CREST-Certified AWS Cloud Security Review for UK Businesses
A CREST-certified assessment that combines the CIS AWS Foundations Benchmark with manual exploitation across IAM, S3, networking, compute and encryption. Unlike automated CSPM, which only flags misconfigurations, it proves which weaknesses an attacker could actually reach and maps every fix to your frameworks. Live findings during testing, free retests after remediation, fixed-price scope within 24 hours.
- Unlimited retesting
- Unlimited pre-retesting
- No hidden fees
“I would highly recommend EJN Labs to any organisation seeking reliable, detailed, and well-managed penetration testing services, particularly for government or enterprise-level projects.”
“There wasn’t another company we could find that could deliver what we needed in the timeframe we needed. The client loved it, and we got instant ROI from the engagement.”
of organisations have a cloud workload that is publicly exposed, critically vulnerable and over-privileged at once. Each flaw looks minor alone; chained, they are a direct path in.
AWS CSPM tells you what is misconfigured. We tell you what is exploitable.
AWS runs a shared responsibility model: AWS secures the underlying infrastructure, but you own the security of your IAM policies, S3 buckets, security groups and data. In fast-moving accounts, configuration drift opens exploitable gaps that automated scanners miss. A manual review confirms what an attacker could reach and gives auditors the evidence they expect for SOC 2, ISO 27001 and Cyber Essentials.
A cloud security posture management tool can flag a permissive S3 bucket policy. It cannot tell you whether the bucket actually contains sensitive data, whether the IAM role attached to your Lambda function can be assumed cross-account, or whether your EKS pod can read instance metadata via IMDSv1.
Our AWS penetration testing and cloud security review combines automated CIS Benchmark scanning with manual exploitation across IAM, S3, EKS, Lambda, KMS, and the data plane. Reports satisfy ISO 27001 Annex A.13.1, SOC 2 CC6.6, PCI DSS Req 11.3, and align with NCSC cloud security principles, without translation work.
12 AWS SERVICES AUDITED
What an AWS Security Review Covers
Aligned to the CIS AWS Foundations Benchmark v3.0; multi-account environments supported.
Identity & Access Management (IAM/STS)
Role trust policies, AssumeRole abuse, privilege escalation paths, MFA enforcement, root account hardening, cross-account boundary review.
Object Storage (S3)
Public buckets, ACL misconfigs, encryption at rest (KMS / SSE-S3), bucket policy abuse, signed URL leakage, cross-account access vectors.
Compute & Instance Metadata (EC2)
IMDSv1 vs v2 enforcement, AMI permissions, security group exposure, public AMIs leaking secrets, SSM session manager scrutiny.
Networking (VPC)
Security group misconfigurations, NACL gaps, VPC peering, public subnets, transit gateway hops, data perimeter exposure.
Serverless (Lambda)
Function policy abuse, environment variable leakage, dead-letter-queue exposure, layer-package supply chain, function URL exposure.
Kubernetes (EKS)
Pod security, RBAC scrutiny, control-plane exposure, node IAM trust, IRSA boundary, container image registry security.
Encryption Keys (KMS)
Key policy review, automatic rotation, cross-account access, multi-region key replication, grant abuse, deletion protection.
Secrets & Parameters (Secrets Manager)
Rotation enforcement, cross-account access, automatic-rotation Lambda IAM, access pattern audit, version history exposure.
API Gateway
Authorizer enforcement, custom domain TLS, throttling configuration, schema validation, resource policy gaps, IAM auth misconfig.
Logging & Audit (CloudTrail)
Multi-region coverage, log file integrity validation, S3 destination security, retention policies, GuardDuty integration.
Managed Databases (RDS)
Snapshot exposure, public accessibility, encryption at rest, performance insights, IAM database authentication, backup retention.
CDN & Edge (CloudFront)
Origin Access Identity, cache poisoning, signed cookies / URLs, WAF integration, Lambda@Edge function security, geo-restriction posture.
FOUR-PHASE METHODOLOGY
AWS Cloud Security Review: From Asset Inventory to Hardening Plan
Read-only by default. Manual exploitation only with explicit written approval per resource type.
Account Discovery
CloudFormation / Terraform / CDK review. AWS Organizations mapping. Asset inventory across services. IAM policy graph extraction. Read-only access via SecurityAudit role.
CIS Benchmark Audit
CIS AWS Foundations v3.0 control-by-control assessment. AWS Well-Architected pillars review. Compliance score baseline established before manual phase.
Manual Exploitation
AWS IAM privilege-escalation chains, AWS S3 enumeration, AWS EC2 IMDS attacks, Lambda execution-role abuse, EKS pod-to-node escape, KMS key policy abuse, all with written authorisation.
Report & Hardening
CIS-mapped findings, prioritised remediation plan, Terraform / CloudFormation patch examples, executive + technical reports. Free retest within 30 days.
CREDENTIALS
Verified Accreditations Auditors Accept
Every credential below is independently verifiable. UK procurement teams, FCA supervisors, ISO 27001 / SOC 2 auditors, and cyber insurance underwriters all recognise these standards.
GET YOUR QUOTE
Get a fixed AWS Cloud Security Review quote in 24 hours
A fixed-price quote back in one business day, from a named CREST assessor. No sales pipeline, no chasing.
- CREST and IASME accredited. Testing your auditors and clients already recognise.
- Fast-track testing within 24 hours where required. Free retest of every fix included.
- Live findings via your client portal, not a four-week PDF.
- Fixed price from £3,500 for a single-role, single-app scope, agreed up front. Most engagements run £5,000 and up. No day-rate surprises.
Under NDA Further named references available on a scoping call.
- We reply within one business day with a fixed-price quote from a named CREST assessor.
- You approve the scope and we book a start date, usually within 24 hours.
- Live findings land in your client portal as we test, with a free retest of every fix.
Get your fixed AWS Cloud Security Review quote in 24 hours
Quote request received
We will reply within one business day with your fixed-price quote from a named CREST assessor.
Your data stays with us. No newsletter signup.
or book a 20-min scoping call first
We reply within one business day. Your data stays with us. No newsletter signup.
COMPLIANCE READY
AWS Reports Mapped to Every Framework
Findings tagged to CIS Benchmark control IDs and your specific compliance framework. Audit teams submit directly without translation.
CIS AWS Foundations v3.0
Control-by-control compliance score and remediation evidence accepted by enterprise audit teams.
AWS Well-Architected
Security pillar review across the five sub-categories: IAM, detection, infrastructure, data, and incident response.
ISO 27001 (Annex A)
A.13 network security, A.14 secure development, A.18 compliance, cloud-control evidence in the format ISO auditors accept.
SOC 2 Type I & II
CC6.6 logical access, CC7.1 vulnerability identification, CC7.2 monitoring evidence accepted by SOC 2 auditors.
PCI DSS
Req 1, 2, 7, 8, 11.3 control evidence for AWS-hosted PCI scope, including segmentation and encryption attestation.
NCSC Cloud Security Principles
14 principles assessed including data in transit, supply chain, identity, separation, and audit information.
PRICING
Transparent AWS Cloud Security Review Pricing
All tiers include the same depth of testing. Price varies by AWS estate complexity: account count, service breadth, resource volume, and data-perimeter scope.
Depends on app complexity
Single AWS account, ≤10 services in use, ≤50 resources, basic IAM. Typically 4-5 day engagement.
Get a fixed quoteDepends on app complexity
AWS Organizations (3-10 accounts), 10-20 services, 50-200 resources, EKS or Lambda, CI/CD via OIDC. Typically 7-10 day engagement.
Get a fixed quoteDepends on app complexity
Landing zone (10+ accounts), 20+ services, 200+ resources, multi-region, EKS + data perimeter, regulated workloads. Typically 10-15 day engagement.
Get a fixed quoteBY SECTOR
AWS Cloud Security Review for Your Sector
AWS deployment patterns and cloud penetration testing requirements vary by sector. We test the controls your regulators specifically require.
Fintech & FCA-Regulated
FCA Operational Resilience, payment APIs in AWS, KMS for cardholder data, IAM boundary for production access.
Fintech sector pageSaaS Companies
Multi-tenant data isolation in AWS, EKS pod security, customer-data perimeter, SOC 2 evidence pack.
SaaS sector pageLaw Firms
Privileged-data S3 buckets, partner-tier IAM scrutiny, SRA Cyber Standard alignment, KMS rotation evidence.
Law firm sector pageHealthcare
NHS DSPT cloud evidence, EHR data on AWS, telehealth Lambda functions, KMS for patient PII.
Healthcare sector pageInsurance
FCA / PRA Operational Resilience, claims data on AWS, broker-portal segmentation, audit-log integrity.
Insurance sector pagePublic Sector
CCS / G-Cloud evidence, NCSC cloud security principles, citizen-data IAM, SC-cleared testers available.
Public sector pageWHY EJN LABS
What You Actually Get
What distinguishes our AWS review from CSPM tools and one-off configuration audits.
What You Get From AWS Cloud Security Review
AWS penetration testing as a read-only audit across IAM, S3, EKS, Lambda, KMS, and 7 more services, with manual exploitation chains and a CIS-mapped hardening plan.
CIS Benchmark + Manual Combination
Automated CIS scan establishes the baseline. Manual exploitation tests what scanners cannot: IAM privilege escalation chains, IMDS attacks, EKS pod escapes.
Read-Only by Default
We start with the AWS-managed SecurityAudit role. No write access required. Manual exploitation only with explicit written approval per resource.
Terraform / CloudFormation Patches
Every finding ships with example IaC remediation: Terraform module diffs, CloudFormation patches, CDK constructs. Engineers fix faster.
Free Retests, No Time Limit
Verify remediation of every fixed finding before close-out. Letter of attestation for audit submission included, with no per-retest charge.
UK CREST + IASME + ISO 27001 + ISO 9001
Independently accredited. Verifiable on the CREST marketplace. Reports accepted by FCA, NCSC, NHS, ICO, SOC 2 auditors, and cyber insurers.
FAQ
Frequently Asked
How long does an AWS cloud security review take?
A single-account review (≤10 services, ≤50 resources) typically takes 4-5 working days. Mid-market AWS Organizations (3-10 accounts, EKS or Lambda) takes 7-10 days. Enterprise landing zones (10+ accounts, multi-region, data perimeter) take 10-15 days. Test duration is determined during scoping based on account count and service breadth.
How much does an AWS cloud security review cost in the UK?
AWS penetration testing engagements at single-account scale range from £4,500 to £8,000. Mid-market (most commonly commissioned) £8,000 to £14,000. Enterprise £14,000 to £22,000. All quotes are fixed-price after scoping with no day-rate surprises. The day rate for CREST-certified testers is £1,100–£1,400 per day.
Do you follow the CIS AWS Foundations Benchmark?
Yes. Every AWS engagement includes a control-by-control CIS AWS Foundations Benchmark v3.0 assessment. Findings are tagged to specific CIS control IDs (e.g., 1.2: root account hardware MFA) so your audit team can submit evidence directly. We also reference the AWS Well-Architected Framework security pillar where applicable.
What AWS services do you cover?
Core AWS services: AWS IAM, AWS S3, AWS EC2, AWS VPC, AWS Lambda, AWS EKS, AWS KMS, Secrets Manager, API Gateway, CloudTrail, RDS, CloudFront. Extended scope on request: ECS, Fargate, Step Functions, EventBridge, SNS, SQS, AppSync, WAF, GuardDuty, Security Hub, AWS Config, Organizations / Control Tower / Landing Zone.
Is testing read-only or do you make changes?
Read-only by default. We use the AWS-managed SecurityAudit IAM role for the discovery and CIS audit phases. Manual exploitation phases (IAM privilege escalation, IMDS attacks, EKS escape attempts) only run with explicit written authorisation per resource type, in agreed maintenance windows, with full audit-log capture.
Do you test EKS / Kubernetes pod security?
Yes. EKS reviews include control-plane configuration, RBAC scrutiny, IAM Roles for Service Accounts (IRSA), pod security standards (PSS), node IAM trust, container image registry security, network policies, and pod-to-node escape paths via IMDSv1 abuse, hostPath mounts, or privileged containers.
Does AWS allow penetration testing?
Yes. AWS permits customer-led penetration testing of most services, including EC2, RDS, Lambda and API Gateway, without prior approval under its customer support policy. A few activities, such as DNS or DDoS-style simulation, still need authorisation. We scope every engagement to stay within AWS testing rules and your change controls.
How secure is the AWS cloud?
AWS secures the infrastructure, but under the shared responsibility model you secure your IAM, S3, networking and data configuration, and that is where most breaches start. An AWS cloud security review checks the customer side against the CIS AWS Foundations Benchmark and proves which weaknesses are actually exploitable.
What about multi-account AWS Organizations?
Multi-account testing is fully supported. We map the entire Organizations structure, evaluate Service Control Policies (SCPs), audit cross-account trust relationships, review AWS Control Tower / Landing Zone deployments, and test data perimeter enforcement (RCPs in preview, plus existing identity / service / resource perimeters).
Do you test infrastructure-as-code (Terraform / CloudFormation / CDK)?
Yes. Pre-deployment IaC review is offered as a separate engagement or bundled with cloud testing. We review Terraform / OpenTofu, CloudFormation, AWS CDK, and Pulumi for misconfigurations, secret leakage, and policy violations before the resources hit your AWS account.
Can you provide remediation guidance?
Yes. Every finding ships with prioritised remediation guidance and where applicable, example Terraform / CloudFormation patches. For high-severity findings we include direct engineer access via our portal so your platform team can ask follow-up questions during remediation.
Do you test for IMDSv1 / IMDSv2 issues?
Yes. IMDSv2 enforcement is one of the most common AWS findings; IMDSv1 allows server-side request forgery (SSRF) to retrieve EC2 instance metadata including IAM credentials. We test every EC2 instance, Lambda, and ECS task to verify IMDSv2 is enforced and IMDSv1 is disabled.
Are your testers UK-based and what certifications do they hold?
All AWS testers are vetted UK or international engineers. Relevant certifications across the team include CREST CRT and CCT INF, AWS Certified Security: Specialty, OSCP, OSCE, and platform-specific specialisms (e.g., Kubernetes CKS, eMAPT). SC-cleared testers are available for public-sector and regulated-financial engagements.
Do you sign NDAs?
Yes. Standard NDA before any technical detail is shared, and we operate under a project-specific master agreement that includes data handling, deliverable IP, and breach notification clauses. Custom MSAs and AUP terms are accepted for enterprise and public-sector clients.
Is an AWS security review the same as an AWS cloud security review?
Yes. AWS security review, AWS cloud security review and AWS configuration review all describe the same engagement: a CREST-certified assessment of your AWS account against the CIS Foundations Benchmark, combined with manual exploitation across IAM, S3, networking and compute. The name varies by buyer; the methodology does not.
Is AWS more secure than Azure?
Both are secure when configured correctly; most incidents come from customer-side misconfiguration, not the platform. If you run workloads on both, we test each against its own CIS Foundations Benchmark. See our Azure cloud security review for the equivalent assessment.
20+ CREST-certified testing services in one place
Web, mobile, API, cloud, AI, infrastructure, red team. Pick the test that fits your environment.
Book an AWS Security Review Scoping Call
30 minutes with a CREST-certified cloud security specialist. Fixed-price quote within 24 hours. No sales pipeline.



