ACSC Essential Eight
Best for: Australian government agencies subject to the Protective Security Policy Framework (PSPF), which must implement the Essential Eight. The ACSC recommends it for all Australian businesses, especially critical infrastructure sectors under the Security of Critical Infrastructure Act 2018 (SOCI Act). Organizations reporting to the Australian Signals Directorate or undergoing ACSC assessments should treat it as a baseline.
| Attribute | Detail |
| --- | --- |
| Mandatory? | Mandatory for PSPF-covered AU government entities; recommended for all |
| Who validates? | Self-assessment against the Maturity Model; optional third-party |
| Renewal | At least annually |
| Scope | Eight mitigation strategies for all Australian organizations |
Source: Australian Cyber Security Centre (ACSC), part of the Australian Signals Directorate (ASD) · Essential Eight (Nov 2023 update) · Official source
Get Started

```hcl
module "..." {
  source  = "acscessentialeight.compliance.tf/terraform-aws-modules/<module>/aws"
  version = "<version>"
}
```

What Compliance.tf Covers vs. What You Handle
What Compliance.tf automates
- Regular Backups: Runs 4 controls validating AWS Backup plan retention periods (minimum 35 days), recovery point encryption, and deletion protection. Detects backup vaults without manual deletion locks.
- Audit Logging: Ten-plus controls cover CloudTrail enablement across all regions, S3 data event logging, API Gateway stage logging, AppSync field-level logging, and CloudFront access log configuration, including CloudTrail integration with CloudWatch Logs.
- Log Integrity: Checks that CloudTrail log file validation is enabled, trail logs are encrypted with KMS CMKs, and CloudWatch alarms have associated actions configured.
- Administrative Privilege Restriction: Checks that AWS accounts belong to AWS Organizations for centralized policy enforcement. Detects CodeBuild projects running in privileged mode and publicly accessible CloudTrail S3 buckets.
- Encryption at Rest: Validates encryption for backup recovery points and CloudTrail logs using KMS CMKs. Detects unencrypted data stores relevant to the backups and logging controls in scope.
What you handle
- Regular Backups: Testing backup restoration procedures, documenting Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO), and verifying that backups are stored offline or in an isolated account for Maturity Level 3 compliance.
- Audit Logging: Defining log retention policies aligned to your maturity level target, configuring SIEM ingestion, and establishing alert triage workflows for security-relevant events.
- Log Integrity: Periodic review of CloudTrail digest files, KMS key rotation schedules, and incident response procedures triggered by CloudWatch alarm actions.
- Administrative Privilege Restriction: Implementing least-privilege IAM policies, separating privileged and unprivileged accounts, running periodic access reviews, and enforcing multi-factor authentication for all privileged users.
- Encryption at Rest: Defining a key management policy, assigning key administrators, and ensuring CMK access policies follow least-privilege principles.
Controls by Category
Audit and Accountability Logging (7 controls)
Comprehensive logging underpins detection across all eight strategies, so assessors check coverage gaps first. Expect scrutiny on CloudTrail multi-region enablement, S3 data event capture, and API Gateway and AppSync logging; application-layer audit trails are the most frequently missed. At Maturity Level 3, the ACSC expects logs flowing into a centralized analysis platform with alerting on indicators of compromise.
Log Integrity and Protection (3 controls)
Log file validation and KMS encryption together prevent an attacker from covering tracks after a compromise. Assessors will ask whether digest files are actually checked during incident response, not just that validation is toggled on. A CloudWatch alarm with no configured action is a finding; it signals that the organization is collecting data but not acting on it.
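The logging and log-integrity checks described in the two sections above, as an added example that is not Compliance.tf's own code: it evaluates each trail for multi-region coverage, active logging, S3 data event capture, CloudWatch Logs delivery, log file validation and KMS CMK encryption, and reports an account-level coverage result. The trail dicts are constructed for this example; their keys follow the shape of boto3's `describe_trails`, `get_trail_status` and `get_event_selectors` responses merged into one dict per trail, and no AWS call is made.

```python
"""Evaluate CloudTrail trails against the logging and log-integrity checks
above.  Added example, not Compliance.tf's code.  Input dicts are constructed;
their keys mimic boto3 cloudtrail describe_trails() / get_trail_status() /
get_event_selectors() responses merged per trail.  No AWS API call is made."""

from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (check id, human-readable message)

# Constructed sample inventory: one hardened trail and one legacy trail.
SAMPLE_TRAILS: List[Dict] = [
    {
        "Name": "org-trail",
        "IsMultiRegionTrail": True,
        "LogFileValidationEnabled": True,
        "KmsKeyId": "arn:aws:kms:ap-southeast-2:111122223333:key/EXAMPLE-KEY-ID",
        "CloudWatchLogsLogGroupArn": "arn:aws:logs:ap-southeast-2:111122223333:log-group:org-trail:*",
        "Status": {"IsLogging": True},
        "EventSelectors": [
            {
                "ReadWriteType": "All",
                "IncludeManagementEvents": True,
                "DataResources": [{"Type": "AWS::S3::Object", "Values": ["arn:aws:s3"]}],
            }
        ],
    },
    {
        "Name": "legacy-trail",
        "IsMultiRegionTrail": False,
        "LogFileValidationEnabled": False,
        "Status": {"IsLogging": False},
        "EventSelectors": [
            {"ReadWriteType": "All", "IncludeManagementEvents": True, "DataResources": []}
        ],
    },
]


def captures_s3_data_events(trail: Dict) -> bool:
    """True if any basic event selector records S3 object-level (data) events."""
    for selector in trail.get("EventSelectors", []):
        for resource in selector.get("DataResources", []):
            if resource.get("Type") == "AWS::S3::Object" and resource.get("Values"):
                return True
    return False


def evaluate_trail(trail: Dict) -> List[Finding]:
    """Return one finding per failed check for a single trail."""
    findings: List[Finding] = []
    if not trail.get("IsMultiRegionTrail", False):
        findings.append(("CT-1", "trail is single-region; activity in other regions is not captured"))
    if not trail.get("Status", {}).get("IsLogging", False):
        findings.append(("CT-2", "trail exists but logging is stopped"))
    if not trail.get("LogFileValidationEnabled", False):
        findings.append(("CT-3", "log file validation (digest files) is disabled"))
    if not trail.get("KmsKeyId"):
        findings.append(("CT-4", "log files are not encrypted with a KMS CMK"))
    if not trail.get("CloudWatchLogsLogGroupArn"):
        findings.append(("CT-5", "trail is not delivered to CloudWatch Logs, so alarms cannot fire on it"))
    if not captures_s3_data_events(trail):
        findings.append(("CT-6", "no S3 data event logging configured"))
    return findings


def assess_trails(trails: List[Dict]) -> Dict[str, List[Finding]]:
    """Evaluate every trail in the inventory, keyed by trail name."""
    return {trail["Name"]: evaluate_trail(trail) for trail in trails}


def has_multi_region_coverage(trails: List[Dict]) -> bool:
    """Account-level check: at least one trail must be multi-region and actively logging."""
    return any(
        t.get("IsMultiRegionTrail", False) and t.get("Status", {}).get("IsLogging", False)
        for t in trails
    )


if __name__ == "__main__":
    for name, findings in assess_trails(SAMPLE_TRAILS).items():
        print(f"{name}: {'PASS' if not findings else 'FAIL'}")
        for check_id, message in findings:
            print(f"  {check_id}: {message}")
    print("multi-region coverage:", has_multi_region_coverage(SAMPLE_TRAILS))
```

The per-trail and account-level checks are kept separate on purpose: a single-region trail is not itself a finding if another trail already covers all regions, but a missing digest-file validation or KMS key on any trail still weakens the integrity of that trail's logs.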
Regular Backups (1 control)
Deletion locks on backup vaults are the first check; without them, ransomware can wipe recovery points before a response team engages. Maturity Level 2 and above also require recovery point encryption and documented, tested restoration procedures.
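The backup checks described above, as an added example that is not Compliance.tf's own code: it flags backup plan rules that expire recovery points before 35 days, vaults without a vault lock, locked vaults whose lock still permits retention below 35 days, and unencrypted recovery points. All input data is constructed; the keys follow the shape of boto3's `get_backup_plan`, `describe_backup_vault` and `list_recovery_points_by_backup_vault` responses, and no AWS call is made.

```python
"""Evaluate AWS Backup plans and vaults against the backup checks above.
Added example, not Compliance.tf's code.  All input data is constructed;
keys follow boto3 backup get_backup_plan() / describe_backup_vault() /
list_recovery_points_by_backup_vault() response shapes.  No AWS call is made."""

from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (check id, human-readable message)
MIN_RETENTION_DAYS = 35    # minimum retention the controls above look for

# Constructed plan: one compliant rule, one short-lived rule, and one with no
# Lifecycle (AWS Backup keeps such recovery points indefinitely).
SAMPLE_PLAN: Dict = {
    "BackupPlanName": "daily",
    "Rules": [
        {"RuleName": "daily-prod", "TargetBackupVaultName": "prod-vault",
         "Lifecycle": {"DeleteAfterDays": 90}},
        {"RuleName": "daily-scratch", "TargetBackupVaultName": "scratch-vault",
         "Lifecycle": {"DeleteAfterDays": 7}},
        {"RuleName": "keep-forever", "TargetBackupVaultName": "prod-vault"},
    ],
}

# Constructed vaults, each listed with the recovery points stored in it.
SAMPLE_VAULTS: Dict[str, Dict] = {
    "prod-vault": {
        "Locked": True,
        "MinRetentionDays": 35,
        "EncryptionKeyArn": "arn:aws:kms:ap-southeast-2:111122223333:key/EXAMPLE-KEY-ID",
        "RecoveryPoints": [
            {"RecoveryPointArn": "arn:aws:backup:ap-southeast-2:111122223333:recovery-point:EXAMPLE-RP-1",
             "IsEncrypted": True},
        ],
    },
    "scratch-vault": {
        "Locked": False,
        "RecoveryPoints": [
            {"RecoveryPointArn": "arn:aws:backup:ap-southeast-2:111122223333:recovery-point:EXAMPLE-RP-2",
             "IsEncrypted": False},
        ],
    },
}


def evaluate_plan(plan: Dict) -> List[Finding]:
    """Flag any rule that deletes recovery points sooner than MIN_RETENTION_DAYS."""
    findings: List[Finding] = []
    for rule in plan.get("Rules", []):
        lifecycle = rule.get("Lifecycle")
        if lifecycle is None or "DeleteAfterDays" not in lifecycle:
            continue  # no expiry configured: recovery points are retained indefinitely
        if lifecycle["DeleteAfterDays"] < MIN_RETENTION_DAYS:
            findings.append(("BK-1", f"rule {rule['RuleName']} retains recovery points for only "
                                     f"{lifecycle['DeleteAfterDays']} days"))
    return findings


def evaluate_vault(name: str, vault: Dict) -> List[Finding]:
    """Check vault lock, lock minimum retention and recovery point encryption."""
    findings: List[Finding] = []
    if not vault.get("Locked", False):
        findings.append(("BK-2", f"vault {name} has no vault lock; recovery points can be deleted manually"))
    elif vault.get("MinRetentionDays", 0) < MIN_RETENTION_DAYS:
        # Lock exists but still allows recovery points to expire too early.
        findings.append(("BK-3", f"vault {name} lock permits retention below {MIN_RETENTION_DAYS} days"))
    unencrypted = [rp["RecoveryPointArn"] for rp in vault.get("RecoveryPoints", [])
                   if not rp.get("IsEncrypted", False)]
    if unencrypted:
        findings.append(("BK-4", f"vault {name} holds {len(unencrypted)} unencrypted recovery point(s)"))
    return findings


def assess_backups(plan: Dict, vaults: Dict[str, Dict]) -> Dict[str, List[Finding]]:
    """Combine plan and vault findings, keyed by 'plan:<name>' or 'vault:<name>'."""
    report = {f"plan:{plan['BackupPlanName']}": evaluate_plan(plan)}
    for name, vault in vaults.items():
        report[f"vault:{name}"] = evaluate_vault(name, vault)
    return report


if __name__ == "__main__":
    for target, findings in assess_backups(SAMPLE_PLAN, SAMPLE_VAULTS).items():
        print(f"{target}: {'PASS' if not findings else 'FAIL'}")
        for check_id, message in findings:
            print(f"  {check_id}: {message}")
```

A rule with no Lifecycle is deliberately treated as passing the retention check, since AWS Backup never expires those recovery points; the vault lock check is what stops them being deleted by hand.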
Restrict Administrative Privileges (1 control)
Publicly accessible CloudTrail buckets and CodeBuild projects running in privileged mode are immediate findings. AWS Organizations membership demonstrates centralized governance; at Maturity Level 1, the ACSC expects that privileged accounts are not used for everyday tasks, which in cloud environments means least-privilege service role configurations across all service principals.
Additional Controls (53)
- AWS Database Migration Service (1)
- AWS Step Functions (1)
- Amazon CloudWatch Logs (1)
- Amazon DocumentDB (1)
- Amazon EC2 (3)
- Amazon ECS (1)
- Amazon EFS (2)
- Amazon ElastiCache (1)
- Amazon Neptune (3)
- Amazon OpenSearch Service (3)
- Amazon RDS (8)
- Amazon Redshift (5)
- Amazon S3 (11)
- Amazon SageMaker (2)
- Elastic Load Balancing (2)
Related Frameworks
NIST 800-53 Rev 5 · Medium overlap (45%)
NIST 800-53 Rev 5 covers all eight Essential Eight strategies within its broader control set, particularly across the AC (Access Control), SI (System and Information Integrity), CP (Contingency Planning), and AU (Audit and Accountability) families. The Essential Eight is narrower in scope, focusing on eight specific strategies rather than the full control catalog.
CIS AWS Benchmark v3.0.0 · Medium overlap (55%)
CIS AWS Foundations Benchmark partially overlaps with Essential Eight on logging, encryption, and access control checks, and many of the CloudTrail and IAM controls map directly. CIS goes deeper on AWS-specific configuration, while the Essential Eight is cloud-agnostic in its requirements.
NIST CSF v1.0 · Medium overlap (35%)
The NIST Cybersecurity Framework maps at a higher level. Essential Eight strategies align with CSF's Protect and Recover functions. CSF provides a broader risk management structure, while the Essential Eight prescribes specific technical mitigations.