The ASD Essential Eight Maturity Level 3 mitigation strategies mapped to an AWS reference architecture — which services satisfy each of the eight, by layer.
How to read this. Each architecture layer (left) runs on a set of AWS services (centre) and contributes to one or more Essential Eight strategies (right, E1–E8). Numbers match the legend below.
| # | Strategy | AWS services at ML3 |
|---|---|---|
| E1 | Application control | Allow-listed AMIs/containers; signed images + ECR scanning + admission control; SSM software inventory vs approved list |
| E2 | Patch applications | Amazon Inspector (vuln findings); ECR image scanning; SSM Patch Manager on SLA |
| E3 | Configure macro settings | N/A for cloud workloads; enforce on managed desktops (WorkSpaces) via GPO/MDM |
| E4 | User application hardening | CIS-benchmarked base images; WorkSpaces hardening; runtime/browser controls |
| E5 | Restrict admin privileges | IAM least-privilege; Identity Center + JIT elevation; SCPs; no standing admin; Access Analyzer |
| E6 | Patch operating systems | SSM Patch Manager (ML3 cadence); immutable infra; ec2-managedinstance-patch-compliance-status-check |
| E7 | Multi-factor authentication | MFA on all human identities; phishing-resistant (FIDO2) for privileged at ML3 |
| E8 | Regular backups | AWS Backup + tested restores; Vault Lock immutability; cross-region/cross-account copies |