Cyber Essentials Plus for AWS

Cyber Essentials Plus is the baseline security certification for UK businesses selling into enterprise, healthcare, government, or regulated sectors. If your infrastructure runs on AWS, you are well-positioned to pass - but the technical audit tests what the assessor can observe, not what you intend to implement.

We have guided UK startups through Cyber Essentials Plus on AWS across healthcare (NHS integrations), fintech (banking licence applications), and EdTech (children's data protection). We know what the assessors check and how to structure your cloud environment so that passing is straightforward.

What We Deliver

Gap assessment

Gap assessment

Audit your current AWS infrastructure against all five CE+ controls. Clear report showing what passes today, what needs remediation, and a prioritised plan to close gaps. Typically 1-2 weeks.

Remediation in Terraform

Remediation in Terraform

We fix the gaps - defined in code, version-controlled, repeatable. Security groups, IAM Identity Center, Secrets Manager, automated patching. Typically 2-6 weeks depending on current state.

Assessment support

Assessment support

Evidence preparation, team briefing on what the assessor will ask, and availability during the assessment to answer infrastructure questions. If findings arise, we remediate and support re-assessment.

Ongoing compliance

Ongoing compliance

CE+ is annual. We maintain your compliance posture as infrastructure evolves - monitoring for drift, applying patches, managing access changes, and preparing for recertification.

Why Managed Services Make CE+ Easier

ECS Fargate eliminates OS patching

Move from EC2 to Fargate and the underlying OS patching obligation shifts to AWS. Three CE+ controls become architectural statements rather than evidence-gathering exercises.

RDS handles database security

Encryption at rest and in transit by default, automated patching, point-in-time recovery. Multiple CE+ requirements addressed by a single architectural decision.

Infrastructure as Code is your evidence

When every resource is defined in Terraform, security controls are version-controlled and auditable. The assessor reviews code, not screenshots.

IAM Identity Center replaces scattered access

Centralised SSO with enforced MFA, role-based permission sets, session expiry. Clean evidence for the user access control requirement.

Service scope

Security group lockdown and network architecture review
IAM Identity Center setup with SSO and MFA enforcement
Secrets management migration to AWS Secrets Manager
Container image scanning (Amazon Inspector)
Automated patching pipeline for dependencies
Endpoint compliance guidance for team devices
Evidence documentation for assessment
Post-certification monitoring and annual recertification support

See how it works in practice

Please enter your full name.
Please provide a valid email address.
Please enter your message.
You must agree before submitting.

We inform you that the administrator of your personal data provided in the contact form is Devopsity sp. z o.o (al. Zwycięstwa 96/98, 81-451 Gdynia). Personal data ... Read more

Frequently asked questions

Typically 5-10 weeks from decision to certification. If your infrastructure is already well-managed with IaC, the remediation phase shrinks to days. If you are starting from a manual setup, budget for the full timeline.

The assessment itself costs between 1,500 and 4,500 GBP depending on organisation size, paid directly to the IASME-accredited certification body. Our fees for gap assessment and remediation are separate and depend on the current state of your infrastructure.

Both. The assessor tests your internet-facing infrastructure (security groups, patching, access controls) and your team endpoints (laptops, phones with access to production systems). Many teams focus only on servers and get caught out by endpoint requirements.

They are complementary. ISO 27001 is a management system standard (policies, processes, risk management). CE+ is a hands-on technical audit of specific controls. Many UK organisations hold both. For NHS and government suppliers, CE+ is specifically required regardless of other certifications.

Yes. The CE+ controls are cloud-agnostic. The implementation details differ (Azure Security Center vs AWS Security Hub, etc.) but the principles and our approach are the same.