HIPAA Compliance on AWS: Step-by-Step Infrastructure Guide for Engineers

Turn AWS into a HIPAA-ready fortress with these proven cloud engineering best practices.

When it comes to storing or processing healthcare data in the cloud, the stakes are high. HIPAA (the Health Insurance Portability and Accountability Act) is a U.S. law, but its Privacy and Security Rules have become the de facto baseline for handling protected health information (PHI) securely. AWS makes HIPAA compliance possible, but only if you configure it right.

This guide walks you through how to design AWS infrastructure that ticks all the HIPAA boxes while following international best practices (NIST, ISO 27001, HITRUST). We’ll focus on the AWS services most engineers deal with daily (EC2, S3, RDS, IAM, EKS, and VPC) and cover logging, encryption, monitoring, and those pesky “oops, we forgot” items that often slip through the cracks.


Step 1 – Understand the Ground Rules

Before you even spin up an EC2 instance, you need two things in place:

  • Sign a Business Associate Agreement (BAA) with AWS – This is the legal handshake that makes AWS a “business associate” under HIPAA and defines who is responsible for what. You accept it through AWS Artifact (ideally at the organization level so every account is covered). Under the shared responsibility model, AWS secures the infrastructure of the cloud; you secure your workloads in the cloud.

  • Stick to HIPAA-Eligible Services – Only certain AWS services are covered under the BAA (think EC2, S3, RDS, VPC, EKS, and more). If it’s not on the list, don’t put PHI there.

Pro tip: AWS regularly updates the eligible services list, so check it before adding new components.


Step 2 – Encrypt Everything, Everywhere

The HIPAA Security Rule classifies encryption as an “addressable” safeguard, which leaves some wiggle room on paper. In practice there is none: if you’re storing PHI on AWS, encryption at rest and in transit is non-negotiable, and auditors will expect it.

At rest:

  • Turn on encryption for S3 buckets (SSE-KMS), EBS volumes, RDS databases, EFS file systems, and anything else that holds data. Enable EBS encryption by default for each account and region so a new volume can’t be created unencrypted by mistake.

  • Use AWS KMS customer managed keys for key management, enable automatic key rotation, and keep key policies as tight as your IAM policies (a key policy that lets anyone in the account call kms:Decrypt undoes the encryption).

In transit:

  • Use TLS (HTTPS) for all web/API traffic.

  • Enforce TLS for S3 access with a bucket policy that denies every request where aws:SecureTransport is false.

  • For calls to AWS services, use VPC endpoints so traffic stays on the AWS network instead of crossing the public internet. Endpoints are a routing control, not a substitute for TLS; keep HTTPS on.

  • Connect on-prem systems via an IPsec VPN, or over AWS Direct Connect with encryption layered on top (a site-to-site VPN over the Direct Connect link, or MACsec where the location supports it). Direct Connect by itself is a private link, not an encrypted one.

Bonus: Encrypt backups and log files too; they contain PHI just as much as your live data does.


Step 3 – Tighten the Screws on IAM

Access control is where many HIPAA setups fail. Be disciplined here.

  • Least privilege: Give people and services only the permissions they actually need.

  • MFA for everyone with console access, no exceptions. Prefer federated access through IAM Identity Center or your identity provider over long-lived IAM users and access keys.

  • No hardcoded credentials: use IAM roles (instance profiles for EC2, task roles for ECS, IAM roles for service accounts on EKS) and AWS Secrets Manager instead.

  • Audit changes: CloudTrail records every API call, including IAM changes; alert on the ones that matter (policy attachments, new access keys, MFA devices removed, role trust policies edited).

  • Segregate environments: Keep dev/test and production PHI workloads in separate AWS accounts (separate VPCs are the minimum, separate accounts with an Organizations SCP boundary are much stronger).
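The “least privilege” and “MFA for everyone” bullets above are the ones that quietly decay as temporary test policies pile up. The following is an added example, not code from the original post: a small linter that walks an IAM policy document and flags wildcard actions, wildcard resources on non-read-only actions, and Allow statements with no aws:MultiFactorAuthPresent condition. The two policies it checks are constructed for the example; the bucket ARN is a placeholder.

```python
"""Least-privilege linter for IAM policy documents.

Added example (not from the original post). It flags the patterns that
most often hide in "just for testing" roles: wildcard actions, wildcard
resources on write actions, and Allow statements that don't require MFA.
The two sample policies below are constructed for the example.
"""
import json
from typing import Any, Dict, List

# Constructed "just for testing" policy that never got fixed.
OVERLY_BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "TestingAllowAll", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "S3Everything", "Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    ],
})

# Constructed least-privilege policy: read one PHI bucket, only with MFA.
TIGHT_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadPhiBucketWithMfa",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [
                "arn:aws:s3:::example-phi-bucket",      # hypothetical bucket
                "arn:aws:s3:::example-phi-bucket/*",
            ],
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
        }
    ],
})

# Read-only action prefixes for which Resource "*" is normal, because many
# Describe/List calls do not support resource-level permissions.
READ_ONLY_PREFIXES = ("Describe", "List", "Get")


def _as_list(value: Any) -> List[Any]:
    """IAM accepts a string, a dict or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_read_only(action: str) -> bool:
    name = action.split(":", 1)[-1]
    return name.startswith(READ_ONLY_PREFIXES)


def _requires_mfa(statement: Dict[str, Any]) -> bool:
    cond = statement.get("Condition", {}).get("Bool", {})
    return str(cond.get("aws:MultiFactorAuthPresent", "")).lower() == "true"


def lint_policy(document: str, human_principal: bool = True) -> List[str]:
    """Return findings for a policy document (JSON string); an empty list means clean.

    human_principal=True also demands an MFA condition on every Allow statement;
    pass False for service roles, which cannot present MFA.
    """
    policy = json.loads(document)
    findings: List[str] = []
    for i, st in enumerate(_as_list(policy.get("Statement"))):
        if st.get("Effect") != "Allow":
            continue  # Deny statements only tighten access; leave them alone
        sid = st.get("Sid", f"statement[{i}]")
        actions = _as_list(st.get("Action"))
        resources = _as_list(st.get("Resource"))

        if "*" in actions:
            findings.append(f"{sid}: Action '*' grants every API call")
        for a in actions:
            if a != "*" and a.endswith(":*"):
                findings.append(f"{sid}: service-wide wildcard action {a}")
        if "*" in resources and not all(_is_read_only(a) for a in actions):
            findings.append(f"{sid}: Resource '*' on non-read-only actions")
        if human_principal and not _requires_mfa(st):
            findings.append(f"{sid}: no aws:MultiFactorAuthPresent condition")
    return findings


if __name__ == "__main__":
    for name, doc in (("broad", OVERLY_BROAD_POLICY), ("tight", TIGHT_POLICY)):
        print(name, lint_policy(doc) or ["OK"])
```

Run it against every customer managed policy exported from IAM (or wire it into CI for your Terraform/CloudFormation templates) and fail the build on any finding. It is a heuristic, not a substitute for IAM Access Analyzer policy validation, but it catches exactly the “just for testing” wildcards that linger for years.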


Step 4 – Log Everything and Keep It for 6 Years

The HIPAA Security Rule (45 CFR 164.316(b)(2)) requires you to retain required documentation, including records of actions and activities, for six years from creation or from when it was last in effect. Audit logs are widely treated as falling under that requirement, so plan on six years. That’s not a suggestion; it’s the law.

What to do:

  • CloudTrail: Create a multi-region (or organization) trail and log both management and data events. Data events for S3 objects and Lambda invocations cost extra, so scope them to the PHI buckets and functions. Send the trail to an encrypted S3 bucket, preferably in a dedicated log-archive account, and turn on log file validation so tampering is detectable.

  • Retention: Use S3 lifecycle rules to keep logs for 6 years; transition older logs to Glacier or Deep Archive. Make them tamper-proof with S3 Object Lock (WORM). Object Lock needs versioning, and in compliance mode nobody, not even the root user, can shorten the retention period or delete the object until it expires, so pick the period deliberately.

  • VPC Flow Logs: Capture network traffic metadata for sensitive subnets (or the whole VPC) and deliver it to CloudWatch Logs or S3 with the same retention.

  • CloudWatch + GuardDuty: Get real-time alerts on suspicious behavior. Route GuardDuty findings and CloudWatch alarms through EventBridge to an on-call channel so someone actually sees them.

  • AWS Config: Continuously check for misconfigurations like unencrypted storage or public access.
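Logging only helps if something is watching the logs. As an added example (not part of the original post), here is the detection logic behind a few alerts every PHI account should have, run over constructed CloudTrail-style records: a console login without MFA, someone stopping the trail, a KMS key scheduled for deletion, a bucket’s public access block removed, and any use of the root account. Account IDs, ARNs, bucket names and event IDs are placeholders.

```python
"""Detection logic for high-risk CloudTrail events in a PHI account.

Added example (not from the original post): the kind of rules you would
express as CloudWatch Logs metric filters, EventBridge rules or SIEM
searches. The records below are constructed to look like CloudTrail
events; account IDs, ARNs, bucket names and event IDs are placeholders.
"""
from typing import Any, Dict, List, Tuple

# Constructed sample records, trimmed to the fields the rules need.
SAMPLE_RECORDS: List[Dict[str, Any]] = [
    {   # normal, MFA-backed console login
        "eventID": "e1", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
        "additionalEventData": {"MFAUsed": "Yes"},
    },
    {   # console login without MFA
        "eventID": "e2", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
        "userIdentity": {"type": "IAMUser", "userName": "bob"},
        "additionalEventData": {"MFAUsed": "No"},
    },
    {   # someone turned the audit trail off
        "eventID": "e3", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
        "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/Admin/bob"},
        "requestParameters": {"name": "phi-org-trail"},
    },
    {   # the KMS key that encrypts PHI was scheduled for deletion
        "eventID": "e4", "eventSource": "kms.amazonaws.com", "eventName": "ScheduleKeyDeletion",
        "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/Admin/bob"},
        "requestParameters": {"keyId": "arn:aws:kms:us-east-1:123456789012:key/1111-2222", "pendingWindowInDays": 7},
    },
    {   # public-access guard rail removed from a bucket, by root no less
        "eventID": "e5", "eventSource": "s3.amazonaws.com", "eventName": "DeletePublicAccessBlock",
        "userIdentity": {"type": "Root"},
        "requestParameters": {"bucketName": "example-phi-bucket"},
    },
    {   # routine application read; must not alert
        "eventID": "e6", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
        "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/App/i-0abc"},
        "requestParameters": {"bucketName": "example-phi-bucket", "key": "records/42.json"},
    },
]

# (eventSource, eventName) pairs that weaken audit, encryption or public-access controls.
CONTROL_TAMPERING = {
    ("cloudtrail.amazonaws.com", "StopLogging"),
    ("cloudtrail.amazonaws.com", "DeleteTrail"),
    ("cloudtrail.amazonaws.com", "UpdateTrail"),
    ("kms.amazonaws.com", "DisableKey"),
    ("kms.amazonaws.com", "ScheduleKeyDeletion"),
    ("s3.amazonaws.com", "DeletePublicAccessBlock"),
    ("s3.amazonaws.com", "PutBucketAcl"),
    ("s3.amazonaws.com", "DeleteBucketPolicy"),
    ("config.amazonaws.com", "StopConfigurationRecorder"),
    ("guardduty.amazonaws.com", "DeleteDetector"),
}


def evaluate(record: Dict[str, Any]) -> List[str]:
    """Return the names of every rule the record trips (empty list = benign)."""
    hits: List[str] = []
    source, name = record.get("eventSource"), record.get("eventName")
    identity = record.get("userIdentity", {})

    # ConsoleLogin events carry additionalEventData.MFAUsed = "Yes" / "No".
    if name == "ConsoleLogin" and record.get("additionalEventData", {}).get("MFAUsed") != "Yes":
        hits.append("console_login_without_mfa")
    if (source, name) in CONTROL_TAMPERING:
        hits.append("security_control_tampering")
    if identity.get("type") == "Root":
        hits.append("root_account_activity")  # root should be locked away, never used day to day
    return hits


def detect(records: List[Dict[str, Any]]) -> List[Tuple[str, str]]:
    """Run every rule over a batch and return (eventID, rule) alert pairs."""
    return [(r["eventID"], rule) for r in records for rule in evaluate(r)]


if __name__ == "__main__":
    for event_id, rule in detect(SAMPLE_RECORDS):
        print(f"ALERT {rule}: event {event_id}")
```

One caveat when you port this to production: federated logins through an identity provider can report MFAUsed as “No” because the MFA challenge happened at the IdP, so scope the MFA rule to userIdentity.type == "IAMUser" if you use federation, and extend CONTROL_TAMPERING with the services you rely on (Config, Security Hub, your log-archive bucket’s policy).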


Step 5 – Build a Secure Network Foundation

Your VPC is your fortress. Treat it like one.

  • Keep sensitive workloads in private subnets with no direct internet access.

  • Security groups already deny all inbound traffic by default; only add the rules you need, and reference other security groups rather than CIDR ranges where you can.

  • Never allow SSH/RDP from 0.0.0.0/0. Use a bastion host or, better, AWS Systems Manager Session Manager, which needs no inbound ports at all.

  • Use VPC Endpoints for AWS services so PHI traffic never leaves AWS’s network.

  • For hybrid setups, use an encrypted VPN, or Direct Connect with a VPN or MACsec layer on top.
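Two of the bullets above (no SSH/RDP from the internet, no uncontrolled egress) are easy to verify from the VPC Flow Logs you are already collecting. As an added example, not code from the original post, the script below parses default-format flow log lines and flags accepted flows that reach an admin port on the private subnet from outside, or that leave the private subnet for a destination not on an egress allowlist. The subnet CIDR, the allowlist and the log lines are constructed for the example using RFC 5737 documentation addresses.

```python
"""VPC Flow Log triage for a PHI VPC.

Added example (not from the original post). It parses default-format
(version 2) flow log lines and flags two things the text warns about:
admin ports reachable from outside the VPC, and accepted egress from the
private subnet to destinations not on an allowlist. The CIDRs, allowlist
and log lines are constructed for the example (RFC 5737 documentation ranges).
"""
import ipaddress
from typing import Dict, List, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Hypothetical private subnet range for the PHI workloads.
PRIVATE_CIDR = ipaddress.ip_network("10.0.0.0/16")
# Hypothetical approved egress destinations (for example a partner API).
EGRESS_ALLOWLIST = [ipaddress.ip_network("192.0.2.0/24")]
ADMIN_PORTS = {22, 3389}

# Default flow log record format, space separated.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample lines (not real traffic).
SAMPLE_LINES = """\
2 123456789012 eni-0a1b2c3d 10.0.1.15 192.0.2.10 49152 443 6 20 4000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.15 203.0.113.7 49153 443 6 200 800000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.23 10.0.1.15 51000 22 6 5 300 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.23 10.0.1.15 51001 3389 6 5 300 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.15 10.0.2.40 49154 5432 6 50 9000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse_line(line: str) -> Dict[str, str]:
    """Split one default-format record into a field dict."""
    values = line.split()
    if len(values) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(values)}")
    return dict(zip(FIELDS, values))


def _in_allowlist(addr: IPAddress) -> bool:
    return any(addr in net for net in EGRESS_ALLOWLIST)


def triage(lines: str) -> List[Dict[str, str]]:
    """Return one finding dict per suspicious accepted flow, in log order."""
    findings: List[Dict[str, str]] = []
    for raw in lines.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        # NODATA/SKIPDATA rows carry no addresses; REJECT means the SG/NACL did its job.
        if rec["log_status"] != "OK" or rec["action"] != "ACCEPT":
            continue
        src = ipaddress.ip_address(rec["srcaddr"])
        dst = ipaddress.ip_address(rec["dstaddr"])
        dport = int(rec["dstport"])

        # Inbound to the private subnet on an admin port from outside the VPC range.
        if dst in PRIVATE_CIDR and src not in PRIVATE_CIDR and dport in ADMIN_PORTS:
            findings.append({"rule": "admin_port_open_to_internet",
                             "src": str(src), "dst": str(dst), "port": str(dport)})
        # Outbound from the private subnet to anything that is neither in-VPC nor approved.
        # Membership in PRIVATE_CIDR is used deliberately instead of is_private(), which
        # also treats documentation ranges as private.
        if src in PRIVATE_CIDR and dst not in PRIVATE_CIDR and not _in_allowlist(dst):
            findings.append({"rule": "unapproved_egress",
                             "src": str(src), "dst": str(dst), "bytes": rec["bytes"]})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LINES):
        print(finding)
```

Point the same logic at an Athena query or a CloudWatch Logs Insights query over your real flow logs and the 800,000-byte flow to an unlisted address is the kind of thing that should page someone; the rejected RDP attempt is evidence the security group is doing its job.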


Step 6 – Lock Down Your Compute and Containers

For EC2:

  • Private subnets + encrypted EBS volumes by default (turn on EBS encryption by default for the account and region so nobody has to remember).

  • Keep instances patched with Systems Manager Patch Manager, on a schedule you can show an auditor.

  • Require IMDSv2 (set HttpTokens to required on the instance) so a server-side request forgery bug in your app can’t be used to pull the instance role’s credentials from the metadata service.

For EKS:

  • Private subnets for worker nodes.

  • Encrypted storage for all pods that touch PHI (encrypted EBS/EFS volumes), plus envelope encryption of Kubernetes Secrets with a KMS key.

  • Enable control plane logging (audit, api, authenticator at minimum) to CloudWatch Logs.

For Lambda/Fargate/ECS:

  • Use IAM roles with minimal permissions.

  • Keep secrets out of environment variables; fetch them from Secrets Manager or Parameter Store at runtime. If you must use Lambda environment variables for sensitive values, encrypt them with a customer managed KMS key.

  • Keep your container images minimal, vulnerability-scanned (ECR image scanning), and pinned by digest rather than a mutable tag.


Step 7 – Secure Your Storage and Databases

S3:

  • Default encryption (SSE-KMS) on all PHI buckets.

  • Block all public access at the account and bucket level.

  • Enable versioning and server access logging.

  • Require TLS for all access (deny requests where aws:SecureTransport is false).
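The S3 bullets above and the “enforce TLS for S3” point in Step 2 all land in one bucket policy. The following is an added example (not code from the original post): a generator for the three Deny statements a PHI bucket needs (TLS only, SSE-KMS only, one specific key only) together with a deliberately small evaluator for the condition operators those statements use, so you can check offline what a given request would hit. The bucket name and KMS key ARN are placeholders.

```python
"""Bucket policy for a PHI bucket: TLS only, SSE-KMS only, one key only.

Added example (not from the original post). build_phi_bucket_policy()
produces the three Deny statements; denied_by() is a small evaluator for
the condition operators those statements use, so the policy can be
checked offline. Bucket name and KMS key ARN are placeholders.
"""
import json
from typing import Any, Dict, Optional

BUCKET = "example-phi-bucket"  # hypothetical
KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555"  # hypothetical


def build_phi_bucket_policy(bucket: str = BUCKET, key_arn: str = KEY_ARN) -> Dict[str, Any]:
    """Explicit Deny beats any Allow, so these hold even if an IAM policy is too generous."""
    arns = [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # refuse plaintext HTTP for every S3 operation on the bucket
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": arns,
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
            {   # refuse uploads that are not SSE-KMS (SSE-S3/AES256 or no header at all)
                "Sid": "DenyNonKmsUploads",
                "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject", "Resource": arns[1],
                "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}},
            },
            {   # refuse uploads encrypted under any key other than the PHI key
                "Sid": "DenyWrongKmsKey",
                "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject", "Resource": arns[1],
                "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption-aws-kms-key-id": key_arn}},
            },
        ],
    }


def _action_matches(pattern: str, action: str) -> bool:
    """Supports the two forms used above: an exact action and 'service:*'."""
    return pattern == action or (pattern.endswith("*") and action.startswith(pattern[:-1]))


def _condition_matches(cond: Dict[str, Dict[str, str]], ctx: Dict[str, Any]) -> bool:
    """IAM semantics for the operators used here; every block must match.

    Positive operators (Bool, StringEquals) fail when the key is absent from the
    request; the negated StringNotEquals matches when it is absent. That is why a
    PutObject with no encryption header is caught by DenyNonKmsUploads.
    Bool is case-insensitive, the String operators are case-sensitive.
    """
    for operator, pairs in cond.items():
        norm = (lambda v: str(v).lower()) if operator == "Bool" else str
        for key, expected in pairs.items():
            present = key in ctx
            equal = present and norm(ctx[key]) == norm(expected)
            if operator in ("Bool", "StringEquals"):
                if not equal:
                    return False
            elif operator == "StringNotEquals":
                if equal:
                    return False
            else:
                raise ValueError(f"operator {operator} not modelled")
    return True


def denied_by(policy: Dict[str, Any], action: str, ctx: Dict[str, Any]) -> Optional[str]:
    """Return the Sid of the first Deny statement the request matches, or None."""
    for st in policy["Statement"]:
        if st["Effect"] != "Deny":
            continue
        patterns = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if any(_action_matches(p, action) for p in patterns) and _condition_matches(st["Condition"], ctx):
            return st["Sid"]
    return None


if __name__ == "__main__":
    print(json.dumps(build_phi_bucket_policy(), indent=2))
```

Two caveats before you apply it. DenyNonKmsUploads rejects clients that omit the encryption header and rely on the bucket’s default SSE-KMS setting, so keep that statement only if every writer sets the header explicitly; otherwise default encryption plus DenyInsecureTransport is the safer pair. And the evaluator models Deny statements only, so a None result means “not blocked by this bucket policy”, not “allowed”; the caller’s IAM policy and the KMS key policy still have to grant access.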

RDS:

  • Encryption at rest (it can only be set when the instance is created; an unencrypted instance has to be snapshotted, the snapshot copied with encryption, and restored) + TLS for connections, enforced in the parameter group (rds.force_ssl for PostgreSQL, require_secure_transport for MySQL/MariaDB).

  • Multi-AZ for high availability.

  • No public access ever.

  • Enable and retain logs (error, slow query, audit) by exporting them to CloudWatch Logs with the same 6-year retention.

Other storage:

  • EFS with encryption in transit + at rest.

  • DynamoDB with encryption + Point-in-Time Recovery.


Step 8 – Backups and Disaster Recovery

HIPAA expects you to have a plan if things go south.

  • Use AWS Backup to automate and encrypt backups across services.

  • Keep backup copies in a separate region, and ideally in a separate account (AWS Backup supports cross-account vault copies), so a compromise or mistake in the production account can’t take the backups with it.

  • Test restores regularly.

  • Document your incident response and DR plan, and review it often.


Commonly Missed (Overlapping) Guidelines

Even experienced engineers miss these:

  • Forgetting that the retention target is 6 years. The CloudTrail console’s Event history only goes back 90 days, and log groups and buckets keep whatever retention you configured, so nothing reaches 6 years unless a trail to S3 and lifecycle rules are set up deliberately.

  • Not enabling CloudTrail in all regions (use a multi-region or organization trail, not one trail per region).

  • Using HIPAA-eligible services but leaving public access open (e.g., S3 bucket ACLs).

  • Storing PHI backups in non-encrypted buckets.

  • Overly broad IAM policies attached “just for testing” to roles that never get fixed.

  • Neglecting network egress controls: a NAT gateway with no filtering is an exfiltration path. Use VPC endpoints, restrictive route tables, and an egress proxy or firewall for the little internet access PHI workloads genuinely need.


Quick HIPAA-on-AWS Checklist

  • BAA signed with AWS

  • Only HIPAA-eligible services used

  • PHI is encrypted at rest and in transit

  • Least privilege IAM + MFA

  • CloudTrail, Config, GuardDuty enabled

  • Logs stored for 6 years, tamper-proof

  • Private subnets + VPC endpoints for AWS services

  • Public access blocked for all PHI resources

  • Regular backups + DR testing

  • Security policies documented and staff trained

Bottom line:
HIPAA compliance in AWS isn’t about checking boxes; it’s about building a secure, auditable, and resilient environment for healthcare data. If you follow these principles, you’ll not only meet HIPAA requirements but also align with global standards like NIST, ISO 27001, and HITRUST, making your cloud environment defensible in any audit.


EzyInfra.dev – Expert DevOps & Infrastructure consulting! We help you set up, optimize, and manage cloud (AWS, GCP) and Kubernetes infrastructure—efficiently and cost-effectively. Need a strategy? Get a free consultation now!
