AWS Security Blog

Using AWS in the Context of CESG UK’s Cloud Security Principles

Last year, CESG UK published the Cloud Security Guidance documents for public sector organizations that are considering the use of cloud services for handling information classified as OFFICIAL. The guidance aims to help public sector organizations make informed decisions about cloud services and choose a cloud service that balances business benefits and security risks. In relation to this, the legacy Impact Level accreditation scheme has been phased out and is no longer the mechanism used to describe the security properties of cloud services.

To give you guidance on the Cloud Security Principles and to help you make informed decisions when performing risk assessments, we have published a whitepaper called Using AWS in the Context of CESG UK’s Cloud Security Principles.

This whitepaper provides insights into implementation and assurance approaches within AWS based on the published guidance for each of the 14 Cloud Security Principles and Subprinciples. If you are a Senior Information Risk Officer or a CESG-Listed Advisor Scheme consultant supporting a decision-making process for selecting a cloud service at a UK public sector organization, the whitepaper provides an in-depth view into the AWS implementation approach in relation to the Cloud Security Principles. Based on this information, UK public sector organizations and their information security functions can conduct informed risk assessments and select the appropriate AWS services for their cloud environment.

AWS currently provides the following 11 services on the UK Government Digital Marketplace:

  1. Amazon CloudWatch – Digital Marketplace link
  2. Amazon Elastic Block Store (Amazon EBS) – Digital Marketplace link
  3. Amazon Elastic Compute Cloud (Amazon EC2) – Digital Marketplace link
  4. Amazon Glacier – Digital Marketplace link
  5. Amazon Relational Database Service (Amazon RDS) – Digital Marketplace link
  6. Amazon Simple Storage Service (Amazon S3) – Digital Marketplace link
  7. Amazon Virtual Private Cloud (Amazon VPC) – Digital Marketplace link
  8. Auto Scaling – Digital Marketplace link
  9. AWS Direct Connect – Digital Marketplace link
  10. AWS Identity and Access Management (AWS IAM) – Digital Marketplace link
  11. Elastic Load Balancing – Digital Marketplace link

We look forward to hearing how you are using the whitepaper and the ways we can improve it. Please contact us for questions about meeting your compliance requirements in the cloud.


– Chad Woolf, Director, AWS Risk and Compliance



Chad Woolf

Chad joined Amazon in 2010 and built the AWS compliance functions from the ground up, including audit and certifications, privacy, contract compliance, control automation engineering and security process monitoring. Chad’s work also includes enabling public sector and regulated industry adoption of the AWS cloud, compliance with complex privacy regulations such as GDPR and operating a trade and product compliance team in conjunction with global region expansion. Prior to joining AWS, Chad spent 12 years with Ernst & Young as a Senior Manager working directly with Fortune 100 companies consulting on IT process, security, risk, and vendor management advisory work, as well as designing and deploying global security and assurance software solutions. Chad holds a Masters of Information Systems Management and a Bachelors of Accounting from Brigham Young University, Utah.