Security

NHS DSP Toolkit AWS: The 24 Checks We Run Before June 2026

30 June 2026 is the DSPT v8 deadline. Here are the 24 AWS technical checks we run for UK healthcare clients, mapped to UK GDPR Article 32 and NDG standards.

Engineering Team
16 min read

If your team supplies digital products to the NHS, processes patient data, or runs a Cambridge biotech with research data on AWS, you have a deadline. The NHS DSP Toolkit v8 (2025-26) annual submission closes on 30 June 2026, and for IT suppliers above the audit threshold, that submission needs an independent audit attached.

The bad news: most UK security consultancies are quoting between £5,000 and £15,000 for a “DSPT AWS readiness review” that, when you open the PDF, is a Prowler output with a Union Jack on the cover.

The good news: the technical AWS half of the DSPT submission can be evidenced with 24 specific configuration checks, all of which you can run yourself, and most of which we have automated into a free tool (Cambrian) that runs in 90 seconds on your laptop.

This post walks through all 24, explains how each one maps to the NHS DSP Toolkit NDG standards and UK GDPR Article 32, and tells you what your DSPT assessor is actually going to ask about. It assumes you are a CTO, Head of Security, DPO, or platform engineer at a UK healthtech, biotech, NHS supplier, or clinical-research SaaS team. By the end you will know exactly which AWS configurations are likely to fail your DSPT v8 submission, and what to do about it before June.

What the NHS DSP Toolkit Actually Is in 2026

The NHS Data Security and Protection Toolkit is an online self-assessment hosted at dsptoolkit.nhs.uk. It is the annual data-security declaration NHS England requires from any organisation handling NHS patient data or providing IT services to NHS bodies.

Version 8 (2025-26) is the current edition, aligned to NCSC CAF version 3.4, and structured around the 10 National Data Guardian (NDG) Data Security Standards:

NDG Standard | Focus area
1            | Personal confidential data, encryption, exposure
2            | Staff responsibilities
3            | Training
4            | Managing data access, MFA, least privilege
5            | Process reviews
6            | Responding to incidents, monitoring
7            | Continuity, backup, recovery
8            | Unsupported systems
9            | IT protection, logging, patching
10           | Accountable suppliers, supply chain

For IT suppliers, the v8 deadline is 30 June 2026, and you need an independent audit if your organisation has 50 or more employees and £10 million or more in global annual revenue and processes NHS data or provides services to NHS organisations. Below those thresholds, you still submit the DSPT but you do not need the formal independent audit.

Even small Cambridge biotechs working with NHS Digital, NHS Research Authority, or NIHR-funded studies are increasingly being asked for a DSPT submission as part of supplier due diligence, regardless of whether they hit the audit threshold. So the submission is rarely truly optional.

For the full official picture, see the DSP Toolkit Independent Assessment Guides 25-26 v8 for IT Suppliers.

Why AWS Configuration Carries Half the DSPT Burden

The DSPT is mostly a governance questionnaire: policies, training records, business continuity plans, the digital asset register. But for any team running on AWS, a meaningful share of the technical evidence behind NDG Standards 1, 4, 6, 7, 9, and the Information Governance geography requirement comes directly from how your AWS account is configured.

UK GDPR Article 32 sits underneath all of this. Article 32(1) requires “appropriate technical and organisational measures to ensure a level of security appropriate to the risk”, with explicit examples covering encryption, ongoing confidentiality and integrity, the ability to restore data, and a process for regularly testing the effectiveness of those measures. The ICO’s Article 32 guidance is the canonical UK reading.

Article 32 does not name AWS services. But for a team running patient data on AWS, the article translates almost one-to-one into specific settings: encryption at rest (KMS), MFA on console access (IAM), backups (RDS automated backups), audit logging (CloudTrail), monitoring (GuardDuty + CloudWatch).

So in practice, your DSPT v8 evidence pack for the technical NDG standards comes mostly from running checks against your AWS account. The 24 below are the ones we have found, across dozens of NHS-adjacent AWS environments, to most reliably show up in DSPT readiness conversations.

The 24 AWS Checks You Need to Pass Before 30 June 2026

We group them by AWS service. For each check we list what is verified, the UK GDPR Article 32 reference, and the NHS DSPT NDG standard the evidence supports. Assertion numbers vary slightly by organisation type, so confirm against the official Assertions and Evidence spreadsheet for your category before submission.

Identity and Access Management (IAM): 6 checks

IAM misconfigurations are the single largest source of DSPT findings we see. Of the four to six issues a typical Cambridge healthtech AWS account fails on the first scan, three usually live in IAM.

  1. Root account has MFA enabled. Without root MFA, a password compromise gives an attacker full administrative control. Art 32(1)(b) - Confidentiality. NDG Std 4 - Strong authentication.
  2. Root account has no active access keys. Root access keys are a discouraged pattern with no legitimate use case in 2026. Art 32(1)(b). NDG Std 4 - Managing data access.
  3. IAM users with console access have MFA. This is the classic finding. Most AWS accounts have at least one human user with console access and no MFA. Art 32(1)(b). NDG Std 4 - assertion 4.5.
  4. IAM password policy meets baseline requirements. Twelve characters minimum, complexity rules, expiry, reuse prevention. Art 32(1)(b). NDG Std 4 - assertion 4.5.
  5. IAM access keys rotated within 90 days. A keypair older than a year sitting on a developer laptop is a DSPT failure waiting to be found. Art 32(1)(b). NDG Std 4 - least privilege and credential hygiene.
  6. Customer-managed policies avoid Action:* on Resource:*. The wildcard-everything policy is the second-most-common finding after missing MFA. Art 32(1)(b). NDG Std 4 - least privilege.
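As an added example (not Cambrian's code, nor anything from the original post), here is the evaluation logic for IAM checks 1, 2, 3, 5 and 6, run over a constructed credential report in the CSV shape that `aws iam get-credential-report` returns after base64 decoding, plus two constructed policy documents in the GetPolicyVersion shape. The account id, user names, policy names and dates are all made up; check 4 is left out because the password policy lives in a separate API response.

```python
import csv
from datetime import datetime, timedelta, timezone
# Constructed sample credential report using the real column names, trimmed to the
# ones these checks need. Dates are relative to the fixed "now" in run_iam_checks.
SAMPLE_REPORT = """\
user,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,not_supported,false,true,2024-01-10T09:00:00+00:00,false,N/A
alice,true,true,true,2026-04-01T09:00:00+00:00,false,N/A
bob,true,false,false,N/A,false,N/A
ci-deploy,false,false,true,2025-01-15T09:00:00+00:00,false,N/A
"""

# Constructed customer-managed policy documents (GetPolicyVersion shape).
SAMPLE_POLICIES = {
    "DeployAll": {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    "ReadExports": {"Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                                   "Resource": "arn:aws:s3:::patient-exports/*"}]},
}

KEY_MAX_AGE = timedelta(days=90)
ART32_1B, NDG4 = "UK GDPR Art 32(1)(b)", "NDG Std 4"

def parse_report(csv_text):
    """Parse the base64-decoded credential-report CSV into one dict per principal."""
    return list(csv.DictReader(csv_text.splitlines()))

def _active_keys(row):
    """Yield (slot, last_rotated) for each active access key on the row."""
    for slot in ("1", "2"):
        if row[f"access_key_{slot}_active"] == "true":
            yield slot, datetime.fromisoformat(row[f"access_key_{slot}_last_rotated"])

def policy_is_wildcard(doc):
    """Check 6: any Allow statement granting Action:* on Resource:*."""
    for stmt in doc.get("Statement", []):
        actions, resources = stmt.get("Action", []), stmt.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        if stmt.get("Effect") == "Allow" and "*" in actions and "*" in resources:
            return True
    return False

def iam_findings(rows, policies, now):
    """Findings as (check, resource, GDPR ref, NDG ref) for checks 1, 2, 3, 5 and 6.
    Check 4 needs GetAccountPasswordPolicy, which the report does not carry."""
    findings = []
    for row in rows:
        is_root, keys = row["user"] == "<root_account>", list(_active_keys(row))
        if is_root and row["mfa_active"] != "true":
            findings.append((1, "root", ART32_1B, NDG4))
        if is_root and keys:  # any root key is a finding regardless of age
            findings.append((2, "root", ART32_1B, NDG4))
        if not is_root and row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((3, row["user"], ART32_1B, NDG4))
        for slot, rotated in keys:
            if not is_root and now - rotated > KEY_MAX_AGE:
                findings.append((5, f"{row['user']}/key{slot}", ART32_1B, NDG4))
    findings += [(6, name, ART32_1B, NDG4) for name, doc in policies.items()
                 if policy_is_wildcard(doc)]
    return sorted(findings)

def run_iam_checks(report=SAMPLE_REPORT, policies=SAMPLE_POLICIES, now=None):
    now = now or datetime(2026, 6, 1, tzinfo=timezone.utc)  # fixed so results are reproducible
    return iam_findings(parse_report(report), policies, now)
```

Against the sample, `run_iam_checks()` reports root without MFA (1), a live root key (2), bob's console access without MFA (3), ci-deploy's stale key (5) and the DeployAll wildcard policy (6); alice passes.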

Amazon S3: 4 checks

S3 misconfigurations are the headline-grabbing data breaches you read about. For NHS-adjacent data, every one of these is non-negotiable.

  7. S3 account-level public access block fully enabled. All four block-public-access settings on, applied at the account level. Art 32(1)(b). NDG Std 1 - data not exposed to unauthorised parties.
  8. S3 buckets have default encryption enabled. SSE-KMS with keys in eu-west-2. Server-side encryption with S3-managed keys is acceptable but KMS is preferred for auditability. Art 32(1)(a) - Encryption at rest. NDG Std 1.
  9. S3 buckets have versioning enabled. Versioning is your protection against accidental deletion and ransomware. Art 32(1)(c) - ability to restore data. NDG Std 7 - backup and recovery.
  10. S3 buckets have server access logging enabled. Without bucket access logs, you cannot evidence the “who accessed what” question. Art 5(2) / Art 32 - accountability. NDG Std 9 - audit logging.

Amazon EC2: 4 checks

  11. No security groups allow unrestricted inbound access on admin or database ports. 0.0.0.0/0 on SSH, RDP, or database ports is a DSPT failure. Use a bastion or AWS Systems Manager Session Manager. Art 32(1)(b). NDG Std 9 - IT protection, boundary.
  12. EBS encryption by default is enabled. Account-wide setting that ensures every new EBS volume is encrypted. Art 32(1)(a). NDG Std 1.
  13. EC2 instances require IMDSv2. The metadata service v1 has been exploited to steal IAM role credentials. Forcing IMDSv2 closes that path. Art 32(1)(b). NDG Std 9.
  14. EBS snapshots are not publicly shared. A surprisingly common misconfiguration. A single public snapshot of a patient-data volume is a notifiable breach. Art 32(1)(b). NDG Std 1.
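As an added example (again not Cambrian's code or the page's own), here is the evaluation logic for the security-group check and the IMDSv2 check above (checks 11 and 13 in the 24-check numbering), run over constructed samples shaped like the `DescribeSecurityGroups` and `DescribeInstances` responses. Group ids, instance ids, names and the office CIDR are made up; the IMDSv2 check is written to distinguish `HttpTokens` set to `optional` from `required`, which is the gap mature teams most often leave.

```python
ADMIN_DB_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL", 1433: "MSSQL"}
ART32_1B, NDG9 = "UK GDPR Art 32(1)(b)", "NDG Std 9"

# Constructed samples shaped like DescribeSecurityGroups / DescribeInstances output:
# a bastion limited to an office range, a database group open to the world on 5432,
# an all-traffic group open over IPv6, and instances with each IMDS token mode.
SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-0aaa", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0bbb", "GroupName": "legacy-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0ccc", "GroupName": "wide-open", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]
SAMPLE_INSTANCES = [
    {"InstanceId": "i-0111", "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required"}},
    {"InstanceId": "i-0222", "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"}},
    {"InstanceId": "i-0333", "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional"}},
]

def _open_to_world(perm):
    """True if the rule accepts traffic from any IPv4 or IPv6 source."""
    return (any(r.get("CidrIp") == "0.0.0.0/0" for r in perm.get("IpRanges", []))
            or any(r.get("CidrIpv6") == "::/0" for r in perm.get("Ipv6Ranges", [])))

def _exposed_ports(perm):
    """Admin/database ports a single rule reaches; protocol -1 means every port."""
    if perm.get("IpProtocol") == "-1":
        return set(ADMIN_DB_PORTS)
    if perm.get("IpProtocol") not in ("tcp", "udp"):
        return set()
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    return {p for p in ADMIN_DB_PORTS if lo <= p <= hi}

def sg_findings(groups):
    """Check 11: one finding per admin/database port reachable from 0.0.0.0/0 or ::/0."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            if not _open_to_world(perm):
                continue
            for port in sorted(_exposed_ports(perm)):
                findings.append((11, sg["GroupId"], f"{ADMIN_DB_PORTS[port]}/{port}", ART32_1B, NDG9))
    return findings

def imdsv2_findings(instances):
    """Check 13: metadata endpoint enabled but HttpTokens not 'required'.
    'optional' is the trap: IMDSv2 is available, yet v1 still answers."""
    findings = []
    for inst in instances:
        opts = inst.get("MetadataOptions", {})
        if opts.get("HttpEndpoint") == "enabled" and opts.get("HttpTokens") != "required":
            findings.append((13, inst["InstanceId"], f"HttpTokens={opts.get('HttpTokens')}", ART32_1B, NDG9))
    return findings

def run_ec2_checks(groups=SAMPLE_SECURITY_GROUPS, instances=SAMPLE_INSTANCES):
    """All EC2 findings in one list, ready to attach to the evidence pack."""
    return sg_findings(groups) + imdsv2_findings(instances)
```

Against the sample, the bastion group passes, legacy-db fails on 5432, wide-open fails on all five listed ports, and only i-0222 fails the IMDSv2 check (i-0333 has the endpoint disabled, so no credentials are reachable).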

Amazon RDS: 4 checks

  15. RDS instances are not publicly accessible. Public RDS endpoints are almost always a misconfiguration. Art 32(1)(b). NDG Std 1.
  16. RDS instances have storage encryption enabled. Encryption at rest for the entire database, including backups. Art 32(1)(a). NDG Std 1.
  17. RDS automated backups retained for 7 days or more. Backup retention shorter than seven days fails the “restore access to data” requirement. Art 32(1)(c). NDG Std 7 - backup and recovery.
  18. RDS instances have deletion protection enabled. A single terraform destroy against a production database without deletion protection is a worst-case scenario you want closed. Art 32(1)(c) - availability. NDG Std 7.

CloudTrail, CloudWatch, KMS, VPC, GuardDuty: 5 checks

  19. A multi-region CloudTrail is active with log file validation. No CloudTrail, no audit log. No log file validation, no proof your audit log was not tampered with. Art 5(2) / Art 32 - accountability. NDG Std 9.
  20. CloudWatch alarm exists for root account usage. Any successful root sign-in should page someone. Art 5(2) / Art 32. NDG Std 6 - responding to incidents.
  21. Customer-managed KMS keys have rotation enabled. Annual KMS key rotation is a one-click setting too many teams forget. Art 32(1)(a). NDG Std 1.
  22. VPC flow logs are enabled. Network-level audit trail. Required for any meaningful incident investigation. Art 5(2) / Art 32. NDG Std 9.
  23. GuardDuty threat detection is enabled. Threat detection for AWS is cheap and one-click. There is no defensible reason to leave it off. Art 32(1)(b) - integrity. NDG Std 6.

Global: 1 check

  24. Resources run in a UK region (eu-west-2). For UK personal and NHS data, preferring eu-west-2 (London) is the cleanest answer to the data residency assertion. Resources outside the UK need to be assessed against your Chapter V transfer position. UK GDPR Chapter V. DSPT Information Governance - data held within agreed geography.

These 24 checks are the technical floor. They do not replace the questionnaire, the policies, or the training records, but they are the AWS evidence pack you should be able to attach to your DSPT submission the moment your assessor asks.

NDG Standard to AWS Service Mapping

If you want to think about it the other way around (NDG-first instead of AWS-first), here is how the five technical-heavy NDG standards map to our 24 checks:

NDG Standard | Focus                                  | Cambrian checks
NDG Std 1    | Data not exposed; encryption at rest   | Checks 7, 8, 12, 14, 15, 16, 21
NDG Std 4    | Strong authentication, least privilege | Checks 1, 2, 3, 4, 5, 6
NDG Std 6    | Responding to incidents, monitoring    | Checks 20, 23
NDG Std 7    | Continuity, backup, recovery           | Checks 9, 17, 18
NDG Std 9    | IT protection, audit logging           | Checks 10, 11, 13, 19, 22
IG geography | Data residency                         | Check 24

This mapping is the one your assessor will draw on a whiteboard if you let them. Better to draw it yourself first.

The Two Paths to These 24 Checks: £15,000 and £0

The traditional path is a UK security consultancy. You pay £5,000 to £15,000 for a multi-week engagement, they run a CIS-AWS-style scanner against your environment, hand you a 40-page report with an executive summary, and add £500 per finding for any remediation help.

The DIY path is open-source tools. Prowler is excellent and covers most of these checks against the CIS AWS Foundations benchmark. The catch: Prowler outputs are framework-agnostic. You still have to map each finding to the right UK GDPR article and the right NDG standard yourself, in writing, for the DSPT assessor. That mapping is the time-consuming bit.

The third path is using a tool that already knows the UK GDPR + DSPT mapping. That is why we built Cambrian. It runs all 24 of the checks above against your AWS account in about 90 seconds, locally on your laptop, with no SaaS upload, and every finding cites the exact UK GDPR article reference and DSPT NDG standard. The tool is free, distributed as a signed binary or Docker image on request, and is built specifically for UK healthcare, biotech, and NHS supplier teams.

For most Cambridge healthtech CTOs we work with, the realistic time saving is about 2-3 days of senior engineer effort over a do-it-yourself Prowler run, plus avoidance of the £5k-£15k consultancy bill.

Three Things Even Mature AWS Teams Miss on the DSPT

Most experienced AWS teams pass 18-20 of the 24 checks on the first scan. The four to six that consistently slip are the same ones regardless of team maturity, and three of them deserve a closer look:

IMDSv2 enforcement is the sneaky one. Most teams enable IMDSv2 but never set the metadata options to require it. A DSPT assessor will look at the actual instance metadata options, not your runbook intent.

CloudTrail log file validation is often missing. Teams enable CloudTrail, deliver to S3, and consider it done. Without log file validation, you cannot prove your audit trail has not been tampered with after the fact. Article 5(2) accountability fails without it.

eu-west-2 data residency is a “signal,” not a proof. Running in eu-west-2 alone is not a UK data residency guarantee. KMS keys, S3 replication targets, RDS cross-region snapshots, and CloudFront edge caches all need to be in agreed regions too. This is the most common finding for Cambridge biotech teams who started on us-east-1 because their MLOps tooling defaulted there.

For deeper UK-specific platform engineering guidance, our UK DevOps consulting team handles these specific gaps as fixed-scope remediation engagements after a readiness scan.

What About AWS’s Own DSPT Certification?

AWS itself has a DSPT certification, valid through 30 June 2026, downloadable from AWS Artifact and listed on the NHS DSPT website. This is sometimes misread as “we use AWS, therefore we are DSPT-compliant.”

That is not what the AWS DSPT certification means.

The AWS DSPT certification covers AWS’s own internal data security practices as the infrastructure provider. It tells you AWS, the company, meets the DSPT for how AWS-the-business handles data. It says nothing about how your account is configured, who has access to your resources, or whether your S3 buckets are public. That part is your responsibility, under AWS’s shared responsibility model.

So AWS being DSPT-certified is a useful supply-chain assurance for NDG Standard 10 (accountable suppliers). It is not evidence for any of the other technical NDG standards covering your AWS configuration.

Cambridge Healthtech and Biotech Specifics

A few things matter more for Cambridge healthtech teams than the generic AWS-on-DSPT advice:

eu-west-2 by default. Cambridge biotechs working with NIHR-funded studies, Wellcome Trust grants, or NHS Digital data contracts almost always have UK residency clauses. The cleanest answer is to default the entire stack to eu-west-2 (London), then assess any exceptions against the transfer position you have agreed with your sponsor.

Genomics workloads have specific residency edges. Tools like AWS HealthOmics, Nextflow on AWS Batch, and the various commercial pipelines (DNAnexus, Seven Bridges) sometimes default to us-east-1 for cost or feature reasons. This needs a deliberate residency assessment. For teams running Nextflow on AWS specifically, our Nextflow managed services team has handled this exact mapping for UK genomics clients.

DTAC overlap. The NHS Digital Technology Assessment Criteria (DTAC) is a separate framework, often required by NHS Trusts on top of DSPT for clinical software procurement. DTAC’s technical security section reuses most of the same controls. Passing the 24 Cambrian checks gets you most of the way through DTAC’s security section too.

What This Checklist Does NOT Cover

Be honest with yourself and with your assessor about scope.

These 24 checks are a technical configuration assessment. They do not, by themselves, satisfy any of the following:

  • Your DSPT governance assertions (NDG Standards 2, 3, 5, 8, 10)
  • Staff training records and information governance policies
  • Business continuity plans, incident response runbooks, the digital asset register
  • Supplier assurance for non-AWS providers
  • A formal UK GDPR compliance determination, which sits with your DPO and supervisory authority
  • The independent DSPT audit itself, where you are above the threshold

Use the technical check pass as part of your evidence, then engage a qualified assessor for formal submission.

How to Run All 24 Checks in 90 Seconds

The fastest way to know where you stand against the DSPT v8 technical assertions on AWS is to run the 24 checks above against your account. You can do this manually with the AWS CLI (we estimate about a day for a senior engineer who has not done it before), or you can run Cambrian, which is the free CLI we built to do exactly this for UK healthcare clients.

Cambrian is read-only, runs locally on your laptop using your existing AWS profile, defaults to eu-west-2, and produces a local HTML readiness report with every finding mapped to its UK GDPR article and NDG standard. Nothing uploads, nothing phones home. We send it as a signed binary or Docker image on request, with a one-page mapping PDF you can attach to your DSPT evidence pack.

If you need help interpreting findings or building the written DPIA / DSPT evidence text around them, our UK cybersecurity services team runs paid scan sessions starting at £495 (one-off) or a £395/month care plan for continuous monthly scans.

FAQ

Q: Is the NHS DSP Toolkit mandatory for all suppliers, or only large ones? The formal independent audit is mandatory for IT suppliers with 50 or more employees and £10 million or more in annual revenue who process NHS data or provide services to NHS organisations. Below those thresholds the DSPT submission itself is still expected by many NHS bodies as part of procurement due diligence, but the formal audit is not required.

Q: Does running the 24 AWS checks mean we pass the DSPT? No. The 24 checks are the AWS configuration evidence for the technical NDG standards. The DSPT also covers governance, training, business continuity, the digital asset register, and supplier assurance. The checks give you a defensible technical baseline that significantly shortens the AWS portion of your readiness work.

Q: Can we use AWS’s own DSPT certification instead of doing our own? No. AWS’s DSPT certification covers AWS’s own internal practices as an infrastructure provider. Your DSPT submission needs to cover your AWS configuration. AWS’s certification supports your supplier-assurance assertion (NDG Std 10) but does not replace evidence for any of the technical assertions about your own account.

Q: We are already running Prowler. Do we need anything else? Prowler is excellent and covers most of these technical checks against the CIS AWS Foundations benchmark. The gap, for UK teams, is that Prowler is framework-agnostic. You will need to map each finding to the corresponding UK GDPR article and the right NDG standard yourself, in writing, before your DSPT assessor will accept it. Cambrian does that mapping by default.

Q: When does DSPT v8 actually open and close? v8 (2025-26) is open now. The annual submission deadline for the 2025-26 publication is 30 June 2026. For IT suppliers above the audit threshold, your independent audit needs to be complete in time for that submission. Working back from 30 June, most teams need to start the readiness work no later than March 2026.

Q: Do we still need a UK consultancy if we run Cambrian? For the technical AWS evidence, often not. For the governance, training, business continuity, and policy work, yes. Cambrian addresses about half of the DSPT, and exactly the half that is hardest to evidence without expert tooling.

Next steps

If you want the 24-check Cambrian binary plus the UK GDPR / DSPT mapping PDF, request access on the product page. We send the signed binary or Docker image within one UK working day. If you would rather we ran the scan with you and walked through the findings on a 60-minute call, the £495 scan-as-a-service tier covers exactly that.

For deeper engagements covering policy work, NHS supplier audit support, or AWS managed services for ongoing NHS-adjacent workloads, get in touch with our UK team via the contact page.

The 30 June 2026 deadline is closer than it looks. The 24 checks above are the technical floor. Start there.


Ready to scan your AWS account against UK GDPR and the NHS DSP Toolkit?

The NHS DSP Toolkit v8 deadline is 30 June 2026, and the AWS configuration evidence is the part most UK healthcare and biotech teams underestimate. We built Cambrian so you can run the 24 technical checks in 90 seconds, locally, with every finding pre-mapped to UK GDPR Article 32 and the relevant NDG standard.

Our team provides comprehensive UK GDPR and NHS DSP Toolkit AWS readiness services to help UK healthcare, biotech, and NHS supplier teams:

  • Run the 24 technical checks in 90 seconds with the free Cambrian CLI, mapped to UK GDPR Article 32 and NDG standards 1, 4, 6, 7, and 9
  • Skip the £5,000-£15,000 consultancy PowerPoint and go straight to the actual findings
  • Hit the 30 June 2026 DSPT deadline with the AWS evidence pack already gathered, prioritised, and DPIA-ready

Built specifically for Cambridge healthtech, biotech, and NHS IT suppliers facing the v8 deadline.

Request the free Cambrian binary →


Engineering Team

Published on June 1, 2026
