Is Amazon IAM HIPAA Eligible?
This cloud service is HIPAA-eligible
Amazon IAM is listed on the AWS HIPAA Eligible Services List. This means that organizations that sign Amazon’s Business Associates Agreement (BAA) and fulfill the AWS shared responsibility model may use IAM to manage AWS services handling protected health information (PHI). IAM is used to manage and secure access to other cloud services and resources.
What is Amazon IAM?
AWS Identity and Access Management (IAM) is Amazon’s offering for managing access to AWS services and resources. IAM is provided as a free feature for AWS cloud accounts. Cloud customers can use AWS IAM to create and manage AWS user accounts, groups, roles, and permissions to allow and deny access to AWS resources. IAM is an important service for managing the AWS account and access across all AWS services.
Amazon IAM Compliance Requirements
IAM itself is not used to store data or protected health information (PHI), but it directly affects access control for AWS services and the entire cloud account. HIPAA has many requirements related to system access. Configuration in AWS IAM can affect access to services across the entire cloud environment, so it is important that teams build intelligent processes for user access, permissions, and recurring reviews.
As part of the organization’s HIPAA security program, security staff should develop a System Access Policy and use IAM to implement the access control safeguards that policy requires.
User Access and Amazon IAM
HIPAA follows the principle of “Granting Least Privilege”, meaning that only necessary staff members should have access to PHI. This principle should be extended to all AWS cloud infrastructure. Organizations should set procedures and restrictions on access to development and production environments, and limit direct access to cloud services containing PHI.
- For IAM, organizations should avoid using the AWS root account and should scope permissions for each type of user. For example, developers should be limited to specific AWS services and have limited actions (e.g., update and delete actions could be disabled).
- Security teams should also secure user accounts and ensure account integrity by requiring strong passwords, enabling multi-factor authentication (MFA), rotating access keys, and removing outdated credentials.
Audit Logging AWS Account Access
HIPAA requires that organizations collect and analyze audit logs related to PHI access. Privileged AWS users can make changes to configuration and data inside AWS cloud services, so it is important to log the actions performed by AWS users. Security teams should use Amazon CloudTrail to log actions and activities performed by account users.
Ongoing Compliance and Amazon IAM
Cloud infrastructure changes often. Organizations create new EC2 instances and S3 buckets and constantly make configuration changes to cloud services. New user credentials are issued to new staff, and staff members may leave the organization. With all of these changes it is important to periodically review system access and IAM settings to ensure that users, groups, and roles do not have too many permissions. Every quarter, security teams should remove unnecessary permissions, remove outdated user access, and address any other security concerns outlined in the System Access Policy.
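As an added example (not from this page or from Dash), the following Python check reads an IAM credential report, the CSV that `aws iam get-credential-report` returns, and flags the account hygiene items discussed above: console users without MFA, access keys that have not been rotated, and root-account keys or recent root sign-ins. The report rows, the account id, the 90-day and 30-day thresholds, and the review date are constructed assumptions for the example.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Assumed review thresholds (not from the page): rotate access keys every
# 90 days, and flag any root sign-in within the last 30 days.
KEY_MAX_AGE = timedelta(days=90)
ROOT_RECENT_USE = timedelta(days=30)

# Constructed sample in the column layout of `aws iam get-credential-report`,
# trimmed to the columns these checks read. The account id is a placeholder.
SAMPLE_REPORT = """\
user,arn,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,not_supported,2024-05-20T09:00:00+00:00,false,true,2023-01-10T00:00:00+00:00,false,N/A
alice,arn:aws:iam::111122223333:user/alice,true,2024-05-21T10:00:00+00:00,true,true,2024-04-01T00:00:00+00:00,false,N/A
bob,arn:aws:iam::111122223333:user/bob,true,2024-05-19T08:00:00+00:00,false,true,2023-11-15T00:00:00+00:00,false,N/A
"""

# Constructed review date so the sample evaluates the same way on every run.
NOW = datetime(2024, 5, 25, tzinfo=timezone.utc)


def parse_ts(value):
    """Parse a report timestamp; N/A, no_information, not_supported -> None."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def audit_credential_report(report_csv, now=NOW):
    """Return (user, finding) pairs for the IAM hygiene issues discussed above."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        keys_active = [n for n in ("1", "2") if row[f"access_key_{n}_active"] == "true"]
        if user == "<root_account>":
            # Root should hold no access keys and should not be used day to day.
            if keys_active:
                findings.append((user, "root account has active access keys"))
            last_used = parse_ts(row["password_last_used"])
            if last_used and now - last_used <= ROOT_RECENT_USE:
                findings.append((user, f"root account used in the last {ROOT_RECENT_USE.days} days"))
            continue
        # Console users need MFA; every active key must have been rotated recently.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console user without MFA"))
        for n in keys_active:
            rotated = parse_ts(row[f"access_key_{n}_last_rotated"])
            if rotated is None or now - rotated > KEY_MAX_AGE:
                findings.append((user, f"access key {n} older than {KEY_MAX_AGE.days} days"))
    return findings
```

Running this against the real report from `aws iam get-credential-report --output text --query Content | base64 -d` gives the quarterly review a concrete starting list of users and keys to remediate.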
Potential Threats to Compliance
- Misconfigured IAM roles can grant too much access to cloud services
- Identities with too many permissions may have access to PHI and sensitive data
- Weak password and account settings could allow unauthorized users to access PHI
- Old IAM users and credentials can expose PHI to unauthorized access
- Old access keys can expose PHI to unauthorized users
- Old IAM roles may provide too many permissions to specific services
Security and HIPAA Compliance Controls
Dash Compliance Automation – IAM Security Controls
164.308(a)(3)(ii)(B) Workforce Clearance Procedure
164.308(a)(3)(ii)(C) Termination Procedures
164.308(a)(4)(ii)(B) Access Authorization
164.308(a)(4)(ii)(C) Access Establishment and Modification
164.312(a)(2)(i) Unique User Identification
164.312(a)(2)(iii) Automatic Logoff
164.312(d) Person or Entity Authentication
Dash Administrative Controls
System Access Policy
Configuration Management Policy
Dash Technical Controls
Password rotation disabled
Password reuse is not disabled
Weak minimum password length
User(s) without multi-factor authentication (MFA)
Lack of access key rotation
Root account has active keys
Root account has been recently used
IAM Role has inline policies
IAM policy allows NotAction
IAM policy passes improper roles
Cross-account role lacks security features