.

4.2.3 Cloud Center of Excellence (+20 points)Partner maintains a Cloud Center of Excellence (CCoE).

CloudHealth strongly encourages businesses to establish a Cloud Center of Excellence (CCoE), and trains all of the MSPs it works with how to build and operate a CCoE team.

Over the last decade working with thousands of cloud users, CloudHealth has built a cloud maturity framework for the CCoE team to improve cloud financial management, operations and governance, and security and compliance.


Figure 5 – CloudHealth cloud maturity framework.

Audit Section 5: Solution Design Capability

5.1.3 Solution Capabilities (-200 points)Details of the system performance, capacity management, and availability measurement systems to be put in place to measure success of proposed design.

CloudHealth provides detailed usage and performance reports for numerous assets that can be used in a design document to illustrate the measured success of the proposed design.

CloudHealth reports reveal the usage and performance of various AWS resources, including compute, storage, containers, and database resources in addition to Elasticsearch and Amazon Redshift, as well as Reserved Instance (RI) usage.


Figure 6 – CloudHealth Usage report.

5.1.4 Solution Capabilities (+20 points)Assessment of customer’s security requirements and procedures with gap identification.

CloudHealth compares your infrastructure against AWS and Center for Internet Security (CIS) Best Practices to identify gaps and recommend remediations. The CloudHealth Security Recommendations report also organizes security violations by severity so users can prioritize remediation.


Figure 7 – CloudHealth Security Recommendations report.

Audit Section 7: Infrastructure and Application Migration Capability

7.0 Migration CompetencyAWS Partners who hold AWS Competencies for either Migration Consulting Partners or Migration Delivery Partners will automatically be granted all points in this section.

CloudHealth has an active AWS Migration Competency and can assist MSPs with gaining their own certification as a Migration Consulting Partner or Migration Delivery Partner. While using the CloudHealth product is not a path toward achieving Migration Consulting or Delivery certifications, the CloudHealth team can share their expertise and experience to help guide you along that journey.

However, even if you decide that a Migration Consulting or Migration Delivery certification is not appropriate for you, you can still meet the following mandatory requirement in Section 7 of the checklist using CloudHealth.

7.2 Application Migration Capabilities (-200 points)Partner has documented and demonstrated application migration capabilities.

CloudHealth’s Migration Assessment for AWS makes recommendations for moving workloads from a data center to AWS based on asset types, regions, reservations, and associated projected costs. This allows you to compare the total cost of ownership (TCO) and make intelligent migration decisions.

CloudHealth’s migration assessment tools can be a strong complement to a prospective MSP Partner’s application migration capabilities.


Figure 8 – CloudHealth Migration Recommendations report.

Audit Section 8: Security

8.1.4 Security Management (-200 points)Partner does not administrate AWS accounts by use of root account credentials.

CloudHealth governance policies look for accounts that use root account credentials and sends a notification when out of compliance.


Figure 9 – CloudHealth root account configuration.

8.1.10 Security Management (-200 points)Partner ensures MFA is activated on all Partner and customer AWS root accounts.

CloudHealth governance policies look for root accounts that don’t have multi-factor authentication (MFA) enabled and sends a notification when out of compliance.


Figure 10 – CloudHealth MFA configuration.

8.2.1 Security Event Logging and Retention (-200 points)Security events are stored in a log for regulatory and analysis purposes.

CloudHealth stores and reports on all security events in two places. A Security Risk Exposure summary can be found in the Health Check Pulse report. Clicking a link brings users to the detailed list of security violations where recommended actions can be taken (see Figure 7).


Figure 11 – CloudHealth security event logging.

8.2.3 Security Event Logging and Retention (-200 points)Partner has AWS CloudTrail enabled on all managed accounts and a process is in place to maintain log integrity.

CloudHealth policies identify accounts without AWS CloudTrail enabled for all regions; without CloudTrail logging data in an Amazon Simple Storage Service (Amazon S3) bucket; CloudTrail Logs that don’t have file validation enabled; and accounts lacking CloudTrail Log Encryption.


Figure 12 – CloudHealth’s AWS CloudTrail configuration.

Audit Section 9: Next-Generation Service Management

9.8.2 Continuous Compliance (+40 points)Partner provides continuous compliance solutions to their customers to ensure compliance of resource level controls.

CloudHealth has policies that monitor compliance with AWS and CIS best practices, including automated actions that will notify and take action when a server falls out of compliance.


Figure 13 – AWS and CIS best practices violation report in CloudHealth.

9.9.1 Event Management (+20 points)Partner has a process for detecting, categorizing, and taking action on all events.

CloudHealth Activity Feed tracks all events in real-time, categorizes them by added, deleted, or changed resources, and provides details of each change so action can be taken if necessary.


Figure 14 – CloudHealth Activity Feed.

9.12 Asset Management (+20 points)Partner has a strategy for tracking and managing its AWS deployed assets.

CloudHealth pulls and reports on all AWS assets within an account, including tagging information and the ability to group assets in reports. Policies enforce tagging requirements and notify MSPs when an asset is out of compliance. Corrective actions can be automated under Governance.


Figure 15 – CloudHealth AWS assets.

9.14 Customer Reports (+20 points)Partner provides web accessible customer reports. Reports should allow customers to self-select parameters such as devices and thresholds.

CloudHealth keeps 13 months of historical data across all tracked assets, and provides performance and usage-related information over the historical time period using OLAP (Online Analytical Processing) reports.

CloudHealth is a web-based platform and MSPs can provide controlled access to their customers. In Figure 16, you can see one example of a web-accessible report from CloudHealth. This example shows Amazon Relational Database Service (Amazon RDS) instance usage over time for each type of RDS instance running in your environment.


Figure 16 – CloudHealth’s web accessible reports.

Audit Section 12: AWS Billing and Cost Management

12.3 Solution Provider Billing Solutions (+20 points)Partner leverages third-party ISV or Partner-developed solutions for billing management and cost optimization to strengthen their ability to provide proactive recommendations to customers.

CloudHealth gives MSPs instant visibility, optimized cloud resources, and policies to facilitate governance of their customers’ cloud environments. The platform provides actionable insights to improve cost, usage, performance, and security across the cloud.

The CloudHealth platform also offers a critical tool for MSPs to generate separate invoices for each of their underlying customers from a consolidated account bill.


Figure 17 – CloudHealth Partner Billing.

12.7 End User Reporting (-200 points)Partners are required to provide End User Reporting to AWS as terms of their Agreement.

MSPs can share CloudHealth reports with AWS to satisfy their terms of agreement for end user reporting.


Figure 18 – CloudHealth end user reporting.


In this post, we demonstrated how CloudHealth by VMware can help Managed Service Providers (MSPs) work to ensure that numerous mandatory controls, and some non-mandatory controls, can be met in the Full Audit.

It’s important to note that missing a single mandatory control item is sufficient to fail the AWS MSP Partner Validation Audit Checklist, where a score of 900 out of a maximum of 1,000 points is required.

This checklist demonstrates to the market, and to your prospective customers, that you keep security, end user reporting, and billing at top of mind—and that your AWS MSP practice can meet the demands of the market and customers.

We’ve also discussed how the use of CloudHealth can help you on your journey to becoming a validated AWS MSP Partner, and specifically, which capabilities of CloudHealth can meet these controls.

To get started, download the CloudHealth Kit for the AWS MSP Audit for a handy checklist of each item covered above and a slide deck detailing each capability.

To learn more about how the CloudHealth Partner Platform can help your customers accelerate their cloud journeys, book a demo or try it for free.


CloudHealth by VMware – AWS Partner Spotlight

CloudHealth by VMware is an AWS Advanced Technology Partner and trusted software platform for accelerating global business transformation in the cloud.

Contact CloudHealth | Partner Overview | AWS Marketplace

*Already worked with CloudHealth? Rate the Partner

*To review an AWS Partner, you must be a customer that has worked with them directly on a project.