Mod: aws-hipaa
The aws-hipaa mod consists of 1 policy and 161 controls.
Recommended Version
Version: 5.2.0
Released On: Aug 18, 2023
Depends On
aws-acm ^5.0.0
aws-apigateway ^5.0.0
aws-backup ^5.8.0
aws-cloudfront ^5.0.0
aws-cloudtrail ^5.0.0
aws-cloudwatch ^5.4.0
aws-codebuild ^5.4.0
aws-dax ^5.3.0
aws-dms ^5.3.0
aws-dynamodb ^5.0.0
aws-ec2 ^5.0.0
aws-efs ^5.0.0
aws-eks ^5.0.0
aws-elasticache ^5.0.0
aws-elasticsearch ^5.0.0
aws-emr ^5.0.0
aws-fsx ^5.0.0
aws-guardduty ^5.6.0
aws-iam ^5.0.0
aws-kms ^5.0.0
aws-lambda ^5.0.0
aws-logs ^5.0.0
aws-rds ^5.0.0
aws-redshift ^5.0.0
aws-s3 ^5.0.0
aws-sagemaker ^5.6.0
aws-secretsmanager ^5.0.0
aws-sns ^5.0.0
aws-ssm ^5.13.0
aws-vpc-connect ^5.0.0
aws-vpc-core ^5.0.0
aws-vpc-internet ^5.0.0
aws-vpc-security ^5.0.0
aws-waf ^5.2.0
aws ^5.0.0
turbot-iam ^5.1.0
turbot ^5.37.0
Controls
- AWS > HIPAA
- AWS > HIPAA > Account
- AWS > HIPAA > Account > At least one multi-region AWS CloudTrail should be present in an account
- AWS > HIPAA > Account > Ensure a log metric filter and alarm exist for AWS Management Console authentication failures
- AWS > HIPAA > Account > Ensure a log metric filter and alarm exist for usage of 'root' account
- AWS > HIPAA > Account > Ensure IAM password policy expires passwords within 90 days or less
- AWS > HIPAA > Account > Ensure IAM password policy prevents password reuse
- AWS > HIPAA > Account > Ensure IAM password policy requires at least one lowercase letter
- AWS > HIPAA > Account > Ensure IAM password policy requires at least one number
- AWS > HIPAA > Account > Ensure IAM password policy requires at least one symbol
- AWS > HIPAA > Account > Ensure IAM password policy requires at least one uppercase letter
- AWS > HIPAA > Account > IAM root user hardware MFA should be enabled
- AWS > HIPAA > ACM
- AWS > HIPAA > ACM > ACM certificates should be set to expire within 30 days
- AWS > HIPAA > API Gateway
- AWS > HIPAA > API Gateway > API Gateway stage cache encryption at rest should be enabled
- AWS > HIPAA > API Gateway > API Gateway stage logging should be enabled
- AWS > HIPAA > Backup
- AWS > HIPAA > Backup > Backup plan min frequency and min retention check
- AWS > HIPAA > Backup > Backup recovery point manual deletion should be disabled
- AWS > HIPAA > Backup > Backup recovery point should be encrypted
- AWS > HIPAA > CloudFront
- AWS > HIPAA > CloudFront > CloudFront distributions should require encryption in transit
- AWS > HIPAA > CloudTrail
- AWS > HIPAA > CloudTrail > CloudTrail trail log file validation should be enabled
- AWS > HIPAA > CloudTrail > CloudTrail trail logs should be encrypted with KMS CMK
- AWS > HIPAA > CloudTrail > CloudTrail trails should be integrated with CloudWatch logs
- AWS > HIPAA > CloudWatch
- AWS > HIPAA > CloudWatch > CloudWatch alarm action should be enabled
- AWS > HIPAA > CodeBuild
- AWS > HIPAA > CodeBuild > CodeBuild GitHub or Bitbucket source repository URLs should use OAuth
- AWS > HIPAA > CodeBuild > CodeBuild project plaintext environment variables should not contain sensitive AWS values
- AWS > HIPAA > DAX
- AWS > HIPAA > DAX > DynamoDB Accelerator (DAX) clusters should be encrypted at rest
- AWS > HIPAA > DMS
- AWS > HIPAA > DMS > DMS replication instances should not be publicly accessible
- AWS > HIPAA > DynamoDB
- AWS > HIPAA > DynamoDB > DynamoDB table auto scaling should be enabled
- AWS > HIPAA > DynamoDB > DynamoDB table point-in-time recovery should be enabled
- AWS > HIPAA > DynamoDB > DynamoDB table should be encrypted with AWS KMS
- AWS > HIPAA > DynamoDB > DynamoDB table should be protected by backup plan
- AWS > HIPAA > DynamoDB > DynamoDB table should have encryption enabled
- AWS > HIPAA > DynamoDB > DynamoDB tables should be in a backup plan
- AWS > HIPAA > EC2
- AWS > HIPAA > EC2 > Attached EBS volumes should have encryption enabled
- AWS > HIPAA > EC2 > Auto Scaling groups with a load balancer should use health checks
- AWS > HIPAA > EC2 > EBS default encryption should be enabled
- AWS > HIPAA > EC2 > EBS snapshots should not be publicly restorable
- AWS > HIPAA > EC2 > EBS volume encryption at rest should be enabled
- AWS > HIPAA > EC2 > EBS volumes should be in a backup plan
- AWS > HIPAA > EC2 > EBS volumes should be protected by backup plan
- AWS > HIPAA > EC2 > EC2 instance should have EBS optimization enabled
- AWS > HIPAA > EC2 > EC2 instances should be in a VPC
- AWS > HIPAA > EC2 > EC2 instances should be managed by AWS Systems Manager
- AWS > HIPAA > EC2 > EC2 instances should be protected by backup plan
- AWS > HIPAA > EC2 > EC2 instances should not have a public IP address
- AWS > HIPAA > EC2 > EC2 stopped instances should be removed in 30 days
- AWS > HIPAA > EC2 > ELB application and classic load balancer logging should be enabled
- AWS > HIPAA > EC2 > ELB application load balancer deletion protection should be enabled
- AWS > HIPAA > EC2 > ELB application load balancers should drop HTTP headers
- AWS > HIPAA > EC2 > ELB application load balancers should redirect HTTP requests to HTTPS
- AWS > HIPAA > EC2 > ELB classic load balancers should only use SSL or HTTPS listeners
- AWS > HIPAA > EC2 > ELB classic load balancers should use SSL certificates
- AWS > HIPAA > EFS
- AWS > HIPAA > EFS > EFS file system encryption at rest should be enabled
- AWS > HIPAA > EFS > EFS file systems should be in a backup plan
- AWS > HIPAA > EFS > EFS file systems should be protected by backup plan
- AWS > HIPAA > EKS
- AWS > HIPAA > EKS > EKS clusters should be configured to have kubernetes secrets encrypted using KMS
- AWS > HIPAA > ElastiCache
- AWS > HIPAA > ElastiCache > ElastiCache Redis cluster automatic backup should be enabled with retention period of 15 days or greater
- AWS > HIPAA > Elasticsearch
- AWS > HIPAA > Elasticsearch > Elasticsearch domain node-to-node encryption should be enabled
- AWS > HIPAA > Elasticsearch > ES domain encryption at rest should be enabled
- AWS > HIPAA > Elasticsearch > ES domains should be in a VPC
- AWS > HIPAA > EMR
- AWS > HIPAA > EMR > EMR cluster kerberos should be enabled
- AWS > HIPAA > EMR > EMR cluster master nodes should not have public IP addresses
- AWS > HIPAA > FSx
- AWS > HIPAA > FSx > FSx file system should be protected by backup plan
- AWS > HIPAA > GuardDuty
- AWS > HIPAA > GuardDuty > GuardDuty findings should be archived
- AWS > HIPAA > IAM
- AWS > HIPAA > IAM > Ensure IAM password policy requires a minimum length of 14 or greater
- AWS > HIPAA > IAM > IAM groups should have at least one user
- AWS > HIPAA > IAM > IAM password policies for users should have strong configurations
- AWS > HIPAA > IAM > IAM policy should not have statements with admin access
- AWS > HIPAA > IAM > IAM root user MFA should be enabled
- AWS > HIPAA > IAM > IAM root user should not have access keys
- AWS > HIPAA > IAM > IAM user access keys should be rotated at least every 90 days
- AWS > HIPAA > IAM > IAM user credentials that have not been used in 90 days should be disabled
- AWS > HIPAA > IAM > IAM user MFA should be enabled
- AWS > HIPAA > IAM > IAM user should not have any inline or attached policies
- AWS > HIPAA > IAM > IAM users should be in at least one group
- AWS > HIPAA > IAM > IAM users with console access should have MFA enabled
- AWS > HIPAA > IAM > KMS key decryption should be restricted in IAM customer managed policy
- AWS > HIPAA > IAM > KMS key decryption should be restricted in IAM inline policy
- AWS > HIPAA > KMS
- AWS > HIPAA > KMS > KMS CMK rotation should be enabled
- AWS > HIPAA > KMS > KMS keys should not be pending deletion
- AWS > HIPAA > Lambda
- AWS > HIPAA > Lambda > Lambda functions should be configured with a dead-letter queue
- AWS > HIPAA > Lambda > Lambda functions should be in a VPC
- AWS > HIPAA > Lambda > Lambda functions should restrict public access
- AWS > HIPAA > Logs
- AWS > HIPAA > Logs > Log group encryption at rest should be enabled
- AWS > HIPAA > Logs > Log group retention period should be at least 365 days
- AWS > HIPAA > RDS
- AWS > HIPAA > RDS > Database logging should be enabled
- AWS > HIPAA > RDS > RDS Aurora clusters should be protected by backup plan
- AWS > HIPAA > RDS > RDS DB instance backup should be enabled
- AWS > HIPAA > RDS > RDS DB instance encryption at rest should be enabled
- AWS > HIPAA > RDS > RDS DB instance multiple az should be enabled
- AWS > HIPAA > RDS > RDS DB instance should be protected by backup plan
- AWS > HIPAA > RDS > RDS DB instances should be in a backup plan
- AWS > HIPAA > RDS > RDS DB instances should prohibit public access
- AWS > HIPAA > RDS > RDS DB snapshots should be encrypted at rest
- AWS > HIPAA > RDS > RDS snapshots should prohibit public access
- AWS > HIPAA > Redshift
- AWS > HIPAA > Redshift > Amazon Redshift clusters should have automatic snapshots enabled
- AWS > HIPAA > Redshift > Redshift cluster audit logging and encryption should be enabled
- AWS > HIPAA > Redshift > Redshift cluster encryption in transit should be enabled
- AWS > HIPAA > Redshift > Redshift clusters should prohibit public access
- AWS > HIPAA > Region
- AWS > HIPAA > Region > At least one enabled trail should be present in a region
- AWS > HIPAA > Region > AWS Config should be enabled
- AWS > HIPAA > Region > AWS Security Hub should be enabled for an AWS Account
- AWS > HIPAA > Region > GuardDuty should be enabled
- AWS > HIPAA > S3
- AWS > HIPAA > S3 > All S3 buckets should log S3 data events in CloudTrail
- AWS > HIPAA > S3 > S3 bucket cross-region replication should be enabled
- AWS > HIPAA > S3 > S3 bucket default encryption should be enabled
- AWS > HIPAA > S3 > S3 bucket default encryption should be enabled with KMS
- AWS > HIPAA > S3 > S3 bucket logging should be enabled
- AWS > HIPAA > S3 > S3 bucket object lock should be enabled
- AWS > HIPAA > S3 > S3 bucket versioning should be enabled
- AWS > HIPAA > S3 > S3 buckets should enforce SSL
- AWS > HIPAA > S3 > S3 buckets should prohibit public read access
- AWS > HIPAA > S3 > S3 buckets should prohibit public write access
- AWS > HIPAA > S3 > S3 public access should be blocked at account and bucket levels
- AWS > HIPAA > S3 > S3 public access should be blocked at account level
- AWS > HIPAA > SageMaker
- AWS > HIPAA > SageMaker > SageMaker endpoint configuration encryption should be enabled
- AWS > HIPAA > SageMaker > SageMaker notebook instance encryption should be enabled
- AWS > HIPAA > SageMaker > SageMaker notebook instances should not have direct internet access
- AWS > HIPAA > Secrets Manager
- AWS > HIPAA > Secrets Manager > Secrets Manager secrets should have automatic rotation enabled
- AWS > HIPAA > SNS
- AWS > HIPAA > SNS > SNS topics should be encrypted at rest
- AWS > HIPAA > SSM
- AWS > HIPAA > SSM > SSM managed instance associations should be compliant
- AWS > HIPAA > SSM > SSM managed instance patching should be compliant
- AWS > HIPAA > VPC
- AWS > HIPAA > VPC > Both VPN tunnels provided by AWS Site-to-Site VPN should be in UP status
- AWS > HIPAA > VPC > VPC flow logs should be enabled
- AWS > HIPAA > VPC > VPC internet gateways should be attached to authorized vpc
- AWS > HIPAA > VPC > VPC security groups should restrict ingress access on ports 20, 21, 22, 3306, 3389, 4333 from 0.0.0.0/0
- AWS > HIPAA > VPC > VPC security groups should restrict ingress SSH access from 0.0.0.0/0
- AWS > HIPAA > VPC > VPC security groups should restrict ingress TCP and UDP access from 0.0.0.0/0
- AWS > HIPAA > WAFV2
- AWS > HIPAA > WAFV2 > Logging should be enabled on AWS WAFv2 regional and global web access control list (ACLs)