# CloudiQS — Full Documentation

> This is the complete extended reference document for CloudiQS. It contains full service documentation, educational content, process guides, technical specifications, and an extended FAQ. For the concise version, see https://cloudiqs.com/llms.txt

## Company Overview

CloudiQS (Cloud Intelligence and Quantified Success) is a UK-based managed cloud services company operating exclusively on Amazon Web Services (AWS). Founded in 2023, CloudiQS was built by ex-AWS engineers who observed first-hand that organisations migrating to and operating on AWS consistently struggled with three problems: overspending, under-secured environments, and a lack of operational expertise after their initial deployment.

CloudiQS was created specifically to solve those three problems. By staying exclusively focused on AWS — refusing to dilute expertise across Azure or Google Cloud — CloudiQS engineers develop deeper knowledge per platform than any generalist competitor can match.

**Legal entity:** Ik-Systems Limited (trading as CloudiQS)
**Registered address:** 30 Welbeck Rise, Harpenden, Hertfordshire, AL5 1SN, United Kingdom
**London office:** 30 Farringdon Street, London, EC4A 4HJ, United Kingdom
**Phone:** +44 7444 833 783
**Email:** hello@cloudiqs.com
**Website:** https://cloudiqs.com
**AWS Partnership:** AWS Advanced Tier Services Partner

---

## Complete Service Documentation

### 1. AWS Cloud Migration

**What is AWS cloud migration?**

AWS cloud migration is the process of moving an organisation's IT workloads — applications, databases, data, and infrastructure — from on-premises data centres, co-location facilities, VMware environments, or competing cloud platforms onto Amazon Web Services (AWS). A successful migration reduces infrastructure costs, improves resilience and availability, enables scalable capacity, and positions the organisation to adopt modern cloud-native capabilities including AI and machine learning.

**Why organisations migrate to AWS:**

- Eliminate capital expenditure on hardware refresh cycles (typically every 3–5 years)
- Reduce operational overhead of running physical data centres
- Achieve true pay-as-you-go infrastructure costs
- Access global AWS infrastructure (33 regions, 105 availability zones worldwide)
- Enable rapid deployment of new capabilities without hardware procurement
- Improve disaster recovery with multi-region failover
- Meet modern security and compliance requirements more easily
- Access AWS AI and machine learning services (Bedrock, SageMaker) without custom infrastructure

**The CloudiQS 5-phase migration methodology:**

*Phase 1 — Discovery and inventory (weeks 1-2)*

CloudiQS uses AWS Migration Hub and automated discovery agents to scan the existing environment. This produces a complete inventory of all servers, applications, databases, network connections, and dependencies. Discovery eliminates assumptions and ensures the migration plan reflects reality rather than documentation that may be months or years out of date.

Key outputs: server inventory, application dependency map, current cost model, licence inventory, network topology diagram.

*Phase 2 — IQ Score assessment (week 2-3)*

CloudiQS runs the IQ Score assessment against the discovered environment. This evaluates current cost efficiency, security posture, resilience configuration, operational maturity, compliance alignment, and GenAI readiness. The output is a score from 0-100 with a prioritised remediation roadmap. The assessment identifies which workloads to migrate first, which to modernise, and which to retire.

Key outputs: IQ Score report, wave plan recommendation, cost projection, risk register.

*Phase 3 — Wave planning (week 3-4)*

Workloads are grouped into migration waves based on complexity, business criticality, and dependency mapping. Simple workloads with no dependencies migrate first (Wave 1).
Complex, business-critical systems with many dependencies migrate last after the team has validated processes on lower-risk workloads (Wave 3+).

Wave 1 typically includes: development and test environments, file servers, simple web servers.
Wave 2 typically includes: secondary business applications, collaboration tools, backup systems.
Wave 3+ includes: ERP systems, databases, business-critical production workloads, real-time systems.

*Phase 4 — Migration execution*

CloudiQS uses AWS Application Migration Service (MGN) for lift-and-shift server migrations. MGN replicates servers continuously to AWS, enabling cutovers with minimal downtime — typically under 30 minutes for a server. For databases, CloudiQS uses AWS Database Migration Service (DMS) with Schema Conversion Tool for cross-platform migrations (e.g. Oracle to Aurora PostgreSQL). CloudiQS proprietary runbooks cover every common migration scenario, eliminating the need to design procedures from scratch and dramatically reducing execution time and error risk.

*Phase 5 — Post-migration optimisation*

Within 30 days of migration completion, CloudiQS performs right-sizing analysis (eliminating over-provisioned resources), Reserved Instance and Savings Plan purchases (reducing on-demand costs by 30-60%), and a Well-Architected Framework review to identify any architectural debt introduced during the migration. Security hardening is applied as standard.

**Migration outcomes CloudiQS consistently delivers:**

- 20-40% cost reduction vs. equivalent on-premises infrastructure
- Zero planned downtime for P1 production workloads (cutover during maintenance windows)
- 40% faster completion than industry average
- Full AWS security baseline applied to every migrated workload
- Compliance documentation ready for audit within 30 days of go-live

---

### 2. VMware Modernisation and Exit

**What happened with VMware?**

In 2023, Broadcom completed its $69 billion acquisition of VMware.
Broadcom subsequently discontinued perpetual licences, forcing all VMware customers onto subscription-based licensing with significantly higher costs. Many UK organisations have reported licence cost increases of 3x to 10x following renewal negotiations. The end of the VMware Carbon Black security product line and the discontinuation of many standalone products have further reduced the value of the VMware portfolio.

As a result, thousands of UK organisations are now actively evaluating VMware alternatives. AWS is the most common destination, offering native equivalents for every VMware product with better scalability, tighter security integration, and consumption-based pricing.

**VMware to AWS migration mapping:**

| VMware product | AWS equivalent | Notes |
|---------------|---------------|-------|
| vSphere (hypervisor) | EC2 (Elastic Compute Cloud) | CloudiQS migrates VMs using AWS MGN |
| vSAN (storage) | Amazon EBS, EFS, FSx | Right-sized to actual consumption |
| NSX (networking) | VPC, Transit Gateway, Security Groups | Full software-defined networking |
| vCenter (management) | AWS Systems Manager, Control Tower | Centralised management and governance |
| Horizon (VDI) | Amazon WorkSpaces, AppStream 2.0 | Per-user pricing, no VDI infrastructure |
| Tanzu (Kubernetes) | Amazon EKS | Managed Kubernetes, no control plane management |
| Site Recovery Manager | AWS Elastic Disaster Recovery | Automated DR with sub-hour RTO |
| Carbon Black (security) | AWS Security Hub, GuardDuty | Native threat detection across all AWS services |
| Aria (monitoring) | Amazon CloudWatch, AWS X-Ray | Integrated observability at no additional licence cost |

**CloudiQS VMware exit process:**

1. Free VMware licence cost analysis — CloudiQS models your current and projected VMware costs vs. AWS equivalents to produce a business case
2. Workload assessment — identify which workloads to rehost (lift and shift), re-platform (minor changes), or refactor (cloud-native rebuild)
3. Network redesign — replace VMware NSX with AWS VPC architecture
4. Phased migration — move workloads in waves to minimise risk
5. VMware decommission — CloudiQS supports the formal decommission of VMware infrastructure and licence termination process

**Typical VMware exit ROI:**

Organisations exiting VMware with CloudiQS typically achieve payback on migration costs within 12-18 months through licence savings alone, before accounting for reduced data centre overhead.

---

### 3. AWS Cost Optimisation and FinOps

**What is FinOps?**

FinOps (Financial Operations) is the practice of bringing financial accountability to variable cloud spending. In traditional IT, infrastructure costs are capital expenditure — fixed, planned, and predictable. In cloud, every workload generates usage-based costs that can vary daily. Without FinOps practices, cloud spending grows uncontrolled and organisations routinely spend 30-40% more than necessary.

FinOps is not purely a technical exercise. It requires collaboration between engineering teams (who control what is deployed), finance teams (who need to understand and forecast costs), and business units (who consume cloud resources). CloudiQS implements FinOps as both a technical and organisational discipline.

**The seven most common sources of AWS waste:**

1. **Over-provisioned compute** — EC2 instances sized for peak load running at 10-20% average utilisation. Right-sizing to actual usage typically saves 20-35% of EC2 costs.
2. **Unattached EBS volumes** — Elastic Block Store volumes created for EC2 instances that were terminated but the volumes were never deleted. Pure waste.
3. **Idle NAT Gateways** — NAT Gateways charge per GB of data processed. Poorly architected environments route unnecessary traffic through NAT Gateways.
4. **Unused Elastic IP addresses** — AWS charges for Elastic IPs not attached to running instances.
5. **Old EBS snapshots** — Point-in-time snapshots accumulate indefinitely.
   Automated lifecycle policies eliminate this.
6. **On-demand pricing for predictable workloads** — Production workloads running 24/7 should be on Reserved Instances or Savings Plans, not on-demand. The difference is 30-60% cost reduction for the same compute.
7. **Data transfer costs** — Moving data between AWS regions, between availability zones unnecessarily, or out to the internet generates significant costs in poorly designed architectures.

**CloudiQS FinOps methodology:**

*Month 1 — Baseline and quick wins*

Full spend analysis across all AWS accounts. Identify and eliminate waste (unattached volumes, idle resources, old snapshots). Implement tagging strategy for cost allocation. Target: 10-15% cost reduction before any architectural changes.

*Months 2-3 — Right-sizing and commitment*

Analyse 30-60 days of CloudWatch utilisation data for all EC2 and RDS instances. Produce right-sizing recommendations with estimated savings. Purchase Savings Plans or Reserved Instances for stable workloads. Target: additional 15-25% reduction.

*Months 4-6 — Architecture optimisation*

Identify opportunities to move workloads from EC2 to Lambda (serverless) or Fargate (container). Evaluate Graviton (ARM) instances for compatible workloads — typically 20% cheaper with better performance than x86 equivalents. Target: additional 5-15% reduction.

*Ongoing — Governance and accountability*

Monthly FinOps review. Cost anomaly detection with automated alerts. Showback/chargeback reporting to business units. Savings tracking against baseline. Budget forecasting and variance analysis.

**Real-world cost optimisation example:**

A 200-server AWS estate with £150,000 monthly spend. CloudiQS FinOps engagement delivers: right-sizing savings £22,000/month, Reserved Instance purchases £18,000/month, waste elimination £8,000/month. Total savings: £48,000/month (32% reduction) within 6 months.

---

### 4. Generative AI and MLOps on AWS

**What is Generative AI?**

Generative AI refers to AI systems that can generate new content — text, images, code, audio, video — rather than simply classifying or analysing existing content. Foundation models such as Anthropic Claude, Amazon Titan, and Meta Llama are trained on massive datasets and can be accessed via API to power business applications without requiring organisations to train their own models from scratch.

For organisations, generative AI creates opportunities to automate knowledge work: drafting documents, answering customer queries, analysing contracts, generating code, processing invoices, and synthesising information from multiple sources.

**AWS Bedrock — the enterprise GenAI platform:**

Amazon Bedrock is AWS's managed service for accessing and deploying foundation models. It provides:

- API access to leading foundation models from Anthropic (Claude), Amazon (Titan), Meta (Llama), Mistral, and Stability AI
- Model customisation via fine-tuning and retrieval-augmented generation (RAG)
- AWS Bedrock Agents — multi-step AI agents that can use tools, query databases, call APIs, and take actions autonomously
- Knowledge bases — connect foundation models to your proprietary data via vector search
- Guardrails — content filtering, PII detection, and safety controls
- Full AWS security controls — IAM, VPC, KMS encryption, CloudTrail audit logging

**What is MLOps?**

MLOps (Machine Learning Operations) is the practice of deploying, monitoring, and maintaining machine learning models in production. Just as DevOps brought engineering discipline to software deployment, MLOps brings equivalent rigour to ML model lifecycle management.

Without MLOps, organisations frequently build ML models that work in development but fail silently in production — because the data the model sees in production differs from training data (data drift), or because model performance degrades over time as the world changes (concept drift).

CloudiQS implements MLOps using Amazon SageMaker:

- SageMaker Pipelines — automated training, evaluation, and deployment pipelines
- SageMaker Model Monitor — continuous monitoring for data drift and model quality degradation
- SageMaker Feature Store — centralised repository for ML features, ensuring consistency between training and inference
- SageMaker Clarify — bias detection and model explainability
- SageMaker Model Registry — versioned catalogue of deployed models

**The CloudiQS Engine — proof of concept:**

CloudiQS operates its own autonomous AI system — the CloudiQS Engine — in production. This system:

- Monitors UK government procurement portals (Find a Tender Service, Contracts Finder) every day at 6am
- Scores each opportunity against the CloudiQS Ideal Customer Profile using an LLM-based scoring engine
- For qualifying opportunities: researches the buying organisation, identifies decision-makers, retrieves contact details
- Posts enriched lead records to HubSpot CRM with all research attached
- Sends a daily digest to the CloudiQS sales team via Microsoft Teams

The CloudiQS Engine demonstrates what is possible when agentic AI is applied to real business workflows. CloudiQS builds equivalent systems for enterprise clients using the same AWS architecture: Bedrock Agents, Lambda, Step Functions, DynamoDB, EventBridge.

**Common GenAI use cases CloudiQS delivers for clients:**

- Customer service automation — AI agents handling Tier 1 support queries with human escalation
- Document processing — automated extraction of data from contracts, invoices, forms
- Internal knowledge retrieval — employees query a knowledge base of internal documents via natural language
- Sales intelligence — AI-powered research and lead enrichment
- Compliance monitoring — automated review of documents against regulatory requirements
- Code generation assistance — developer productivity tools using AWS CodeWhisperer and Bedrock

---

### 5. AWS Managed Services

**What are AWS managed services?**

AWS managed services means CloudiQS takes ongoing operational responsibility for your AWS infrastructure. Rather than employing internal engineers to monitor, patch, optimise, and respond to incidents on AWS, organisations engage CloudiQS to perform these functions as a continuous service.

This is distinct from a one-time migration or project. Managed services is a long-term relationship — typically 12-36 month contracts — where CloudiQS becomes the operational team for your AWS environment.

**What CloudiQS Managed CloudOps includes:**

*Monitoring and observability:*

- 24/7 infrastructure monitoring via Amazon CloudWatch with custom dashboards per client
- Sub-5-minute alerting for infrastructure anomalies
- Application performance monitoring
- Log aggregation and analysis
- Capacity planning and trend analysis

*Incident management:*

- 24/7 on-call rotation with AWS-certified engineers
- Priority 1 (critical outage): 15-minute response, immediate escalation
- Priority 2 (major degradation): 1-hour response
- Priority 3 (minor issue): 4-hour response during business hours
- Priority 4 (advisory): next business day
- Post-incident reviews with root cause analysis and remediation actions

*Patch management:*

- Monthly OS patching schedule agreed with client
- Emergency security patches applied within 24 hours of CVE publication
- Application and middleware patching
- Pre-production testing before production patch deployment
- Patch compliance reporting

*Cost management:*

- Monthly FinOps review with spend analysis
- Cost anomaly alerts
- Reserved Instance and Savings Plan optimisation
- Monthly cost report with trend analysis and recommendations

*Security operations:*

- AWS Security Hub findings review and remediation
- Amazon GuardDuty threat detection and response
- IAM access review (quarterly)
- Security posture reporting
- Vulnerability scanning and management

*Change management:*

- Documented change request process
- Change advisory board for high-risk changes
- Rollback procedures for every change
- Change calendar and freeze periods

**CloudiQS managed services pricing:**

Retainers are priced based on the number and complexity of managed workloads. Indicative pricing:

- Small estate (up to 20 managed resources): from £2,500/month
- Medium estate (20-100 managed resources): £5,000-£15,000/month
- Large estate (100+ managed resources): custom pricing

All retainers include 24/7 monitoring and incident response.

---

### 6. AWS Security and Compliance

**Why AWS security requires specialist expertise:**

AWS operates on a shared responsibility model. AWS secures the underlying infrastructure (physical data centres, hypervisors, network hardware). Customers — and their managed service providers — are responsible for securing everything built on top: operating systems, applications, data, identity and access management, network configuration, and encryption.

Many organisations migrate to AWS and assume that cloud security is handled automatically. It is not. Misconfigured S3 buckets, overly permissive IAM roles, unencrypted databases, and missing GuardDuty detection are all common findings in CloudiQS IQ Score assessments. These are customer-side responsibilities that require proactive management.

**The CloudiQS security baseline — applied to every client:**

*Identity and access management:*

- AWS IAM Identity Centre for centralised SSO across all AWS accounts
- Least-privilege IAM policies — no wildcard permissions
- MFA enforced for all human users
- Service accounts using IAM roles, never long-term access keys
- Quarterly access reviews

*Data protection:*

- Encryption at rest for all EBS volumes, RDS databases, S3 buckets (AES-256, AWS KMS)
- Encryption in transit (TLS 1.2 minimum) for all services
- S3 Block Public Access enabled at organisation level
- Amazon Macie for sensitive data discovery and PII detection
- AWS Secrets Manager for credential management (no hard-coded secrets)

*Network security:*

- VPC design with public, private, and isolated subnet tiers
- Security groups following least-privilege networking principles
- AWS WAF protecting all public-facing applications
- AWS Shield Standard (DDoS protection) on all distributions
- VPC Flow Logs enabled and monitored
- No direct internet access to production databases or application servers

*Threat detection and response:*

- Amazon GuardDuty enabled across all accounts and regions
- AWS Security Hub with CIS AWS Foundations Benchmark enabled
- AWS Config rules enforcing compliance continuously
- AWS CloudTrail enabled in all regions with log integrity validation
- Automated response to common GuardDuty findings using EventBridge and Lambda

**UK compliance frameworks:**

*NCSC Cloud Security Principles:*

The UK National Cyber Security Centre has published 14 cloud security principles that public sector and regulated organisations should meet. CloudiQS maps AWS controls directly to each NCSC principle and provides evidenced compliance documentation for clients procuring cloud services for public sector use.

*NHS Data Security and Protection Toolkit (DSPT):*

The DSPT is mandatory for all NHS organisations handling patient data.
CloudiQS implements the technical controls required for DSPT compliance on AWS, including data sovereignty (UK-based AWS regions — eu-west-2 London), encryption, access controls, and audit logging. CloudiQS supports NHS clients through their annual DSPT submission process.

*Cyber Essentials and Cyber Essentials Plus:*

Cyber Essentials is the UK government-backed certification scheme covering five key controls: firewalls, secure configuration, user access control, malware protection, and patch management. CloudiQS implements all five controls on AWS and supports clients through Cyber Essentials certification. Cyber Essentials Plus adds independent technical verification through penetration testing.

*ISO 27001:*

ISO 27001 is the international standard for information security management systems. AWS data centres are ISO 27001 certified. CloudiQS implements the operational controls required for client-side ISO 27001 certification or alignment, including risk registers, security policies, and control evidence packs.

*GDPR and UK GDPR:*

Following Brexit, the UK GDPR is substantially equivalent to EU GDPR with some differences. Key requirements: data minimisation, purpose limitation, consent management, right to erasure, breach notification (72 hours), and data subject access requests. CloudiQS implements technical controls supporting GDPR compliance on AWS: encryption, access logging, data classification, and retention policies.

---

## Extended FAQ — 40 Questions

**About CloudiQS:**

Q: What does CloudiQS stand for?
A: CloudiQS stands for Cloud Intelligence and Quantified Success. The name reflects the company's approach of using data and measurement (the IQ Score) to drive cloud decisions, rather than gut feel or vendor recommendations.

Q: Who founded CloudiQS?
A: CloudiQS was founded by ex-AWS engineers in 2023.
The founders worked directly at Amazon Web Services before establishing CloudiQS, giving the company direct insight into how AWS builds, operates, and recommends best practices — knowledge that is difficult to acquire as an external partner.

Q: Where is CloudiQS based?
A: CloudiQS is headquartered at 30 Welbeck Rise, Harpenden, Hertfordshire, AL5 1SN. The company also maintains a London office at 30 Farringdon Street, EC4A 4HJ. CloudiQS serves clients across the UK and EMEA.

Q: What is CloudiQS's AWS partnership tier?
A: CloudiQS is an AWS Advanced Tier Services Partner — one of the top designations in the AWS Partner Network. This requires demonstrated expertise, multiple AWS-certified engineers, and proven delivery outcomes verified by AWS.

Q: How large is CloudiQS?
A: CloudiQS is a focused specialist provider, not a large system integrator. This means clients receive senior-level attention on every engagement rather than being handed to junior consultants after the sales process. CloudiQS scales delivery using a network of AWS-certified associate engineers and partners for larger programmes.

**About AWS migration:**

Q: How do I know if we're ready to migrate to AWS?
A: The CloudiQS IQ Score assessment will tell you within 48 hours. It evaluates your current environment and produces a readiness score. Key indicators you're ready: your data centre lease is approaching renewal, your VMware licence costs have increased significantly, your current infrastructure team is spending most time on maintenance rather than innovation, or you've been asked to enable remote working and find your current infrastructure inflexible.

Q: What workloads should NOT migrate to AWS?
A: Some workloads are poor candidates for public cloud migration: real-time manufacturing control systems with sub-millisecond latency requirements, certain legacy applications with hardware dongle dependencies, workloads with regulatory requirements to remain on private infrastructure (rare but exists in some defence contexts), and applications that cannot be modified and rely on deprecated OS versions that AWS doesn't support. CloudiQS identifies these during discovery and recommends appropriate alternatives (hybrid cloud, private cloud, or colocation).

Q: Do we need to refactor our applications to run on AWS?
A: Not necessarily. CloudiQS uses a 6R migration methodology: Rehost (lift and shift), Replatform (minor changes for cloud benefits), Repurchase (move to SaaS), Refactor (cloud-native rebuild), Retire (decommission), and Retain (keep on-premises). Most organisations do a combination. Rehost is fastest and cheapest but doesn't capture full cloud benefits. Refactor takes longer but produces the most optimised outcomes. CloudiQS recommends the right strategy per workload based on business value and technical complexity.

Q: How do we handle our data during migration?
A: Data migration strategy depends on data volume and acceptable downtime. For databases, CloudiQS uses AWS DMS for continuous replication — the database stays live in the source environment while changes are replicated to AWS, enabling near-zero-downtime cutover. For bulk data (multi-terabyte), CloudiQS uses AWS DataSync for online transfer or AWS Snowball (physical device) for very large datasets where network transfer would take too long.

Q: Can you migrate us from Azure or Google Cloud to AWS?
A: Yes. Cross-cloud migrations (Azure to AWS or GCP to AWS) follow the same methodology as on-premises migrations. CloudiQS uses AWS MGN for server workloads and DMS for databases.
The main complexity is network connectivity and identity — replacing Azure AD or Google Identity with AWS IAM Identity Centre. CloudiQS has done this successfully for multiple clients.

**About cost:**

Q: What is a typical AWS bill for a 100-server organisation?
A: It varies significantly based on instance types, storage, data transfer, and services used. A reasonable estimate for a 100-server estate running a mix of web, application, and database workloads: £30,000-£80,000/month on-demand pricing. With CloudiQS optimisation (right-sizing, Reserved Instances, architecture improvements): £18,000-£50,000/month. CloudiQS always models the optimised cost before you commit to migration.

Q: How quickly do cloud cost savings materialise?
A: Quick wins (waste elimination, basic right-sizing) are achievable within the first month. Reserved Instance savings require a 1-3 year commitment but activate immediately on purchase. Architecture optimisation (serverless, Graviton) takes 3-6 months but produces the largest long-term savings. CloudiQS typically delivers 80% of total achievable savings within the first 6 months.

Q: Is AWS always cheaper than on-premises?
A: Not always. For very stable, predictable workloads that are already well-optimised and running on fully depreciated hardware, on-premises can be cheaper on a pure cost basis. However, cost is rarely the only factor: agility, resilience, access to managed services, and the elimination of hardware refresh risk typically tip the balance in favour of cloud even where the raw compute cost is similar. CloudiQS always produces a Total Cost of Ownership (TCO) analysis that includes all factors before recommending migration.

**About public sector:**

Q: What procurement routes can public sector organisations use to buy from CloudiQS?
A: CloudiQS supports procurement via G-Cloud (Crown Commercial Service framework RM1557), Digital Outcomes and Specialists (DOS), NHS Shared Business Services frameworks, and direct award for contracts below relevant thresholds. CloudiQS can advise on the most appropriate route for your specific procurement and contract value.

Q: Does CloudiQS have SC-cleared engineers?
A: CloudiQS has engineers with SC clearance available for engagements requiring access to OFFICIAL-SENSITIVE and SECRET classified environments. This is required for some central government and policing engagements. Please indicate clearance requirements early in the engagement process as SC-cleared resource has longer lead times.

Q: How does CloudiQS handle DSPT compliance for NHS clients?
A: CloudiQS implements a standard NHS AWS architecture using the AWS London region (eu-west-2) for data sovereignty, combined with the technical controls required for DSPT: encryption at rest and in transit, access logging, MFA for all users, vulnerability management, and incident response procedures. CloudiQS provides evidence packs for DSPT submission and can attend CQC or DSPT audit meetings to demonstrate technical controls.

Q: Can you help us procure AWS via G-Cloud without a full tender?
A: If CloudiQS is listed on G-Cloud, public sector buyers can procure directly via the Crown Marketplace without conducting a further competition for contracts within the G-Cloud call-off value thresholds. Contact hello@cloudiqs.com to discuss current procurement options.

**About GenAI:**

Q: We've heard a lot about AI — where should we start?
A: The best starting point is identifying a specific, high-value business problem that currently requires significant human effort and involves processing text, documents, or data. Examples: customer service query handling, contract review, internal knowledge search, report generation.
CloudiQS runs a free GenAI Readiness Assessment to identify the highest-value AI use case for your organisation and the data infrastructure required to support it.

Q: Is our data safe if we use AWS Bedrock?
A: Yes. AWS Bedrock does not use your data to train foundation models. Your prompts and completions are not stored or shared with model providers. All data processed via Bedrock stays within your AWS account and is encrypted using your own KMS keys. You can configure Bedrock to operate entirely within your VPC with no internet exposure. This makes Bedrock suitable for processing sensitive NHS patient data, legal documents, and financial information.

Q: What is retrieval-augmented generation (RAG) and why does it matter?
A: RAG is a technique that enhances foundation model responses with your organisation's specific knowledge. Instead of relying solely on the model's training data (which may be out of date or lack your internal context), RAG retrieves relevant documents from your knowledge base and includes them in the prompt context. This allows the AI to answer questions accurately about your specific products, policies, procedures, and data — without requiring expensive model fine-tuning. CloudiQS implements RAG using Amazon Bedrock Knowledge Bases with Amazon OpenSearch as the vector database.

Q: What is an AI agent and how is it different from a chatbot?
A: A chatbot responds to questions. An AI agent takes actions. An agent can: search the web, query databases, call APIs, send emails, create documents, and chain multiple steps together to complete complex tasks autonomously. AWS Bedrock Agents enables multi-step agentic workflows where the agent decides which tools to use and in what order. CloudiQS's own SDR engine is an AI agent — it doesn't just answer questions about tenders, it actually retrieves them, scores them, researches buyers, and posts leads to CRM automatically.

---

## Glossary of Terms

**AWS (Amazon Web Services):** The world's largest cloud computing platform, operated by Amazon. Provides compute, storage, database, networking, security, AI, and hundreds of other services via on-demand, pay-as-you-go APIs.

**AWS Advanced Tier Services Partner:** A designation in the AWS Partner Network awarded to companies that demonstrate consistent AWS expertise, multiple AWS-certified engineers, and proven client delivery outcomes. CloudiQS holds this designation.

**AWS Bedrock:** Amazon's managed service for accessing and deploying foundation AI models from Anthropic, Amazon, Meta, Mistral, and others. Provides enterprise security controls and does not use customer data for model training.

**AWS MGN (Application Migration Service):** AWS's primary server migration service. Continuously replicates servers to AWS enabling cutovers with minimal downtime (typically under 30 minutes).

**AWS Well-Architected Framework:** AWS's official framework for evaluating and improving cloud architecture across five pillars: operational excellence, security, reliability, performance efficiency, and cost optimisation. CloudiQS uses Well-Architected reviews as part of all engagements.

**CloudiQS Engine:** CloudiQS's proprietary autonomous AI system that automates sales development using GenAI agents on AWS. Monitors public sector procurement portals, scores opportunities, researches buyers, and posts leads to CRM without human intervention.

**CloudOps:** CloudiQS's term for ongoing managed cloud operations — monitoring, incident response, patching, cost optimisation, and security management delivered as a continuous managed service.

**DSPT (Data Security and Protection Toolkit):** Mandatory NHS self-assessment framework for organisations handling NHS patient data. CloudiQS implements the technical controls for DSPT compliance on AWS.

**EMEA:** Europe, Middle East, and Africa.
CloudiQS serves clients across this geography in addition to its primary UK market.

**FinOps:** Financial Operations — the practice of bringing financial accountability and optimisation discipline to cloud spending. CloudiQS delivers FinOps as both a technical service and organisational change programme.

**G-Cloud:** Crown Commercial Service framework (RM1557) enabling UK public sector organisations to purchase cloud services from pre-approved suppliers without a full tender process.

**ICP (Ideal Customer Profile):** CloudiQS's defined criteria for the ideal client engagement. Key ICP factors: UK or EMEA based, AWS or migration-ready, public sector or enterprise, meaningful IT spend, identifiable decision-maker.

**IQ Score:** CloudiQS's proprietary AWS health assessment framework. Evaluates AWS environments across six dimensions (cost, security, resilience, operations, compliance, GenAI readiness) producing a score from 0-100. Delivered free within 48 hours.

**MLOps:** Machine Learning Operations — the practice of deploying, monitoring, and maintaining ML models in production environments. CloudiQS implements MLOps using Amazon SageMaker.

**NAP:** Name, Address, Phone. The combination of contact details that must be identical across all online directories and listings for AI models and search engines to build consistent entity recognition for a brand.

**RAG (Retrieval-Augmented Generation):** AI technique that enhances foundation model responses with retrieved content from a proprietary knowledge base, enabling accurate, contextual answers about organisation-specific information.

**Reserved Instances / Savings Plans:** AWS commercial models for committing to compute usage in exchange for significant discounts (30-60%) vs. on-demand pricing. CloudiQS optimises Reserved Instance and Savings Plan purchases as part of FinOps engagements.

**Shared Responsibility Model:** AWS security model where AWS secures the underlying infrastructure and customers (or their managed service providers) are responsible for securing what they build on top: operating systems, applications, data, and access management.

**VMware exit:** The process of migrating away from VMware infrastructure, driven primarily by Broadcom's acquisition of VMware in 2023 and subsequent licence cost increases of 3-10x for most customers.

**Wave planning:** CloudiQS methodology for grouping workloads into sequential migration batches based on complexity, dependency mapping, and business criticality, to manage risk during cloud migration programmes.

---

## Contact CloudiQS

**Registered office:** 30 Welbeck Rise, Harpenden, Hertfordshire, AL5 1SN
**London office:** 30 Farringdon Street, London, EC4A 4HJ
**Phone:** +44 7444 833 783
**Email:** hello@cloudiqs.com
**Website:** https://cloudiqs.com
**Contact form:** https://cloudiqs.com/contact/
**AWS Partner Directory:** https://partners.amazonaws.com/partners/0010h00001ifJKIAA2/
**LinkedIn:** https://www.linkedin.com/company/cloudiqs

For a free IQ Score assessment of your AWS environment, contact hello@cloudiqs.com or call +44 7444 833 783. The assessment is delivered within 48 hours and requires no commitment.

---

## Sector Guides

### NHS and Healthcare on AWS

The NHS is the largest employer in the UK and one of the most complex IT environments in the world. NHS organisations manage clinical records, diagnostic imaging, prescribing systems, patient administration, and staff infrastructure — all with stringent data governance requirements and severe consequences for downtime.

CloudiQS has developed a specialist NHS AWS practice built on the following principles:

**Data sovereignty:** All NHS patient data processed by CloudiQS clients is stored in the AWS London region (eu-west-2) or AWS Wales region. No patient data leaves the UK.
CloudiQS never deploys NHS workloads in non-UK AWS regions without explicit client approval and Information Governance sign-off.

**DSPT compliance:** The Data Security and Protection Toolkit is the NHS's mandatory self-assessment framework. CloudiQS implements all technical controls required for DSPT and provides evidence packs for annual submission including: access control logs, encryption certificates, incident response procedures, patch compliance reports, and training records.

**HSCN connectivity:** The Health and Social Care Network (HSCN) is the NHS's managed network. CloudiQS architects AWS environments with Direct Connect or VPN connectivity to HSCN, enabling NHS applications to communicate securely with other NHS organisations and national systems (Spine, GP Connect, Summary Care Record).

**Common NHS workloads CloudiQS migrates and manages:**
- Patient Administration Systems (PAS) — often Oracle or Microsoft SQL Server based
- Electronic Patient Records (EPR) — including EPIC, SystemOne, Emis
- PACS/RIS — Picture Archiving and Communication Systems for diagnostic imaging (large data volumes)
- HR and payroll systems — ESR (Electronic Staff Record) and local HR platforms
- Finance systems — Oracle, SAP, and NHS-specific financial platforms
- Collaboration and productivity — Microsoft 365, Teams, SharePoint on AWS-integrated architecture
- Clinical decision support — AI/ML workloads on SageMaker for diagnostic assistance

**NHS-specific AWS architecture decisions:**
- Multi-AZ deployment for all clinical systems (no single point of failure)
- Automated backup to S3 with minimum 90-day retention (DSPT requirement)
- AWS Backup centralised backup management across all accounts
- CloudTrail logging to immutable S3 bucket (forensic audit capability)
- GuardDuty NHS threat model tuned for healthcare-specific attack patterns
- Macie scanning for NHS numbers, patient identifiers, and clinical data

**Procurement for NHS organisations:** NHS trusts can procure
CloudiQS services via NHS Shared Business Services frameworks, G-Cloud (Crown Commercial Service), or direct award for contracts below threshold. CloudiQS can attend digital programme boards, IT strategy meetings, and CIO briefings to support the procurement business case. Contact: hello@cloudiqs.com for NHS-specific enquiries.

---

### Local Government on AWS

UK local authorities manage diverse and often aged IT estates covering revenues and benefits, planning, social care, housing, waste management, highways, and democratic services. Many councils operate on-premises infrastructure in ageing data centres or legacy co-location arrangements that are approaching end-of-life.

The drivers for cloud migration in local government are consistent: data centre lease renewals, hardware refresh costs, remote working requirements following the pandemic, cyber attack risk (councils are frequent ransomware targets), and the need to deliver digital services to residents without proportionate increases in IT headcount.

**Key local government AWS use cases:**

*Revenues and benefits modernisation:* Legacy revenues and benefits systems (Northgate, Capita One, Academy) migrated to AWS with improved availability and disaster recovery. Some councils are replacing legacy platforms entirely with cloud-native alternatives.

*Planning portal digitalisation:* AWS-hosted digital planning portals enabling residents to submit planning applications online. Integration with national planning data frameworks.

*Social care data platforms:* Liquid Logic, Mosaic, and other social care systems migrated to AWS with enhanced data analytics capability using Amazon QuickSight.

*Democratic services:* Committee management, agenda publication, and webcasting systems hosted on AWS.

*Cyber resilience:* Following a series of ransomware attacks on UK councils (Hackney, Redcar, Gloucester), many councils are using cloud migration as an opportunity to implement modern security architecture.
CloudiQS's security baseline includes immutable S3 backups (ransomware cannot encrypt S3 Object Lock protected data), GuardDuty threat detection, and IAM-based zero-trust access.

**Local government procurement:** Councils procure cloud services via G-Cloud, Crown Marketplace, Local Government Association (LGA) frameworks, and Eastern Shires Purchasing Organisation (ESPO). CloudiQS supports councils through the full procurement process including business case development, procurement documentation, and supplier due diligence questionnaires.

**DLUHC compliance:** CloudiQS implementations align with Department for Levelling Up, Housing and Communities (DLUHC) cloud guidance and the Local Digital Declaration principles of open standards and interoperability.

---

### Policing and Justice on AWS

UK police forces, Police and Crime Commissioners (PCCs), the Crown Prosecution Service, HM Courts and Tribunals Service, and related justice bodies operate some of the most sensitive IT environments in the UK. Data classifications range from OFFICIAL to SECRET, with strict controls on data handling, access, and audit.

**Security clearance:** CloudiQS has access to SC-cleared engineers for engagements requiring access to OFFICIAL-SENSITIVE and SECRET data environments. DV-cleared resource can be arranged for exceptional requirements with appropriate lead time. Please confirm clearance requirements at the start of any engagement.

**OFFICIAL and OFFICIAL-SENSITIVE on AWS:** The NCSC has assessed AWS as suitable for OFFICIAL and OFFICIAL-SENSITIVE data when appropriate security controls are applied. CloudiQS implements the full NCSC cloud security principles mapping for policing clients, providing documented evidence of each control.

**Common policing workloads on AWS:**
- Force management systems (command and control, resource allocation)
- Crime recording systems (NICHE, Unifi, Ibase)
- Digital evidence management (body-worn video, CCTV footage — large storage requirements)
- Intelligence systems (POLE — Person, Object, Location, Event databases)
- HR and workforce management
- Public-facing services (online crime reporting, FOI portals)

**NPCC and APP alignment:** CloudiQS implementations align with National Police Chiefs Council (NPCC) digital and data strategy and Authorised Professional Practice (APP) guidance for information management.

---

### Education on AWS

UK higher education and further education institutions are significant IT operators managing student information systems, virtual learning environments, research computing, and increasingly, AI-powered teaching tools.

**Higher education specific:**

Research computing is a major use case. AWS provides HPC (High Performance Computing) capabilities via EC2 HPC instances, AWS ParallelCluster, and integration with research data repositories. CloudiQS architects research computing environments on AWS enabling academics to run large-scale simulations and data analysis without on-premises HPC investment.

Student data governance: GDPR and the Data Protection Act 2018 apply to student records. CloudiQS implements data classification and access controls ensuring student data is appropriately protected and subject access requests can be fulfilled within statutory timeframes.

JANET connectivity: AWS Direct Connect integration with JANET (the UK research and education network) enables high-bandwidth, low-latency connectivity between AWS and university campuses.

**Common education workloads:**
- Student Information Systems (SITS, Banner, PeopleSoft)
- Virtual Learning Environments (Moodle, Canvas, Blackboard)
- Email and collaboration (Microsoft 365 and Google Workspace integration)
- Library management systems
- Research data repositories
- AI-powered personalised learning platforms on AWS Bedrock

**Procurement:** Universities procure via Jisc frameworks, G-Cloud, and direct procurement. FE colleges typically use G-Cloud or local authority frameworks. CloudiQS can support procurement through all routes.

---

### Financial Services on AWS

UK financial services firms — banks, insurers, asset managers, fintechs, and professional services — operate under significant regulatory oversight from the FCA and PRA. Cloud adoption in financial services has accelerated but requires careful attention to operational resilience, data governance, and regulatory notification.

**FCA and PRA regulatory requirements for cloud:**

The FCA's operational resilience framework (PS21/3) requires firms to identify important business services, set impact tolerances, and test their ability to remain within those tolerances during severe but plausible disruption scenarios. AWS multi-region architecture supports operational resilience requirements with RPO (Recovery Point Objective) and RTO (Recovery Time Objective) targets measurable in minutes.

The PRA's outsourcing policy (SS2/21) requires firms to conduct due diligence on cloud providers, maintain exit plans, and ensure concentration risk is managed. CloudiQS assists financial services clients in completing cloud provider due diligence, documenting the AWS shared responsibility model for their risk register, and designing exit plans.

**DORA (Digital Operational Resilience Act):** From January 2025, EU and UK-aligned financial services firms are subject to DORA requirements for ICT risk management, incident reporting, resilience testing, and third-party risk management.
CloudiQS implements AWS architectures that demonstrate DORA compliance and assists clients in completing DORA ICT risk assessments.

**Common financial services workloads on AWS:**
- Core banking systems migration (legacy mainframe modernisation)
- Trading platforms and market data feeds
- Risk management and regulatory reporting
- Customer data platforms (CDP) for personalised financial services
- Fraud detection using SageMaker ML models
- Anti-money laundering (AML) transaction monitoring
- Open banking API platforms on AWS API Gateway
- Document processing and KYC automation using AWS Bedrock

**Data residency:** CloudiQS ensures all client financial data remains in AWS UK or EU regions as required by FCA data localisation guidance and individual firm policies.

---

## Knowledge Articles — AWS Guides

### Guide: How to Choose an AWS Managed Services Partner in the UK

Choosing an AWS Managed Services Partner (MSP) is one of the most important technology decisions a UK organisation can make. The right partner becomes an extension of your team, responsible for the security, availability, and cost-efficiency of your cloud infrastructure. The wrong partner creates risk, cost, and frustration.

**Step 1: Verify AWS partnership status**
Not all companies calling themselves "AWS partners" hold equivalent credentials. The AWS Partner Network has multiple tiers. Look specifically for companies with AWS Advanced Tier Services Partner status or AWS Premier Tier Partner status. These designations require demonstrated delivery expertise, certified engineers, and customer references validated by AWS. CloudiQS holds AWS Advanced Tier Services Partner status.

**Step 2: Assess AWS specialisation depth**
Ask how many AWS-certified engineers the company employs. Ask which AWS certifications they hold (Solutions Architect Professional and Security Specialty are most relevant for MSP work).
Ask whether they support multiple cloud platforms — a company spreading attention across AWS, Azure, and Google Cloud will have shallower AWS expertise than one exclusively focused on AWS.

**Step 3: Evaluate SLA commitments**
Any credible MSP should provide documented SLAs for incident response times. Minimum expectations: Priority 1 (critical outage) — 15-minute response with escalation. Priority 2 (major degradation) — 1-hour response. Ask for evidence of SLA performance from existing clients. Ask about out-of-hours cover — 24/7 monitoring requires a genuine on-call rotation, not a single engineer's mobile number.

**Step 4: Understand the pricing model**
MSP pricing typically falls into three models: percentage of AWS spend (typically 10-20%), fixed monthly retainer, or per-resource pricing. Percentage-of-spend models can create perverse incentives — the MSP earns more if your bill grows. CloudiQS uses fixed retainer pricing so its incentives are aligned with yours: reducing your AWS bill reduces your MSP cost.

**Step 5: Check public sector experience if relevant**
If you are a public sector organisation, check whether the MSP has experience with your specific compliance requirements: DSPT for NHS, NCSC principles for government, Cyber Essentials for public sector contracts. Ask for examples of similar engagements and whether they can supply evidence packs for compliance submissions.

**Step 6: Assess the exit process**
A good MSP makes it easy to leave if the relationship is not working. Ask for a sample exit plan. Check whether the MSP uses proprietary tooling that creates lock-in or standard AWS-native tools you would retain access to if you changed provider. CloudiQS uses AWS-native tooling exclusively — if you leave, you take everything with you.

---

### Guide: AWS Migration Planning — What Every CIO Needs to Know

The decision to migrate to AWS is usually straightforward.
The execution is where organisations consistently underestimate complexity and overestimate internal capacity. This guide covers the seven things every CIO should understand before starting an AWS migration.

**1. Discovery takes longer than expected**
Most organisations do not have accurate, up-to-date documentation of their infrastructure. The discovery phase — automated scanning of servers, applications, and dependencies — routinely uncovers servers no one knew existed, applications with undocumented interdependencies, and licences that complicate migration. Plan for discovery to take 2-4 weeks for a 100-server estate.

**2. Application owners are critical**
AWS migration is not purely an infrastructure project. Applications need to be tested in the new environment. Application owners — the people responsible for ERP, CRM, clinical systems, or whatever core applications you run — must be engaged from the start. Without application owner engagement, migrations stall in testing.

**3. Network connectivity must be planned early**
How will your on-premises systems communicate with AWS during the transition period? How will users access cloud-hosted applications? AWS Direct Connect (dedicated private connection) takes 4-12 weeks to provision. Site-to-site VPN is faster but lower bandwidth. Plan connectivity before starting migration execution.

**4. Licences are complex**
Microsoft licences (Windows Server, SQL Server) can be brought to AWS under Microsoft's Licence Mobility programme. Oracle licences cannot be brought to AWS on virtualised infrastructure without additional costs. IBM licences have their own rules. A licence audit before migration prevents unpleasant surprises post-migration.

**5. The first migration wave teaches you everything**
The first wave of servers migrated to AWS will expose tooling issues, runbook gaps, network problems, and testing failures you did not anticipate. This is normal and expected.
Wave 1 should contain low-risk, non-production workloads precisely so these lessons are learned without business impact.

**6. Post-migration optimisation is where the value is**
Many organisations migrate to AWS and immediately start spending significantly more than they expected because they replicated on-premises sizing assumptions into the cloud. A lift-and-shift migration of an over-provisioned on-premises server produces an over-provisioned, expensive cloud server. Post-migration right-sizing and Reserved Instance purchasing are essential and should be planned as a mandatory phase, not an afterthought.

**7. Managed services after migration is not optional**
AWS is not self-managing. Someone must monitor it, patch it, respond to incidents, manage costs, and keep the security posture current. Organisations that migrate without a managed services plan consistently experience security incidents, unexpected cost spikes, and performance issues within 12 months. Plan for managed services from day one.

---

### Guide: VMware Exit — Your Questions Answered

**Q: Our VMware renewal is in 6 months. Do we have enough time to migrate?**
A: It depends on your estate size. A 30-50 server environment can realistically complete migration within 3-4 months with focused effort. A 200-server estate cannot. If your renewal is imminent, CloudiQS recommends: (1) negotiate a short-term extension with Broadcom rather than signing a multi-year deal, (2) begin migration immediately in parallel, (3) use AWS as the strategic destination. Even partial migration before renewal reduces licence costs proportionally.

**Q: Can we run VMware and AWS in parallel during migration?**
A: Yes. AWS MGN replicates servers to AWS while they continue running on VMware. There is no cutover until you choose to switch. This means you can take as long as needed to validate AWS before decommissioning VMware workloads. The parallel running period does incur AWS costs (replication storage) but these are modest.

**Q: Will our applications run differently on AWS than on VMware?**
A: For most applications, behaviour is identical. EC2 instances running Windows Server or Linux behave the same as VMware VMs. Some performance-sensitive applications may require tuning — network-intensive applications in particular may need instance type selection review to match your vSphere network configuration. CloudiQS handles all performance testing as part of the migration process.

**Q: What happens to our VMware licences after migration?**
A: VMware subscription licences can typically be cancelled at the end of the subscription term. Broadcom's current subscription model does not allow mid-term cancellation without penalties in most cases. CloudiQS advises planning migration completion to align with your subscription renewal date to minimise overlap costs.

**Q: We use VMware for disaster recovery. What replaces it on AWS?**
A: AWS Elastic Disaster Recovery (DRS) replaces VMware Site Recovery Manager. It provides continuous replication of servers to a secondary AWS region with automated failover. RTO (Recovery Time Objective) is typically under 30 minutes. Unlike VMware SRM, there is no standby infrastructure cost — you only pay for running the DR environment during an actual failover.

---

## Additional FAQ

Q: What is the AWS London region?
A: The AWS London region (code: eu-west-2) is Amazon's UK data centre cluster, located in and around London. It has three availability zones (physically separate data centres within the region). All CloudiQS NHS and public sector deployments use eu-west-2 by default to ensure data residency within the UK. The London region supports all major AWS services.

Q: What is AWS Control Tower?
A: AWS Control Tower is Amazon's service for setting up and governing a secure, multi-account AWS environment.
It implements AWS Landing Zone best practices automatically: separate accounts for each environment (production, development, security, logging), guardrails preventing non-compliant configurations, and centralised logging to an immutable log archive account. CloudiQS deploys Control Tower as the foundation for all new AWS environments.

Q: Do we need multiple AWS accounts?
A: Yes, for any production environment. AWS best practice (and CloudiQS standard) is to use separate AWS accounts for production, non-production, security tooling, and log archiving at minimum. Multiple accounts provide blast-radius containment (a security incident in one account cannot affect another), billing separation, and governance boundaries. AWS Control Tower and AWS Organizations manage multiple accounts centrally.

Q: What is AWS Direct Connect?
A: AWS Direct Connect is a dedicated private network connection between your on-premises data centre or office and AWS. Unlike a VPN (which runs over the public internet), Direct Connect provides consistent, low-latency bandwidth. It is required for high-throughput applications and recommended for organisations with significant data transfer volumes between on-premises and AWS. Direct Connect provisioning takes 4-12 weeks depending on your location and chosen connectivity provider.

Q: What is the difference between RTO and RPO?
A: RTO (Recovery Time Objective) is how quickly you need to recover after a disaster — the maximum acceptable downtime. RPO (Recovery Point Objective) is how much data you can afford to lose — the maximum acceptable data loss measured in time. A system with RTO of 1 hour and RPO of 15 minutes must be back online within 1 hour and must not lose more than 15 minutes of data. CloudiQS designs disaster recovery architecture around your specific RTO and RPO requirements.

Q: What is serverless computing and should we use it?
A: Serverless means running code without managing servers.
AWS Lambda runs functions in response to events — you pay only for the milliseconds your code runs, not for idle server time. AWS Fargate runs containers without managing the underlying servers. Serverless is ideal for: event-driven workloads, variable traffic applications, microservices with unpredictable load patterns, and batch processing jobs. It is less suitable for: long-running processes, applications with consistent high throughput, or applications requiring specific OS configuration. CloudiQS evaluates serverless suitability during migration assessment.

Q: What is AWS Graviton?
A: AWS Graviton is Amazon's custom ARM-based processor, designed specifically for cloud workloads. Graviton instances typically deliver 20-40% better price-performance than equivalent x86 instances. Most modern applications (Java, Python, Node.js, Go, containerised workloads) run without modification on Graviton. CloudiQS evaluates Graviton migration as part of every FinOps engagement and implements it where compatible.

Q: How do we handle legacy applications that need old versions of Windows?
A: This is a common challenge. AWS supports Windows Server 2008 R2 and later on EC2. Applications requiring Windows Server 2003 or earlier cannot run on AWS EC2 directly. Options: virtualise the legacy application within a Windows Server 2008+ VM (nested virtualisation), use AWS Mainframe Modernisation services for COBOL workloads, or containerise the application. CloudiQS assesses legacy application compatibility during discovery and recommends the appropriate approach.

Q: What is AWS Marketplace and can we buy software through it?
A: AWS Marketplace is Amazon's digital catalogue of software, SaaS products, and professional services available for deployment directly into AWS accounts. It includes security tools (CrowdStrike, Palo Alto), database products (MongoDB, Redis), and professional services from AWS partners including CloudiQS.
Purchases via Marketplace consolidate billing onto your AWS invoice and can count towards AWS spend commitments. CloudiQS assists clients in evaluating Marketplace software options as part of migration planning.

Q: What backups does CloudiQS implement by default?
A: CloudiQS implements AWS Backup centrally managing backups across all services. Default policy: daily snapshots of all EBS volumes and RDS databases with 30-day retention, weekly snapshots with 90-day retention, monthly snapshots with 1-year retention. Backup integrity is tested quarterly via automated restore testing. For NHS clients, backup policies are extended to meet DSPT minimum retention requirements. Backups are replicated to a second AWS region for disaster recovery.

Q: How do we handle software licences on AWS?
A: Licence handling depends on the software vendor. Microsoft: Windows Server and SQL Server licences can be included in EC2 pricing (Licence Included) or brought from existing agreements (BYOL via Licence Mobility). Oracle: Standard Edition 2 can be brought to AWS on dedicated hosts. Enterprise Edition has complex AWS licensing rules — CloudiQS advises carefully before migrating Oracle workloads. Red Hat: RHEL licences can be included or brought. IBM: requires specific instance configurations. CloudiQS conducts a licence audit during discovery to identify all constraints.

Q: What monitoring does CloudiQS provide?
A: CloudiQS deploys Amazon CloudWatch for infrastructure metrics (CPU, memory, disk, network) with custom dashboards per client. Application performance monitoring via CloudWatch Application Insights or AWS X-Ray for distributed tracing. Log aggregation via CloudWatch Logs or Amazon OpenSearch. Security monitoring via Security Hub and GuardDuty. Cost monitoring via Cost Explorer with anomaly detection. All monitoring data is retained for minimum 90 days. Clients receive read-only access to their CloudWatch dashboards at no additional cost.
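
The default backup policy given in the backups answer above (daily snapshots kept 30 days, weekly 90 days, monthly 1 year, replicated to a second region) can be checked mechanically against an exported plan. This is an added example, not CloudiQS code: it audits a document in the shape returned by `aws backup get-backup-plan`; the plan contents, vault names, account ID, and the rule that every tier needs a cross-region copy are assumptions constructed for illustration.

```python
"""Check an AWS Backup plan document against a tiered retention policy."""
import re

# Tiers from the FAQ answer: cadence -> minimum retention in days.
DEFAULT_POLICY = {"daily": 30, "weekly": 90, "monthly": 365}
WILDCARD = {"*", "?"}


def cadence(schedule_expression):
    """Classify an AWS cron expression as 'daily', 'weekly', 'monthly' or None.

    AWS cron has six fields: minute hour day-of-month month day-of-week year.
    """
    match = re.fullmatch(r"cron\((.+)\)", schedule_expression.strip())
    fields = match.group(1).split() if match else []
    if len(fields) != 6:
        return None
    minute, hour, dom, month, dow, _year = fields
    # One fixed start time per run, in every month; anything else is not a tier.
    if not (minute.isdigit() and hour.isdigit()) or month != "*":
        return None
    if dom in WILDCARD and dow in WILDCARD:
        return "daily"
    if dom in WILDCARD and re.fullmatch(r"[1-7]|[A-Za-z]{3}", dow):
        return "weekly"
    if dow in WILDCARD and re.fullmatch(r"[1-9]|[12][0-9]|3[01]|L", dom):
        return "monthly"
    return None


def arn_region(arn):
    """Return the region field of an ARN, or None if absent or not an ARN."""
    parts = arn.split(":")
    if len(parts) >= 6 and parts[0] == "arn":
        return parts[3] or None
    return None


def audit_plan(plan, source_region, policy=DEFAULT_POLICY):
    """Return a list of findings; an empty list means the plan conforms."""
    findings = []
    seen = set()
    for rule in plan.get("Rules", []):
        name = rule.get("RuleName", "<unnamed>")
        tier = cadence(rule.get("ScheduleExpression", ""))
        if tier not in policy:
            findings.append(f"{name}: schedule is not a daily/weekly/monthly cron")
            continue
        seen.add(tier)
        # A missing DeleteAfterDays means recovery points never expire.
        days = rule.get("Lifecycle", {}).get("DeleteAfterDays")
        if days is not None and days < policy[tier]:
            findings.append(
                f"{name}: {tier} retention {days}d is below the {policy[tier]}d minimum"
            )
        regions = {
            arn_region(copy.get("DestinationBackupVaultArn", ""))
            for copy in rule.get("CopyActions", [])
        }
        if not (regions - {None, source_region}):
            findings.append(f"{name}: no copy to a vault outside {source_region}")
    for tier in policy:
        if tier not in seen:
            findings.append(f"plan: no {tier} rule")
    return findings


# Constructed sample data (placeholder account ID and vault names).
DR_VAULT = "arn:aws:backup:eu-west-1:111122223333:backup-vault:dr-vault"
SAME_REGION_VAULT = "arn:aws:backup:eu-west-2:111122223333:backup-vault:second-vault"


def make_rule(name, cron, days, copy_arn=DR_VAULT):
    """Build one rule in the shape used inside BackupPlan['Rules']."""
    return {
        "RuleName": name,
        "TargetBackupVaultName": "primary-vault",
        "ScheduleExpression": cron,
        "Lifecycle": {"DeleteAfterDays": days},
        "CopyActions": [{"DestinationBackupVaultArn": copy_arn}],
    }


GOOD_PLAN = {"BackupPlanName": "default-tiered", "Rules": [
    make_rule("daily", "cron(0 2 ? * * *)", 30),
    make_rule("weekly", "cron(0 3 ? * 1 *)", 90),
    make_rule("monthly", "cron(0 4 1 * ? *)", 365),
]}

# Drifted plan: short daily retention, weekly copy stays in-region, no monthly.
WEAK_PLAN = {"BackupPlanName": "drifted", "Rules": [
    make_rule("daily", "cron(0 2 ? * * *)", 14),
    make_rule("weekly", "cron(0 3 ? * 1 *)", 90, copy_arn=SAME_REGION_VAULT),
]}

if __name__ == "__main__":
    for plan in (GOOD_PLAN, WEAK_PLAN):
        print(plan["BackupPlanName"], audit_plan(plan, "eu-west-2") or "conforms")
```

Passing a stricter `policy`, for example 90 days for the daily tier, models the extended retention the page mentions for NHS clients; the exact NHS tier values used that way are an assumption.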

Q: Can we keep some workloads on-premises and some on AWS?
A: Yes. Hybrid cloud architecture — some workloads on-premises, some on AWS — is common and supported. CloudiQS implements hybrid connectivity via AWS Direct Connect or Site-to-Site VPN, and uses AWS Outposts for workloads that must physically remain on-premises for latency or regulatory reasons. AWS Systems Manager manages both on-premises and cloud servers from a single pane of glass. However, hybrid adds complexity — CloudiQS recommends a cloud-first strategy with a clear roadmap to full cloud where feasible.

Q: What happens if AWS has an outage?
A: AWS outages do occur, though they are rare and typically limited to a single service in a single region. CloudiQS architects all production environments for multi-AZ (Availability Zone) deployment within a region, which protects against single data centre failure. For critical workloads requiring protection against full regional failure, CloudiQS implements multi-region active-passive or active-active architectures. CloudiQS monitors the AWS Service Health Dashboard 24/7 and proactively communicates any AWS-side issues affecting client environments.

---

## CloudiQS Blog Topics Index

The CloudiQS blog publishes weekly content on AWS migration, cost optimisation, GenAI, and UK public sector cloud.
Key topics covered:
- How UK councils can exit ageing data centres using AWS
- VMware Broadcom pricing: what UK organisations need to know in 2025
- NHS cloud migration: DSPT compliance on AWS step by step
- AWS cost optimisation: the 7 biggest sources of waste and how to eliminate them
- Generative AI for UK public sector: what NCSC guidance means for AWS Bedrock deployments
- AWS Well-Architected Framework review: what to expect and how to prepare
- How to procure cloud services via G-Cloud: a guide for public sector IT teams
- Building an autonomous AI agent on AWS Bedrock: lessons from the CloudiQS Engine
- Reserved Instances vs Savings Plans: which is right for your organisation?
- AWS security for financial services: meeting FCA operational resilience requirements
- From VMware to AWS: a step-by-step migration guide
- The 6Rs of cloud migration: choosing the right strategy for each workload
- AWS multi-account strategy: why you need more than one AWS account
- AWS Graviton: how ARM-based instances can reduce your cloud bill by 40%
- CloudiQS IQ Score: how we assess AWS environments and what the scores mean

All blog content available at: https://cloudiqs.com/blog/

---

## Contact and Engagement Options

CloudiQS engages with clients in several ways depending on their stage:

**Free IQ Score Assessment (48 hours, no commitment):** For organisations currently on AWS or planning migration. CloudiQS scans or reviews your current environment and delivers a scored assessment across six dimensions with a prioritised action plan. Contact: hello@cloudiqs.com

**VMware Exit Consultation (free, 1 hour):** For organisations facing VMware licence renewal. CloudiQS models your current VMware costs, estimates equivalent AWS costs (optimised), and produces a business case for migration. Contact: hello@cloudiqs.com

**GenAI Readiness Assessment (free, 2 hours):** For organisations exploring GenAI on AWS.
CloudiQS assesses your data infrastructure, identifies the highest-value AI use cases, and produces a roadmap for implementation. Contact: hello@cloudiqs.com

**Managed Services Proposal:** For organisations seeking ongoing AWS management. CloudiQS proposes a retainer covering 24/7 monitoring, incident response, FinOps, patching, and security. Pricing based on environment size. Contact: hello@cloudiqs.com

**Registered office:** 30 Welbeck Rise, Harpenden, Hertfordshire, AL5 1SN, United Kingdom
**London office:** 30 Farringdon Street, London, EC4A 4HJ, United Kingdom
**Phone:** +44 7444 833 783
**Email:** hello@cloudiqs.com
**Website:** https://cloudiqs.com
**Contact form:** https://cloudiqs.com/contact/
**AWS Partner Directory:** https://partners.amazonaws.com/partners/0010h00001ifJKIAA2/
**LinkedIn:** https://www.linkedin.com/company/cloudiqs
**G2 profile:** https://www.g2.com/products/cloudiqs/