prowler-cloud/prowler

Add HIPAA compliance checks

hhh0505 opened this issue · 4 comments

any plan to add this?

Hi @hhh0505, do you have a sample set of checks that might be suitable for HIPAA compliance in AWS? Some might be part of the existing checks and probably some new check points.

Adding HIPAA checks is no small task and I don't believe checks for full compliance will be possible as it depends much upon how each user/application handles PHI. But a good start would be checking for encryption at rest and in transit for the major services.

That being said, here is a quick placeholder of needed/desired HIPAA checks. I will try to update this periodically. @toniblyx This is just a start but...feel free to shoot all this down if it starts adding too many checks 😄

Account Security

  • MFA Enabled - check12, check113
  • Account Root User Credentials Protection - check112, check113

VPC Security

  • VPC Flow Logging Used - check29
  • VPC Flow Logs are Encrypted - Needs check
  • Enable ELB Logging - Needs check extra739

EC2 Security

  • Encrypted EBS Volumes - extra729
  • Encrypted EBS Snapshots - extra740
  • Ensure EC2 Instances are launched in a VPC - (No longer needed, only for pretty old accounts)

S3 Security

  • Bucket Policy, Enforce Encryption and Filter by source IP - extra734
  • IAM Roles, Enforce permissions - check38, extra73
  • Monitoring, Access Logs - check23, check26, check27, extra718, extra725

RDS Security

  • Encrypted RDS - extra735
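As an added illustration of the encryption-at-rest items above (EBS volumes, EBS snapshots, RDS), here is the evaluation logic such checks boil down to, written as a stand-alone Python example rather than Prowler's own code. The input lists are constructed samples shaped like the EC2 DescribeVolumes/DescribeSnapshots and RDS DescribeDBInstances responses; the check IDs are only labels borrowed from the list above.

```python
"""Encryption-at-rest findings for EBS volumes, EBS snapshots and RDS instances.

Added example, not Prowler's own code. Each input is a list of dicts in the
shape returned by the AWS APIs (e.g. boto3 describe_volumes()["Volumes"]).
A resource whose encryption flag is missing or not True is reported as FAIL,
so an unexpected response shape fails closed rather than passing silently.
"""


def _findings(check_id, resources, id_key, flag_key):
    """Build one PASS/FAIL finding per resource based on a boolean flag."""
    return [
        {
            "check": check_id,
            "resource": r.get(id_key, "<unknown>"),
            "status": "PASS" if r.get(flag_key) is True else "FAIL",
        }
        for r in resources
    ]


def check_ebs_volumes(volumes):
    # EC2 DescribeVolumes exposes encryption state as "Encrypted".
    return _findings("extra729", volumes, "VolumeId", "Encrypted")


def check_ebs_snapshots(snapshots):
    # EC2 DescribeSnapshots also uses "Encrypted".
    return _findings("extra740", snapshots, "SnapshotId", "Encrypted")


def check_rds_instances(instances):
    # RDS DescribeDBInstances exposes storage encryption as "StorageEncrypted".
    return _findings("extra735", instances, "DBInstanceIdentifier", "StorageEncrypted")


def run_encryption_checks(volumes, snapshots, instances):
    """Run all three checks; return every finding plus the sorted FAIL list."""
    findings = check_ebs_volumes(volumes) + check_ebs_snapshots(snapshots) + check_rds_instances(instances)
    failed = sorted(f["resource"] for f in findings if f["status"] == "FAIL")
    return {"findings": findings, "failed": failed}


# Constructed sample data (hypothetical resource IDs, not from a real account).
SAMPLE_VOLUMES = [{"VolumeId": "vol-0aaa", "Encrypted": True}, {"VolumeId": "vol-0bbb", "Encrypted": False}]
SAMPLE_SNAPSHOTS = [{"SnapshotId": "snap-0111", "Encrypted": True}, {"SnapshotId": "snap-0222"}]  # flag missing
SAMPLE_DB_INSTANCES = [
    {"DBInstanceIdentifier": "phi-db", "StorageEncrypted": True},
    {"DBInstanceIdentifier": "legacy-db", "StorageEncrypted": False},
]

if __name__ == "__main__":
    for f in run_encryption_checks(SAMPLE_VOLUMES, SAMPLE_SNAPSHOTS, SAMPLE_DB_INSTANCES)["findings"]:
        print(f"{f['check']:<9} {f['status']:<4} {f['resource']}")
```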

I'll update this list with new checks soon. Most of the checks I'm writing for GDPR are valid for HIPAA.

This is already finished in devel branch. I'll merge it to master soon.