November 11, 2025, in AWS

How we passed the AWS FTR in weeks — a technical deep dive from Skematic’s build team

A new platform purpose-built to simplify and scale cloud partnerships

The FTR as a launchpad, not a roadblock

For most SaaS startups building on AWS, the Foundational Technical Review (FTR) feels like a late-stage technical audit, a box to check when you're ready to co-sell. But at Skematic, we flipped the script.

We treated the FTR as a core part of our co-build phase, not a final hurdle. That decision helped us clear over 100 AWS security controls in under a month, avoid technical debt, and lay the foundation for ISV Accelerate before our first co-sell motion.

This post breaks down the tools, processes, and architectural choices we used to make that happen—so you can do the same.

What AWS is actually checking in the FTR

The FTR is based on the AWS Foundations Benchmark 3.0 and includes over 100 best-practice controls across these domains:

  • Identity and Access Management (IAM): Role-based access, least privilege policies, MFA
  • Data Protection: S3 bucket policies, KMS encryption, key rotation
  • Logging and Monitoring: CloudWatch, AWS Config, centralized logging, alerting
  • Infrastructure Resilience: Backups, recovery plans, multi-AZ deployments
  • Operational Excellence: Documentation, architecture diagrams, incident response plans

Step-by-step: How Skematic cleared the FTR in weeks

1. Early move to production-ready architecture

We didn't wait to "harden" the environment until after MVP. Instead:

  • Moved staging workloads to a production-grade VPC with security controls in place
  • Ensured all services (Lambda, API Gateway, ECS) ran inside private subnets
  • Used VPC endpoints for S3, RDS, and Secrets Manager so that traffic to those services never left the VPC or traversed a public IP

2. IAM: Role separation and least privilege

  • Replaced any roles carrying the broad AdministratorAccess policy with fine-grained managed and inline policies
  • Created separate roles for development, deployment, and runtime services
  • Enforced IAM conditions to restrict actions by source IP, MFA, or tagging
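To make the three IAM bullets concrete, here is an added example (not Skematic's code) of an offline lint pass over IAM policy documents. It flags the patterns an FTR reviewer rejects (wildcard actions, Resource "*" on mutating actions, Allow with NotAction, sensitive actions without an MFA condition) and shows the scoped replacement with source-VPC-endpoint, MFA and source-IP conditions. The policies, the VPC endpoint id, account id and key id are constructed samples; the set of "sensitive" action prefixes is this example's choice, not an AWS list.

```python
"""Offline lint for IAM policy documents, covering the least-privilege
issues an FTR reviewer looks for: wildcard actions, Resource "*" on
mutating actions, Allow+NotAction, and sensitive actions with no MFA
condition. Added example, not Skematic's or AWS's code; all sample
policies and identifiers below are constructed."""
import json

ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"
# Action prefixes this example treats as sensitive enough to require MFA.
MFA_REQUIRED_PREFIXES = ("iam:", "kms:ScheduleKeyDeletion", "s3:DeleteBucket")
READ_ONLY_VERBS = ("Describe", "List", "Get")


def _as_list(value):
    """Action/Resource/Statement may be a single string/dict or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_wildcard(action):
    return action == "*" or action.endswith(":*")


def _is_read_only(action):
    verb = action.split(":", 1)[-1]
    return verb.startswith(READ_ONLY_VERBS)


def _is_sensitive(action):
    return action == "*" or action.startswith(MFA_REQUIRED_PREFIXES)


def _requires_mfa(stmt):
    """True when the statement carries aws:MultiFactorAuthPresent = true."""
    cond = stmt.get("Condition", {})
    for op in ("Bool", "BoolIfExists"):
        flag = cond.get(op, {}).get("aws:MultiFactorAuthPresent", "false")
        if str(flag).lower() == "true":
            return True
    return False


def lint_policy(policy):
    """Return a list of human-readable findings for one policy document."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        sid = stmt.get("Sid", f"Statement[{idx}]")
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "NotAction" in stmt:
            findings.append(f"{sid}: Allow with NotAction grants every action not listed")
        wild = [a for a in actions if _is_wildcard(a)]
        if wild:
            findings.append(f"{sid}: wildcard actions {wild}")
        if "*" in resources and not all(_is_read_only(a) for a in actions):
            findings.append(f"{sid}: Resource '*' on non-read-only actions")
        sensitive = [a for a in actions if _is_sensitive(a)]
        if sensitive and not _requires_mfa(stmt):
            findings.append(f"{sid}: {sensitive} allowed without an MFA condition")
    return findings


def find_admin_attachments(attached_policy_arns):
    """Return the ARNs that are the broad AdministratorAccess managed policy."""
    return [arn for arn in attached_policy_arns if arn == ADMIN_POLICY_ARN]


# Constructed samples: the kind of policy the FTR rejects, and a scoped replacement.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AppDataRW",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::example-app-data/*",
            # Only reachable through the (constructed) VPC endpoint id below
            "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0example00000000"}},
        },
        {
            "Sid": "KeyDeletionNeedsMfa",
            "Effect": "Allow",
            "Action": "kms:ScheduleKeyDeletion",
            "Resource": "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000",
            "Condition": {
                "Bool": {"aws:MultiFactorAuthPresent": "true"},
                "IpAddress": {"aws:SourceIp": "198.51.100.0/24"},
            },
        },
    ],
}

if __name__ == "__main__":
    for name, policy in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, json.dumps(lint_policy(policy), indent=2))
```

Run it against the policy documents extracted from your CloudFormation templates in CI; a non-empty findings list fails the build before the role ever exists in the account. IAM Access Analyzer does a deeper job against live roles, but this kind of pre-deploy lint catches the obvious AdministratorAccess and "*" cases at review time.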

3. Centralized logging with CloudWatch and AWS Config

  • Set up CloudWatch Log Groups for every service and enforced retention policies
  • Enabled AWS Config for tracking resource drift and config compliance
  • Integrated with Security Hub to view critical findings in one place
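The retention and encryption points from this step (and the KMS point in the next one) can be checked mechanically. The following is an added example, not Skematic's code: it audits CloudWatch log groups for a missing retention policy (events never expire) and for the absence of a customer-managed KMS key. It operates on the dict shape that boto3's `logs.describe_log_groups` returns, so the constructed sample below can be swapped for real pages from that call; the log group names, key ARN and the 365-day ceiling are this example's assumptions.

```python
"""Audit CloudWatch log groups for the gaps the FTR logging controls
target: no retention policy and no customer-managed KMS key. Added
example, not Skematic's code. The sample data is constructed to mirror
the shape of boto3 logs.describe_log_groups responses."""

MAX_RETENTION_DAYS = 365  # policy ceiling chosen for this example


def audit_log_groups(log_groups, max_retention_days=MAX_RETENTION_DAYS, require_cmk=True):
    """Return {logGroupName: [issues]} for every group that violates the policy."""
    report = {}
    for group in log_groups:
        issues = []
        name = group["logGroupName"]
        retention = group.get("retentionInDays")  # key absent => never expire
        if retention is None:
            issues.append("no retention policy (events never expire)")
        elif retention > max_retention_days:
            issues.append(f"retention {retention}d exceeds {max_retention_days}d")
        if require_cmk and not group.get("kmsKeyId"):
            issues.append("not encrypted with a customer-managed KMS key")
        if issues:
            report[name] = issues
    return report


def fetch_log_groups(client):
    """Page through describe_log_groups with a boto3 'logs' client.
    Needs AWS credentials, so it is not exercised offline."""
    groups = []
    for page in client.get_paginator("describe_log_groups").paginate():
        groups.extend(page["logGroups"])
    return groups


def enforce_retention(client, report, days=90):
    """Remediate: set a retention policy on every group the audit flagged for
    having none. Uses boto3 logs.put_retention_policy; not exercised offline."""
    for name, issues in report.items():
        if any(issue.startswith("no retention policy") for issue in issues):
            client.put_retention_policy(logGroupName=name, retentionInDays=days)


# Constructed sample in the describe_log_groups shape.
SAMPLE_LOG_GROUPS = [
    {"logGroupName": "/aws/lambda/orders-api", "retentionInDays": 90,
     "kmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"},
    {"logGroupName": "/aws/lambda/legacy-worker"},  # defaults: never expire, no CMK
    {"logGroupName": "/ecs/web", "retentionInDays": 3653,
     "kmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"},
]

if __name__ == "__main__":
    for name, issues in audit_log_groups(SAMPLE_LOG_GROUPS).items():
        print(name, "->", "; ".join(issues))
```

The audit function is pure, so it runs in CI against a snapshot of log groups exported from each account; the two boto3 helpers are what you would wire it to in practice. Keeping retention explicit on every group is what the "don't rely on default log groups or loose retention settings" lesson later in this post comes down to.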

4. Encryption everywhere

  • Used customer-managed KMS keys (CMKs) for S3, RDS, Secrets Manager, and EBS
  • Implemented automatic key rotation
  • Verified encryption in transit using TLS 1.2+ across all endpoints
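Encryption in transit and at rest for S3 is enforced at the bucket-policy layer rather than trusted to clients. Here is an added example (not Skematic's code) that builds a bucket policy denying any request not made over TLS (`aws:SecureTransport`) and any PutObject that does not request SSE-KMS, and then verifies that an arbitrary policy document, such as the string returned by `get_bucket_policy`, contains both controls. The bucket name, account id and role below are constructed placeholders.

```python
"""Build and verify an S3 bucket policy that enforces TLS for every request
and SSE-KMS on every PutObject. Added example, not Skematic's code; bucket
name and principals are constructed placeholders."""
import json


def _as_list(value):
    return value if isinstance(value, list) else [value]


def hardened_bucket_policy(bucket):
    """Two explicit Deny statements; Deny always wins over any Allow."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [bucket_arn, f"{bucket_arn}/*"],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
            {
                "Sid": "DenyUnencryptedPut",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": f"{bucket_arn}/*",
                # StringNotEquals also matches when the header is absent,
                # so unencrypted uploads are denied as well.
                "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}},
            },
        ],
    }


def enforces_tls(policy):
    """True if a Deny over s3:* keys on aws:SecureTransport == false."""
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Deny" or "s3:*" not in _as_list(stmt.get("Action")):
            continue
        flag = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport", "")
        if str(flag).lower() == "false":
            return True
    return False


def enforces_kms_on_put(policy):
    """True if a Deny on s3:PutObject requires x-amz-server-side-encryption: aws:kms."""
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Deny" or "s3:PutObject" not in _as_list(stmt.get("Action")):
            continue
        cond = stmt.get("Condition", {}).get("StringNotEquals", {})
        if cond.get("s3:x-amz-server-side-encryption") == "aws:kms":
            return True
    return False


def check_bucket_policy(policy_document):
    """Accepts either a parsed dict or the JSON string get_bucket_policy returns."""
    policy = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    return {"tls_enforced": enforces_tls(policy), "kms_put_enforced": enforces_kms_on_put(policy)}


# Constructed sample of a typical pre-FTR policy: grants access, enforces nothing.
PERMISSIVE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-runtime"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-app-data/*",
    }],
}

if __name__ == "__main__":
    print("permissive:", check_bucket_policy(PERMISSIVE_POLICY))
    print("hardened:  ", check_bucket_policy(json.dumps(hardened_bucket_policy("example-app-data"))))
```

Pair the bucket policy with default bucket encryption set to the same CMK so that objects are encrypted even if a client omits the header; the Deny statement then acts as a backstop rather than the only control. AWS Config's managed rules can flag buckets lacking these policies across accounts; this checker is the local equivalent for templates in review.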

5. JSON is your friend

  • The FTR report output is JSON, not just checkboxes in a UI
  • Will Black (VP of AWS Partner Engineering) dug directly into the raw JSON to resolve ambiguous failures quickly
  • Pro tip: Validate each section by parsing the output locally before submission

The big misconception: The FTR is not security theater

Many founders assume the FTR is bureaucratic overhead. In reality, it’s a streamlined audit of what you should be doing anyway if you’re running production-grade workloads on AWS.

"Think of the FTR as a forced opportunity to bake in security and resilience before you scale," says Will. "It’s cheaper to do now than retrofit later."

Skematic’s FTR lessons learned

  • Start early: Begin during co-build, not after you're in production.
  • Automate IAM validation: Use tools like IAM Access Analyzer and CloudFormation drift detection.
  • Centralize logs from day one: Don’t rely on default log groups or loose retention settings.
  • Use AWS Config and Security Hub: These services catch what human checklists won’t.
  • Print the guide if you have to: Will literally printed and highlighted the FTR PDF—it helped.

Tools We Used

Tool/Service                 Purpose
AWS CloudFormation           Declarative environment setup
AWS Config                   Drift detection, compliance checks
AWS Security Hub             Aggregate alerts across services
AWS IAM Access Analyzer      Detect over-permissive roles
VPC Endpoints                Secure service access without public IPs
AWS KMS                      Key management and encryption policies
CloudWatch Logs & Metrics    Observability and alerting
S3 Bucket Policies           Access control and encryption enforcement

How the AWS Partner Skematic helps justify completing the FTR

Skematic helps ISVs determine whether they are well aligned with AWS and prepares them to justify investing the time and resources needed to complete the FTR.

The AWS Partnership Skematic helps you:

  • Automatically assess a company’s AWS partnership readiness.
  • Make sure your ISV is aligned with an AWS customer, seller and/or industry.
  • Deliver your partnership strategy.
  • Provide an initial “better together” story as a starting point to help justify the FTR resource investment.

Final advice: Make FTR your first move, not your last

FTR readiness is your first proof point that your SaaS is secure, scalable, and aligned with AWS best practices. Skipping it creates technical debt. Delaying it limits your access to AWS funding, programs, and Marketplace.

Run a Free AWS Readiness Skematic

Want to see if your company is ready to partner with AWS? Get your Partnership Skematic here to see your path to ISV Accelerate. Start here.