Control types for @turbot/aws-hipaa

AWS > HIPAA

The AWS Health Insurance Portability and Accountability Act (HIPAA) control set helps you use a secure AWS environment to process, maintain, and store protected health information.

URI
tmod:@turbot/aws-hipaa#/control/types/hipaa

AWS > HIPAA > ACM

This section contains recommendations for configuring ACM resources and options.

URI
tmod:@turbot/aws-hipaa#/control/types/acm

AWS > HIPAA > ACM > ACM certificates should be set to expire within 30 days

Ensure network integrity is protected by ensuring X.509 certificates are issued by AWS ACM.

URI
tmod:@turbot/aws-hipaa#/control/types/acmCertificateExpires30Days

AWS > HIPAA > API Gateway

This section contains recommendations for configuring API Gateway resources and options.

URI
tmod:@turbot/aws-hipaa#/control/types/apiGateway

AWS > HIPAA > API Gateway > API Gateway stage cache encryption at rest should be enabled

To help protect data at rest, ensure encryption is enabled for your API Gateway stage's cache.

URI
tmod:@turbot/aws-hipaa#/control/types/apiGatewayStageCacheEncryptionAtRestEnabled

AWS > HIPAA > API Gateway > API Gateway stage logging should be enabled

API Gateway logging displays detailed views of users who accessed the API and the way they accessed the API.

URI
tmod:@turbot/aws-hipaa#/control/types/apiGatewayStageLoggingEnabled

AWS > HIPAA > Account

This section contains recommendations for configuring resources and options at an account level.

URI
tmod:@turbot/aws-hipaa#/control/types/account

AWS > HIPAA > Account > At least one multi-region AWS CloudTrail should be present in an account

AWS CloudTrail records AWS Management Console actions and API calls. You can identify which users and accounts called AWS,
the source IP address from where the calls were made, and when the calls occurred. CloudTrail will deliver log files
from all AWS Regions to your S3 bucket if MULTI_REGION_CLOUD_TRAIL_ENABLED is enabled.

URI
tmod:@turbot/aws-hipaa#/control/types/cloudTrailMultiRegionTrailEnabled

AWS > HIPAA > Account > Ensure IAM password policy expires passwords within 90 days or less

IAM password policies can require passwords to be rotated or expired after a given number of days. Security Hub recommends that the password policy expire passwords after 90 days or less. Reducing the password lifetime increases account resiliency against brute force login attempts.

URI
tmod:@turbot/aws-hipaa#/control/types/iamPasswordPolicyExpire90

AWS > HIPAA > Account > Ensure IAM password policy prevents password reuse

This control checks whether the number of passwords to remember is set to 24. The control fails if the value is not 24. IAM password policies can prevent the reuse of a given password by the same user.

URI
tmod:@turbot/aws-hipaa#/control/types/iamAccountPasswordPolicyReuse24

AWS > HIPAA > Account > Ensure IAM password policy requires at least one lowercase letter

Password policies, in part, enforce password complexity requirements. Use IAM password policies to ensure that passwords use different character sets. Security Hub recommends that the password policy require at least one lowercase letter. Setting a password complexity policy increases account resiliency against brute force login attempts.

URI
tmod:@turbot/aws-hipaa#/control/types/iamAccountPasswordPolicyOneLowercaseLetter

AWS > HIPAA > Account > Ensure IAM password policy requires at least one number

Password policies, in part, enforce password complexity requirements. Use IAM password policies to ensure that passwords use different character sets.

URI
tmod:@turbot/aws-hipaa#/control/types/iamAccountPasswordPolicyOneNumber

AWS > HIPAA > Account > Ensure IAM password policy requires at least one symbol

Password policies, in part, enforce password complexity requirements. Use IAM password policies to ensure that passwords use different character sets. Security Hub recommends that the password policy require at least one symbol. Setting a password complexity policy increases account resiliency against brute force login attempts.

URI
tmod:@turbot/aws-hipaa#/control/types/iamAccountPasswordPolicyOneSymbol

AWS > HIPAA > Account > Ensure IAM password policy requires at least one uppercase letter

Password policies, in part, enforce password complexity requirements. Use IAM password policies to ensure that passwords use different character sets.

URI
tmod:@turbot/aws-hipaa#/control/types/iamAccountPasswordPolicyOneUppercaseLetter

AWS > HIPAA > Account > Ensure a log metric filter and alarm exist for AWS Management Console authentication failures

You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Hub recommends that you create a metric filter and alarm for failed console authentication attempts.

URI
tmod:@turbot/aws-hipaa#/control/types/logMetricFilterConsoleAuthenticationFailure

AWS > HIPAA > Account > Ensure a log metric filter and alarm exist for usage of 'root' account

You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Hub recommends that you create a metric filter and alarm for root login attempts. Monitoring for root account logins provides visibility into the use of a fully privileged account and an opportunity to reduce the use of it.

URI
tmod:@turbot/aws-hipaa#/control/types/logMetricFilterRootLogin

AWS > HIPAA > Account > IAM root user hardware MFA should be enabled

Manage access to resources in the AWS Cloud by ensuring hardware MFA is enabled for the root user.

URI
tmod:@turbot/aws-hipaa#/control/types/iamRootUserHardwareMFAEnabled

AWS > HIPAA > Backup

This section contains recommendations for configuring Backup resources and options.

URI
tmod:@turbot/aws-hipaa#/control/types/backup

AWS > HIPAA > Backup > Backup plan min frequency and min retention check

Checks whether a backup plan has a backup rule that satisfies the required frequency and retention period (35 days). The rule is non-compliant if recovery points are not created at least as often as the specified frequency or expire before the specified period.

URI
tmod:@turbot/aws-hipaa#/control/types/backupPlanMinRetention35Days

AWS > HIPAA > Backup > Backup recovery point manual deletion should be disabled

Checks whether a backup vault has an attached resource-based policy that prevents deletion of recovery points. The rule is non-compliant if the backup vault does not have resource-based policies or has policies without a suitable 'Deny' statement.

URI
tmod:@turbot/aws-hipaa#/control/types/backupRecoveryPointManualDeletionDisabled

AWS > HIPAA > Backup > Backup recovery point should be encrypted

Checks whether a recovery point is encrypted. The rule is non-compliant if the recovery point is not encrypted.

URI
tmod:@turbot/aws-hipaa#/control/types/backupRecoveryPointEncryptionEnabled

AWS > HIPAA > CloudFront

This section contains recommendations for configuring CloudFront resources and options.

URI
tmod:@turbot/aws-hipaa#/control/types/cloudFront

AWS > HIPAA > CloudFront > CloudFront distributions should require encryption in transit

This control checks whether an Amazon CloudFront distribution requires viewers to use HTTPS directly or whether it uses redirection. The control fails if ViewerProtocolPolicy is set to allow-all for defaultCacheBehavior or for cacheBehaviors.

URI
tmod:@turbot/aws-hipaa#/control/types/cloudFrontDistributionEncryptionInTransitEnabled

AWS > HIPAA > CloudTrail

This section contains recommendations for configuring CloudTrail resources and options.

URI
tmod:@turbot/aws-hipaa#/control/types/cloudTrail

AWS > HIPAA > CloudTrail > CloudTrail trail log file validation should be enabled

Utilize AWS CloudTrail log file validation to check the integrity of CloudTrail logs. Log file validation helps determine whether a log file was modified, deleted, or unchanged after CloudTrail delivered it. This feature is built using industry-standard algorithms: SHA-256 for hashing and SHA-256 with RSA for digital signing. This makes it computationally infeasible to modify, delete, or forge CloudTrail log files without detection.

URI
tmod:@turbot/aws-hipaa#/control/types/cloudTrailTrailValidationEnabled

AWS > HIPAA > CloudTrail > CloudTrail trail logs should be encrypted with KMS CMK

To help protect sensitive data at rest, ensure encryption is enabled for your Amazon CloudWatch Log Groups.

URI
tmod:@turbot/aws-hipaa#/control/types/cloudTrailTrailLogsEncryptedWithKmsCmk

AWS > HIPAA > CloudTrail > CloudTrail trails should be integrated with CloudWatch logs

Use Amazon CloudWatch to centrally collect and manage log event activity. Inclusion of AWS CloudTrail data provides
details of API call activity within your AWS account.

URI
tmod:@turbot/aws-hipaa#/control/types/cloudTrailTrailIntegratedWithLogs

AWS > HIPAA > CloudWatch

This section contains recommendations for configuring CloudWatch resources and options.

URI
tmod:@turbot/aws-hipaa#/control/types/cloudWatch

AWS > HIPAA > CloudWatch > CloudWatch alarm action should be enabled

Amazon CloudWatch alarms alert when a metric breaches the threshold for a specified number of evaluation periods. The alarm performs one or more actions based on the value of the metric or expression relative to a threshold over a number of time periods.

URI
tmod:@turbot/aws-hipaa#/control/types/cloudWatchAlarmActionEnabled

AWS > HIPAA > CodeBuild

This section contains recommendations for configuring CodeBuild resources and options.

URI
tmod:@turbot/aws-hipaa#/control/types/codeBuild

AWS > HIPAA > CodeBuild > CodeBuild GitHub or Bitbucket source repository URLs should use OAuth

Ensure the GitHub or Bitbucket source repository URL does not contain personal access tokens, user names, or passwords within AWS CodeBuild project environments.

URI
tmod:@turbot/aws-hipaa#/control/types/codeBuildProjectSourceRepoOauthConfigured

AWS > HIPAA > CodeBuild > CodeBuild project plaintext environment variables should not contain sensitive AWS values

Ensure authentication credentials AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY do not exist within AWS CodeBuild project environments. Do not store these variables in clear text. Storing these variables in clear text leads to unintended data exposure and unauthorized access.

URI
tmod:@turbot/aws-hipaa#/control/types/codeBuildProjectPlaintextEnvVariablesNoSensitiveAwsValues

AWS > HIPAA > DAX

This section contains recommendations for configuring DAX resources and options.

URI
tmod:@turbot/aws-hipaa#/control/types/dax

AWS > HIPAA > DAX > DynamoDB Accelerator (DAX) clusters should be encrypted at rest

This control checks whether a DAX cluster is encrypted at rest. Encrypting data at rest reduces the risk of data
stored on disk being accessed by a user not authenticated to AWS. The encryption adds another set of access controls
to limit the ability of unauthorized users to access the data. For example, API permissions are required to
decrypt the data before it can be read.

URI
tmod:@turbot/aws-hipaa#/control/types/daxClusterEncryptionAtRestEnabled

AWS > HIPAA > DMS

This section contains recommendations for configuring DMS resources and options.

URI
tmod:@turbot/aws-hipaa#/control/types/dms

AWS > HIPAA > DMS > DMS replication instances should not be publicly accessible

Manage access to the AWS Cloud by ensuring DMS replication instances cannot be publicly accessed.

URI
tmod:@turbot/aws-hipaa#/control/types/dmsReplicationInstanceNotPubliclyAccessible

AWS > HIPAA > DynamoDB

This section contains recommendations for configuring DynamoDB resources and options.

URI
tmod:@turbot/aws-hipaa#/control/types/dynamodb

AWS > HIPAA > DynamoDB > DynamoDB table auto scaling should be enabled

Amazon DynamoDB auto scaling uses the AWS Application Auto Scaling service to adjust provisioned throughput capacity that automatically responds to actual traffic patterns.

URI
tmod:@turbot/aws-hipaa#/control/types/dynamodbTableAutoScalingEnabled

AWS > HIPAA > DynamoDB > DynamoDB table point-in-time recovery should be enabled

Enable this rule to check that information has been backed up. It also maintains the backups by ensuring that point-in-time recovery is enabled in Amazon DynamoDB.

URI
tmod:@turbot/aws-hipaa#/control/types/dynamodbTablePointInTimeRecoveryEnabled

AWS > HIPAA > DynamoDB > DynamoDB table should be encrypted with AWS KMS

Ensure that encryption is enabled for your Amazon DynamoDB tables. Because sensitive data can exist at rest in these
tables, enable encryption at rest to help protect that data.

URI
tmod:@turbot/aws-hipaa#/control/types/dynamodbTableEncryptedWithKmsCmk

AWS > HIPAA > DynamoDB > DynamoDB table should be protected by backup plan

Checks whether Amazon DynamoDB tables are protected by a backup plan. The rule is non-compliant if the DynamoDB table is not covered by a backup plan.

URI
tmod:@turbot/aws-hipaa#/control/types/dynamodbTableProtectedByBackupPlan

AWS > HIPAA > DynamoDB > DynamoDB table should have encryption enabled

Ensure that encryption is enabled for your Amazon DynamoDB tables. Because sensitive data can exist at rest in these
tables, enable encryption at rest to help protect that data.

URI
tmod:@turbot/aws-hipaa#/control/types/dynamodbTableEncryptionEnabled

AWS > HIPAA > DynamoDB > DynamoDB tables should be in a backup plan

To help with data back-up processes, ensure your Amazon DynamoDB tables are a part of an AWS Backup plan.

URI
tmod:@turbot/aws-hipaa#/control/types/dynamodbTableInBackupPlan

AWS > HIPAA > EC2

This section contains recommendations for configuring EC2 resources and options.

URI
tmod:@turbot/aws-hipaa#/control/types/ec2

AWS > HIPAA > EC2 > Attached EBS volumes should have encryption enabled

Because sensitive data can exist at rest, ensure encryption is enabled for your Amazon Elastic Block Store (Amazon EBS) volumes to help protect that data.

URI
tmod:@turbot/aws-hipaa#/control/types/ebsAttachedVolumeEncryptionEnabled

AWS > HIPAA > EC2 > Auto Scaling groups with a load balancer should use health checks

The Elastic Load Balancer (ELB) health checks for Amazon Elastic Compute Cloud (Amazon EC2) Auto Scaling groups support maintenance of adequate capacity and availability.

URI
tmod:@turbot/aws-hipaa#/control/types/autoScalingGroupWithLbUseHealthCheck

AWS > HIPAA > EC2 > EBS default encryption should be enabled

To help protect data at rest, ensure that encryption is enabled for your Amazon Elastic Block Store (Amazon EBS) volumes.

URI
tmod:@turbot/aws-hipaa#/control/types/ec2EbsDefaultEncryptionEnabled

AWS > HIPAA > EC2 > EBS snapshots should not be publicly restorable

Manage access to the AWS Cloud by ensuring EBS snapshots are not publicly restorable.

URI
tmod:@turbot/aws-hipaa#/control/types/ebsSnapshotNotPubliclyRestorable

AWS > HIPAA > EC2 > EBS volume encryption at rest should be enabled

Because sensitive data can exist at rest, ensure encryption is enabled for your Amazon Elastic Block Store (Amazon EBS) volumes to help protect that data.

URI
tmod:@turbot/aws-hipaa#/control/types/ebsVolumeEncryptionAtRestEnabled

AWS > HIPAA > EC2 > EBS volumes should be in a backup plan

To help with data back-up processes, ensure your Amazon Elastic Block Store (Amazon EBS) volumes are a part of an AWS Backup plan.

URI
tmod:@turbot/aws-hipaa#/control/types/ebsVolumeInBackupPlan

AWS > HIPAA > EC2 > EBS volumes should be protected by backup plan

Checks whether Amazon Elastic Block Store (Amazon EBS) volumes are protected by a backup plan. The rule is non-compliant if the Amazon EBS volume is not covered by a backup plan.

URI
tmod:@turbot/aws-hipaa#/control/types/ebsVolumeProtectedByBackupPlan

AWS > HIPAA > EC2 > EC2 instance should have EBS optimization enabled

An optimized instance in Amazon Elastic Block Store (Amazon EBS) provides additional, dedicated capacity for Amazon EBS I/O operations.

URI
tmod:@turbot/aws-hipaa#/control/types/ec2InstanceEbsOptimized

AWS > HIPAA > EC2 > EC2 instances should be in a VPC

Deploy Amazon Elastic Compute Cloud (Amazon EC2) instances within an Amazon Virtual Private Cloud (Amazon VPC) to enable secure communication between an instance and other services within the Amazon VPC, without requiring an internet gateway, NAT device, or VPN connection.

URI
tmod:@turbot/aws-hipaa#/control/types/ec2InstanceInVpc

AWS > HIPAA > EC2 > EC2 instances should be managed by AWS Systems Manager

An inventory of the software platforms and applications within the organization is possible by managing Amazon Elastic Compute Cloud (Amazon EC2) instances with AWS Systems Manager.

URI
tmod:@turbot/aws-hipaa#/control/types/ec2InstanceSsmManaged

AWS > HIPAA > EC2 > EC2 instances should be protected by backup plan

Checks whether Amazon Elastic Compute Cloud (Amazon EC2) instances are protected by a backup plan. The rule is non-compliant if the Amazon EC2 instance is not covered by a backup plan.

URI
tmod:@turbot/aws-hipaa#/control/types/ec2InstanceProtectedByBackupPlan

AWS > HIPAA > EC2 > EC2 instances should not have a public IP address

Manage access to the AWS Cloud by ensuring Amazon Elastic Compute Cloud (Amazon EC2) instances cannot be publicly accessed.

URI
tmod:@turbot/aws-hipaa#/control/types/ec2InstanceNotPubliclyAccessible

AWS > HIPAA > EC2 > EC2 stopped instances should be removed in 30 days

Enable this rule to help with the baseline configuration of Amazon Elastic Compute Cloud (Amazon EC2) instances by checking whether Amazon EC2 instances have been stopped for more than the allowed number of days, according to your organization's standards.

URI
tmod:@turbot/aws-hipaa#/control/types/ec2StoppedInstance30Days

AWS > HIPAA > EC2 > ELB application and classic load balancer logging should be enabled

Elastic Load Balancing activity is a central point of communication within an environment.

URI
tmod:@turbot/aws-hipaa#/control/types/elbApplicationClassicLbLoggingEnabled

AWS > HIPAA > EC2 > ELB application load balancer deletion protection should be enabled

This rule ensures that Elastic Load Balancing has deletion protection enabled.

URI
tmod:@turbot/aws-hipaa#/control/types/elbApplicationLbDeletionProtectionEnabled

AWS > HIPAA > EC2 > ELB application load balancers should drop HTTP headers

Ensure that your Elastic Load Balancers (ELB) are configured to drop HTTP headers.

URI
tmod:@turbot/aws-hipaa#/control/types/elbApplicationLbDropHttpHeaders

AWS > HIPAA > EC2 > ELB application load balancers should redirect HTTP requests to HTTPS

To help protect data in transit, ensure that your Application Load Balancer automatically redirects unencrypted HTTP requests to HTTPS.

URI
tmod:@turbot/aws-hipaa#/control/types/elbApplicationLbRedirectHttpRequestToHttps

AWS > HIPAA > EC2 > ELB classic load balancers should only use SSL or HTTPS listeners

Ensure that your Elastic Load Balancers (ELBs) are configured with SSL or HTTPS listeners. Because sensitive data can exist, enable encryption in transit to help protect that data.

URI
tmod:@turbot/aws-hipaa#/control/types/elbClassicLbUseTlsHttpsListeners

AWS > HIPAA > EC2 > ELB classic load balancers should use SSL certificates

Because sensitive data can exist in transit, ensure encryption is enabled for your Elastic Load Balancing to help protect that data.

URI
tmod:@turbot/aws-hipaa#/control/types/elbClassicLbUseSslCertificate

AWS > HIPAA > EFS

This section contains recommendations for configuring EFS resources and options.

URI
tmod:@turbot/aws-hipaa#/control/types/efs

AWS > HIPAA > EFS > EFS file system encryption at rest should be enabled

Because sensitive data can exist at rest, ensure encryption is enabled for your Amazon Elastic File System (EFS) to help protect that data.

URI
tmod:@turbot/aws-hipaa#/control/types/efsFileSystemEncryptDataAtRest

AWS > HIPAA > EFS > EFS file systems should be in a backup plan

To help with data back-up processes, ensure your Amazon Elastic File System (Amazon EFS) file systems are a part of an AWS Backup plan.

URI
tmod:@turbot/aws-hipaa#/control/types/efsFileSystemAutomaticBackupsEnabled

AWS > HIPAA > EFS > EFS file systems should be protected by backup plan

Checks whether Amazon Elastic File System (Amazon EFS) file systems are protected by a backup plan. The rule is non-compliant if the EFS file system is not covered by a backup plan.

URI
tmod:@turbot/aws-hipaa#/control/types/efsFileSystemProtectedByBackupPlan

AWS > HIPAA > EKS

This section contains recommendations for configuring EKS resources and options.

URI
tmod:@turbot/aws-hipaa#/control/types/eks

AWS > HIPAA > EKS > EKS clusters should be configured to have kubernetes secrets encrypted using KMS

Checks whether Amazon Elastic Kubernetes Service clusters are configured to have Kubernetes secrets encrypted using AWS Key Management Service (KMS) keys.

URI
tmod:@turbot/aws-hipaa#/control/types/eksClusterSecretsEncrypted

AWS > HIPAA > EMR

This section contains recommendations for configuring EMR resources and options.

URI
tmod:@turbot/aws-hipaa#/control/types/emr

AWS > HIPAA > EMR > EMR cluster kerberos should be enabled

Access permissions and authorizations can be managed in line with the principles of least privilege and separation of duties by enabling Kerberos for Amazon EMR clusters.

URI
tmod:@turbot/aws-hipaa#/control/types/emrClusterKerberosEnabled

AWS > HIPAA > EMR > EMR cluster master nodes should not have public IP addresses

Manage access to the AWS Cloud by ensuring Amazon EMR cluster master nodes cannot be publicly accessed.

URI
tmod:@turbot/aws-hipaa#/control/types/emrClusterMasterNodesNoPublicIp

AWS > HIPAA > ElastiCache

This section contains recommendations for configuring ElastiCache resources and options.

URI
tmod:@turbot/aws-hipaa#/control/types/elastiCache

AWS > HIPAA > ElastiCache > ElastiCache Redis cluster automatic backup should be enabled with retention period of 15 days or greater

When automatic backups are enabled, Amazon ElastiCache creates a backup of the cluster on a daily basis. The backup can be retained for a number of days as specified by your organization. Automatic backups can help guard against data loss.

URI
tmod:@turbot/aws-hipaa#/control/types/elastiCacheRedisClusterAutomaticBackupRetention15Days

AWS > HIPAA > Elasticsearch

This section contains recommendations for configuring Elasticsearch resources and options.

URI
tmod:@turbot/aws-hipaa#/control/types/elasticsearch

AWS > HIPAA > Elasticsearch > ES domain encryption at rest should be enabled

Because sensitive data can exist at rest, ensure encryption is enabled for your Amazon Elasticsearch Service (Amazon ES) domains to help protect that data.

URI
tmod:@turbot/aws-hipaa#/control/types/esDomainEncryptionAtRestEnabled

AWS > HIPAA > Elasticsearch > ES domains should be in a VPC

Manage access to the AWS Cloud by ensuring Amazon Elasticsearch Service (Amazon ES) Domains are within an Amazon Virtual Private Cloud (Amazon VPC).

URI
tmod:@turbot/aws-hipaa#/control/types/esDomainInVpc

AWS > HIPAA > Elasticsearch > Elasticsearch domain node-to-node encryption should be enabled

Ensure node-to-node encryption for Amazon Elasticsearch Service is enabled. Node-to-node encryption enables TLS 1.2 encryption for all communications within the Amazon Virtual Private Cloud (Amazon VPC).

URI
tmod:@turbot/aws-hipaa#/control/types/esDomainNodeToNodeEncryptionEnabled

AWS > HIPAA > FSx

This section contains recommendations for configuring FSx resources and options.

URI
tmod:@turbot/aws-hipaa#/control/types/fsx

AWS > HIPAA > FSx > FSx file system should be protected by backup plan

Checks whether Amazon FSx file systems are protected by a backup plan. The rule is non-compliant if the Amazon FSx file system is not covered by a backup plan.

URI
tmod:@turbot/aws-hipaa#/control/types/fsxFileSystemProtectedByBackupPlan

AWS > HIPAA > GuardDuty

This section contains recommendations for configuring GuardDuty resources and options.

URI
tmod:@turbot/aws-hipaa#/control/types/guardDuty

AWS > HIPAA > GuardDuty > GuardDuty findings should be archived

Amazon GuardDuty helps you understand the impact of an incident by classifying findings by severity: low, medium, and high.

URI
tmod:@turbot/aws-hipaa#/control/types/guardDutyFindingArchived

AWS > HIPAA > IAM

This section contains recommendations for configuring IAM resources and options.

URI
tmod:@turbot/aws-hipaa#/control/types/iam

AWS > HIPAA > IAM > Ensure IAM password policy requires a minimum length of 14 or greater

Password policies, in part, enforce password complexity requirements. Use IAM password policies to ensure that passwords are at least a given length. Security Hub recommends that the password policy require a minimum password length of 14 characters.

URI
tmod:@turbot/aws-hipaa#/control/types/iamAccountPasswordPolicyMinLength14

AWS > HIPAA > IAM > IAM groups should have at least one user

AWS Identity and Access Management (IAM) can help you incorporate the principles of least privilege and separation
of duties with access permissions and authorizations, by ensuring that IAM groups have at least one IAM user.

URI
tmod:@turbot/aws-hipaa#/control/types/iamGroupNotEmpty

AWS > HIPAA > IAM > IAM password policies for users should have strong configurations

The identities and the credentials are issued, managed, and verified based on an organizational IAM password policy.

IAM password policy is considered to have a strong configuration when:
- Minimum password length is greater than or equal to 14 characters
- Require at least one uppercase letter from the Latin alphabet (A-Z)
- Require at least one lowercase letter from the Latin alphabet (a-z)
- Require at least one number
- Require at least one non-alphanumeric character
- Password should expire in at least 90 days
- Remember at least the last 24 passwords and prevent reuse

URI
tmod:@turbot/aws-hipaa#/control/types/iamAccountPasswordPolicyStrongMinReuse24

AWS > HIPAA > IAM > IAM policy should not have statements with admin access

AWS Identity and Access Management (IAM) can help you incorporate the principles of least privilege and separation of duties with access permissions and authorizations, restricting policies from containing 'Effect': 'Allow' with 'Action': '*' over 'Resource': '*'.

URI
tmod:@turbot/aws-hipaa#/control/types/iamPolicyNoStar

AWS > HIPAA > IAM > IAM root user MFA should be enabled

Manage access to resources in the AWS Cloud by ensuring MFA is enabled for the root user.

URI
tmod:@turbot/aws-hipaa#/control/types/iamRootUserMfaEnabled

AWS > HIPAA > IAM > IAM root user should not have access keys

Access to systems and assets can be controlled by checking that the root user does not have access keys attached to their AWS Identity and Access Management (IAM) role.

URI
tmod:@turbot/aws-hipaa#/control/types/iamRootUserNoAccessKeys

AWS > HIPAA > IAM > IAM user MFA should be enabled

Enable this rule to restrict access to resources in the AWS Cloud.

URI
tmod:@turbot/aws-hipaa#/control/types/iamUserMFAEnabled

AWS > HIPAA > IAM > IAM user access keys should be rotated at least every 90 days

The credentials are audited for authorized devices, users, and processes by ensuring IAM access keys are rotated as per organizational policy.

URI
tmod:@turbot/aws-hipaa#/control/types/iamUserAccessKeyAge90

AWS > HIPAA > IAM > IAM user credentials that have not been used in 90 days should be disabled

AWS Identity and Access Management (IAM) can help you with access permissions and authorizations by checking for IAM passwords and access keys that are not used for a specified time period.

URI
tmod:@turbot/aws-hipaa#/control/types/iamUserUnusedCredentials90

AWS > HIPAA > IAM > IAM user should not have any inline or attached policies

This rule ensures AWS Identity and Access Management (IAM) policies are attached only to groups or roles to control
access to systems and assets.

URI
tmod:@turbot/aws-hipaa#/control/types/iamUserNoInlineAttachedPolicies

AWS > HIPAA > IAM > IAM users should be in at least one group

AWS Identity and Access Management (IAM) can help you restrict access permissions and authorizations, by ensuring
IAM users are members of at least one group.

URI
tmod:@turbot/aws-hipaa#/control/types/iamUserInGroup

AWS > HIPAA > IAM > IAM users with console access should have MFA enabled

Manage access to resources in the AWS Cloud by ensuring that MFA is enabled for all AWS Identity and Access Management (IAM) users that have a console password.

URI
tmod:@turbot/aws-hipaa#/control/types/iamUserConsoleAccessMfaEnabled

AWS > HIPAA > IAM > KMS key decryption should be restricted in IAM customer managed policy

Checks whether the default version of IAM customer managed policies allows principals to use the AWS KMS decryption actions on all resources. This control uses Zelkova, an automated reasoning engine, to validate and warn you about policies that may grant broad access to your secrets across AWS accounts. This control fails if the kms:Decrypt or kms:ReEncryptFrom actions are allowed on all KMS keys. The control evaluates both attached and unattached customer managed policies. It does not check inline policies or AWS managed policies.

URI
tmod:@turbot/aws-hipaa#/control/types/kmsKeyDecryptionRestrictedInIamCustomerManagedPolicy

AWS > HIPAA > IAM > KMS key decryption should be restricted in IAM inline policy

Checks whether the inline policies that are embedded in your IAM identities (role, user, or group) allow the AWS KMS decryption actions on all KMS keys. This control uses Zelkova, an automated reasoning engine, to validate and warn you about policies that may grant broad access to your secrets across AWS accounts. This control fails if kms:Decrypt or kms:ReEncryptFrom actions are allowed on all KMS keys in an inline policy.

URI
tmod:@turbot/aws-hipaa#/control/types/kmsKeyDecryptionRestrictedInIamInlinePolicy

AWS > HIPAA > KMS

This section contains recommendations for configuring KMS resources and options.

URI
tmod:@turbot/aws-hipaa#/control/types/kms

AWS > HIPAA > KMS > KMS CMK rotation should be enabled

Enable key rotation to ensure that keys are rotated once they have reached the end of their crypto period.

URI
tmod:@turbot/aws-hipaa#/control/types/kmsCmkRotationEnabled

AWS > HIPAA > KMS > KMS keys should not be pending deletion

To help protect data at rest, ensure necessary customer master keys (CMKs) are not scheduled for deletion in AWS Key Management Service (AWS KMS).

URI
tmod:@turbot/aws-hipaa#/control/types/kmsKeyNotPendingDeletion

AWS > HIPAA > Lambda

This section contains recommendations for configuring Lambda resources and options.

URI
tmod:@turbot/aws-hipaa#/control/types/lambda

AWS > HIPAA > Lambda > Lambda functions should be configured with a dead-letter queue

Enable this rule to help notify the appropriate personnel through Amazon Simple Queue Service (Amazon SQS) or Amazon Simple Notification Service (Amazon SNS) when a function has failed.

URI
tmod:@turbot/aws-hipaa#/control/types/lambdaFunctionDeadLetterQueueConfigured

AWS > HIPAA > Lambda > Lambda functions should be in a VPC

Deploy AWS Lambda functions within an Amazon Virtual Private Cloud (Amazon VPC) for a secure communication between
a function and other services within the Amazon VPC.

URI
tmod:@turbot/aws-hipaa#/control/types/lambdaFunctionInVpc

AWS > HIPAA > Lambda > Lambda functions should restrict public access

Manage access to resources in the AWS Cloud by ensuring AWS Lambda functions cannot be publicly accessed.

URI
tmod:@turbot/aws-hipaa#/control/types/lambdaFunctionRestrictPublicAccess

AWS > HIPAA > Logs

This section contains recommendations for configuring Logs resources and options.

URI
tmod:@turbot/aws-hipaa#/control/types/logs

AWS > HIPAA > Logs > Log group encryption at rest should be enabled

To help protect sensitive data at rest, ensure encryption is enabled for your Amazon CloudWatch Log Group.

URI
tmod:@turbot/aws-hipaa#/control/types/logGroupEncryptionAtRestEnabled

AWS > HIPAA > Logs > Log group retention period should be at least 365 days

Ensure a minimum duration of event log data is retained for your log groups to help with troubleshooting and forensics investigations.

URI
tmod:@turbot/aws-hipaa#/control/types/cloudWatchLogGroupRetentionPeriod365

AWS > HIPAA > RDS

This section contains recommendations for configuring RDS resources and options.

URI
tmod:@turbot/aws-hipaa#/control/types/rds

AWS > HIPAA > RDS > Database logging should be enabled

To help with logging and monitoring within your environment, ensure Amazon Relational Database Service (Amazon RDS) logging is enabled.

URI
tmod:@turbot/aws-hipaa#/control/types/rdsDbInstanceLoggingEnabled

AWS > HIPAA > RDS > RDS Aurora clusters should be protected by backup plan

Checks whether Amazon Aurora DB clusters are protected by a backup plan. The rule is non-compliant if the Amazon Relational Database Service (Amazon RDS) database cluster is not protected by a backup plan.

URI
tmod:@turbot/aws-hipaa#/control/types/rdsDbClusterAuroraProtectedByBackupPlan

AWS > HIPAA > RDS > RDS DB instance backup should be enabled

The backup feature of Amazon RDS creates backups of your databases and transaction logs.

URI
tmod:@turbot/aws-hipaa#/control/types/rdsDbInstanceBackupEnabled

AWS > HIPAA > RDS > RDS DB instance encryption at rest should be enabled

To help protect data at rest, ensure that encryption is enabled for your Amazon Relational Database Service (Amazon RDS) instances.

URI
tmod:@turbot/aws-hipaa#/control/types/rdsDbInstanceEncryptionAtRestEnabled

AWS > HIPAA > RDS > RDS DB instance multiple az should be enabled

Multi-AZ support in Amazon Relational Database Service (Amazon RDS) provides enhanced availability and durability for database instances.

URI
tmod:@turbot/aws-hipaa#/control/types/rdsDbInstanceMultipleAzEnabled

AWS > HIPAA > RDS > RDS DB instance should be protected by backup plan

Ensure that Amazon Relational Database Service (Amazon RDS) instances are protected by a backup plan. The rule is non-compliant if the Amazon RDS database instance is not covered by a backup plan.

URI
tmod:@turbot/aws-hipaa#/control/types/rdsDbInstanceProtectedByBackupPlan

AWS > HIPAA > RDS > RDS DB instances should be in a backup plan

To help with data back-up processes, ensure your Amazon Relational Database Service (Amazon RDS) instances are a part of an AWS Backup plan.

URI
tmod:@turbot/aws-hipaa#/control/types/rdsDbInstanceInBackupPlan

AWS > HIPAA > RDS > RDS DB instances should prohibit public access

Manage access to resources in the AWS Cloud by ensuring that Amazon Relational Database Service (Amazon RDS)
instances are not public.

URI
tmod:@turbot/aws-hipaa#/control/types/rdsDbInstanceProhibitPublicAccess

AWS > HIPAA > RDS > RDS DB snapshots should be encrypted at rest

Ensure that encryption is enabled for your Amazon Relational Database Service (Amazon RDS) snapshots.

URI
tmod:@turbot/aws-hipaa#/control/types/rdsDbSnapshotEncryptedAtRest

AWS > HIPAA > RDS > RDS snapshots should prohibit public access

Manage access to resources in the AWS Cloud by ensuring that Amazon Relational Database Service (Amazon RDS) snapshots are not public.

URI
tmod:@turbot/aws-hipaa#/control/types/rdsDbSnapshotProhibitPublicAccess

AWS > HIPAA > Redshift

This section contains recommendations for configuring Redshift resources and options.

URI
tmod:@turbot/aws-hipaa#/control/types/redshift

AWS > HIPAA > Redshift > Amazon Redshift clusters should have automatic snapshots enabled

This control checks whether Amazon Redshift clusters have automated snapshots enabled. It also checks whether the snapshot retention period is greater than or equal to seven days.

URI
tmod:@turbot/aws-hipaa#/control/types/redshiftClusterAutomaticSnapshotsMin7Days

AWS > HIPAA > Redshift > Redshift cluster audit logging and encryption should be enabled

To protect data at rest, ensure that encryption is enabled for your Amazon Redshift clusters. You must also ensure
that the required configurations are deployed on Amazon Redshift clusters. Audit logging should be enabled to provide
information about connections and user activities in the database.

URI
tmod:@turbot/aws-hipaa#/control/types/redshiftClusterEncryptionLoggingEnabled

AWS > HIPAA > Redshift > Redshift cluster encryption in transit should be enabled

Ensure that your Amazon Redshift clusters require TLS/SSL encryption to connect to SQL clients.

URI
tmod:@turbot/aws-hipaa#/control/types/redshiftClusterEncryptionInTransitEnabled

AWS > HIPAA > Redshift > Redshift clusters should prohibit public access

Manage access to resources in the AWS Cloud by ensuring that Amazon Redshift clusters are not public.

URI
tmod:@turbot/aws-hipaa#/control/types/redshiftClusterProhibitPublicAccess

AWS > HIPAA > Region

This section contains recommendations for configuring resources and options at a regional level.

URI
tmod:@turbot/aws-hipaa#/control/types/region

AWS > HIPAA > Region > AWS Config should be enabled

This control checks whether AWS Config is enabled in the account for the local Region and is recording all resources.

URI
tmod:@turbot/aws-hipaa#/control/types/configEnabledAllRegions

AWS > HIPAA > Region > AWS Security Hub should be enabled for an AWS Account

AWS Security Hub helps to monitor unauthorized personnel, connections, devices, and software. AWS Security Hub aggregates, organizes, and prioritizes the security alerts, or findings, from multiple AWS services.

URI
tmod:@turbot/aws-hipaa#/control/types/securityHubEnabled

AWS > HIPAA > Region > At least one enabled trail should be present in a region

AWS CloudTrail can help with non-repudiation by recording AWS Management Console actions and API calls. You can identify the users and AWS accounts that called an AWS service, the source IP address from which the calls were made, and the times of the calls. Details of the captured data are described in the AWS CloudTrail record contents.

URI
tmod:@turbot/aws-hipaa#/control/types/cloudTrailTrailEnabled

AWS > HIPAA > Region > GuardDuty should be enabled

Amazon GuardDuty can help to monitor and detect potential cybersecurity events by using threat intelligence feeds.

URI
tmod:@turbot/aws-hipaa#/control/types/guardDutyEnabled

AWS > HIPAA > S3

This section contains recommendations for configuring S3 resources and options.

URI
tmod:@turbot/aws-hipaa#/control/types/s3

AWS > HIPAA > S3 > All S3 buckets should log S3 data events in CloudTrail

The collection of Amazon Simple Storage Service (Amazon S3) data events helps in detecting anomalous activity. The details include the AWS account that accessed an Amazon S3 bucket, the source IP address, and the time of the event.

URI
tmod:@turbot/aws-hipaa#/control/types/cloudTrailS3DataEventsEnabled

AWS > HIPAA > S3 > S3 bucket cross-region replication should be enabled

Amazon Simple Storage Service (Amazon S3) Cross-Region Replication (CRR) supports maintaining adequate capacity and availability.

URI
tmod:@turbot/aws-hipaa#/control/types/s3BucketCrossRegionReplicationEnabled

AWS > HIPAA > S3 > S3 bucket default encryption should be enabled

To help protect data at rest, ensure encryption is enabled for your Amazon Simple Storage Service (Amazon S3) buckets.

URI
tmod:@turbot/aws-hipaa#/control/types/s3BucketDefaultEncryptionEnabled

AWS > HIPAA > S3 > S3 bucket default encryption should be enabled with KMS

To help protect data at rest, ensure default encryption with an AWS Key Management Service (AWS KMS) key is enabled for your Amazon Simple Storage Service (Amazon S3) buckets.

URI
tmod:@turbot/aws-hipaa#/control/types/s3BucketDefaultEncryptionEnabledKms

AWS > HIPAA > S3 > S3 bucket logging should be enabled

Amazon Simple Storage Service (Amazon S3) server access logging provides a method to monitor the network for potential cybersecurity events.

URI
tmod:@turbot/aws-hipaa#/control/types/s3BucketLoggingEnabled

AWS > HIPAA > S3 > S3 bucket object lock should be enabled

Ensure that your Amazon Simple Storage Service (Amazon S3) bucket has Object Lock enabled by default.

URI
tmod:@turbot/aws-hipaa#/control/types/s3BucketObjectLockEnabled

AWS > HIPAA > S3 > S3 bucket versioning should be enabled

Amazon Simple Storage Service (Amazon S3) bucket versioning helps keep multiple variants of an object in the same Amazon S3 bucket.

URI
tmod:@turbot/aws-hipaa#/control/types/s3BucketVersioningEnabled

AWS > HIPAA > S3 > S3 buckets should enforce SSL

To help protect data in transit, ensure that your Amazon Simple Storage Service (Amazon S3) buckets require requests to use Secure Socket Layer (SSL).

URI
tmod:@turbot/aws-hipaa#/control/types/s3BucketEnforcesSsl

AWS > HIPAA > S3 > S3 buckets should prohibit public read access

Manage access to resources in the AWS Cloud by only allowing authorized users, processes, and devices access to Amazon Simple Storage Service (Amazon S3) buckets.

URI
tmod:@turbot/aws-hipaa#/control/types/s3BucketRestrictPublicReadAccess

AWS > HIPAA > S3 > S3 buckets should prohibit public write access

Manage access to resources in the AWS Cloud by only allowing authorized users, processes, and devices access to Amazon Simple Storage Service (Amazon S3) buckets.

URI
tmod:@turbot/aws-hipaa#/control/types/s3BucketRestrictPublicWriteAccess

AWS > HIPAA > S3 > S3 public access should be blocked at account and bucket levels

Manage access to resources in the AWS Cloud by ensuring that Amazon Simple Storage Service (Amazon S3) buckets cannot be publicly accessed.

URI
tmod:@turbot/aws-hipaa#/control/types/s3PublicAccessBlockBucketAccount

AWS > HIPAA > S3 > S3 public access should be blocked at account level

Manage access to resources in the AWS Cloud by ensuring that Amazon Simple Storage Service (Amazon S3) buckets
cannot be publicly accessed.

URI
tmod:@turbot/aws-hipaa#/control/types/s3PublicAccessBlockAccount

AWS > HIPAA > SNS

This section contains recommendations for configuring SNS resources and options.

URI
tmod:@turbot/aws-hipaa#/control/types/sns

AWS > HIPAA > SNS > SNS topics should be encrypted at rest

To help protect data at rest, ensure that your Amazon Simple Notification Service (Amazon SNS) topics require encryption using AWS Key Management Service (AWS KMS).

URI
tmod:@turbot/aws-hipaa#/control/types/snsTopicEncryptedAtRest

AWS > HIPAA > SSM

This section contains recommendations for configuring SSM resources and options.

URI
tmod:@turbot/aws-hipaa#/control/types/ssm

AWS > HIPAA > SSM > SSM managed instance associations should be compliant

Use AWS Systems Manager Associations to help with inventory of software platforms and applications within an organization.

URI
tmod:@turbot/aws-hipaa#/control/types/ssmManagedInstanceComplianceAssociationCompliant

AWS > HIPAA > SSM > SSM managed instance patching should be compliant

Enable this rule to help with identification and documentation of Amazon Elastic Compute Cloud (Amazon EC2) vulnerabilities.

URI
tmod:@turbot/aws-hipaa#/control/types/ssmManagedInstanceCompliancePatchCompliant

AWS > HIPAA > SageMaker

This section contains recommendations for configuring SageMaker resources and options.

URI
tmod:@turbot/aws-hipaa#/control/types/sageMaker

AWS > HIPAA > SageMaker > SageMaker endpoint configuration encryption should be enabled

To help protect data at rest, ensure encryption with AWS Key Management Service (AWS KMS) is enabled for your SageMaker endpoint.

URI
tmod:@turbot/aws-hipaa#/control/types/sageMakerEndpointConfigurationEncryptionAtRestEnabled

AWS > HIPAA > SageMaker > SageMaker notebook instance encryption should be enabled

To help protect data at rest, ensure encryption with AWS Key Management Service (AWS KMS) is enabled for your SageMaker notebook.

URI
tmod:@turbot/aws-hipaa#/control/types/sageMakerNotebookInstanceEncryptionAtRestEnabled

AWS > HIPAA > SageMaker > SageMaker notebook instances should not have direct internet access

Manage access to resources in the AWS Cloud by ensuring that Amazon SageMaker notebooks do not allow direct internet access.

URI
tmod:@turbot/aws-hipaa#/control/types/sageMakerNotebookInstanceDirectInternetAccessDisabled

AWS > HIPAA > Secrets Manager

This section contains recommendations for configuring Secrets Manager resources and options.

URI
tmod:@turbot/aws-hipaa#/control/types/secretsManager

AWS > HIPAA > Secrets Manager > Secrets Manager secrets should have automatic rotation enabled

This rule ensures AWS Secrets Manager secrets have rotation enabled. Rotating secrets on a regular schedule can shorten the period a secret is active, and potentially reduce the business impact if the secret is compromised.

URI
tmod:@turbot/aws-hipaa#/control/types/secretsManagerSecretAutomaticRotationEnabled

AWS > HIPAA > VPC

This section contains recommendations for configuring VPC resources and options.

URI
tmod:@turbot/aws-hipaa#/control/types/vpc

AWS > HIPAA > VPC > Both VPN tunnels provided by AWS Site-to-Site VPN should be in UP status

Redundant Site-to-Site VPN tunnels can be implemented to achieve resilience requirements.

URI
tmod:@turbot/aws-hipaa#/control/types/vpcVpnTunnelUp

AWS > HIPAA > VPC > VPC flow logs should be enabled

VPC flow logs provide detailed records of the IP traffic going to and from network interfaces
in your Amazon Virtual Private Cloud (Amazon VPC).

URI
tmod:@turbot/aws-hipaa#/control/types/vpcFlowLogsEnabled

AWS > HIPAA > VPC > VPC internet gateways should be attached to authorized vpc

Manage access to resources in the AWS Cloud by ensuring that internet gateways are only attached to authorized Amazon Virtual Private Cloud (Amazon VPC).

URI
tmod:@turbot/aws-hipaa#/control/types/vpcInternetGatewayAttachedToAuthorizedVpc

AWS > HIPAA > VPC > VPC security groups should restrict ingress SSH access from 0.0.0.0/0

Amazon Elastic Compute Cloud (Amazon EC2) Security Groups can help manage network access by providing stateful filtering of ingress and egress network traffic to AWS resources.

URI
tmod:@turbot/aws-hipaa#/control/types/vpcSecurityGroupRestrictIngressSshAll

AWS > HIPAA > VPC > VPC security groups should restrict ingress TCP and UDP access from 0.0.0.0/0

Manage access to resources in the AWS Cloud by ensuring common ports are restricted on Amazon Elastic Compute Cloud (Amazon EC2) Security Groups.

URI
tmod:@turbot/aws-hipaa#/control/types/vpcSecurityGroupRestrictIngressTcpUdpAll

AWS > HIPAA > VPC > VPC security groups should restrict ingress access on ports 20, 21, 22, 3306, 3389, 4333 from 0.0.0.0/0

Manage access to resources in the AWS Cloud by ensuring common ports are restricted on Amazon Elastic Compute Cloud (Amazon EC2) security groups.

URI
tmod:@turbot/aws-hipaa#/control/types/vpcSecurityGroupRestrictIngressCommonPortsAll

AWS > HIPAA > WAFV2

This section contains recommendations for configuring WAFV2 resources and options.

URI
tmod:@turbot/aws-hipaa#/control/types/wafv2

AWS > HIPAA > WAFV2 > Logging should be enabled on AWS WAFv2 regional and global web access control list (ACLs)

To help with logging and monitoring within your environment, enable AWS WAF (V2) logging on regional and global web ACLs.

URI
tmod:@turbot/aws-hipaa#/control/types/wafv2WebAclLoggingEnabled