ACSC Essential Eight¶

The Australian Cyber Security Centre (ACSC) Essential Eight is a baseline cybersecurity framework designed to protect Australian organizations against cyber threats. It focuses on eight essential mitigation strategies including application control, patch applications, patch operating systems, multi-factor authentication, restrict administrative privileges, application hardening, user application hardening, and regular backups. This framework is recommended for all Australian organizations regardless of size or sector.

Terraform Registry Subdomain: acscessentialeight¶

module "..." {
  source  = "acscessentialeight.compliance.tf/terraform-aws-modules/<module>/aws"
  version = "<version>"
}

module "..." {
  source = "https://acscessentialeight.compliance.tf/terraform-aws-modules/<module>/aws"
}

Refer to the Terraform Registry Endpoints section for more details.

Implemented Controls¶

The following controls are implemented as part of this framework.

• API Gateway REST API stages should have AWS X-Ray tracing enabled
• API Gateway stage logging should be enabled
• AppSync graphql API logging should be enabled
• Backup plan min frequency and min retention check
• CloudFront distributions access logs should be enabled
• At least one enabled trail should be present in a region
• CloudTrail trails should be integrated with CloudWatch logs
• CloudTrail trail logs should be encrypted with KMS CMK
• CloudTrail trail log file validation should be enabled
• CloudWatch alarm should have an action configured
• CodeBuild project environments should not have privileged mode enabled
• CodeBuild projects should have logging enabled
• DMS replication instances should not be publicly accessible
• AWS DocumentDB clusters should have an adequate backup retention period
• DynamoDB table point-in-time recovery should be enabled
• EC2 Client VPN endpoints should have client connection logging enabled
• EC2 instance detailed monitoring should be enabled
• EC2 instances should have IAM profile attached
• ECR repositories should have image scan on push enabled
• ECS fargate services should run on the latest fargate platform version
• EFS access points should enforce a root directory
• EFS access points should enforce a user identity
• EKS clusters should have control plane audit logging enabled
• ElastiCache Redis cluster automatic backup should be enabled with retention period of 15 days or greater
• ELB application and classic load balancer logging should be enabled
• ELB classic load balancers should be configured with defensive or strictest desync mitigation mode
• Elasticsearch domains should have audit logging enabled
• Elasticsearch domain should send logs to CloudWatch
• Access logging should be configured for API Gateway V2 Stages
• Lambda functions should use latest runtimes
• Log group encryption at rest should be enabled
• Neptune DB clusters should publish audit logs to CloudWatch Logs
• Neptune DB clusters should have automated backups enabled
• Neptune DB clusters should have IAM database authentication enabled
• OpenSearch domains should have audit logging enabled.
• OpenSearch domains should have fine-grained access control enabled
• OpenSearch domains logs to AWS CloudWatch Logs
• RDS Aurora clusters should have backtracking enabled
• Aurora MySQL DB clusters should have audit logging enabled
• IAM authentication should be configured for RDS clusters
• RDS DB instance automatic minor version upgrade should be enabled
• RDS DB instance backup should be enabled
• RDS DB instances should have iam authentication enabled
• Database logging should be enabled
• RDS DB instances should prohibit public access
• AWS Redshift audit logging should be enabled
• AWS Redshift clusters should have automatic snapshots enabled
• Redshift cluster audit logging and encryption should be enabled
• AWS Redshift should have required maintenance settings
• Redshift clusters should prohibit public access
• S3 access points should have block public access settings enabled
• S3 buckets access control lists (ACLs) should not be used to manage user access to buckets
• S3 bucket logging should be enabled
• S3 bucket MFA delete should be enabled
• S3 bucket policy should prohibit public access
• S3 bucket cross-account permissions should be restricted
• S3 buckets should prohibit public read access
• S3 buckets should prohibit public write access
• S3 bucket versioning should be enabled
• S3 public access should be blocked at account level
• S3 public access should be blocked at bucket levels
• SageMaker notebook instances should not have direct internet access
• SageMaker notebook instances root access should be disabled
• Step Function state machines should have logging turned on
• AWS WAF rules should have CloudWatch metrics enabled

Enable/Disable Controls¶

You can customize the Terraform module for the desired compliance requirements by enabling/disabling individual controls.

Examples¶

S3 bucket module with ACSC Essential Eight compliance framework controls enabled, and a couple of controls disabled¶

module "..." {
  source = "https://acscessentialeight.compliance.tf/terraform-aws-modules/s3-bucket/aws?disable=apigateway_rest_api_stage_xray_tracing_enabled,apigateway_stage_logging_enabled"
}