
Cyber Essentials for AWS: configuration guide

How to configure an AWS account for Cyber Essentials v3.3 - IAM with MFA, SCPs, Security Hub baseline, Security Groups, and Systems Manager Patch Manager. Specific settings and evidence expectations.

Author

Jay Hopkins

Editor

Edited by Jack Wickham

Cyber Essentials v3.3 treats AWS accounts you administer as in-scope cloud services. Assessors require MFA on every IAM user and the root account, no permanent administrative access keys, Security Hub with the AWS Foundational Security Best Practices standard enabled, restrictive Security Groups, and customer-operated EC2 instances patched within 14 days.

What's in scope

Under the shared responsibility model AWS is responsible for the cloud itself; you are responsible for what you put in it. Cyber Essentials assesses your portion:

  • All IAM users, groups, roles, and the root account
  • Every AWS account under your control (Organizations, member accounts)
  • EC2 and ECS/EKS workloads you operate at the OS or container level
  • Security Groups, NACLs, and any customer-configured network boundary
  • Data stores you configure - RDS firewall rules, S3 bucket policies

1. Identity (Control: User Access Control + Secure Configuration)

  • Root account: MFA enforced with a hardware key, access keys deleted, and the account used only for the handful of tasks that genuinely require it (billing, closing the account). Assessors will ask to see the IAM credential report confirming that root sign-ins are rare ("Root account last used").
  • Every IAM user: MFA enabled. Programmatic-only users with long-lived access keys are flagged - prefer IAM Identity Center (SSO) or IAM Roles Anywhere / short-lived STS tokens.
  • No wildcard admin policies attached to users. Use groups, and attach narrow permissions-boundary policies.
  • Password policy: minimum length 14 characters in AWS (the IAM password policy governs only IAM user sign-in to the AWS console; federated identities inherit the IdP's policy).

Evidence: IAM credential report CSV, screenshot of the account password policy, SCP documents if using Organizations.
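The checks in this section can be run over the credential report itself before the assessor does. The following is an added example, not Fig's tooling or anything from AWS: it parses a constructed report (a subset of the real report's column names; the account id, user names and timestamps are placeholders) and flags root access keys, recent root use, console users without MFA, and access keys older than an assumed 90-day rotation threshold.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample using a subset of the real credential report's column names
# (the real report has more columns; the account id and users are placeholders).
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2020-01-05T10:00:00+00:00,not_supported,2024-05-01T09:12:00+00:00,not_supported,not_supported,true,true,2021-03-03T08:00:00+00:00,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2021-06-01T12:00:00+00:00,true,2024-05-20T08:00:00+00:00,2024-04-01T08:00:00+00:00,2024-07-01T08:00:00+00:00,true,false,N/A,false,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,2022-02-10T09:00:00+00:00,false,no_information,N/A,N/A,false,true,2022-02-10T09:00:00+00:00,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2023-08-15T09:00:00+00:00,true,2024-05-19T15:30:00+00:00,2024-05-01T09:00:00+00:00,2024-08-01T09:00:00+00:00,false,true,2024-04-20T09:00:00+00:00,false,N/A
"""

AS_OF = datetime(2024, 5, 21, tzinfo=timezone.utc)  # fixed "now" so the sample is reproducible
MAX_KEY_AGE_DAYS = 90      # assumed rotation threshold; the guide gives no number for this
ROOT_USE_WINDOW_DAYS = 30  # assumed window for "root was used recently"


def _parse_ts(value):
    """Credential-report cells are ISO timestamps or one of several 'no value' tokens."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(csv_text, now=AS_OF):
    """Return (user, finding_code, detail) tuples for the identity checks above."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = row["user"]
        if user == "<root_account>":
            for slot in ("1", "2"):
                if row[f"access_key_{slot}_active"] == "true":
                    findings.append((user, "root-access-key", f"access key {slot} is active"))
            if row["mfa_active"] != "true":
                findings.append((user, "root-no-mfa", "MFA not active on root"))
            last_used = _parse_ts(row["password_last_used"])
            if last_used and (now - last_used).days <= ROOT_USE_WINDOW_DAYS:
                findings.append((user, "root-recent-use",
                                 f"root signed in {(now - last_used).days} days ago"))
            continue
        # Console users need MFA; programmatic-only users have no password to protect.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console-no-mfa", "console password enabled without MFA"))
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            rotated = _parse_ts(row[f"access_key_{slot}_last_rotated"])
            age = (now - rotated).days if rotated else None
            if age is None or age > MAX_KEY_AGE_DAYS:
                findings.append((user, "stale-access-key", f"access key {slot} is {age} days old"))
    return findings


def run_sample():
    return audit_credential_report(SAMPLE_REPORT)


if __name__ == "__main__":
    for user, code, detail in run_sample():
        print(f"{user:16} {code:18} {detail}")
```

On the sample this reports the root access key, a root sign-in 20 days ago, `ci-deploy`'s two-year-old key and `bob`'s console access without MFA; `alice` passes. Generate the real report with `aws iam generate-credential-report` followed by `aws iam get-credential-report`, which returns it base64-encoded.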

2. Service Control Policies (Organizations)

If you use AWS Organizations, SCPs are your strongest secure-configuration control:

  • Deny root user actions except for break-glass paths.
  • Deny creation of users in non-approved regions.
  • Deny public S3 bucket policies unless in an allow-listed account.

SCPs are the cleanest evidence an assessor can read - deterministic guardrails rather than detective controls.
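To make the three guardrails concrete, here is an added example (not an AWS-published policy and not part of this guide's original text) that writes them as a single SCP and evaluates sample requests against it. The account ids, approved regions and exempted global services are placeholders. Two modelling choices to note: SCP conditions cannot inspect the body of a bucket policy, so the third bullet is modelled by protecting the Block Public Access settings that stop public policies from taking effect; and a real SCP set also needs an Allow (such as the default FullAWSAccess policy), which the evaluator assumes is present and only checks the Deny statements.

```python
import fnmatch

# Constructed SCP modelling the three guardrails above. Account ids, regions and
# the exempted global services are placeholders; real SCPs also need an Allow
# (for example the FullAWSAccess policy), which this evaluator assumes is present.
APPROVED_REGIONS = ["eu-west-2", "eu-west-1"]
ALLOWLISTED_ACCOUNTS = ["111122223333"]

SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {   # root may only use account-management and billing APIs (the break-glass path)
            "Sid": "DenyRootExceptBreakGlass",
            "Effect": "Deny",
            "NotAction": ["account:*", "billing:*"],
            "Resource": "*",
            "Condition": {"StringLike": {"aws:PrincipalArn": "arn:aws:iam::*:root"}},
        },
        {   # nothing regional outside the approved regions; global services are exempt
            "Sid": "DenyUnapprovedRegions",
            "Effect": "Deny",
            "NotAction": ["iam:*", "organizations:*", "sts:*", "account:*", "billing:*", "support:*"],
            "Resource": "*",
            "Condition": {"StringNotEquals": {"aws:RequestedRegion": APPROVED_REGIONS}},
        },
        {   # Block Public Access settings may only be changed from allow-listed accounts
            "Sid": "ProtectS3PublicAccessBlock",
            "Effect": "Deny",
            "Action": ["s3:PutBucketPublicAccessBlock", "s3:PutAccountPublicAccessBlock"],
            "Resource": "*",
            "Condition": {"StringNotEquals": {"aws:PrincipalAccount": ALLOWLISTED_ACCOUNTS}},
        },
    ],
}


def _as_list(value):
    return [value] if isinstance(value, str) else value


def _matches_action(stmt, action):
    """Action is a glob allow-list; NotAction matches everything except the globs."""
    if "Action" in stmt:
        return any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"]))
    return not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["NotAction"]))


def _condition_holds(condition, ctx):
    """Minimal subset of the IAM condition language: four string operators, single-valued keys.
    As in IAM, the negated operators evaluate true when the context key is absent."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            expected = _as_list(expected)
            actual = ctx.get(key)
            if operator == "StringEquals":
                ok = actual in expected
            elif operator == "StringNotEquals":
                ok = actual not in expected
            elif operator == "StringLike":
                ok = actual is not None and any(fnmatch.fnmatchcase(actual, e) for e in expected)
            elif operator == "StringNotLike":
                ok = actual is None or not any(fnmatch.fnmatchcase(actual, e) for e in expected)
            else:
                raise ValueError(f"operator not modelled: {operator}")
            if not ok:
                return False
    return True


def scp_denies(policy, action, ctx):
    """Return the Sid of the first Deny statement that matches the request, else None."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if _matches_action(stmt, action) and _condition_holds(stmt.get("Condition", {}), ctx):
            return stmt["Sid"]
    return None


if __name__ == "__main__":
    root = {"aws:PrincipalArn": "arn:aws:iam::111122223333:root",
            "aws:PrincipalAccount": "111122223333", "aws:RequestedRegion": "eu-west-2"}
    print(scp_denies(SCP, "ec2:RunInstances", root))   # DenyRootExceptBreakGlass
    print(scp_denies(SCP, "account:CloseAccount", root))  # None: the break-glass path stays open
```

The region statement exempts global services through NotAction because those calls carry no `aws:RequestedRegion`, and a negated condition on a missing key would otherwise deny them; that is also why `account:*` and `billing:*` appear in both exemption lists, so the root break-glass path survives the region guardrail.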

3. Security Hub baseline

Turn on AWS Security Hub with the AWS Foundational Security Best Practices standard in every active region. This standard's failing-control list maps almost 1:1 to Cyber Essentials secure-configuration gaps:

  • Default security groups open
  • Publicly accessible RDS / Redshift / ElastiCache
  • Unencrypted EBS volumes
  • S3 block-public-access not enforced account-wide

Aim for ≥90% pass on Foundational Security Best Practices before assessment.

4. Firewall / boundary

  • Security Groups: explicit allow, deny-by-default. No 0.0.0.0/0 on 22 (SSH), 3389 (RDP), 1433/3306/5432 (databases).
  • Prefer AWS Systems Manager Session Manager over opening SSH at all - no inbound ports, IAM-gated access, full session recording.
  • Default VPC: either delete it or harden it. Default VPCs ship with an open default security group.
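The first bullet is easy to check mechanically, and the two traps are rules that cover a sensitive port inside a wider range and rules with protocol `-1` (all traffic), which have no port fields at all. The following added example (not Fig's scanner or AWS code) runs that check over constructed security groups laid out like `describe-security-groups` output; group ids and names are placeholders.

```python
import ipaddress

# Ports the guide names, plus the label used in findings.
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 1433: "MSSQL", 3306: "MySQL", 5432: "PostgreSQL"}

# Constructed groups in the shape of `describe-security-groups` output (ids/names are placeholders).
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa", "GroupName": "legacy-bastion",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0bbb", "GroupName": "db-tier",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
                        "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0ccc", "GroupName": "wide-open",
     "IpPermissions": [{"IpProtocol": "-1",           # all protocols, all ports: no port keys
                        "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0ddd", "GroupName": "range-covers-rdp",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0eee", "GroupName": "web",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]


def _is_world(cidr):
    """0.0.0.0/0 and ::/0 are the only prefixes with length 0."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def _sensitive_ports_in_rule(rule):
    """Sensitive ports this rule reaches; '-1' means every port on every protocol."""
    if rule["IpProtocol"] == "-1":
        return set(SENSITIVE_PORTS)
    if rule["IpProtocol"] not in ("tcp", "6"):   # the listed services are all TCP
        return set()
    lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
    return {p for p in SENSITIVE_PORTS if lo <= p <= hi}


def find_world_open_admin_ports(groups):
    """Return (group_id, port, service, world_sources) for every world-reachable sensitive port."""
    findings = []
    for sg in groups:
        for rule in sg["IpPermissions"]:
            sources = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            world = [s for s in sources if _is_world(s)]
            if not world:
                continue
            for port in sorted(_sensitive_ports_in_rule(rule)):
                findings.append((sg["GroupId"], port, SENSITIVE_PORTS[port], world))
    return findings


def run_sample():
    return find_world_open_admin_ports(SAMPLE_GROUPS)


if __name__ == "__main__":
    for group_id, port, service, world in run_sample():
        print(f"{group_id}: {service} ({port}) open to {', '.join(world)}")
```

On the sample, `legacy-bastion` is caught on 22, `range-covers-rdp` on both 3306 and 3389 even though neither port is named explicitly, and `wide-open` on all five; `db-tier` (internal CIDR) and `web` (443 only) pass. IPv6 matters here because a group that is clean on `0.0.0.0/0` can still expose the same port on `::/0`.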

5. Patching (customer-operated compute)

  • Systems Manager Patch Manager scanning all EC2 instances with Patch Groups aligned to maintenance windows.
  • 14-day SLA for high/critical CVEs per Cyber Essentials v3.3. SSM's default baseline targets 7 days for critical on Windows - aligned.
  • AMIs regularly refreshed - golden images older than 90 days raise a flag.
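As an added example (not Fig's readiness scan and not SSM output; the inventory shape and field names are this example's own), the following turns the two thresholds above into a per-instance report: urgent patches missing for longer than the 14-day window, and golden images older than 90 days.

```python
from datetime import date

PATCH_SLA_DAYS = 14     # Cyber Essentials v3.3 window quoted in the guide
MAX_AMI_AGE_DAYS = 90   # the guide's golden-image threshold
TODAY = date(2024, 5, 21)  # fixed date so the sample is reproducible

# Severities treated as urgent: "Important" is the MSRC rating on Windows where
# Linux feeds say "High". This mapping is an assumption for the example.
URGENT = {"Critical", "Important", "High"}

# Constructed inventory; instance ids, patch titles and dates are placeholders and the
# field names are this example's own, not those of the SSM API.
INVENTORY = [
    {"instance": "i-0aaa", "ami_created": date(2024, 1, 10),
     "missing": [{"title": "KB500001", "severity": "Critical", "released": date(2024, 5, 1)}]},
    {"instance": "i-0bbb", "ami_created": date(2024, 4, 20),
     "missing": [{"title": "openssl-3.0.13", "severity": "Important", "released": date(2024, 5, 15)},
                 {"title": "curl-8.7", "severity": "Low", "released": date(2024, 3, 1)}]},
    {"instance": "i-0ccc", "ami_created": date(2024, 5, 1), "missing": []},
]


def patch_report(inventory, today=TODAY):
    """Per instance: urgent patches past the SLA, and whether the AMI is older than the threshold."""
    report = {}
    for host in inventory:
        overdue = [p["title"] for p in host["missing"]
                   if p["severity"] in URGENT and (today - p["released"]).days > PATCH_SLA_DAYS]
        ami_age = (today - host["ami_created"]).days
        report[host["instance"]] = {"overdue": overdue, "ami_age_days": ami_age,
                                    "ami_stale": ami_age > MAX_AMI_AGE_DAYS}
    return report


def run_sample():
    return patch_report(INVENTORY)


if __name__ == "__main__":
    for instance, r in run_sample().items():
        status = "FAIL" if r["overdue"] or r["ami_stale"] else "ok"
        print(f"{instance}: {status} overdue={r['overdue']} ami_age={r['ami_age_days']}d")
```

`i-0aaa` fails on both counts (a critical patch 20 days old, an AMI from January); `i-0bbb` has an urgent patch that is only six days old and a low-severity one that the SLA does not cover, so it passes. In a real pipeline the "missing" list would come from Patch Manager compliance data and the AMI date from the image's creation timestamp.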

6. Logging and supporting evidence

Not strictly mandated by Cyber Essentials but strongly supportive:

  • CloudTrail enabled in all regions with log file integrity validation.
  • Config Recorder on for every region you use.
  • GuardDuty answers the detective-control questions assessors sometimes ask about malware and credential exfiltration.

7. Common failure points

1. Root access keys exist. Instant fail. Delete them.

2. Long-lived IAM access keys on developer accounts. Rotate, or (better) replace with IAM Identity Center.

3. Security Group allows 0.0.0.0/0 on 22 or 3389 on at least one production instance. Usually legacy bastion hosts - replace with Session Manager.

4. End-of-support AMIs. Amazon Linux 1 and Ubuntu 18.04 both fail the supported-OS clause.

What Fig checks

Our CE readiness scan reviews IAM credential reports, Security Hub standards compliance, and Organization SCPs before you submit. AWS-heavy environments that complete our pre-assessment scan pass at >95% first-time.


About the author

Jay Hopkins

Managing Director, Fig Group

IASME-licensed Cyber Essentials Assessor; IASME Cyber Assurance Assessor

Jay Hopkins is the Managing Director of Fig Group and an IASME-licensed Cyber Essentials assessor. He was previously Head of Technology for a global regulated firm. He works with UK organisations across regulated sectors on baseline compliance, supply-chain assurance, and AI-augmented security tooling.
