Skip to content

ACSC Essential Eight

Best for: Australian government agencies subject to the Protective Security Policy Framework (PSPF) must implement the Essential Eight. The ACSC recommends it for all Australian businesses, especially critical infrastructure sectors under the Security of Critical Infrastructure Act 2018 (SOCI Act). Organizations reporting to the Australian Signals Directorate or undergoing ACSC assessments should treat it as a baseline.

Mandatory?Mandatory for PSPF-covered AU gov entities; recommended for all
Who validates?Self-assessment against Maturity Model; optional third-party
RenewalAt least annually
ScopeEight mitigation strategies for all Australian organizations

๐Ÿ› Australian Cyber Security Centre (ACSC), part of the Australian Signals Directorate (ASD) ยท Essential Eight (Nov 2023 update) Official source โ†’

Get Started

module "..." {
  source  = "acscessentialeight.compliance.tf/terraform-aws-modules/<module>/aws"
  version = "<version>"
}

What Compliance.tf Covers vs. What You Handle

  • What Compliance.tf automates

    • Regular Backups: Runs 4 controls validating AWS Backup plan retention periods (minimum 35 days), recovery point encryption, and deletion protection. Detects backup vaults without manual deletion locks.
    • Audit Logging: Ten-plus controls cover CloudTrail enablement across all regions, S3 data event logging, API Gateway stage logging, AppSync field-level logging, and CloudFront access log configuration, including CloudTrail integration with CloudWatch Logs.
    • Log Integrity: Checks that CloudTrail log file validation is enabled, trail logs are encrypted with KMS CMKs, and CloudWatch alarms have associated actions configured.
    • Administrative Privilege Restriction: Checks that AWS accounts belong to AWS Organizations for centralized policy enforcement. Detects CodeBuild projects running in privileged mode and publicly accessible CloudTrail S3 buckets.
    • Encryption at Rest: Validates encryption for backup recovery points and CloudTrail logs using KMS CMKs. Detects unencrypted data stores relevant to the backups and logging controls in scope.

  • What you handle

    • Regular Backups: Testing backup restoration procedures, documenting Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO), and verifying that backups are stored offline or in an isolated account for Maturity Level 3 compliance.
    • Audit Logging: Defining log retention policies aligned to your maturity level target, configuring SIEM ingestion, and establishing alert triage workflows for security-relevant events.
    • Log Integrity: Periodic review of CloudTrail digest files, KMS key rotation schedules, and incident response procedures triggered by CloudWatch alarm actions.
    • Administrative Privilege Restriction: Implementing least-privilege IAM policies, separating privileged and unprivileged accounts, running periodic access reviews, and enforcing multi-factor authentication for all privileged users.
    • Encryption at Rest: Defining a key management policy, assigning key administrators, and ensuring CMK access policies follow least-privilege principles.

Controls by Category

Audit and Accountability Logging (7 controls)

Comprehensive logging underpins detection across all eight strategies, so assessors check coverage gaps first. Expect scrutiny on CloudTrail multi-region enablement, S3 data event capture, and API Gateway and AppSync logging; application-layer audit trails are the most frequently missed. At Maturity Level 3, the ACSC expects logs flowing into a centralized analysis platform with alerting on indicators of compromise.

API Gateway REST API stages should have AWS X-Ray tracing enabled API Gateway stage logging should be enabled AppSync graphql API logging should be enabled compliance.tf module CloudFront distributions access logs should be enabled compliance.tf module At least one enabled trail should be present in a region CloudTrail trails should be integrated with CloudWatch logs CodeBuild projects should have logging enabled

Log Integrity and Protection (3 controls)

Log file validation and KMS encryption together prevent an attacker from covering tracks after a compromise. Assessors will ask whether digest files are actually checked during incident response, not just that validation is toggled on. A CloudWatch alarm with no configured action is a finding; it signals that the organization is collecting data but not acting on it.

CloudTrail trail logs should be encrypted with KMS CMK CloudTrail trail log file validation should be enabled CloudWatch alarm should have an action configured compliance.tf module

Regular Backups (1 control)

Deletion locks on backup vaults are the first check; without them, ransomware can wipe recovery points before a response team engages. Maturity Level 2 and above also require recovery point encryption and documented, tested restoration procedures.

Backup plan min frequency and min retention check

Restrict Administrative Privileges (1 control)

Publicly accessible CloudTrail buckets and CodeBuild projects running in privileged mode are immediate findings. AWS Organizations membership demonstrates centralized governance; at Maturity Level 1, the ACSC expects privileged accounts are not used for everyday tasks, which in cloud environments means least-privilege service role configurations across all service principals.

CodeBuild project environments should not have privileged mode enabled
Additional Controls (53)

AWS Database Migration Service (1)

DMS replication instances should not be publicly accessible compliance.tf module

AWS Lambda (1)

Lambda functions should use latest runtimes compliance.tf module

AWS Step Functions (1)

Step Function state machines should have logging turned on compliance.tf module

AWS WAF (1)

AWS WAF rules should have CloudWatch metrics enabled

Amazon CloudWatch Logs (1)

Log group encryption at rest should be enabled compliance.tf module

Amazon DocumentDB (1)

AWS DocumentDB clusters should have an adequate backup retention period

Amazon DynamoDB (1)

DynamoDB table point-in-time recovery should be enabled compliance.tf module

Amazon EC2 (3)

EC2 Client VPN endpoints should have client connection logging enabled EC2 instance detailed monitoring should be enabled compliance.tf module EC2 instances should have IAM profile attached compliance.tf module

Amazon ECR (1)

ECR repositories should have image scan on push enabled compliance.tf module

Amazon ECS (1)

ECS fargate services should run on the latest fargate platform version compliance.tf module

Amazon EFS (2)

EFS access points should enforce a root directory EFS access points should enforce a user identity

Amazon EKS (1)

EKS clusters should have control plane audit logging enabled compliance.tf module

Amazon ElastiCache (1)

ElastiCache Redis cluster automatic backup should be enabled with retention period of 15 days or greater compliance.tf module

Amazon Neptune (3)

Neptune DB clusters should publish audit logs to CloudWatch Logs Neptune DB clusters should have automated backups enabled Neptune DB clusters should have IAM database authentication enabled

Amazon OpenSearch Service (3)

OpenSearch domains should have audit logging enabled. compliance.tf module OpenSearch domains should have fine-grained access control enabled compliance.tf module OpenSearch domains logs to AWS CloudWatch Logs compliance.tf module

Amazon RDS (8)

RDS Aurora clusters should have backtracking enabled compliance.tf module Aurora MySQL DB clusters should have audit logging enabled compliance.tf module IAM authentication should be configured for RDS clusters compliance.tf module RDS DB instance automatic minor version upgrade should be enabled compliance.tf module RDS DB instance backup should be enabled compliance.tf module RDS DB instances should have iam authentication enabled compliance.tf module Database logging should be enabled compliance.tf module RDS DB instances should prohibit public access compliance.tf module

Amazon Redshift (5)

AWS Redshift audit logging should be enabled compliance.tf module AWS Redshift clusters should have automatic snapshots enabled compliance.tf module Redshift cluster audit logging and encryption should be enabled compliance.tf module AWS Redshift should have required maintenance settings compliance.tf module Redshift clusters should prohibit public access compliance.tf module

Amazon S3 (11)

S3 access points should have block public access settings enabled S3 buckets access control lists (ACLs) should not be used to manage user access to buckets compliance.tf module S3 bucket logging should be enabled compliance.tf module S3 bucket MFA delete should be enabled compliance.tf module S3 bucket policy should prohibit public access compliance.tf module S3 bucket cross-account permissions should be restricted compliance.tf module S3 buckets should prohibit public read access compliance.tf module S3 buckets should prohibit public write access compliance.tf module S3 bucket versioning should be enabled compliance.tf module S3 public access should be blocked at account level compliance.tf module S3 public access should be blocked at bucket levels compliance.tf module

Amazon SageMaker (2)

SageMaker notebook instances should not have direct internet access SageMaker notebook instances root access should be disabled

Elastic Load Balancing (2)

ELB application and classic load balancer logging should be enabled compliance.tf module ELB classic load balancers should be configured with defensive or strictest desync mitigation mode compliance.tf module

Other (3)

Elasticsearch domains should have audit logging enabled Elasticsearch domain should send logs to CloudWatch Access logging should be configured for API Gateway V2 Stages compliance.tf module

  • NIST 800-53 Rev 5 โ€” ๐ŸŸก Medium overlap (45%)

    NIST 800-53 Rev 5 covers all eight Essential Eight strategies within its broader control set, particularly across the AC (Access Control), SI (System and Information Integrity), CP (Contingency Planning), and AU (Audit and Accountability) families. The Essential Eight is narrower in scope, focusing on eight specific strategies rather than the full control catalog.

  • CIS AWS Benchmark v3.0.0 โ€” ๐ŸŸก Medium overlap (55%)

    CIS AWS Foundations Benchmark partially overlaps with Essential Eight on logging, encryption, and access control checks, and many of the CloudTrail and IAM controls map directly. CIS goes deeper on AWS-specific configuration, while the Essential Eight is cloud-agnostic in its requirements.

  • NIST CSF v1.0 โ€” ๐ŸŸก Medium overlap (35%)

    The NIST Cybersecurity Framework maps at a higher level. Essential Eight strategies align with CSF's Protect and Recover functions. CSF provides a broader risk management structure, while the Essential Eight prescribes specific technical mitigations.

Frequently Asked Questions

Does the Essential Eight apply to my organization if we are not an Australian government entity?

The ACSC recommends the Essential Eight for all Australian organizations, but the mandate applies only to non-corporate Commonwealth entities under the PSPF. Organizations covered by the SOCI Act (critical infrastructure) face increasing pressure to adopt it. If you operate in Australia and handle sensitive data or provide essential services, treat it as a de facto requirement. Outside Australia, it is a practical baseline but carries no regulatory weight.

What maturity level should we target?

Target the same maturity level across all eight strategies. Reaching Level 3 in some while sitting at Level 0 in others is explicitly what the ACSC advises against. Most organizations start at Maturity Level 1. Government entities handling sensitive or classified information are expected to reach Maturity Level 2 or 3. Your target depends on your threat profile, which the ACSC outlines in the Maturity Model documentation.

How does the Essential Eight relate to the ASD Information Security Manual (ISM)?

The Essential Eight is a prioritized subset of the ISM. The ISM contains over 800 controls covering the full spectrum of information security. The Essential Eight extracts the eight mitigation strategies that the ACSC considers most effective against commodity and targeted cyber threats. Compliance at Maturity Level 3 covers a meaningful portion of the ISM's technical controls, but does not satisfy the ISM in full.

How do the 50 mapped controls in compliance.tf relate to the eight strategies?

The mapped controls primarily address 'Regular Backups' and 'Restrict Administrative Privileges' directly, with extensive coverage of audit logging requirements that support detection across all strategies. Strategies like 'Patch Applications,' 'Patch Operating Systems,' and 'Configure Microsoft Office Macro Settings' require endpoint management tools (WSUS, SCCM, Intune) and are not measurable through AWS resource configuration checks.

Is there a formal certification for the Essential Eight?

No. Organizations self-assess their maturity level against the Essential Eight Maturity Model, and government entities report through internal governance channels. Some engage external assessors for independent validation, but this is voluntary. The ACSC may conduct assessments of Commonwealth entities directly.