CREST-Certified AWS Cloud Security Review for UK Businesses
AWS penetration testing and cloud security review aligned to the CIS AWS Foundations Benchmark and the AWS Well-Architected Framework. Manual exploitation across IAM, S3, VPC, EC2, Lambda, EKS, KMS, Secrets Manager, and CloudTrail. AWS security audits supported across multi-account organisations.
What is an AWS cloud security review?
An AWS cloud security review is a CREST-certified assessment that combines the CIS AWS Foundations Benchmark with manual exploitation across IAM, S3, networking, compute and encryption. Unlike automated CSPM, which only flags misconfigurations, it proves which weaknesses an attacker could actually reach and maps every fix to your frameworks.
Also known as an AWS security review or AWS configuration review, it goes a step beyond a vulnerability scan: where a scan lists findings, this review confirms what an attacker could actually reach and prioritises the fixes that close real attack paths.
Why an AWS Cloud Security Review Is Essential
AWS runs a shared responsibility model: AWS secures the underlying infrastructure, but you own the security of your IAM policies, S3 buckets, security groups and data. In fast-moving accounts, configuration drift opens exploitable gaps that automated scanners miss. A manual review confirms what an attacker could reach and gives auditors the evidence they expect for SOC 2, ISO 27001 and Cyber Essentials.
Who Needs an AWS Cloud Security Review
Any UK organisation running production workloads on AWS, especially fintech, SaaS, healthcare, insurance, law and public-sector teams handling regulated data. It is most valuable before or after a major AWS migration, ahead of a SOC 2 or ISO 27001 audit, or when a customer security questionnaire asks for independent assurance.
“Sensitive information was handled securely; operational requirements were always respected throughout.”
– IT Director, International Property Group
CSPM tells you what’s misconfigured. We tell you what’s exploitable.
A cloud security posture management tool can flag a permissive S3 bucket policy. It cannot tell you whether the bucket actually contains sensitive data, whether the IAM role attached to your Lambda function can be assumed cross-account, or whether your EKS pod can read instance metadata via IMDSv1.
Our AWS penetration testing and cloud security review combines automated CIS Benchmark scanning with manual exploitation across IAM, S3, EKS, Lambda, KMS, and the data plane. Reports satisfy ISO 27001 Annex A.13.1, SOC 2 CC6.6, PCI DSS Req 11.3, and align with NCSC cloud security principles, without translation work.
12 AWS SERVICES AUDITED
What an AWS Security Review Covers
Aligned to the CIS AWS Foundations Benchmark v3.0 and the AWS Well-Architected Framework. Multi-account organisations supported via AWS Organizations.
Identity & Access Management
Role trust policies, AssumeRole abuse, privilege escalation paths, MFA enforcement, root account hardening, cross-account boundary review.
Object Storage
Public buckets, ACL misconfigs, encryption at rest (KMS / SSE-S3), bucket policy abuse, signed URL leakage, cross-account access vectors.
Compute & Instance Metadata
IMDSv1 vs v2 enforcement, AMI permissions, security group exposure, public AMIs leaking secrets, SSM session manager scrutiny.
Networking
Security group misconfigurations, NACL gaps, VPC peering, public subnets, transit gateway hops, data perimeter exposure.
Serverless
Function policy abuse, environment variable leakage, dead-letter-queue exposure, layer-package supply chain, function URL exposure.
Kubernetes
Pod security, RBAC scrutiny, control-plane exposure, node IAM trust, IRSA boundary, container image registry security.
Encryption Keys
Key policy review, automatic rotation, cross-account access, multi-region key replication, grant abuse, deletion protection.
Secrets & Parameters
Rotation enforcement, cross-account access, automatic-rotation Lambda IAM, access pattern audit, version history exposure.
API Gateway
Authorizer enforcement, custom domain TLS, throttling configuration, schema validation, resource policy gaps, IAM auth misconfig.
Logging & Audit
Multi-region coverage, log file integrity validation, S3 destination security, retention policies, GuardDuty integration.
Managed Databases
Snapshot exposure, public accessibility, encryption at rest, performance insights, IAM database authentication, backup retention.
CDN & Edge
Origin Access Identity, cache poisoning, signed cookies / URLs, WAF integration, Lambda@Edge function security, geo-restriction posture.
FOUR-PHASE METHODOLOGY
AWS Cloud Security Review: From Asset Inventory to Hardening Plan
Read-only by default. Manual exploitation only with explicit written approval per resource type.
Account Discovery
CIS Benchmark Audit
Manual Exploitation
Report & Hardening
COMPLIANCE READY
AWS Reports Mapped to Every Framework
Findings tagged to CIS Benchmark control IDs and your specific compliance framework. Audit teams submit directly without translation.
CIS AWS Foundations v3.0
Control-by-control compliance score and remediation evidence accepted by enterprise audit teams.
AWS Well-Architected
Security pillar review across the five sub-categories: IAM, detection, infrastructure, data, and incident response.
ISO 27001 (Annex A)
A.13 network security, A.14 secure development, A.18 compliance, cloud-control evidence in the format ISO auditors accept.
SOC 2 Type I & II
CC6.6 logical access, CC7.1 vulnerability identification, CC7.2 monitoring evidence accepted by SOC 2 auditors.
PCI DSS
Req 1, 2, 7, 8, 11.3 control evidence for AWS-hosted PCI scope, including segmentation and encryption attestation.
NCSC Cloud Security Principles
14 principles assessed including data in transit, supply chain, identity, separation, and audit information.
TRANSPARENT PRICING
Transparent AWS Cloud Security Review Pricing
All tiers include the same depth of testing. Price varies by AWS estate complexity: account count, service breadth, resource volume, and data-perimeter scope. Testing AWS plus Azure or GCP? See our multi-cloud penetration testing hub. Running workloads beyond AWS? See our Azure cloud security review and GCP cloud security review.
Depends on AWS estate size
Single AWS account, ≤10 services in use, ≤50 resources, basic IAM. Typically 4-5 day engagement.
Depends on AWS estate size
AWS Organizations (3-10 accounts), 10-20 services, 50-200 resources, EKS or Lambda, CI/CD via OIDC. Typically 7-10 day engagement.
Depends on AWS estate size
Landing zone (10+ accounts), 20+ services, 200+ resources, multi-region, EKS + data perimeter, regulated workloads. Typically 10-15 day engagement.
AWS Cloud Security Review for Your Sector
AWS deployment patterns and cloud penetration testing requirements vary by sector. We test the controls your regulators specifically require.
Fintech
FCA Operational Resilience, payment APIs in AWS, KMS for cardholder data, IAM boundary for production access.
SaaS
Multi-tenant data isolation in AWS, EKS pod security, customer-data perimeter, SOC 2 evidence pack.
Healthcare
NHS DSPT cloud evidence, EHR data on AWS, telehealth Lambda functions, KMS for patient PII.
Insurance
FCA / PRA Operational Resilience, claims data on AWS, broker-portal segmentation, audit-log integrity.
Law
Privileged-data S3 buckets, partner-tier IAM scrutiny, SRA Cyber Standard alignment, KMS rotation evidence.
Public Sector
CCS / G-Cloud evidence, NCSC cloud security principles, citizen-data IAM, SC-cleared testers available.
What You Actually Get
Five things that distinguish our AWS review from CSPM tools and one-off configuration audits.
What You Get From AWS Cloud Security Review
CIS Benchmark + Manual Combination
Read-Only by Default
Terraform / CloudFormation Patches
UK CREST + IASME + ISO 27001 + ISO 9001
A point-in-time review is the start. For continuous coverage between tests, see our penetration testing as a service model.
Frequently Asked
How long does an AWS cloud security review take?
A single-account review (≤10 services, ≤50 resources) typically takes 4-5 working days. Mid-market AWS Organizations (3-10 accounts, EKS or Lambda) takes 7-10 days. Enterprise landing zones (10+ accounts, multi-region, data perimeter) take 10-15 days. Test duration is determined during scoping based on account count and service breadth.
How much does an AWS cloud security review cost in the UK?
AWS penetration testing engagements at single-account scale range from £6,000 to £10,000. Mid-market (most commonly commissioned) £10,000 to £18,000. Enterprise £18,000 to £28,000. All quotes are fixed-price after scoping with no day-rate surprises.
Do you follow the CIS AWS Foundations Benchmark?
Yes. Every AWS engagement includes a control-by-control CIS AWS Foundations Benchmark v3.0 assessment. Findings are tagged to specific CIS control IDs (e.g., 1.2: root account hardware MFA) so your audit team can submit evidence directly. We also reference the AWS Well-Architected Framework security pillar where applicable.
What AWS services do you cover?
Core AWS services: AWS IAM, AWS S3, AWS EC2, AWS VPC, AWS Lambda, AWS EKS, AWS KMS, Secrets Manager, API Gateway, CloudTrail, RDS, CloudFront. Extended scope on request: ECS, Fargate, Step Functions, EventBridge, SNS, SQS, AppSync, WAF, GuardDuty, Security Hub, AWS Config, Organizations / Control Tower / Landing Zone.
Is testing read-only or do you make changes?
Read-only by default. We use the AWS-managed SecurityAudit IAM role for the discovery and CIS audit phases. Manual exploitation phases (IAM privilege escalation, IMDS attacks, EKS escape attempts) only run with explicit written authorisation per resource type, in agreed maintenance windows, with full audit-log capture.
Do you test EKS / Kubernetes pod security?
Yes. EKS reviews include control-plane configuration, RBAC scrutiny, IAM Roles for Service Accounts (IRSA), pod security standards (PSS), node IAM trust, container image registry security, network policies, and pod-to-node escape paths via IMDSv1 abuse, hostPath mounts, or privileged containers.
Does AWS allow penetration testing?
Yes. AWS permits customer-led penetration testing of most services, including EC2, RDS, Lambda and API Gateway, without prior approval under its customer support policy. A few activities, such as DNS or DDoS-style simulation, still need authorisation. We scope every engagement to stay within AWS testing rules and your change controls.
How secure is the AWS cloud?
AWS secures the infrastructure, but under the shared responsibility model you secure your IAM, S3, networking and data configuration, and that is where most breaches start. An AWS cloud security review checks the customer side against the CIS AWS Foundations Benchmark and proves which weaknesses are actually exploitable.
What about multi-account AWS Organizations?
Multi-account testing is fully supported. We map the entire Organizations structure, evaluate Service Control Policies (SCPs), audit cross-account trust relationships, review AWS Control Tower / Landing Zone deployments, and test data perimeter enforcement (RCPs in preview, plus existing identity / service / resource perimeters).
Do you test infrastructure-as-code (Terraform / CloudFormation / CDK)?
Yes. Pre-deployment IaC review is offered as a separate engagement or bundled with cloud testing. We review Terraform / OpenTofu, CloudFormation, AWS CDK, and Pulumi for misconfigurations, secret leakage, and policy violations before the resources hit your AWS account.
Can you provide remediation guidance?
Yes. Every finding ships with prioritised remediation guidance and, where applicable, example Terraform / CloudFormation patches. For high-severity findings we include direct engineer access via our portal so your platform team can ask follow-up questions during remediation.
Do you test for IMDSv1 / IMDSv2 issues?
Yes. Missing IMDSv2 enforcement is one of the most common AWS findings: IMDSv1 allows server-side request forgery (SSRF) to retrieve EC2 instance metadata, including IAM credentials. We test every EC2 instance, Lambda, and ECS task to verify IMDSv2 is enforced and IMDSv1 is disabled.
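As an added example (not part of the original page and not the vendor's own tooling), the script below performs the IMDSv2 check on a constructed describe-instances response: it flags instances whose metadata service still accepts IMDSv1, rates those with an attached instance profile higher because SSRF could reach role credentials, and prints the remediation command. The account id, instance ids and profile name are made up.

```python
# Added example: audit EC2 metadata options from a describe-instances
# response and flag instances that still permit IMDSv1 (HttpTokens=optional).
import json

# Constructed sample shaped like `aws ec2 describe-instances` output;
# account id, instance ids and profile name are placeholders.
SAMPLE = json.loads("""{
 "Reservations": [{"Instances": [
  {"InstanceId": "i-0aaa000000000001",
   "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/web"},
   "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                       "HttpPutResponseHopLimit": 2}},
  {"InstanceId": "i-0aaa000000000002",
   "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                       "HttpPutResponseHopLimit": 1}},
  {"InstanceId": "i-0aaa000000000003",
   "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                       "HttpPutResponseHopLimit": 1}},
  {"InstanceId": "i-0aaa000000000004",
   "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional",
                       "HttpPutResponseHopLimit": 1}}
 ]}]}""")


def audit_imds(describe_instances: dict) -> list[dict]:
    """Return one finding per instance whose metadata service allows IMDSv1."""
    findings = []
    for res in describe_instances.get("Reservations", []):
        for inst in res.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") == "disabled":
                continue  # metadata service off entirely: nothing reachable
            if opts.get("HttpTokens") == "required":
                continue  # IMDSv2 enforced: a plain GET from SSRF gets nothing
            has_profile = "IamInstanceProfile" in inst  # role creds exposed?
            hop = opts.get("HttpPutResponseHopLimit", 1)
            cmd = ("aws ec2 modify-instance-metadata-options "
                   f"--instance-id {inst['InstanceId']} --http-tokens required")
            if hop > 1:  # hop limit >1 lets containers on the host reach IMDS
                cmd += " --http-put-response-hop-limit 1"
            findings.append({"instance": inst["InstanceId"],
                             "severity": "high" if has_profile else "medium",
                             "hop_limit": hop, "remediation": cmd})
    return findings


if __name__ == "__main__":
    for f in audit_imds(SAMPLE):
        print(f"{f['instance']}: {f['severity']} -> {f['remediation']}")
```

In a real engagement the same function would be fed the JSON from `aws ec2 describe-instances` run under a read-only role.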
Are your testers UK-based and what certifications do they hold?
All AWS testers are vetted UK or international engineers. Relevant certifications across the team include CREST CRT and CCT INF, AWS Certified Security: Specialty, OSCP, OSCE, and platform-specific specialisms (e.g., Kubernetes CKS, eMAPT). SC-cleared testers are available for public-sector and regulated-financial engagements.
Do you sign NDAs?
Yes. Standard NDA before any technical detail is shared, and we operate under a project-specific master agreement that includes data handling, deliverable IP, and breach notification clauses. Custom MSAs and AUP terms are accepted for enterprise and public-sector clients.
Is an AWS security review the same as an AWS cloud security review?
Yes. AWS security review, AWS cloud security review and AWS configuration review all describe the same engagement: a CREST-certified assessment of your AWS account against the CIS Foundations Benchmark, combined with manual exploitation across IAM, S3, networking and compute. The name varies by buyer; the methodology does not.
Is AWS more secure than Azure?
Both are secure when configured correctly; most incidents come from customer-side misconfiguration, not the platform. If you run workloads on both, we test each against its own CIS Foundations Benchmark. See our Azure cloud security review for the equivalent assessment.
20+ CREST-certified testing services in one place
Web, mobile, API, cloud, AI, infrastructure, red team. Pick the test that fits your environment.
Book an AWS Security Review Scoping Call
30 minutes with a CREST-certified cloud security specialist. Fixed-price quote within 24 hours. No sales pipeline.