The Australian Cybersecurity Baseline

Essential Eight on AWS, From Maturity Level 1 to Level 3

Build an AWS workload aligned with the Australian Cyber Security Centre's Essential Eight Maturity Model. Updated for September 2025 revisions. Practical implementation paths for ML1, ML2, and ML3, without breaking developer velocity.

AWS Advanced Tier Partner
Google Cloud Partner
RedHat Partner
ISO 27001:2022 Certified
ISO 9001:2015 Certified
Essential Eight · ASD · Updated Sep 2025

Eight mitigations. Three maturity levels. One AWS architecture.

  • 8 mitigations
  • ML1-3 maturity levels
  • ML2 procurement floor
  • Sep 2025 latest revision

Essential Eight is the universal Australian cybersecurity baseline, required by federal government, increasingly required by state government and enterprise procurement.
— ACSC Essential Eight Maturity Model
The Problem We Solve

Essential Eight is universal. Most teams have parts, not all eight.

01, MIXED MATURITY

We have MFA but not application control. We patch operating systems but not applications consistently. We're at ML1.5, not really at any level.

Maturity is measured per mitigation. To claim ML2, all eight mitigations must achieve ML2 simultaneously. Most teams have inconsistent coverage.

02, DEVELOPER VELOCITY

Application control sounds like it'll break our deployment pipeline. We can't slow developers down for compliance.

Application control done badly halts CI/CD. Done well (allowlist by signature, AWS-native tooling, dev/prod boundaries), it adds 0% to deployment time. The implementation pattern matters.

03, PROCUREMENT PRESSURE

Our enterprise customers and government tenders increasingly demand ML2 attestation, and we don't have it documented.

Self-attestation requires evidence: configuration screenshots, audit logs, incident response tests. Most teams haven't organized this.

What You'll Get

From mixed maturity to documented ML2 (or ML3), in three streams.

Stream A · Assessment

Scope of Work

  • Per-mitigation maturity baseline assessment (all 8)
  • Gap analysis to target maturity level (ML2 or ML3)
  • AWS service mapping for each mitigation
  • Developer velocity impact assessment
  • Procurement evidence requirements review

Stream B · Deliverables


  • Essential Eight implementation across all 8 mitigations
  • AWS-native tooling (Systems Manager, Identity Center, WAF, Inspector, Backup)
  • ASD-aligned configuration documentation
  • Audit log evidence framework (CloudTrail, Audit Manager)
  • Self-attestation evidence pack (procurement-ready)
  • Annual review framework

Stream C · Timeline


  • Assessment: 2 weeks
  • Implementation: 6-10 weeks for ML2 (depends on starting point)
  • ML3 typically requires an additional 4-6 weeks of hardening
  • Founder + AWS-certified engineer throughout
  • Compatible with IRAP, ISO 27001, SOCI engagements
  • Quarterly maturity tracking option

Past Engagement Outcomes

What Essential Eight ML2 delivers

Outcomes from engagements with Australian SaaS, FinTech, and HealthTech providers achieving Essential Eight Maturity Level 2 on AWS for procurement attestation.

  • 8/8 mitigations at target maturity level
  • ML2 procurement floor achieved
  • 0% developer velocity impact
  • 100% self-attestation evidence ready

Built on Certified Foundations

Eight mitigations, AWS-native.

AWS Advanced Tier · ISO/IEC 27001:2022 · ISO 9001:2015 · Essential Eight ML2

We implement Essential Eight using AWS-native services: Systems Manager (patching, application control), WAF + Inspector (user application hardening), Identity Center (MFA, restricted admin), AWS Backup with immutable copies (regular backups, ransomware defence). All configurations documented for procurement self-attestation.

Mini Case Study

How a Brisbane SaaS reached ML2 across all 8 mitigations in 8 weeks

A B2B SaaS company in Brisbane needed Essential Eight ML2 attestation to qualify for a Queensland state government tender. They had MFA, OS patching, and backups in place but lacked application control and consistent admin restriction. Their existing self-assessment scored ML1.5, meaning they couldn't truthfully claim ML2.

We started with a 2-week assessment per mitigation, identifying ML2 gaps in 4 of 8 areas. Implementation ran 6 weeks: we deployed AWS Systems Manager Distributor for application control, IAM Identity Center with permission boundaries for restricted admin, automated patching for both OS and application layers, and immutable AWS Backup copies for ransomware defence.

Total elapsed time to documented ML2: 8 weeks. The team won the Queensland tender and reused the documentation for two subsequent enterprise procurement processes.

We knew Essential Eight existed. We didn't realize we'd been at ML1.5 for two years claiming ML2. HAZERCLOUD made the gap visible and closed it.
— Engineering Lead · Brisbane B2B SaaS (anonymized)

Outcomes

  • Mitigations at ML2: 8/8
  • Engagement duration: 8 wks
  • Tenders won post-engagement: 1+2
  • Velocity impact: 0%
  • Cost impact: Minimal

Engagement Options

Predictable cost. Per-mitigation transparency.

Two stages. Pricing reflects starting maturity: teams already at ML1 are typically faster than teams starting from ML0.

Stage 01

Essential Eight Maturity Assessment

  • Per-mitigation maturity baseline (all 8)
  • Gap analysis to ML2 (or ML3 target)
  • AWS service mapping for each mitigation
  • Self-attestation evidence audit
  • Prioritized remediation roadmap

FAQ

Essential Eight questions Australian CTOs ask first.

Mixed maturity? Application control concerns? Procurement attestation requirements? Book a call and we'll work through your specific situation.

What's the difference between Essential Eight Maturity Level 1, 2, and 3?

ML1 is foundational: basic implementation. ML2 is the typical procurement floor: comprehensive coverage with monitoring. ML3 is mature: automated, tested, and continuously verified. Each mitigation has its own ML1/ML2/ML3 specification. Government procurement typically requires ML2 self-attestation; some sensitive workloads require ML3.

Is Essential Eight ML2 the same as ISO 27001?

No. ISO 27001 is broader (an organizational management system) but less prescriptive on technical controls. Essential Eight is narrower (8 specific technical mitigations) but more prescriptive. They overlap on access control, patching, and backups. Most Australian organizations need both: ISO 27001 for the ISMS, Essential Eight for the technical baseline.

Do we need application control on AWS Lambda or just on EC2?

Application control applies to both. On EC2, AWS Systems Manager Distributor + Application Manager handles application allowlisting. On Lambda, the deployment pipeline (signed artefacts, ECR image scanning, restricted IAM permissions) provides equivalent control. Most engagements implement both; Lambda's controls are typically simpler.

How does Essential Eight relate to APRA CPS 230 and SOCI?

All three frameworks reference cybersecurity controls, but at different levels. CPS 230 (operational resilience) and SOCI (critical infrastructure) require risk-management programs that cite technical controls. Essential Eight provides those technical controls. Implementing Essential Eight ML2 satisfies most CPS 230 and SOCI technical control requirements with shared evidence.

What's new in the September 2025 Essential Eight revision?

ASD's September 2025 revision tightened requirements around macro restrictions, multifactor authentication universality, and patching speed for high-risk vulnerabilities. Most existing ML2 implementations need minor updates. We track ASD revisions and include relevant updates in any active engagement.

Will application control really break our deployment pipeline?

If implemented badly, yes. If implemented well (allowlist by signature, separate dev/prod policies, signed CI/CD artefacts), zero impact. We've never had a velocity regression on our engagements; the pattern is well-tested. The trick is treating application control as an artefact-signing problem, not a runtime block.
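The pipeline-side pattern the two application-control answers describe (a release is recorded at build time, prod only deploys what was recorded, dev is audited rather than blocked, and every decision leaves an evidence record) as an added illustration that is not HAZERCLOUD's code. It uses a SHA-256 digest allowlist as a stand-in for signature-based allowlisting; the policies, artefact names and bytes are constructed for the example.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed per-environment policies (hypothetical, not from any real engagement).
# "prod" enforces the allowlist; "dev" only audits, so developers are not blocked.
POLICIES = {
    "dev": {"mode": "audit"},
    "prod": {"mode": "enforce", "allowed_sha256": set()},
}


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def register_release(artefact: bytes) -> str:
    """Stand-in for the CI signing step: record the built artefact's digest on the prod allowlist."""
    digest = sha256_of(artefact)
    POLICIES["prod"]["allowed_sha256"].add(digest)
    return digest


def evaluate(env: str, name: str, artefact: bytes) -> dict:
    """Application-control decision for one artefact, plus an audit record usable as attestation evidence."""
    policy = POLICIES[env]
    digest = sha256_of(artefact)
    if policy["mode"] == "audit":
        allowed, reason = True, "dev policy: audit only"
    elif digest in policy["allowed_sha256"]:
        allowed, reason = True, "digest on prod allowlist"
    else:
        allowed, reason = False, "digest not on prod allowlist (unregistered or modified build)"
    record = {"ts": datetime.now(timezone.utc).isoformat(), "env": env, "artefact": name,
              "sha256": digest, "allowed": allowed, "reason": reason}
    print(json.dumps(record))  # one JSON line per decision, ready to ship to a log store as evidence
    return record


if __name__ == "__main__":
    build = b"constructed release bundle v1.2.3"
    register_release(build)
    evaluate("prod", "api-v1.2.3.zip", build)          # allowed: registered at build time
    evaluate("prod", "api-v1.2.3.zip", build + b"x")   # blocked: bytes changed after registration
    evaluate("dev", "api-dev.zip", b"unregistered")    # allowed but audited: dev boundary
```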
Jobin Joseph
Founder & CTO
AWS SA Pro · DevOps Pro · Security · +2

Who You'll Actually Work With

This engagement runs through me, personally.

The AWS-certified specialist on your discovery call leads the implementation team on your engagement. No bait-and-switch. No junior-led delivery.

Discovery call: I attend, no exceptions
Architecture sign-off: before any work begins
Weekly review: I'm on every call, every week
Material decisions: go through me first
Deliverable sign-off: my signature, my reputation
30 days post-handoff: direct line to me
Ready for documented Essential Eight ML2?

30 minutes with our founder. Per-mitigation maturity baseline.

We'll review your AWS setup against all 8 Essential Eight mitigations, identify which are at ML2 and which aren't, and tell you what it takes to reach documented ML2 across the board, typically 6-10 weeks of focused work.

AWS Advanced Tier Services Partner · ISO 27001:2022 · ISO 9001:2015 · 5× AWS-Certified Founder