Cyber Essentials Plus on AWS - What It Actually Takes for Cloud-Native Applications

Jerzy Kopaczewski 14 June 2026 11 min read
Contents
Cyber Essentials Plus is increasingly a prerequisite for UK startups - not just for government contracts, but for enterprise sales, investment rounds, and regulated sector partnerships. If your infrastructure runs on AWS, you are in a strong position to pass. But the certification body does not care about your architecture diagrams. They care about what they can observe during a hands-on technical audit.

We have guided multiple UK startups through Cyber Essentials Plus certification on AWS - from an EdTech platform serving 7,500 schools to a healthcare company integrated with NHS systems, and a fintech pursuing a banking licence. This post covers what the scheme actually demands from cloud infrastructure, where AWS managed services make compliance easier, and what trips teams up during the assessment.

 

What Cyber Essentials Plus is (and is not)

Cyber Essentials is a UK government-backed certification scheme with two levels. The basic level (Cyber Essentials) is a self-assessment questionnaire. You answer questions about your security controls, a certification body reviews the answers, and you get a certificate.

Cyber Essentials Plus adds a hands-on technical audit. An assessor connects to your systems and actively tests them - port scanning internet-facing services, verifying patch levels, testing access controls, checking configuration. They are not looking at your documentation. They are looking at your live infrastructure.

The five controls assessed are:

  • Firewalls and internet gateways - restricting inbound traffic to only what is necessary
  • Secure configuration - no default credentials, no unnecessary services running
  • User access control - least privilege, MFA, proper account lifecycle management
  • Malware protection - endpoint security across all devices in scope
  • Patch management - critical patches applied within 14 days of release

The scheme is maintained by the National Cyber Security Centre (NCSC) and administered through certification bodies like IASME. The current assessment costs between £1,500 and £4,500 depending on organisation size and assessor.

Why UK startups need it now

Three years ago, Cyber Essentials Plus was primarily a requirement for government suppliers. Today it has become a de facto expectation in much broader contexts:

  • NHS Digital partnerships - any company integrating with NHS systems is expected to hold CE+ as a minimum. The Data Security and Protection Toolkit (DSPT) references it directly.
  • Enterprise sales - UK corporate procurement teams increasingly require it during vendor onboarding, especially for companies handling sensitive data or holding privileged access.
  • Insurance - cyber insurance providers offer significantly better terms (or will only underwrite at all) for CE+ certified organisations.
  • Investment due diligence - institutional investors and VCs in regulated sectors check for it as part of technical due diligence.
  • Supply chain requirements - under the upcoming Cyber Security and Resilience Bill, more organisations will need to demonstrate supply chain security, and CE+ is the baseline.

If you are a UK startup selling into enterprise, healthcare, financial services, or government - you will need this certification. The question is whether your infrastructure is ready for it.

How AWS managed services reduce your CE+ scope

Here is the good news: if your infrastructure runs on AWS managed services, a significant portion of the CE+ requirements are handled by AWS rather than by you.

What AWS handles (shared responsibility model)

When you use services like ECS Fargate, RDS, Lambda, or managed Kubernetes (EKS with Fargate profiles), AWS is responsible for:

  • Patching the underlying operating systems and hypervisors
  • Physical security of data centres
  • Network infrastructure hardening
  • Host-level malware protection

This means the assessor cannot test these layers - they are out of your scope. Your CE+ assessment focuses on what you control: your application configuration, your IAM policies, your security groups, your user access management, and any endpoints (laptops, phones) that your team uses to access those systems.

The practical difference: EC2 vs Fargate

If you run workloads on EC2 instances, you own the OS. The assessor will check that you have:

  • Automated OS patching (with evidence of patches applied within 14 days)
  • No unnecessary ports open on the instance
  • No default credentials on any services running on the instance
  • Endpoint protection installed and active

If you run the same workloads on ECS Fargate, there is no OS to patch. The container image is your responsibility (keep base images updated), but the underlying host is AWS’s problem. This materially reduces the surface area the assessor needs to examine.

We moved a Scottish EdTech platform from EC2 to ECS Fargate specifically because it simplified their CE+ scope. Three controls (patch management, secure configuration, malware protection) went from complex evidence-gathering exercises to straightforward architectural statements.

The five controls mapped to AWS

1. Firewalls and internet gateways

What the assessor checks: That inbound traffic from the internet is restricted to only necessary ports and services.

AWS implementation:

  • Security groups configured to allow only required inbound ports (typically 443 for HTTPS, nothing else)
  • Network ACLs as a secondary layer
  • ALB or CloudFront as the only internet-facing component
  • VPC architecture with private subnets for compute and data layers
  • No public IP addresses on ECS tasks, RDS instances, or other backend services

What trips teams up: Legacy security groups with 0.0.0.0/0 on port 22 (SSH). Even if nobody uses it, if the assessor finds it, it is a finding. Clean up before the assessment.

Evidence required: Security group configurations showing restrictive inbound rules. A network diagram showing traffic flow. The assessor will port-scan your internet-facing services.

2. Secure configuration

What the assessor checks: No default passwords, no unnecessary services running, configuration hardened to manufacturer (in this case, AWS) recommendations.

AWS implementation:

  • No default credentials anywhere - all passwords, tokens, and keys managed through AWS Secrets Manager with automatic rotation
  • Only necessary services deployed - no leftover resources from testing or previous architectures
  • AWS Config rules monitoring for configuration drift against best-practice baselines
  • Container images based on minimal base images (Alpine, distroless) with no unnecessary packages

What trips teams up: Forgotten EC2 instances running development tools. Unused Elasticsearch clusters left open. Default admin panels exposed on non-standard ports. The assessor will find them.

3. User access control

What the assessor checks: That user accounts follow least privilege, that MFA is enforced, and that leavers have been removed.

AWS implementation:

  • IAM Identity Center (SSO) with MFA enforced for all users
  • No long-lived IAM access keys - use OIDC federation for CI/CD, instance roles for workloads
  • Permission sets mapped to job functions (developer, operations, billing)
  • Session expiry configured (maximum 8-12 hours)
  • Documented joiners/movers/leavers process
  • CloudTrail logging all API activity

What trips teams up: That one shared IAM user from 2019 that “we’ll clean up later.” Service accounts with AdministratorAccess. Personal AWS access keys checked into git history (even if rotated since).

For a UK fintech pursuing a banking licence, we replaced scattered IAM users with centralised SSO through IAM Identity Center. Every user authenticates through a single identity provider with enforced MFA. Permission sets map to job functions. No exceptions.

4. Malware protection

What the assessor checks: That all devices in scope have malware protection installed and active.

AWS implementation:

  • For the infrastructure itself: Amazon GuardDuty monitors for malicious activity, Amazon Inspector scans container images for vulnerabilities
  • For team endpoints (laptops): this is about your team’s devices, not your servers. Everyone with access to AWS or production systems needs endpoint protection (CrowdStrike, SentinelOne, Microsoft Defender - whatever your company uses)
  • For serverless/container workloads: no traditional antivirus needed, but container image scanning at the ECR level ensures no known vulnerabilities are deployed

What trips teams up: The assessor tests your team’s laptops, not your servers. If your developers access production via SSH from a MacBook without endpoint protection, that is a finding. This catches people off guard because they focus on server-side security and forget that CE+ includes the devices used to manage those servers.

5. Patch management

What the assessor checks: That critical and high-severity patches are applied within 14 days of release.

AWS implementation:

  • Managed services (RDS, Fargate, Lambda): AWS patches the underlying platform. You are responsible for your application code and dependencies.
  • Container images: rebuild and redeploy with updated base images regularly. Automate this through CI/CD - trigger rebuilds when base images update.
  • Application dependencies: Dependabot, Renovate, or Snyk to detect and auto-patch vulnerable libraries.
  • Amazon Inspector continuous scanning catches known CVEs in running containers.

What trips teams up: That one container image built six months ago and never rebuilt. Even if it works fine, if it contains a known critical vulnerability, it fails the patch management control. Automate your image rebuilds.

In our NHS-integrated healthcare platform project, we implemented Amazon Inspector for continuous container scanning. Critical findings now block deployment automatically - the team cannot ship a vulnerable image even if they try.

Infrastructure as Code is your compliance documentation

Here is the insight that makes CE+ significantly easier on AWS: if your infrastructure is defined in Terraform, your security controls are version-controlled, auditable, and reproducible.

When the assessor asks “show me your firewall configuration,” you point them at a Terraform module. When they ask “how do you ensure no default credentials,” you show them the Secrets Manager configuration in code. When they ask about access control, you show them the IAM Identity Center permission sets defined in HCL.

Infrastructure as Code turns a documentation exercise into a code review. Every control is:

  • Defined explicitly (no undocumented manual changes)
  • Version-controlled (complete history of who changed what and when)
  • Testable (you can validate controls in CI before they reach production)
  • Reproducible (if the assessor wants to see a clean environment, you can rebuild one)

This is the approach we used across all our UK CE+ projects. The certification body gets clean evidence, the assessment moves faster, and ongoing recertification (CE+ is annual) becomes a straightforward review rather than a scramble.

Common mistakes that fail assessments

Based on our experience guiding UK startups through CE+ on AWS:

  1. Forgetting scope includes endpoints. CE+ assesses the devices your team uses to access systems, not just the systems themselves. Make sure all laptops and phones are covered.

  2. Shadow IT and forgotten resources. That dev environment someone spun up six months ago. That test RDS instance with a default password. The assessor scans everything internet-facing on your account.

  3. Over-scoping. You can limit the assessment scope to specific systems. If your marketing website runs on Netlify and has nothing to do with your core platform, exclude it from scope. Work with your assessor to define a sensible boundary.

  4. No evidence of process. The assessor does not just check current state - they want to see that you have a process for maintaining it. Joiners/leavers documentation, patching cadence records, vulnerability management workflow.

  5. Last-minute scramble. CE+ is not hard if your infrastructure is well-managed. It is extremely stressful if you try to fix everything in the two weeks before assessment. Start preparation 2-3 months ahead.

Timeline: from zero to certified

For a typical UK startup running on AWS with reasonable infrastructure hygiene:

Phase Duration Activities
Gap assessment 1-2 weeks Audit current state against CE+ controls, identify gaps
Remediation 2-6 weeks Fix identified gaps - security groups, IAM, patching, endpoint protection
Evidence preparation 1 week Document controls, prepare for assessor questions
Assessment 1-2 days Assessor performs technical testing
Certification 1 week Results processed, certificate issued

Total: 5-10 weeks from decision to certification, depending on how much remediation is needed.

If your infrastructure is already well-managed with IaC, the remediation phase shrinks to days. If you are starting from a manual, ad-hoc setup, budget for the full timeline.

What it costs

Item Cost
CE+ assessment (organisation size dependent) £1,500–£4,500
Infrastructure remediation (if needed) Variable - depends on current state
Annual recertification Same as initial assessment

The certification itself is not expensive. The work is in getting your infrastructure to the point where it passes. If your AWS environment is already built with security in mind - Terraform, proper IAM, managed services, automated patching - you may need minimal remediation. If not, that is the real investment.

Getting started

If you are a UK startup running on AWS and need Cyber Essentials Plus - whether for an enterprise contract, NHS integration, insurance, or investor requirements - we can help you get there efficiently.

We have been through this process with EdTech platforms, NHS-integrated healthcare companies, and fintechs pursuing banking licences. We know what the assessors look for and how to structure your AWS environment so that passing is a formality rather than a scramble.

Book a free consultation and we will tell you honestly how ready you are and what needs to change.

Cyber Essentials AWS UK compliance security cloud infrastructure

Read also:

Previous post Next post