@turbot/aws-hipaa

Release Notes

5.2.0 (2023-08-18)

What's new?

  • Rebranded to a Turbot Guardrails Mod. To maintain compatibility, none of the existing resource types, control types or policy types have changed; your existing configurations and settings will continue to work as before.

Bug fixes

  • The AWS > HIPAA > EC2 > EC2 stopped instances should be removed in 30 days control would sometimes go into an error state if it was not able to determine the age of a stopped EC2 instance. This is fixed and the control will now move to a skipped state instead.

5.1.1 (2022-11-22)

Bug fixes

  • The AWS > HIPAA > Account > Ensure a log metric filter and alarm exist for usage of 'root' account control would sometimes go into an error state because of an incorrect GraphQL query for metric names. This is fixed and the control will now work as expected.

5.1.0 (2022-09-02)

What's new?

  • We've reimagined the HIPAA controls to be clearer, more concise and easier to navigate on the Guardrails console. Controls are now grouped under their parent services instead of being under a long list of benchmark hierarchies. This avoids duplication of similar controls per resource and gives users a better view of HIPAA compliance coverage in an account. Please note that existing controls will be destroyed and new controls will be installed as part of this mod version upgrade.

Control Types

Added

  • AWS > HIPAA > ACM
  • AWS > HIPAA > ACM > ACM certificates should be set to expire within 30 days
  • AWS > HIPAA > API Gateway
  • AWS > HIPAA > API Gateway > API Gateway stage cache encryption at rest should be enabled
  • AWS > HIPAA > API Gateway > API Gateway stage logging should be enabled
  • AWS > HIPAA > Account
  • AWS > HIPAA > Account > At least one multi-region AWS CloudTrail should be present in an account
  • AWS > HIPAA > Account > Ensure IAM password policy expires passwords within 90 days or less
  • AWS > HIPAA > Account > Ensure IAM password policy prevents password reuse
  • AWS > HIPAA > Account > Ensure IAM password policy requires at least one lowercase letter
  • AWS > HIPAA > Account > Ensure IAM password policy requires at least one number
  • AWS > HIPAA > Account > Ensure IAM password policy requires at least one symbol
  • AWS > HIPAA > Account > Ensure IAM password policy requires at least one uppercase letter
  • AWS > HIPAA > Account > Ensure a log metric filter and alarm exist for AWS Management Console authentication failures
  • AWS > HIPAA > Account > Ensure a log metric filter and alarm exist for usage of 'root' account
  • AWS > HIPAA > Account > IAM root user hardware MFA should be enabled
  • AWS > HIPAA > Backup
  • AWS > HIPAA > Backup > Backup plan min frequency and min retention check
  • AWS > HIPAA > Backup > Backup recovery point manual deletion should be disabled
  • AWS > HIPAA > Backup > Backup recovery point should be encrypted
  • AWS > HIPAA > CloudFront
  • AWS > HIPAA > CloudFront > CloudFront distributions should require encryption in transit
  • AWS > HIPAA > CloudTrail
  • AWS > HIPAA > CloudTrail > CloudTrail trail log file validation should be enabled
  • AWS > HIPAA > CloudTrail > CloudTrail trail logs should be encrypted with KMS CMK
  • AWS > HIPAA > CloudTrail > CloudTrail trails should be integrated with CloudWatch logs
  • AWS > HIPAA > CloudWatch
  • AWS > HIPAA > CloudWatch > CloudWatch alarm action should be enabled
  • AWS > HIPAA > CodeBuild
  • AWS > HIPAA > CodeBuild > CodeBuild GitHub or Bitbucket source repository URLs should use OAuth
  • AWS > HIPAA > CodeBuild > CodeBuild project plaintext environment variables should not contain sensitive AWS values
  • AWS > HIPAA > DAX
  • AWS > HIPAA > DAX > DynamoDB Accelerator (DAX) clusters should be encrypted at rest
  • AWS > HIPAA > DMS
  • AWS > HIPAA > DMS > DMS replication instances should not be publicly accessible
  • AWS > HIPAA > DynamoDB
  • AWS > HIPAA > DynamoDB > DynamoDB table auto scaling should be enabled
  • AWS > HIPAA > DynamoDB > DynamoDB table point-in-time recovery should be enabled
  • AWS > HIPAA > DynamoDB > DynamoDB table should be encrypted with AWS KMS
  • AWS > HIPAA > DynamoDB > DynamoDB table should be protected by backup plan
  • AWS > HIPAA > DynamoDB > DynamoDB table should have encryption enabled
  • AWS > HIPAA > DynamoDB > DynamoDB tables should be in a backup plan
  • AWS > HIPAA > EC2
  • AWS > HIPAA > EC2 > Attached EBS volumes should have encryption enabled
  • AWS > HIPAA > EC2 > Auto Scaling groups with a load balancer should use health checks
  • AWS > HIPAA > EC2 > EBS default encryption should be enabled
  • AWS > HIPAA > EC2 > EBS snapshots should not be publicly restorable
  • AWS > HIPAA > EC2 > EBS volume encryption at rest should be enabled
  • AWS > HIPAA > EC2 > EBS volumes should be in a backup plan
  • AWS > HIPAA > EC2 > EBS volumes should be protected by backup plan
  • AWS > HIPAA > EC2 > EC2 instance should have EBS optimization enabled
  • AWS > HIPAA > EC2 > EC2 instances should be in a VPC
  • AWS > HIPAA > EC2 > EC2 instances should be managed by AWS Systems Manager
  • AWS > HIPAA > EC2 > EC2 instances should be protected by backup plan
  • AWS > HIPAA > EC2 > EC2 instances should not have a public IP address
  • AWS > HIPAA > EC2 > EC2 stopped instances should be removed in 30 days
  • AWS > HIPAA > EC2 > ELB application and classic load balancer logging should be enabled
  • AWS > HIPAA > EC2 > ELB application load balancer deletion protection should be enabled
  • AWS > HIPAA > EC2 > ELB application load balancers should drop HTTP headers
  • AWS > HIPAA > EC2 > ELB application load balancers should redirect HTTP requests to HTTPS
  • AWS > HIPAA > EC2 > ELB classic load balancers should only use SSL or HTTPS listeners
  • AWS > HIPAA > EC2 > ELB classic load balancers should use SSL certificates
  • AWS > HIPAA > EFS
  • AWS > HIPAA > EFS > EFS file system encryption at rest should be enabled
  • AWS > HIPAA > EFS > EFS file systems should be in a backup plan
  • AWS > HIPAA > EFS > EFS file systems should be protected by backup plan
  • AWS > HIPAA > EKS
  • AWS > HIPAA > EKS > EKS clusters should be configured to have kubernetes secrets encrypted using KMS
  • AWS > HIPAA > EMR
  • AWS > HIPAA > EMR > EMR cluster kerberos should be enabled
  • AWS > HIPAA > EMR > EMR cluster master nodes should not have public IP addresses
  • AWS > HIPAA > ElastiCache
  • AWS > HIPAA > ElastiCache > ElastiCache Redis cluster automatic backup should be enabled with retention period of 15 days or greater
  • AWS > HIPAA > Elasticsearch
  • AWS > HIPAA > Elasticsearch > ES domain encryption at rest should be enabled
  • AWS > HIPAA > Elasticsearch > ES domains should be in a VPC
  • AWS > HIPAA > Elasticsearch > Elasticsearch domain node-to-node encryption should be enabled
  • AWS > HIPAA > FSx
  • AWS > HIPAA > FSx > FSx file system should be protected by backup plan
  • AWS > HIPAA > GuardDuty
  • AWS > HIPAA > GuardDuty > GuardDuty findings should be archived
  • AWS > HIPAA > IAM
  • AWS > HIPAA > IAM > Ensure IAM password policy requires a minimum length of 14 or greater
  • AWS > HIPAA > IAM > IAM groups should have at least one user
  • AWS > HIPAA > IAM > IAM password policies for users should have strong configurations
  • AWS > HIPAA > IAM > IAM policy should not have statements with admin access
  • AWS > HIPAA > IAM > IAM root user MFA should be enabled
  • AWS > HIPAA > IAM > IAM root user should not have access keys
  • AWS > HIPAA > IAM > IAM user MFA should be enabled
  • AWS > HIPAA > IAM > IAM user access keys should be rotated at least every 90 days
  • AWS > HIPAA > IAM > IAM user credentials that have not been used in 90 days should be disabled
  • AWS > HIPAA > IAM > IAM user should not have any inline or attached policies
  • AWS > HIPAA > IAM > IAM users should be in at least one group
  • AWS > HIPAA > IAM > IAM users with console access should have MFA enabled
  • AWS > HIPAA > IAM > KMS key decryption should be restricted in IAM customer managed policy
  • AWS > HIPAA > IAM > KMS key decryption should be restricted in IAM inline policy
  • AWS > HIPAA > KMS
  • AWS > HIPAA > KMS > KMS CMK rotation should be enabled
  • AWS > HIPAA > KMS > KMS keys should not be pending deletion
  • AWS > HIPAA > Lambda
  • AWS > HIPAA > Lambda > Lambda functions should be configured with a dead-letter queue
  • AWS > HIPAA > Lambda > Lambda functions should be in a VPC
  • AWS > HIPAA > Lambda > Lambda functions should restrict public access
  • AWS > HIPAA > Logs
  • AWS > HIPAA > Logs > Log group encryption at rest should be enabled
  • AWS > HIPAA > Logs > Log group retention period should be at least 365 days
  • AWS > HIPAA > RDS
  • AWS > HIPAA > RDS > Database logging should be enabled
  • AWS > HIPAA > RDS > RDS Aurora clusters should be protected by backup plan
  • AWS > HIPAA > RDS > RDS DB instance backup should be enabled
  • AWS > HIPAA > RDS > RDS DB instance encryption at rest should be enabled
  • AWS > HIPAA > RDS > RDS DB instance multiple az should be enabled
  • AWS > HIPAA > RDS > RDS DB instance should be protected by backup plan
  • AWS > HIPAA > RDS > RDS DB instances should be in a backup plan
  • AWS > HIPAA > RDS > RDS DB instances should prohibit public access
  • AWS > HIPAA > RDS > RDS DB snapshots should be encrypted at rest
  • AWS > HIPAA > RDS > RDS snapshots should prohibit public access
  • AWS > HIPAA > Redshift
  • AWS > HIPAA > Redshift > Amazon Redshift clusters should have automatic snapshots enabled
  • AWS > HIPAA > Redshift > Redshift cluster audit logging and encryption should be enabled
  • AWS > HIPAA > Redshift > Redshift cluster encryption in transit should be enabled
  • AWS > HIPAA > Redshift > Redshift clusters should prohibit public access
  • AWS > HIPAA > Region
  • AWS > HIPAA > Region > AWS Config should be enabled
  • AWS > HIPAA > Region > AWS Security Hub should be enabled for an AWS Account
  • AWS > HIPAA > Region > At least one enabled trail should be present in a region
  • AWS > HIPAA > Region > GuardDuty should be enabled
  • AWS > HIPAA > S3
  • AWS > HIPAA > S3 > All S3 buckets should log S3 data events in CloudTrail
  • AWS > HIPAA > S3 > S3 bucket cross-region replication should be enabled
  • AWS > HIPAA > S3 > S3 bucket default encryption should be enabled
  • AWS > HIPAA > S3 > S3 bucket default encryption should be enabled with KMS
  • AWS > HIPAA > S3 > S3 bucket logging should be enabled
  • AWS > HIPAA > S3 > S3 bucket object lock should be enabled
  • AWS > HIPAA > S3 > S3 bucket versioning should be enabled
  • AWS > HIPAA > S3 > S3 buckets should enforce SSL
  • AWS > HIPAA > S3 > S3 buckets should prohibit public read access
  • AWS > HIPAA > S3 > S3 buckets should prohibit public write access
  • AWS > HIPAA > S3 > S3 public access should be blocked at account and bucket levels
  • AWS > HIPAA > S3 > S3 public access should be blocked at account level
  • AWS > HIPAA > SNS
  • AWS > HIPAA > SNS > SNS topics should be encrypted at rest
  • AWS > HIPAA > SSM
  • AWS > HIPAA > SSM > SSM managed instance associations should be compliant
  • AWS > HIPAA > SSM > SSM managed instance patching should be compliant
  • AWS > HIPAA > SageMaker
  • AWS > HIPAA > SageMaker > SageMaker endpoint configuration encryption should be enabled
  • AWS > HIPAA > SageMaker > SageMaker notebook instance encryption should be enabled
  • AWS > HIPAA > SageMaker > SageMaker notebook instances should not have direct internet access
  • AWS > HIPAA > Secrets Manager
  • AWS > HIPAA > Secrets Manager > Secrets Manager secrets should have automatic rotation enabled
  • AWS > HIPAA > VPC
  • AWS > HIPAA > VPC > Both VPN tunnels provided by AWS Site-to-Site VPN should be in UP status
  • AWS > HIPAA > VPC > VPC flow logs should be enabled
  • AWS > HIPAA > VPC > VPC internet gateways should be attached to authorized vpc
  • AWS > HIPAA > VPC > VPC security groups should restrict ingress SSH access from 0.0.0.0/0
  • AWS > HIPAA > VPC > VPC security groups should restrict ingress TCP and UDP access from 0.0.0.0/0
  • AWS > HIPAA > VPC > VPC security groups should restrict ingress access on ports 20, 21, 22, 3306, 3389, 4333 from 0.0.0.0/0
  • AWS > HIPAA > WAFV2
  • AWS > HIPAA > WAFV2 > Logging should be enabled on AWS WAFv2 regional and global web access control list (ACLs)

Removed

  • AWS > HIPAA > 164.308 Administrative Safeguards
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(A) Risk analysis
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(A) Risk analysis > AWS Config should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(A) Risk analysis > GuardDuty should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management > API Gateway stage cache encryption at rest should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management > Auto Scaling groups with a load balancer should use health checks
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management > Both VPN tunnels provided by AWS Site-to-Site VPN should be in UP status
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management > CloudTrail trail log file validation should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management > CloudTrail trail logs should be encrypted with KMS CMK
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management > CodeBuild GitHub or Bitbucket source repository URLs should use OAuth
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management > CodeBuild project plaintext environment variables should not contain sensitive AWS values
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management > DMS replication instances should not be publicly accessible
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management > DynamoDB table auto scaling should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management > DynamoDB table point-in-time recovery should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management > EBS default encryption should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management > EBS snapshots should not be publicly restorable
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management > EBS volume encryption at rest should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management > EC2 instances should be in a VPC
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management > EC2 instances should not have a public IP address
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management > EC2 stopped instances should be removed in 30 days
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management > EFS file system encryption at rest should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management > ELB application load balancer deletion protection should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management > ELB application load balancers should redirect HTTP requests to HTTPS
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management > ELB classic load balancers should use SSL certificates
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management > EMR cluster master nodes should not have public IP addresses
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management > ES domain encryption at rest should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management > ES domains should be in a VPC
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management > ElastiCache Redis cluster automatic backup should be enabled with retention period of 15 days or greater
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management > IAM policy should not have statements with admin access
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management > IAM root user should not have access keys
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management > KMS keys should not be pending deletion
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management > Lambda functions should be in a VPC
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management > Lambda functions should restrict public access
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management > Log group encryption at rest should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management > RDS DB instance backup should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management > RDS DB instance encryption at rest should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management > RDS DB instance multiple az should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management > RDS DB snapshots should be encrypted at rest
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management > RDS snapshots should prohibit public access
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management > Redshift cluster audit logging and encryption should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management > Redshift cluster encryption in transit should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management > Redshift clusters should prohibit public access
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management > S3 bucket cross-region replication should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management > S3 bucket default encryption should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management > S3 bucket object lock should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management > S3 bucket versioning should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management > S3 buckets should enforce SSL
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management > S3 buckets should prohibit public read access
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management > S3 buckets should prohibit public write access
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management > S3 public access should be blocked at account level
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management > SNS topics should be encrypted at rest
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management > SageMaker endpoint configuration encryption should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management > SageMaker notebook instance encryption should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management > SageMaker notebook instances should not have direct internet access
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management > VPC internet gateways should be attached to authorized vpc
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management > VPC security groups should restrict ingress SSH access from 0.0.0.0/0
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management > VPC security groups should restrict ingress TCP and UDP access from 0.0.0.0/0
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management > VPC security groups should restrict ingress access on ports 20, 21, 22, 3306, 3389, 4333 from 0.0.0.0/0
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(D) Information system activity review
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(D) Information system activity review > API Gateway stage logging should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(D) Information system activity review > AWS Security Hub should be enabled for an AWS Account
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(D) Information system activity review > All S3 buckets should log S3 data events in CloudTrail
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(D) Information system activity review > At least one enabled trail should be present in a region
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(D) Information system activity review > At least one multi-region AWS CloudTrail should be present in an account
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(D) Information system activity review > CloudTrail trail log file validation should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(D) Information system activity review > CloudTrail trail logs should be encrypted with KMS CMK
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(D) Information system activity review > CloudTrail trails should be integrated with CloudWatch logs
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(D) Information system activity review > ELB application and classic load balancer logging should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(D) Information system activity review > GuardDuty should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(D) Information system activity review > Redshift cluster audit logging and encryption should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(D) Information system activity review > S3 bucket logging should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(D) Information system activity review > VPC flow logs should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(3)(i) Workforce security
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(3)(i) Workforce security > DMS replication instances should not be publicly accessible
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(3)(i) Workforce security > EBS snapshots should not be publicly restorable
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(3)(i) Workforce security > EC2 instances should be in a VPC
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(3)(i) Workforce security > EC2 instances should not have a public IP address
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(3)(i) Workforce security > ES domains should be in a VPC
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(3)(i) Workforce security > IAM groups should have at least one user
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(3)(i) Workforce security > IAM policy should not have statements with admin access
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(3)(i) Workforce security > IAM root user should not have access keys
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(3)(i) Workforce security > IAM user should not have any inline or attached policies
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(3)(i) Workforce security > IAM users should be in at least one group
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(3)(i) Workforce security > Lambda functions should be in a VPC
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(3)(i) Workforce security > Lambda functions should restrict public access
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(3)(i) Workforce security > RDS DB instances should prohibit public access
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(3)(i) Workforce security > RDS snapshots should prohibit public access
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(3)(i) Workforce security > Redshift clusters should prohibit public access
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(3)(i) Workforce security > S3 buckets should prohibit public read access
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(3)(i) Workforce security > S3 buckets should prohibit public write access
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(3)(i) Workforce security > S3 public access should be blocked at account level
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(3)(i) Workforce security > SageMaker notebook instances should not have direct internet access
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(3)(ii)(A) Authorization and/or supervision
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(3)(ii)(A) Authorization and/or supervision > API Gateway stage logging should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(3)(ii)(A) Authorization and/or supervision > AWS Security Hub should be enabled for an AWS Account
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(3)(ii)(A) Authorization and/or supervision > All S3 buckets should log S3 data events in CloudTrail
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(3)(ii)(A) Authorization and/or supervision > At least one enabled trail should be present in a region
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(3)(ii)(A) Authorization and/or supervision > At least one multi-region AWS CloudTrail should be present in an account
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(3)(ii)(A) Authorization and/or supervision > ELB application and classic load balancer logging should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(3)(ii)(A) Authorization and/or supervision > EMR cluster kerberos should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(3)(ii)(A) Authorization and/or supervision > GuardDuty should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(3)(ii)(A) Authorization and/or supervision > IAM root user MFA should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(3)(ii)(A) Authorization and/or supervision > IAM root user hardware MFA should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(3)(ii)(A) Authorization and/or supervision > IAM user MFA should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(3)(ii)(A) Authorization and/or supervision > IAM users with console access should have MFA enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(3)(ii)(A) Authorization and/or supervision > Redshift cluster audit logging and encryption should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(3)(ii)(A) Authorization and/or supervision > S3 bucket logging should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(3)(ii)(A) Authorization and/or supervision > VPC flow logs should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(3)(ii)(B) Workforce clearance procedure
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(3)(ii)(B) Workforce clearance procedure > IAM groups should have at least one user
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(3)(ii)(B) Workforce clearance procedure > IAM policy should not have statements with admin access
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(3)(ii)(B) Workforce clearance procedure > IAM root user should not have access keys
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(3)(ii)(B) Workforce clearance procedure > IAM user credentials that have not been used in 90 days should be disabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(3)(ii)(B) Workforce clearance procedure > IAM user should not have any inline or attached policies
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(3)(ii)(B) Workforce clearance procedure > IAM users should be in at least one group
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(3)(ii)(C) Termination procedures
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(3)(ii)(C) Termination procedures > IAM user access keys should be rotated at least every 90 days
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(4)(i) Information access management
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(4)(i) Information access management > IAM groups should have at least one user
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(4)(i) Information access management > IAM policy should not have statements with admin access
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(4)(i) Information access management > IAM user should not have any inline or attached policies
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(4)(i) Information access management > IAM users should be in at least one group
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(4)(ii)(A) Isolating health care clearinghouse functions
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(4)(ii)(A) Isolating health care clearinghouse functions > ACM certificates should be set to expire within 30 days
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(4)(ii)(A) Isolating health care clearinghouse functions > API Gateway stage cache encryption at rest should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(4)(ii)(A) Isolating health care clearinghouse functions > Amazon Redshift clusters should have automatic snapshots enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(4)(ii)(A) Isolating health care clearinghouse functions > Attached EBS volumes should have encryption enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(4)(ii)(A) Isolating health care clearinghouse functions > CloudFront distributions should require encryption in transit
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(4)(ii)(A) Isolating health care clearinghouse functions > CloudTrail trail logs should be encrypted with KMS CMK
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(4)(ii)(A) Isolating health care clearinghouse functions > Database logging should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(4)(ii)(A) Isolating health care clearinghouse functions > DynamoDB Accelerator (DAX) clusters should be encrypted at rest
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(4)(ii)(A) Isolating health care clearinghouse functions > DynamoDB table should be encrypted with AWS KMS
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(4)(ii)(A) Isolating health care clearinghouse functions > DynamoDB table should have encryption enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(4)(ii)(A) Isolating health care clearinghouse functions > EBS default encryption should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(4)(ii)(A) Isolating health care clearinghouse functions > EBS volume encryption at rest should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(4)(ii)(A) Isolating health care clearinghouse functions > EFS file system encryption at rest should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(4)(ii)(A) Isolating health care clearinghouse functions > EKS clusters should be configured to have kubernetes secrets encrypted using KMS
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(4)(ii)(A) Isolating health care clearinghouse functions > ELB application load balancers should drop HTTP headers
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(4)(ii)(A) Isolating health care clearinghouse functions > ELB application load balancers should redirect HTTP requests to HTTPS
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(4)(ii)(A) Isolating health care clearinghouse functions > ELB classic load balancers should only use SSL or HTTPS listeners
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(4)(ii)(A) Isolating health care clearinghouse functions > ELB classic load balancers should use SSL certificates
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(4)(ii)(A) Isolating health care clearinghouse functions > ES domain encryption at rest should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(4)(ii)(A) Isolating health care clearinghouse functions > Elasticsearch domain node-to-node encryption should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(4)(ii)(A) Isolating health care clearinghouse functions > Log group encryption at rest should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(4)(ii)(A) Isolating health care clearinghouse functions > Logging should be enabled on AWS WAFv2 regional and global web access control list (ACLs)
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(4)(ii)(A) Isolating health care clearinghouse functions > RDS DB instance encryption at rest should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(4)(ii)(A) Isolating health care clearinghouse functions > RDS DB instances should be in a backup plan
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(4)(ii)(A) Isolating health care clearinghouse functions > RDS DB snapshots should be encrypted at rest
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(4)(ii)(A) Isolating health care clearinghouse functions > Redshift cluster audit logging and encryption should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(4)(ii)(A) Isolating health care clearinghouse functions > Redshift cluster encryption in transit should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(4)(ii)(A) Isolating health care clearinghouse functions > S3 bucket default encryption should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(4)(ii)(A) Isolating health care clearinghouse functions > S3 bucket default encryption should be enabled with KMS
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(4)(ii)(A) Isolating health care clearinghouse functions > SNS topics should be encrypted at rest
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(4)(ii)(A) Isolating health care clearinghouse functions > SageMaker endpoint configuration encryption should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(4)(ii)(A) Isolating health care clearinghouse functions > SageMaker notebook instance encryption should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(4)(ii)(B) Access authorization
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(4)(ii)(B) Access authorization > IAM groups should have at least one user
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(4)(ii)(B) Access authorization > IAM policy should not have statements with admin access
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(4)(ii)(B) Access authorization > IAM user should not have any inline or attached policies
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(4)(ii)(B) Access authorization > IAM users should be in at least one group
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(4)(ii)(C) Access establishment and modification
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(4)(ii)(C) Access establishment and modification > IAM groups should have at least one user
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(4)(ii)(C) Access establishment and modification > IAM password policies for users should have strong configurations
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(4)(ii)(C) Access establishment and modification > IAM policy should not have statements with admin access
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(4)(ii)(C) Access establishment and modification > IAM root user should not have access keys
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(4)(ii)(C) Access establishment and modification > IAM user access keys should be rotated at least every 90 days
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(4)(ii)(C) Access establishment and modification > IAM user credentials that have not been used in 90 days should be disabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(4)(ii)(C) Access establishment and modification > IAM user should not have any inline or attached policies
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(4)(ii)(C) Access establishment and modification > IAM users should be in at least one group
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(4)(ii)(C) Access establishment and modification > Secrets Manager secrets should have automatic rotation enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(5)(ii)(B) Protection from malicious software
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(5)(ii)(B) Protection from malicious software > EC2 instances should be managed by AWS Systems Manager
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(5)(ii)(B) Protection from malicious software > SSM managed instance associations should be compliant
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(5)(ii)(B) Protection from malicious software > SSM managed instance patching should be compliant
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(5)(ii)(C) Log-in monitoring
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(5)(ii)(C) Log-in monitoring > AWS Security Hub should be enabled for an AWS Account
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(5)(ii)(C) Log-in monitoring > Ensure a log metric filter and alarm exist for AWS Management Console authentication failures
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(5)(ii)(C) Log-in monitoring > GuardDuty should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(5)(ii)(D) Password management
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(5)(ii)(D) Password management > Ensure IAM password policy expires passwords within 90 days or less
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(5)(ii)(D) Password management > Ensure IAM password policy prevents password reuse
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(5)(ii)(D) Password management > Ensure IAM password policy requires a minimum length of 14 or greater
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(5)(ii)(D) Password management > Ensure IAM password policy requires at least one lowercase letter
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(5)(ii)(D) Password management > Ensure IAM password policy requires at least one number
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(5)(ii)(D) Password management > Ensure IAM password policy requires at least one symbol
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(5)(ii)(D) Password management > Ensure IAM password policy requires at least one uppercase letter
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(5)(ii)(D) Password management > IAM user access keys should be rotated at least every 90 days
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(5)(ii)(D) Password management > IAM user credentials that have not been used in 90 days should be disabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(6)(i) Security incident procedures
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(6)(i) Security incident procedures > AWS Security Hub should be enabled for an AWS Account
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(6)(i) Security incident procedures > CloudWatch alarm action should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(6)(i) Security incident procedures > Ensure a log metric filter and alarm exist for AWS Management Console authentication failures
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(6)(i) Security incident procedures > Ensure a log metric filter and alarm exist for usage of 'root' account
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(6)(i) Security incident procedures > GuardDuty should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(6)(i) Security incident procedures > Lambda functions should be configured with a dead-letter queue
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(6)(ii) Response and reporting
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(6)(ii) Response and reporting > API Gateway stage logging should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(6)(ii) Response and reporting > AWS Security Hub should be enabled for an AWS Account
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(6)(ii) Response and reporting > All S3 buckets should log S3 data events in CloudTrail
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(6)(ii) Response and reporting > At least one enabled trail should be present in a region
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(6)(ii) Response and reporting > At least one multi-region AWS CloudTrail should be present in an account
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(6)(ii) Response and reporting > CloudTrail trails should be integrated with CloudWatch logs
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(6)(ii) Response and reporting > ELB application and classic load balancer logging should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(6)(ii) Response and reporting > Ensure a log metric filter and alarm exist for AWS Management Console authentication failures
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(6)(ii) Response and reporting > Ensure a log metric filter and alarm exist for usage of 'root' account
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(6)(ii) Response and reporting > GuardDuty findings should be archived
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(6)(ii) Response and reporting > GuardDuty should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(6)(ii) Response and reporting > S3 bucket logging should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(6)(ii) Response and reporting > VPC flow logs should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(i) Contingency plan
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(i) Contingency plan > Amazon Redshift clusters should have automatic snapshots enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(i) Contingency plan > Auto Scaling groups with a load balancer should use health checks
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(i) Contingency plan > Backup plan min frequency and min retention check
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(i) Contingency plan > Backup recovery point manual deletion should be disabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(i) Contingency plan > Backup recovery point should be encrypted
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(i) Contingency plan > Both VPN tunnels provided by AWS Site-to-Site VPN should be in UP status
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(i) Contingency plan > DynamoDB table auto scaling should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(i) Contingency plan > DynamoDB table point-in-time recovery should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(i) Contingency plan > DynamoDB table should be protected by backup plan
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(i) Contingency plan > DynamoDB tables should be in a backup plan
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(i) Contingency plan > EBS volumes should be in a backup plan
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(i) Contingency plan > EBS volumes should be protected by backup plan
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(i) Contingency plan > EC2 instance should have EBS optimization enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(i) Contingency plan > EC2 instances should be protected by backup plan
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(i) Contingency plan > EFS file systems should be in a backup plan
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(i) Contingency plan > EFS file systems should be protected by backup plan
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(i) Contingency plan > ElastiCache Redis cluster automatic backup should be enabled with retention period of 15 days or greater
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(i) Contingency plan > FSx file system should be protected by backup plan
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(i) Contingency plan > RDS Aurora clusters should be protected by backup plan
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(i) Contingency plan > RDS DB instance backup should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(i) Contingency plan > RDS DB instance multiple az should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(i) Contingency plan > RDS DB instance should be protected by backup plan
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(i) Contingency plan > RDS DB instances should be in a backup plan
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(i) Contingency plan > S3 bucket cross-region replication should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(i) Contingency plan > S3 bucket versioning should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(A) Data backup plan
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(A) Data backup plan > Amazon Redshift clusters should have automatic snapshots enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(A) Data backup plan > Auto Scaling groups with a load balancer should use health checks
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(A) Data backup plan > Backup plan min frequency and min retention check
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(A) Data backup plan > Backup recovery point manual deletion should be disabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(A) Data backup plan > Backup recovery point should be encrypted
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(A) Data backup plan > Both VPN tunnels provided by AWS Site-to-Site VPN should be in UP status
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(A) Data backup plan > DynamoDB table auto scaling should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(A) Data backup plan > DynamoDB table point-in-time recovery should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(A) Data backup plan > DynamoDB table should be protected by backup plan
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(A) Data backup plan > DynamoDB tables should be in a backup plan
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(A) Data backup plan > EBS volumes should be in a backup plan
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(A) Data backup plan > EBS volumes should be protected by backup plan
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(A) Data backup plan > EC2 instance should have EBS optimization enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(A) Data backup plan > EC2 instances should be protected by backup plan
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(A) Data backup plan > EFS file systems should be in a backup plan
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(A) Data backup plan > EFS file systems should be protected by backup plan
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(A) Data backup plan > ElastiCache Redis cluster automatic backup should be enabled with retention period of 15 days or greater
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(A) Data backup plan > FSx file system should be protected by backup plan
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(A) Data backup plan > RDS Aurora clusters should be protected by backup plan
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(A) Data backup plan > RDS DB instance backup should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(A) Data backup plan > RDS DB instance multiple az should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(A) Data backup plan > RDS DB instance should be protected by backup plan
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(A) Data backup plan > RDS DB instances should be in a backup plan
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(A) Data backup plan > S3 bucket cross-region replication should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(A) Data backup plan > S3 bucket versioning should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(B) Disaster recovery plan
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(B) Disaster recovery plan > Amazon Redshift clusters should have automatic snapshots enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(B) Disaster recovery plan > Auto Scaling groups with a load balancer should use health checks
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(B) Disaster recovery plan > Backup plan min frequency and min retention check
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(B) Disaster recovery plan > Backup recovery point manual deletion should be disabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(B) Disaster recovery plan > Backup recovery point should be encrypted
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(B) Disaster recovery plan > Both VPN tunnels provided by AWS Site-to-Site VPN should be in UP status
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(B) Disaster recovery plan > DynamoDB table auto scaling should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(B) Disaster recovery plan > DynamoDB table point-in-time recovery should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(B) Disaster recovery plan > DynamoDB table should be protected by backup plan
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(B) Disaster recovery plan > DynamoDB tables should be in a backup plan
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(B) Disaster recovery plan > EBS volumes should be in a backup plan
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(B) Disaster recovery plan > EBS volumes should be protected by backup plan
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(B) Disaster recovery plan > EC2 instance should have EBS optimization enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(B) Disaster recovery plan > EC2 instances should be protected by backup plan
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(B) Disaster recovery plan > EFS file systems should be in a backup plan
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(B) Disaster recovery plan > EFS file systems should be protected by backup plan
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(B) Disaster recovery plan > ElastiCache Redis cluster automatic backup should be enabled with retention period of 15 days or greater
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(B) Disaster recovery plan > FSx file system should be protected by backup plan
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(B) Disaster recovery plan > RDS Aurora clusters should be protected by backup plan
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(B) Disaster recovery plan > RDS DB instance backup should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(B) Disaster recovery plan > RDS DB instance multiple az should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(B) Disaster recovery plan > RDS DB instance should be protected by backup plan
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(B) Disaster recovery plan > RDS DB instances should be in a backup plan
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(B) Disaster recovery plan > S3 bucket cross-region replication should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(B) Disaster recovery plan > S3 bucket versioning should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(C) Emergency mode operation plan
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(C) Emergency mode operation plan > Amazon Redshift clusters should have automatic snapshots enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(C) Emergency mode operation plan > Auto Scaling groups with a load balancer should use health checks
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(C) Emergency mode operation plan > Backup plan min frequency and min retention check
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(C) Emergency mode operation plan > Backup recovery point manual deletion should be disabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(C) Emergency mode operation plan > Backup recovery point should be encrypted
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(C) Emergency mode operation plan > Both VPN tunnels provided by AWS Site-to-Site VPN should be in UP status
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(C) Emergency mode operation plan > DynamoDB table auto scaling should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(C) Emergency mode operation plan > DynamoDB table point-in-time recovery should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(C) Emergency mode operation plan > DynamoDB table should be protected by backup plan
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(C) Emergency mode operation plan > DynamoDB tables should be in a backup plan
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(C) Emergency mode operation plan > EBS volumes should be in a backup plan
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(C) Emergency mode operation plan > EBS volumes should be protected by backup plan
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(C) Emergency mode operation plan > EC2 instance should have EBS optimization enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(C) Emergency mode operation plan > EC2 instances should be protected by backup plan
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(C) Emergency mode operation plan > EFS file systems should be in a backup plan
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(C) Emergency mode operation plan > EFS file systems should be protected by backup plan
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(C) Emergency mode operation plan > ElastiCache Redis cluster automatic backup should be enabled with retention period of 15 days or greater
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(C) Emergency mode operation plan > FSx file system should be protected by backup plan
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(C) Emergency mode operation plan > RDS Aurora clusters should be protected by backup plan
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(C) Emergency mode operation plan > RDS DB instance backup should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(C) Emergency mode operation plan > RDS DB instance multiple az should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(C) Emergency mode operation plan > RDS DB instance should be protected by backup plan
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(C) Emergency mode operation plan > RDS DB instances should be in a backup plan
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(C) Emergency mode operation plan > S3 bucket cross-region replication should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(C) Emergency mode operation plan > S3 bucket versioning should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(8) Evaluation
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(8) Evaluation > AWS Security Hub should be enabled for an AWS Account
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(8) Evaluation > GuardDuty should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(1) Access control
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(1) Access control > DMS replication instances should not be publicly accessible
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(1) Access control > EBS snapshots should not be publicly restorable
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(1) Access control > EC2 instances should be in a VPC
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(1) Access control > EC2 instances should not have a public IP address
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(1) Access control > EMR cluster kerberos should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(1) Access control > EMR cluster master nodes should not have public IP addresses
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(1) Access control > ES domains should be in a VPC
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(1) Access control > IAM groups should have at least one user
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(1) Access control > IAM policy should not have statements with admin access
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(1) Access control > IAM user should not have any inline or attached policies
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(1) Access control > IAM users should be in at least one group
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(1) Access control > IAM users with console access should have MFA enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(1) Access control > Lambda functions should be in a VPC
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(1) Access control > Lambda functions should restrict public access
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(1) Access control > RDS DB instances should prohibit public access
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(1) Access control > RDS snapshots should prohibit public access
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(1) Access control > Redshift clusters should prohibit public access
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(1) Access control > S3 buckets should prohibit public read access
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(1) Access control > S3 buckets should prohibit public write access
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(1) Access control > S3 public access should be blocked at account and bucket levels
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(1) Access control > SageMaker notebook instances should not have direct internet access
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(2)(i) Unique user identification
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(2)(i) Unique user identification > All S3 buckets should log S3 data events in CloudTrail
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(2)(i) Unique user identification > IAM root user should not have access keys
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(2)(i) Unique user identification > S3 buckets should prohibit public read access
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(2)(ii) Emergency access procedure
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(2)(ii) Emergency access procedure > Amazon Redshift clusters should have automatic snapshots enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(2)(ii) Emergency access procedure > Backup plan min frequency and min retention check
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(2)(ii) Emergency access procedure > Backup recovery point manual deletion should be disabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(2)(ii) Emergency access procedure > Backup recovery point should be encrypted
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(2)(ii) Emergency access procedure > DynamoDB table point-in-time recovery should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(2)(ii) Emergency access procedure > DynamoDB table should be protected by backup plan
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(2)(ii) Emergency access procedure > DynamoDB tables should be in a backup plan
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(2)(ii) Emergency access procedure > EBS volumes should be in a backup plan
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(2)(ii) Emergency access procedure > EBS volumes should be protected by backup plan
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(2)(ii) Emergency access procedure > EC2 instance should have EBS optimization enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(2)(ii) Emergency access procedure > EC2 instances should be protected by backup plan
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(2)(ii) Emergency access procedure > EFS file systems should be in a backup plan
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(2)(ii) Emergency access procedure > EFS file systems should be protected by backup plan
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(2)(ii) Emergency access procedure > ElastiCache Redis cluster automatic backup should be enabled with retention period of 15 days or greater
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(2)(ii) Emergency access procedure > FSx file system should be protected by backup plan
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(2)(ii) Emergency access procedure > RDS Aurora clusters should be protected by backup plan
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(2)(ii) Emergency access procedure > RDS DB instance backup should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(2)(ii) Emergency access procedure > RDS DB instance should be protected by backup plan
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(2)(ii) Emergency access procedure > RDS DB instances should be in a backup plan
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(2)(ii) Emergency access procedure > S3 bucket cross-region replication should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(2)(ii) Emergency access procedure > S3 bucket versioning should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(2)(iv) Encryption and decryption
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(2)(iv) Encryption and decryption > API Gateway stage cache encryption at rest should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(2)(iv) Encryption and decryption > CloudTrail trail logs should be encrypted with KMS CMK
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(2)(iv) Encryption and decryption > DynamoDB Accelerator (DAX) clusters should be encrypted at rest
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(2)(iv) Encryption and decryption > DynamoDB table should be encrypted with AWS KMS
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(2)(iv) Encryption and decryption > DynamoDB table should have encryption enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(2)(iv) Encryption and decryption > EBS default encryption should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(2)(iv) Encryption and decryption > EBS volume encryption at rest should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(2)(iv) Encryption and decryption > EFS file system encryption at rest should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(2)(iv) Encryption and decryption > EKS clusters should be configured to have kubernetes secrets encrypted using KMS
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(2)(iv) Encryption and decryption > ES domain encryption at rest should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(2)(iv) Encryption and decryption > KMS CMK rotation should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(2)(iv) Encryption and decryption > KMS key decryption should be restricted in IAM customer managed policy
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(2)(iv) Encryption and decryption > KMS key decryption should be restricted in IAM inline policy
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(2)(iv) Encryption and decryption > KMS keys should not be pending deletion
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(2)(iv) Encryption and decryption > Log group encryption at rest should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(2)(iv) Encryption and decryption > RDS DB instance encryption at rest should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(2)(iv) Encryption and decryption > RDS DB snapshots should be encrypted at rest
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(2)(iv) Encryption and decryption > Redshift cluster audit logging and encryption should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(2)(iv) Encryption and decryption > Redshift cluster encryption in transit should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(2)(iv) Encryption and decryption > S3 bucket default encryption should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(2)(iv) Encryption and decryption > S3 bucket default encryption should be enabled with KMS
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(2)(iv) Encryption and decryption > S3 buckets should enforce SSL
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(2)(iv) Encryption and decryption > SNS topics should be encrypted at rest
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(2)(iv) Encryption and decryption > SageMaker endpoint configuration encryption should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(2)(iv) Encryption and decryption > SageMaker notebook instance encryption should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(b) Audit controls
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(b) Audit controls > API Gateway stage logging should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(b) Audit controls > AWS Security Hub should be enabled for an AWS Account
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(b) Audit controls > All S3 buckets should log S3 data events in CloudTrail
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(b) Audit controls > At least one enabled trail should be present in a region
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(b) Audit controls > At least one multi-region AWS CloudTrail should be present in an account
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(b) Audit controls > CloudTrail trail log file validation should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(b) Audit controls > CloudTrail trails should be integrated with CloudWatch logs
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(b) Audit controls > Database logging should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(b) Audit controls > ELB application and classic load balancer logging should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(b) Audit controls > GuardDuty should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(b) Audit controls > Log group retention period should be at least 365 days
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(b) Audit controls > Logging should be enabled on AWS WAFv2 regional and global web access control list (ACLs)
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(b) Audit controls > Redshift cluster audit logging and encryption should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(b) Audit controls > S3 bucket logging should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(b) Audit controls > VPC flow logs should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(c)(1) Integrity
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(c)(1) Integrity > Attached EBS volumes should have encryption enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(c)(1) Integrity > CloudTrail trail log file validation should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(c)(1) Integrity > CloudTrail trail logs should be encrypted with KMS CMK
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(c)(1) Integrity > S3 bucket default encryption should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(c)(1) Integrity > S3 bucket object lock should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(c)(1) Integrity > S3 bucket versioning should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(c)(1) Integrity > S3 buckets should enforce SSL
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(c)(2) Mechanism to authenticate electronic protected health information
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(c)(2) Mechanism to authenticate electronic protected health information > Attached EBS volumes should have encryption enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(c)(2) Mechanism to authenticate electronic protected health information > CloudTrail trail log file validation should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(c)(2) Mechanism to authenticate electronic protected health information > CloudTrail trail logs should be encrypted with KMS CMK
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(c)(2) Mechanism to authenticate electronic protected health information > S3 bucket default encryption should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(c)(2) Mechanism to authenticate electronic protected health information > S3 bucket object lock should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(c)(2) Mechanism to authenticate electronic protected health information > S3 bucket versioning should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(c)(2) Mechanism to authenticate electronic protected health information > S3 buckets should enforce SSL
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(c)(2) Mechanism to authenticate electronic protected health information > VPC flow logs should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(d) Person or entity authentication
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(d) Person or entity authentication > IAM password policies for users should have strong configurations
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(d) Person or entity authentication > IAM root user MFA should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(d) Person or entity authentication > IAM root user hardware MFA should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(d) Person or entity authentication > IAM user MFA should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(d) Person or entity authentication > IAM users with console access should have MFA enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(e)(1) Transmission security
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(e)(1) Transmission security > ACM certificates should be set to expire within 30 days
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(e)(1) Transmission security > API Gateway stage cache encryption at rest should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(e)(1) Transmission security > CloudFront distributions should require encryption in transit
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(e)(1) Transmission security > EC2 instances should be in a VPC
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(e)(1) Transmission security > ELB application load balancers should drop HTTP headers
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(e)(1) Transmission security > ELB application load balancers should redirect HTTP requests to HTTPS
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(e)(1) Transmission security > ELB classic load balancers should only use SSL or HTTPS listeners
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(e)(1) Transmission security > ELB classic load balancers should use SSL certificates
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(e)(1) Transmission security > ES domains should be in a VPC
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(e)(1) Transmission security > Elasticsearch domain node-to-node encryption should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(e)(1) Transmission security > Lambda functions should be in a VPC
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(e)(1) Transmission security > Redshift cluster encryption in transit should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(e)(1) Transmission security > S3 buckets should enforce SSL
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(e)(1) Transmission security > VPC security groups should restrict ingress SSH access from 0.0.0.0/0
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(e)(1) Transmission security > VPC security groups should restrict ingress TCP and UDP access from 0.0.0.0/0
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(e)(1) Transmission security > VPC security groups should restrict ingress access on ports 20, 21, 22, 3306, 3389, 4333 from 0.0.0.0/0
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(e)(2)(i) Integrity controls
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(e)(2)(i) Integrity controls > AWS Security Hub should be enabled for an AWS Account
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(e)(2)(i) Integrity controls > All S3 buckets should log S3 data events in CloudTrail
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(e)(2)(i) Integrity controls > At least one enabled trail should be present in a region
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(e)(2)(i) Integrity controls > At least one multi-region AWS CloudTrail should be present in an account
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(e)(2)(i) Integrity controls > CloudTrail trails should be integrated with CloudWatch logs
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(e)(2)(i) Integrity controls > ELB application load balancers should redirect HTTP requests to HTTPS
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(e)(2)(i) Integrity controls > ELB classic load balancers should use SSL certificates
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(e)(2)(i) Integrity controls > GuardDuty should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(e)(2)(i) Integrity controls > Redshift cluster encryption in transit should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(e)(2)(i) Integrity controls > S3 bucket logging should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(e)(2)(i) Integrity controls > S3 buckets should enforce SSL
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(e)(2)(ii) Encryption
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(e)(2)(ii) Encryption > API Gateway stage cache encryption at rest should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(e)(2)(ii) Encryption > CloudTrail trail logs should be encrypted with KMS CMK
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(e)(2)(ii) Encryption > DynamoDB Accelerator (DAX) clusters should be encrypted at rest
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(e)(2)(ii) Encryption > DynamoDB table should be encrypted with AWS KMS
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(e)(2)(ii) Encryption > DynamoDB table should have encryption enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(e)(2)(ii) Encryption > EBS default encryption should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(e)(2)(ii) Encryption > EBS volume encryption at rest should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(e)(2)(ii) Encryption > EFS file system encryption at rest should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(e)(2)(ii) Encryption > EKS clusters should be configured to have kubernetes secrets encrypted using KMS
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(e)(2)(ii) Encryption > ELB application load balancers should redirect HTTP requests to HTTPS
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(e)(2)(ii) Encryption > ELB classic load balancers should use SSL certificates
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(e)(2)(ii) Encryption > ES domain encryption at rest should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(e)(2)(ii) Encryption > Log group encryption at rest should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(e)(2)(ii) Encryption > RDS DB instance encryption at rest should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(e)(2)(ii) Encryption > RDS DB snapshots should be encrypted at rest
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(e)(2)(ii) Encryption > Redshift cluster audit logging and encryption should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(e)(2)(ii) Encryption > Redshift cluster encryption in transit should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(e)(2)(ii) Encryption > S3 bucket default encryption should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(e)(2)(ii) Encryption > S3 bucket default encryption should be enabled with KMS
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(e)(2)(ii) Encryption > S3 buckets should enforce SSL
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(e)(2)(ii) Encryption > SNS topics should be encrypted at rest
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(e)(2)(ii) Encryption > SageMaker endpoint configuration encryption should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(e)(2)(ii) Encryption > SageMaker notebook instance encryption should be enabled

5.0.4 (2022-08-09)

Bug fixes

  • The AWS > HIPAA > 164.312 Technical Safeguards > 164.312(e)(1) Transmission security > CloudFront distributions should require encryption in transit control would incorrectly move to an error state while evaluating whether encryption in transit was enforced on CloudFront distributions. This is now fixed.

5.0.3 (2022-06-27)

Bug fixes

  • The AWS > HIPAA > 164.312 Technical Safeguards > 164.312(b) Audit controls > API Gateway stage logging should be enabled control would incorrectly go into an error state while evaluating the outcome for a v2 stage resource. This is now fixed.

5.0.2 (2022-06-24)

Bug fixes

  • HIPAA controls checking for multi-region CloudTrail trails will now also check for shadow trails (the replica of a multi-region trail that CloudTrail exposes in regions other than the trail's home region) in the account, so that the controls evaluate their outcome correctly in every region.
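
The reason shadow trails matter for this check, shown as an added example that is not the mod's own code: a multi-region trail is created in one home region, and CloudTrail's DescribeTrails call in any other region only reports it when shadow trails are included (the API's includeShadowTrails flag, which defaults to true but can be turned off). A per-region control that evaluates only trails homed in the calling region will raise a false alarm everywhere except the home region. The sample trail list and the describe_trails simulation below are constructed for illustration and mirror the field names of the real DescribeTrails response; the account ID and trail names are placeholders.

```python
"""Evaluate 'at least one multi-region CloudTrail trail is present' from the
point of view of each region, with and without shadow trails.

Constructed example; not the aws-hipaa mod's own implementation."""
from __future__ import annotations

from typing import Iterable

# Constructed sample mirroring DescribeTrails trailList entries. One
# multi-region trail homed in us-east-1 and one single-region trail in eu-west-1.
SAMPLE_TRAILS = [
    {
        "Name": "org-trail",
        "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/org-trail",
        "HomeRegion": "us-east-1",
        "IsMultiRegionTrail": True,
    },
    {
        "Name": "local-only",
        "TrailARN": "arn:aws:cloudtrail:eu-west-1:111122223333:trail/local-only",
        "HomeRegion": "eu-west-1",
        "IsMultiRegionTrail": False,
    },
]


def describe_trails(region: str, include_shadow_trails: bool) -> list[dict]:
    """Simulate DescribeTrails as called from `region`.

    Trails homed in the calling region are always returned. A multi-region
    trail homed elsewhere is returned only as a shadow trail, i.e. only when
    include_shadow_trails is set. Single-region trails in other regions are
    never visible.
    """
    visible = []
    for trail in SAMPLE_TRAILS:
        if trail["HomeRegion"] == region:
            visible.append(trail)
        elif include_shadow_trails and trail["IsMultiRegionTrail"]:
            visible.append(trail)
    return visible


def multi_region_trail_present(trails: Iterable[dict]) -> bool:
    """True if any returned trail (home or shadow) is multi-region."""
    return any(trail.get("IsMultiRegionTrail", False) for trail in trails)


def evaluate(region: str, include_shadow_trails: bool) -> str:
    """Control outcome as seen from `region`: 'ok' or 'alarm'."""
    trails = describe_trails(region, include_shadow_trails)
    return "ok" if multi_region_trail_present(trails) else "alarm"


if __name__ == "__main__":
    for region in ("us-east-1", "eu-west-1", "ap-south-1"):
        print(
            f"{region}: without shadow trails -> {evaluate(region, False)}, "
            f"with shadow trails -> {evaluate(region, True)}"
        )
```

Only the home region passes when shadow trails are excluded; every region passes once they are included, which is the behaviour the fix above restores. A complete presence check would additionally confirm via GetTrailStatus that the trail is actually logging, since DescribeTrails reports configuration, not status.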

5.0.1 (2022-06-14)

Bug fixes

  • The AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(4)(ii)(C) Access establishment and modification > IAM password policies for users should have strong configurations control would incorrectly move to an Alarm state even when the IAM password policies were set with strong configurations. This is fixed and the control will now work as expected.

Control Types

Renamed

  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management > S3 bucket cross-region replication should enabled to AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management > S3 bucket cross-region replication should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(i) Contingency plan > S3 bucket cross-region replication should enabled to AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(i) Contingency plan > S3 bucket cross-region replication should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(A) Data backup plan > S3 bucket cross-region replication should enabled to AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(A) Data backup plan > S3 bucket cross-region replication should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(B) Disaster recovery plan > S3 bucket cross-region replication should enabled to AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(B) Disaster recovery plan > S3 bucket cross-region replication should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(C) Emergency mode operation plan > S3 bucket cross-region replication should enabled to AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(C) Emergency mode operation plan > S3 bucket cross-region replication should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(2)(ii) Emergency access procedure > S3 bucket cross-region replication should enabled to AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(2)(ii) Emergency access procedure > S3 bucket cross-region replication should be enabled

5.0.0 (2022-06-13)

Control Types

Added

  • AWS > HIPAA
  • AWS > HIPAA > 164.308 Administrative Safeguards
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(A) Risk analysis
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(A) Risk analysis > AWS Config should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(A) Risk analysis > GuardDuty should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management > API Gateway stage cache encryption at rest should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management > Auto Scaling groups with a load balancer should use health checks
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management > Both VPN tunnels provided by AWS Site-to-Site VPN should be in UP status
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management > CloudTrail trail log file validation should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management > CloudTrail trail logs should be encrypted with KMS CMK
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management > CodeBuild GitHub or Bitbucket source repository URLs should use OAuth
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management > CodeBuild project plaintext environment variables should not contain sensitive AWS values
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management > DMS replication instances should not be publicly accessible
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management > DynamoDB table auto scaling should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management > DynamoDB table point-in-time recovery should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management > EBS default encryption should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management > EBS snapshots should not be publicly restorable
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management > EBS volume encryption at rest should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management > EC2 instances should be in a VPC
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management > EC2 instances should not have a public IP address
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management > EC2 stopped instances should be removed in 30 days
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management > EFS file system encryption at rest should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management > ELB application load balancer deletion protection should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management > ELB application load balancers should redirect HTTP requests to HTTPS
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management > ELB classic load balancers should use SSL certificates
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management > EMR cluster master nodes should not have public IP addresses
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management > ES domain encryption at rest should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management > ES domains should be in a VPC
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management > ElastiCache Redis cluster automatic backup should be enabled with retention period of 15 days or greater
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management > IAM policy should not have statements with admin access
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management > IAM root user should not have access keys
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management > KMS keys should not be pending deletion
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management > Lambda functions should be in a VPC
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management > Lambda functions should restrict public access
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management > Log group encryption at rest should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management > RDS DB instance backup should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management > RDS DB instance encryption at rest should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management > RDS DB instance multiple az should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management > RDS DB snapshots should be encrypted at rest
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management > RDS snapshots should prohibit public access
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management > Redshift cluster audit logging and encryption should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management > Redshift cluster encryption in transit should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management > Redshift clusters should prohibit public access
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management > S3 bucket cross-region replication should enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management > S3 bucket default encryption should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management > S3 bucket object lock should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management > S3 bucket versioning should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management > S3 buckets should enforce SSL
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management > S3 buckets should prohibit public read access
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management > S3 buckets should prohibit public write access
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management > S3 public access should be blocked at account level
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management > SNS topics should be encrypted at rest
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management > SageMaker endpoint configuration encryption should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management > SageMaker notebook instance encryption should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management > SageMaker notebook instances should not have direct internet access
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management > VPC internet gateways should be attached to authorized vpc
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management > VPC security groups should restrict ingress SSH access from 0.0.0.0/0
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management > VPC security groups should restrict ingress TCP and UDP access from 0.0.0.0/0
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(B) Risk Management > VPC security groups should restrict ingress access on ports 20, 21, 22, 3306, 3389, 4333 from 0.0.0.0/0
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(D) Information system activity review
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(D) Information system activity review > API Gateway stage logging should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(D) Information system activity review > AWS Security Hub should be enabled for an AWS Account
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(D) Information system activity review > All S3 buckets should log S3 data events in CloudTrail
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(D) Information system activity review > At least one enabled trail should be present in a region
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(D) Information system activity review > At least one multi-region AWS CloudTrail should be present in an account
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(D) Information system activity review > CloudTrail trail log file validation should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(D) Information system activity review > CloudTrail trail logs should be encrypted with KMS CMK
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(D) Information system activity review > CloudTrail trails should be integrated with CloudWatch logs
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(D) Information system activity review > ELB application and classic load balancer logging should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(D) Information system activity review > GuardDuty should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(D) Information system activity review > Redshift cluster audit logging and encryption should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(D) Information system activity review > S3 bucket logging should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(1)(ii)(D) Information system activity review > VPC flow logs should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(3)(i) Workforce security
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(3)(i) Workforce security > DMS replication instances should not be publicly accessible
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(3)(i) Workforce security > EBS snapshots should not be publicly restorable
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(3)(i) Workforce security > EC2 instances should be in a VPC
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(3)(i) Workforce security > EC2 instances should not have a public IP address
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(3)(i) Workforce security > ES domains should be in a VPC
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(3)(i) Workforce security > IAM groups should have at least one user
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(3)(i) Workforce security > IAM policy should not have statements with admin access
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(3)(i) Workforce security > IAM root user should not have access keys
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(3)(i) Workforce security > IAM user should not have any inline or attached policies
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(3)(i) Workforce security > IAM users should be in at least one group
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(3)(i) Workforce security > Lambda functions should be in a VPC
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(3)(i) Workforce security > Lambda functions should restrict public access
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(3)(i) Workforce security > RDS DB instances should prohibit public access
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(3)(i) Workforce security > RDS snapshots should prohibit public access
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(3)(i) Workforce security > Redshift clusters should prohibit public access
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(3)(i) Workforce security > S3 buckets should prohibit public read access
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(3)(i) Workforce security > S3 buckets should prohibit public write access
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(3)(i) Workforce security > S3 public access should be blocked at account level
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(3)(i) Workforce security > SageMaker notebook instances should not have direct internet access
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(3)(ii)(A) Authorization and/or supervision
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(3)(ii)(A) Authorization and/or supervision > API Gateway stage logging should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(3)(ii)(A) Authorization and/or supervision > AWS Security Hub should be enabled for an AWS Account
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(3)(ii)(A) Authorization and/or supervision > All S3 buckets should log S3 data events in CloudTrail
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(3)(ii)(A) Authorization and/or supervision > At least one enabled trail should be present in a region
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(3)(ii)(A) Authorization and/or supervision > At least one multi-region AWS CloudTrail should be present in an account
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(3)(ii)(A) Authorization and/or supervision > ELB application and classic load balancer logging should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(3)(ii)(A) Authorization and/or supervision > EMR cluster kerberos should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(3)(ii)(A) Authorization and/or supervision > GuardDuty should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(3)(ii)(A) Authorization and/or supervision > IAM root user MFA should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(3)(ii)(A) Authorization and/or supervision > IAM root user hardware MFA should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(3)(ii)(A) Authorization and/or supervision > IAM user MFA should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(3)(ii)(A) Authorization and/or supervision > IAM users with console access should have MFA enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(3)(ii)(A) Authorization and/or supervision > Redshift cluster audit logging and encryption should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(3)(ii)(A) Authorization and/or supervision > S3 bucket logging should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(3)(ii)(A) Authorization and/or supervision > VPC flow logs should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(3)(ii)(B) Workforce clearance procedure
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(3)(ii)(B) Workforce clearance procedure > IAM groups should have at least one user
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(3)(ii)(B) Workforce clearance procedure > IAM policy should not have statements with admin access
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(3)(ii)(B) Workforce clearance procedure > IAM root user should not have access keys
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(3)(ii)(B) Workforce clearance procedure > IAM user credentials that have not been used in 90 days should be disabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(3)(ii)(B) Workforce clearance procedure > IAM user should not have any inline or attached policies
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(3)(ii)(B) Workforce clearance procedure > IAM users should be in at least one group
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(3)(ii)(C) Termination procedures
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(3)(ii)(C) Termination procedures > IAM user access keys should be rotated at least every 90 days
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(4)(i) Information access management
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(4)(i) Information access management > IAM groups should have at least one user
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(4)(i) Information access management > IAM policy should not have statements with admin access
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(4)(i) Information access management > IAM user should not have any inline or attached policies
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(4)(i) Information access management > IAM users should be in at least one group
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(4)(ii)(A) Isolating health care clearinghouse functions
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(4)(ii)(A) Isolating health care clearinghouse functions > ACM certificates should be set to expire within 30 days
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(4)(ii)(A) Isolating health care clearinghouse functions > API Gateway stage cache encryption at rest should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(4)(ii)(A) Isolating health care clearinghouse functions > Amazon Redshift clusters should have automatic snapshots enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(4)(ii)(A) Isolating health care clearinghouse functions > Attached EBS volumes should have encryption enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(4)(ii)(A) Isolating health care clearinghouse functions > CloudFront distributions should require encryption in transit
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(4)(ii)(A) Isolating health care clearinghouse functions > CloudTrail trail logs should be encrypted with KMS CMK
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(4)(ii)(A) Isolating health care clearinghouse functions > Database logging should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(4)(ii)(A) Isolating health care clearinghouse functions > DynamoDB Accelerator (DAX) clusters should be encrypted at rest
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(4)(ii)(A) Isolating health care clearinghouse functions > DynamoDB table should be encrypted with AWS KMS
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(4)(ii)(A) Isolating health care clearinghouse functions > DynamoDB table should have encryption enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(4)(ii)(A) Isolating health care clearinghouse functions > EBS default encryption should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(4)(ii)(A) Isolating health care clearinghouse functions > EBS volume encryption at rest should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(4)(ii)(A) Isolating health care clearinghouse functions > EFS file system encryption at rest should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(4)(ii)(A) Isolating health care clearinghouse functions > EKS clusters should be configured to have kubernetes secrets encrypted using KMS
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(4)(ii)(A) Isolating health care clearinghouse functions > ELB application load balancers should drop HTTP headers
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(4)(ii)(A) Isolating health care clearinghouse functions > ELB application load balancers should redirect HTTP requests to HTTPS
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(4)(ii)(A) Isolating health care clearinghouse functions > ELB classic load balancers should only use SSL or HTTPS listeners
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(4)(ii)(A) Isolating health care clearinghouse functions > ELB classic load balancers should use SSL certificates
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(4)(ii)(A) Isolating health care clearinghouse functions > ES domain encryption at rest should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(4)(ii)(A) Isolating health care clearinghouse functions > Elasticsearch domain node-to-node encryption should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(4)(ii)(A) Isolating health care clearinghouse functions > Log group encryption at rest should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(4)(ii)(A) Isolating health care clearinghouse functions > Logging should be enabled on AWS WAFv2 regional and global web access control list (ACLs)
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(4)(ii)(A) Isolating health care clearinghouse functions > RDS DB instance encryption at rest should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(4)(ii)(A) Isolating health care clearinghouse functions > RDS DB instances should be in a backup plan
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(4)(ii)(A) Isolating health care clearinghouse functions > RDS DB snapshots should be encrypted at rest
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(4)(ii)(A) Isolating health care clearinghouse functions > Redshift cluster audit logging and encryption should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(4)(ii)(A) Isolating health care clearinghouse functions > Redshift cluster encryption in transit should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(4)(ii)(A) Isolating health care clearinghouse functions > S3 bucket default encryption should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(4)(ii)(A) Isolating health care clearinghouse functions > S3 bucket default encryption should be enabled with KMS
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(4)(ii)(A) Isolating health care clearinghouse functions > SNS topics should be encrypted at rest
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(4)(ii)(A) Isolating health care clearinghouse functions > SageMaker endpoint configuration encryption should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(4)(ii)(A) Isolating health care clearinghouse functions > SageMaker notebook instance encryption should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(4)(ii)(B) Access authorization
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(4)(ii)(B) Access authorization > IAM groups should have at least one user
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(4)(ii)(B) Access authorization > IAM policy should not have statements with admin access
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(4)(ii)(B) Access authorization > IAM user should not have any inline or attached policies
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(4)(ii)(B) Access authorization > IAM users should be in at least one group
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(4)(ii)(C) Access establishment and modification
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(4)(ii)(C) Access establishment and modification > IAM groups should have at least one user
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(4)(ii)(C) Access establishment and modification > IAM password policies for users should have strong configurations
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(4)(ii)(C) Access establishment and modification > IAM policy should not have statements with admin access
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(4)(ii)(C) Access establishment and modification > IAM root user should not have access keys
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(4)(ii)(C) Access establishment and modification > IAM user access keys should be rotated at least every 90 days
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(4)(ii)(C) Access establishment and modification > IAM user credentials that have not been used in 90 days should be disabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(4)(ii)(C) Access establishment and modification > IAM user should not have any inline or attached policies
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(4)(ii)(C) Access establishment and modification > IAM users should be in at least one group
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(4)(ii)(C) Access establishment and modification > Secrets Manager secrets should have automatic rotation enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(5)(ii)(B) Protection from malicious software
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(5)(ii)(B) Protection from malicious software > EC2 instances should be managed by AWS Systems Manager
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(5)(ii)(B) Protection from malicious software > SSM managed instance associations should be compliant
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(5)(ii)(B) Protection from malicious software > SSM managed instance patching should be compliant
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(5)(ii)(C) Log-in monitoring
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(5)(ii)(C) Log-in monitoring > AWS Security Hub should be enabled for an AWS Account
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(5)(ii)(C) Log-in monitoring > Ensure a log metric filter and alarm exist for AWS Management Console authentication failures
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(5)(ii)(C) Log-in monitoring > GuardDuty should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(5)(ii)(D) Password management
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(5)(ii)(D) Password management > Ensure IAM password policy expires passwords within 90 days or less
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(5)(ii)(D) Password management > Ensure IAM password policy prevents password reuse
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(5)(ii)(D) Password management > Ensure IAM password policy requires a minimum length of 14 or greater
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(5)(ii)(D) Password management > Ensure IAM password policy requires at least one lowercase letter
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(5)(ii)(D) Password management > Ensure IAM password policy requires at least one number
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(5)(ii)(D) Password management > Ensure IAM password policy requires at least one symbol
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(5)(ii)(D) Password management > Ensure IAM password policy requires at least one uppercase letter
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(5)(ii)(D) Password management > IAM user access keys should be rotated at least every 90 days
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(5)(ii)(D) Password management > IAM user credentials that have not been used in 90 days should be disabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(6)(i) Security incident procedures
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(6)(i) Security incident procedures > AWS Security Hub should be enabled for an AWS Account
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(6)(i) Security incident procedures > CloudWatch alarm action should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(6)(i) Security incident procedures > Ensure a log metric filter and alarm exist for AWS Management Console authentication failures
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(6)(i) Security incident procedures > Ensure a log metric filter and alarm exist for usage of 'root' account
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(6)(i) Security incident procedures > GuardDuty should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(6)(i) Security incident procedures > Lambda functions should be configured with a dead-letter queue
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(6)(ii) Response and reporting
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(6)(ii) Response and reporting > API Gateway stage logging should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(6)(ii) Response and reporting > AWS Security Hub should be enabled for an AWS Account
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(6)(ii) Response and reporting > All S3 buckets should log S3 data events in CloudTrail
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(6)(ii) Response and reporting > At least one enabled trail should be present in a region
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(6)(ii) Response and reporting > At least one multi-region AWS CloudTrail should be present in an account
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(6)(ii) Response and reporting > CloudTrail trails should be integrated with CloudWatch logs
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(6)(ii) Response and reporting > ELB application and classic load balancer logging should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(6)(ii) Response and reporting > Ensure a log metric filter and alarm exist for AWS Management Console authentication failures
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(6)(ii) Response and reporting > Ensure a log metric filter and alarm exist for usage of 'root' account
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(6)(ii) Response and reporting > GuardDuty findings should be archived
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(6)(ii) Response and reporting > GuardDuty should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(6)(ii) Response and reporting > S3 bucket logging should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(6)(ii) Response and reporting > VPC flow logs should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(i) Contingency plan
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(i) Contingency plan > Amazon Redshift clusters should have automatic snapshots enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(i) Contingency plan > Auto Scaling groups with a load balancer should use health checks
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(i) Contingency plan > Backup plan min frequency and min retention check
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(i) Contingency plan > Backup recovery point manual deletion should be disabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(i) Contingency plan > Backup recovery point should be encrypted
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(i) Contingency plan > Both VPN tunnels provided by AWS Site-to-Site VPN should be in UP status
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(i) Contingency plan > DynamoDB table auto scaling should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(i) Contingency plan > DynamoDB table point-in-time recovery should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(i) Contingency plan > DynamoDB table should be protected by backup plan
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(i) Contingency plan > DynamoDB tables should be in a backup plan
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(i) Contingency plan > EBS volumes should be in a backup plan
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(i) Contingency plan > EBS volumes should be protected by backup plan
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(i) Contingency plan > EC2 instance should have EBS optimization enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(i) Contingency plan > EC2 instances should be protected by backup plan
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(i) Contingency plan > EFS file systems should be in a backup plan
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(i) Contingency plan > EFS file systems should be protected by backup plan
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(i) Contingency plan > ElastiCache Redis cluster automatic backup should be enabled with retention period of 15 days or greater
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(i) Contingency plan > FSx file system should be protected by backup plan
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(i) Contingency plan > RDS Aurora clusters should be protected by backup plan
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(i) Contingency plan > RDS DB instance backup should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(i) Contingency plan > RDS DB instance multiple az should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(i) Contingency plan > RDS DB instance should be protected by backup plan
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(i) Contingency plan > RDS DB instances should be in a backup plan
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(i) Contingency plan > S3 bucket cross-region replication should enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(i) Contingency plan > S3 bucket versioning should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(A) Data backup plan
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(A) Data backup plan > Amazon Redshift clusters should have automatic snapshots enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(A) Data backup plan > Auto Scaling groups with a load balancer should use health checks
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(A) Data backup plan > Backup plan min frequency and min retention check
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(A) Data backup plan > Backup recovery point manual deletion should be disabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(A) Data backup plan > Backup recovery point should be encrypted
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(A) Data backup plan > Both VPN tunnels provided by AWS Site-to-Site VPN should be in UP status
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(A) Data backup plan > DynamoDB table auto scaling should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(A) Data backup plan > DynamoDB table point-in-time recovery should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(A) Data backup plan > DynamoDB table should be protected by backup plan
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(A) Data backup plan > DynamoDB tables should be in a backup plan
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(A) Data backup plan > EBS volumes should be in a backup plan
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(A) Data backup plan > EBS volumes should be protected by backup plan
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(A) Data backup plan > EC2 instance should have EBS optimization enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(A) Data backup plan > EC2 instances should be protected by backup plan
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(A) Data backup plan > EFS file systems should be in a backup plan
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(A) Data backup plan > EFS file systems should be protected by backup plan
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(A) Data backup plan > ElastiCache Redis cluster automatic backup should be enabled with retention period of 15 days or greater
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(A) Data backup plan > FSx file system should be protected by backup plan
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(A) Data backup plan > RDS Aurora clusters should be protected by backup plan
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(A) Data backup plan > RDS DB instance backup should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(A) Data backup plan > RDS DB instance multiple az should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(A) Data backup plan > RDS DB instance should be protected by backup plan
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(A) Data backup plan > RDS DB instances should be in a backup plan
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(A) Data backup plan > S3 bucket cross-region replication should enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(A) Data backup plan > S3 bucket versioning should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(B) Disaster recovery plan
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(B) Disaster recovery plan > Amazon Redshift clusters should have automatic snapshots enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(B) Disaster recovery plan > Auto Scaling groups with a load balancer should use health checks
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(B) Disaster recovery plan > Backup plan min frequency and min retention check
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(B) Disaster recovery plan > Backup recovery point manual deletion should be disabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(B) Disaster recovery plan > Backup recovery point should be encrypted
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(B) Disaster recovery plan > Both VPN tunnels provided by AWS Site-to-Site VPN should be in UP status
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(B) Disaster recovery plan > DynamoDB table auto scaling should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(B) Disaster recovery plan > DynamoDB table point-in-time recovery should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(B) Disaster recovery plan > DynamoDB table should be protected by backup plan
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(B) Disaster recovery plan > DynamoDB tables should be in a backup plan
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(B) Disaster recovery plan > EBS volumes should be in a backup plan
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(B) Disaster recovery plan > EBS volumes should be protected by backup plan
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(B) Disaster recovery plan > EC2 instance should have EBS optimization enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(B) Disaster recovery plan > EC2 instances should be protected by backup plan
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(B) Disaster recovery plan > EFS file systems should be in a backup plan
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(B) Disaster recovery plan > EFS file systems should be protected by backup plan
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(B) Disaster recovery plan > ElastiCache Redis cluster automatic backup should be enabled with retention period of 15 days or greater
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(B) Disaster recovery plan > FSx file system should be protected by backup plan
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(B) Disaster recovery plan > RDS Aurora clusters should be protected by backup plan
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(B) Disaster recovery plan > RDS DB instance backup should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(B) Disaster recovery plan > RDS DB instance multiple az should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(B) Disaster recovery plan > RDS DB instance should be protected by backup plan
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(B) Disaster recovery plan > RDS DB instances should be in a backup plan
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(B) Disaster recovery plan > S3 bucket cross-region replication should enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(B) Disaster recovery plan > S3 bucket versioning should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(C) Emergency mode operation plan
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(C) Emergency mode operation plan > Amazon Redshift clusters should have automatic snapshots enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(C) Emergency mode operation plan > Auto Scaling groups with a load balancer should use health checks
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(C) Emergency mode operation plan > Backup plan min frequency and min retention check
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(C) Emergency mode operation plan > Backup recovery point manual deletion should be disabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(C) Emergency mode operation plan > Backup recovery point should be encrypted
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(C) Emergency mode operation plan > Both VPN tunnels provided by AWS Site-to-Site VPN should be in UP status
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(C) Emergency mode operation plan > DynamoDB table auto scaling should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(C) Emergency mode operation plan > DynamoDB table point-in-time recovery should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(C) Emergency mode operation plan > DynamoDB table should be protected by backup plan
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(C) Emergency mode operation plan > DynamoDB tables should be in a backup plan
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(C) Emergency mode operation plan > EBS volumes should be in a backup plan
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(C) Emergency mode operation plan > EBS volumes should be protected by backup plan
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(C) Emergency mode operation plan > EC2 instance should have EBS optimization enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(C) Emergency mode operation plan > EC2 instances should be protected by backup plan
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(C) Emergency mode operation plan > EFS file systems should be in a backup plan
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(C) Emergency mode operation plan > EFS file systems should be protected by backup plan
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(C) Emergency mode operation plan > ElastiCache Redis cluster automatic backup should be enabled with retention period of 15 days or greater
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(C) Emergency mode operation plan > FSx file system should be protected by backup plan
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(C) Emergency mode operation plan > RDS Aurora clusters should be protected by backup plan
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(C) Emergency mode operation plan > RDS DB instance backup should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(C) Emergency mode operation plan > RDS DB instance multiple az should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(C) Emergency mode operation plan > RDS DB instance should be protected by backup plan
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(C) Emergency mode operation plan > RDS DB instances should be in a backup plan
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(C) Emergency mode operation plan > S3 bucket cross-region replication should enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(7)(ii)(C) Emergency mode operation plan > S3 bucket versioning should be enabled
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(8) Evaluation
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(8) Evaluation > AWS Security Hub should be enabled for an AWS Account
  • AWS > HIPAA > 164.308 Administrative Safeguards > 164.308(a)(8) Evaluation > GuardDuty should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(1) Access control
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(1) Access control > DMS replication instances should not be publicly accessible
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(1) Access control > EBS snapshots should not be publicly restorable
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(1) Access control > EC2 instances should be in a VPC
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(1) Access control > EC2 instances should not have a public IP address
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(1) Access control > EMR cluster kerberos should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(1) Access control > EMR cluster master nodes should not have public IP addresses
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(1) Access control > ES domains should be in a VPC
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(1) Access control > IAM groups should have at least one user
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(1) Access control > IAM policy should not have statements with admin access
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(1) Access control > IAM user should not have any inline or attached policies
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(1) Access control > IAM users should be in at least one group
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(1) Access control > IAM users with console access should have MFA enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(1) Access control > Lambda functions should be in a VPC
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(1) Access control > Lambda functions should restrict public access
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(1) Access control > RDS DB instances should prohibit public access
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(1) Access control > RDS snapshots should prohibit public access
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(1) Access control > Redshift clusters should prohibit public access
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(1) Access control > S3 buckets should prohibit public read access
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(1) Access control > S3 buckets should prohibit public write access
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(1) Access control > S3 public access should be blocked at account and bucket levels
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(1) Access control > SageMaker notebook instances should not have direct internet access
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(2)(i) Unique user identification
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(2)(i) Unique user identification > All S3 buckets should log S3 data events in CloudTrail
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(2)(i) Unique user identification > IAM root user should not have access keys
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(2)(i) Unique user identification > S3 buckets should prohibit public read access
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(2)(ii) Emergency access procedure
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(2)(ii) Emergency access procedure > Amazon Redshift clusters should have automatic snapshots enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(2)(ii) Emergency access procedure > Backup plan min frequency and min retention check
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(2)(ii) Emergency access procedure > Backup recovery point manual deletion should be disabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(2)(ii) Emergency access procedure > Backup recovery point should be encrypted
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(2)(ii) Emergency access procedure > DynamoDB table point-in-time recovery should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(2)(ii) Emergency access procedure > DynamoDB table should be protected by backup plan
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(2)(ii) Emergency access procedure > DynamoDB tables should be in a backup plan
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(2)(ii) Emergency access procedure > EBS volumes should be in a backup plan
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(2)(ii) Emergency access procedure > EBS volumes should be protected by backup plan
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(2)(ii) Emergency access procedure > EC2 instance should have EBS optimization enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(2)(ii) Emergency access procedure > EC2 instances should be protected by backup plan
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(2)(ii) Emergency access procedure > EFS file systems should be in a backup plan
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(2)(ii) Emergency access procedure > EFS file systems should be protected by backup plan
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(2)(ii) Emergency access procedure > ElastiCache Redis cluster automatic backup should be enabled with retention period of 15 days or greater
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(2)(ii) Emergency access procedure > FSx file system should be protected by backup plan
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(2)(ii) Emergency access procedure > RDS Aurora clusters should be protected by backup plan
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(2)(ii) Emergency access procedure > RDS DB instance backup should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(2)(ii) Emergency access procedure > RDS DB instance should be protected by backup plan
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(2)(ii) Emergency access procedure > RDS DB instances should be in a backup plan
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(2)(ii) Emergency access procedure > S3 bucket cross-region replication should enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(2)(ii) Emergency access procedure > S3 bucket versioning should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(2)(iv) Encryption and decryption
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(2)(iv) Encryption and decryption > API Gateway stage cache encryption at rest should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(2)(iv) Encryption and decryption > CloudTrail trail logs should be encrypted with KMS CMK
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(2)(iv) Encryption and decryption > DynamoDB Accelerator (DAX) clusters should be encrypted at rest
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(2)(iv) Encryption and decryption > DynamoDB table should be encrypted with AWS KMS
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(2)(iv) Encryption and decryption > DynamoDB table should have encryption enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(2)(iv) Encryption and decryption > EBS default encryption should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(2)(iv) Encryption and decryption > EBS volume encryption at rest should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(2)(iv) Encryption and decryption > EFS file system encryption at rest should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(2)(iv) Encryption and decryption > EKS clusters should be configured to have kubernetes secrets encrypted using KMS
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(2)(iv) Encryption and decryption > ES domain encryption at rest should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(2)(iv) Encryption and decryption > KMS CMK rotation should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(2)(iv) Encryption and decryption > KMS key decryption should be restricted in IAM customer managed policy
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(2)(iv) Encryption and decryption > KMS key decryption should be restricted in IAM inline policy
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(2)(iv) Encryption and decryption > KMS keys should not be pending deletion
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(2)(iv) Encryption and decryption > Log group encryption at rest should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(2)(iv) Encryption and decryption > RDS DB instance encryption at rest should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(2)(iv) Encryption and decryption > RDS DB snapshots should be encrypted at rest
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(2)(iv) Encryption and decryption > Redshift cluster audit logging and encryption should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(2)(iv) Encryption and decryption > Redshift cluster encryption in transit should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(2)(iv) Encryption and decryption > S3 bucket default encryption should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(2)(iv) Encryption and decryption > S3 bucket default encryption should be enabled with KMS
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(2)(iv) Encryption and decryption > S3 buckets should enforce SSL
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(2)(iv) Encryption and decryption > SNS topics should be encrypted at rest
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(2)(iv) Encryption and decryption > SageMaker endpoint configuration encryption should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(a)(2)(iv) Encryption and decryption > SageMaker notebook instance encryption should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(b) Audit controls
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(b) Audit controls > API Gateway stage logging should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(b) Audit controls > AWS Security Hub should be enabled for an AWS Account
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(b) Audit controls > All S3 buckets should log S3 data events in CloudTrail
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(b) Audit controls > At least one enabled trail should be present in a region
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(b) Audit controls > At least one multi-region AWS CloudTrail should be present in an account
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(b) Audit controls > CloudTrail trail log file validation should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(b) Audit controls > CloudTrail trails should be integrated with CloudWatch logs
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(b) Audit controls > Database logging should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(b) Audit controls > ELB application and classic load balancer logging should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(b) Audit controls > GuardDuty should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(b) Audit controls > Log group retention period should be at least 365 days
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(b) Audit controls > Logging should be enabled on AWS WAFv2 regional and global web access control list (ACLs)
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(b) Audit controls > Redshift cluster audit logging and encryption should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(b) Audit controls > S3 bucket logging should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(b) Audit controls > VPC flow logs should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(c)(1) Integrity
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(c)(1) Integrity > Attached EBS volumes should have encryption enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(c)(1) Integrity > CloudTrail trail log file validation should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(c)(1) Integrity > CloudTrail trail logs should be encrypted with KMS CMK
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(c)(1) Integrity > S3 bucket default encryption should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(c)(1) Integrity > S3 bucket object lock should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(c)(1) Integrity > S3 bucket versioning should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(c)(1) Integrity > S3 buckets should enforce SSL
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(c)(2) Mechanism to authenticate electronic protected health information
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(c)(2) Mechanism to authenticate electronic protected health information > Attached EBS volumes should have encryption enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(c)(2) Mechanism to authenticate electronic protected health information > CloudTrail trail log file validation should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(c)(2) Mechanism to authenticate electronic protected health information > CloudTrail trail logs should be encrypted with KMS CMK
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(c)(2) Mechanism to authenticate electronic protected health information > S3 bucket default encryption should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(c)(2) Mechanism to authenticate electronic protected health information > S3 bucket object lock should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(c)(2) Mechanism to authenticate electronic protected health information > S3 bucket versioning should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(c)(2) Mechanism to authenticate electronic protected health information > S3 buckets should enforce SSL
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(c)(2) Mechanism to authenticate electronic protected health information > VPC flow logs should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(d) Person or entity authentication
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(d) Person or entity authentication > IAM password policies for users should have strong configurations
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(d) Person or entity authentication > IAM root user MFA should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(d) Person or entity authentication > IAM root user hardware MFA should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(d) Person or entity authentication > IAM user MFA should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(d) Person or entity authentication > IAM users with console access should have MFA enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(e)(1) Transmission security
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(e)(1) Transmission security > ACM certificates should be set to expire within 30 days
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(e)(1) Transmission security > API Gateway stage cache encryption at rest should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(e)(1) Transmission security > CloudFront distributions should require encryption in transit
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(e)(1) Transmission security > EC2 instances should be in a VPC
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(e)(1) Transmission security > ELB application load balancers should drop HTTP headers
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(e)(1) Transmission security > ELB application load balancers should redirect HTTP requests to HTTPS
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(e)(1) Transmission security > ELB classic load balancers should only use SSL or HTTPS listeners
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(e)(1) Transmission security > ELB classic load balancers should use SSL certificates
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(e)(1) Transmission security > ES domains should be in a VPC
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(e)(1) Transmission security > Elasticsearch domain node-to-node encryption should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(e)(1) Transmission security > Lambda functions should be in a VPC
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(e)(1) Transmission security > Redshift cluster encryption in transit should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(e)(1) Transmission security > S3 buckets should enforce SSL
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(e)(1) Transmission security > VPC security groups should restrict ingress SSH access from 0.0.0.0/0
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(e)(1) Transmission security > VPC security groups should restrict ingress TCP and UDP access from 0.0.0.0/0
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(e)(1) Transmission security > VPC security groups should restrict ingress access on ports 20, 21, 22, 3306, 3389, 4333 from 0.0.0.0/0
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(e)(2)(i) Integrity controls
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(e)(2)(i) Integrity controls > AWS Security Hub should be enabled for an AWS Account
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(e)(2)(i) Integrity controls > All S3 buckets should log S3 data events in CloudTrail
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(e)(2)(i) Integrity controls > At least one enabled trail should be present in a region
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(e)(2)(i) Integrity controls > At least one multi-region AWS CloudTrail should be present in an account
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(e)(2)(i) Integrity controls > CloudTrail trails should be integrated with CloudWatch logs
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(e)(2)(i) Integrity controls > ELB application load balancers should redirect HTTP requests to HTTPS
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(e)(2)(i) Integrity controls > ELB classic load balancers should use SSL certificates
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(e)(2)(i) Integrity controls > GuardDuty should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(e)(2)(i) Integrity controls > Redshift cluster encryption in transit should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(e)(2)(i) Integrity controls > S3 bucket logging should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(e)(2)(i) Integrity controls > S3 buckets should enforce SSL
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(e)(2)(ii) Encryption
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(e)(2)(ii) Encryption > API Gateway stage cache encryption at rest should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(e)(2)(ii) Encryption > CloudTrail trail logs should be encrypted with KMS CMK
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(e)(2)(ii) Encryption > DynamoDB Accelerator (DAX) clusters should be encrypted at rest
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(e)(2)(ii) Encryption > DynamoDB table should be encrypted with AWS KMS
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(e)(2)(ii) Encryption > DynamoDB table should have encryption enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(e)(2)(ii) Encryption > EBS default encryption should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(e)(2)(ii) Encryption > EBS volume encryption at rest should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(e)(2)(ii) Encryption > EFS file system encryption at rest should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(e)(2)(ii) Encryption > EKS clusters should be configured to have kubernetes secrets encrypted using KMS
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(e)(2)(ii) Encryption > ELB application load balancers should redirect HTTP requests to HTTPS
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(e)(2)(ii) Encryption > ELB classic load balancers should use SSL certificates
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(e)(2)(ii) Encryption > ES domain encryption at rest should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(e)(2)(ii) Encryption > Log group encryption at rest should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(e)(2)(ii) Encryption > RDS DB instance encryption at rest should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(e)(2)(ii) Encryption > RDS DB snapshots should be encrypted at rest
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(e)(2)(ii) Encryption > Redshift cluster audit logging and encryption should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(e)(2)(ii) Encryption > Redshift cluster encryption in transit should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(e)(2)(ii) Encryption > S3 bucket default encryption should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(e)(2)(ii) Encryption > S3 bucket default encryption should be enabled with KMS
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(e)(2)(ii) Encryption > S3 buckets should enforce SSL
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(e)(2)(ii) Encryption > SNS topics should be encrypted at rest
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(e)(2)(ii) Encryption > SageMaker endpoint configuration encryption should be enabled
  • AWS > HIPAA > 164.312 Technical Safeguards > 164.312(e)(2)(ii) Encryption > SageMaker notebook instance encryption should be enabled

Policy Types

Added

  • AWS > HIPAA