AiOpsOne

Essential Eight ML3 on AWS — Reference Diagram

The ASD Essential Eight Maturity Level 3 mitigation strategies mapped to an AWS reference architecture — which services satisfy each of the eight, by layer.

Version 1.0  ·  June 2026  ·  aiopsone.com  ·  YouTube @AiOpsOne

How to read this. Each architecture layer (left) runs on a set of AWS services (centre) and contributes to one or more Essential Eight strategies (right, E1–E8). Numbers match the legend below.

Governance & Identitywho can do what
AWS OrganizationsIAM Identity Center SCPsIAM (JIT access)Access Analyzer
E5E7
Compute & Appswhat runs
EC2 (CIS AMIs)ECS / EKSLambda SSM (inventory)ECR scan
E1E4
Patch & Vulnkeep current
SSM Patch ManagerAmazon InspectorECR image scanning
E2E6
Endpointsmanaged desktops
WorkSpacesFleet ManagerGPO / MDM
E3E4
Data & Backupprotect & recover
AWS BackupVault Lock (immutable)S3 / EBS / RDS (KMS)Cross-region copy
E8
Detect & Logsupporting controls
CloudTrailGuardDutySecurity HubAWS Config
all

The eight, mapped

#StrategyAWS services at ML3
E1Application controlAllow-listed AMIs/containers; signed images + ECR scanning + admission control; SSM software inventory vs approved list
E2Patch applicationsAmazon Inspector (vuln findings); ECR image scanning; SSM Patch Manager on SLA
E3Configure macro settingsN/A for cloud workloads; enforce on managed desktops (WorkSpaces) via GPO/MDM
E4User application hardeningCIS-benchmarked base images; WorkSpaces hardening; runtime/browser controls
E5Restrict admin privilegesIAM least-privilege; Identity Center + JIT elevation; SCPs; no standing admin; Access Analyzer
E6Patch operating systemsSSM Patch Manager (ML3 cadence); immutable infra; ec2-managedinstance-patch-compliance-status-check
E7Multi-factor authenticationMFA on all human identities; phishing-resistant (FIDO2) for privileged at ML3
E8Regular backupsAWS Backup + tested restores; Vault Lock immutability; cross-region/cross-account copies