Amazon Redshift

AWS Documentation

Is Amazon Redshift HIPAA Eligible?

This cloud service is HIPAA-eligible

Amazon Redshift is listed on the AWS HIPAA Eligible Services List. This means that organizations that sign AWS’s Business Associate Agreement (BAA) and fulfill their side of the AWS shared responsibility model may use Redshift to store and transmit protected health information (PHI).

What is Amazon Redshift?

Amazon Redshift is Amazon’s managed cloud data warehouse offering. Redshift allows cloud users to manage data and scale out to handle high query concurrency. Redshift can be used to manage and query very large datasets, including exabyte-scale data lakes. Users can connect Redshift to S3 and S3-based data lakes to build robust services and applications. Redshift can be used for Business Intelligence (BI), predictive analytics, and real-time applications. For raw file and data storage, AWS clients may consider Amazon S3 for HIPAA compliant cloud storage or Amazon RDS for a HIPAA compliant database.

Amazon Redshift Compliance Requirements

Amazon Redshift can be used to store production data and protected health information (PHI), but it must be configured to comply with HIPAA regulations and be operated as a HIPAA compliant data store. Organizations must manage permissions and system access, encryption standards, audit logging, and overall service availability. These compliance controls should be built around the organization’s established System Access Policy, Data Integrity Policy, and Auditing Policy.

While Redshift manages many operational concerns of data warehousing and offers many options for security configuration, it is the cloud user’s responsibility to properly configure the HIPAA administrative and technical safeguards.

Encryption and Amazon Redshift

HIPAA requires that organizations implement encryption for PHI. AWS clients that use Redshift with PHI should ensure that Redshift data is encrypted at rest as well as in transit via SSL/TLS. Backups, snapshots, and log data should also be treated as PHI and encrypted. For Redshift, organizations should encrypt all clusters and require an SSL/TLS connection for all queries.

System Access and Amazon Redshift

HIPAA follows the principle of “Least Privilege”, meaning that only staff members who need access to PHI should have it. Organizations should follow this principle when granting users access to Redshift. Only the minimum necessary staff should have access to production Redshift services. Organizations should use separate development and production environments and avoid storing PHI inside development environments.

Availability and Amazon Redshift

HIPAA requires that organizations account for potential service outages so that PHI remains available in case of emergency. This means that organizations should have a disaster recovery policy and a plan for incidents that make Redshift unavailable. Organizations should create backups of Redshift and S3 data in case of data loss or error. Additionally, Redshift services should be configured for high availability across multiple availability zones (AZs) to minimize the impact of a service outage. Organizations may consider creating two or more identical Redshift clusters across multiple AWS availability zones.

Audit Logging and Amazon Redshift

HIPAA requires that organizations collect and analyze audit logs related to PHI access. For Redshift data warehouses containing PHI, organizations must collect access logs. Collecting these logs allows security teams to detect suspicious activity and respond to potential security threats. Audit logging should be governed by an Audit Logging Policy, with logs reviewed periodically to identify compliance issues.

Potential Threats to Compliance

  • Redshift cluster(s) open to the public could allow unauthorized users to access PHI
  • Unencrypted Redshift cluster(s) could expose PHI at rest to unauthorized users
  • Redshift cluster(s) not using SSL/TLS could expose PHI in transit to unauthorized users
  • Redshift cluster(s) without backup processes could lose PHI data


Security and HIPAA Compliance Controls

Dash Compliance Automation – Redshift Security Controls

HIPAA Safeguards

164.308(a)(1)(ii)(B) Risk Management

164.312(c)(1) Integrity

Dash Administrative Controls

System Access Policy

Configuration Management Policy

Dash Technical Controls

  • Redshift Security Group allows all
  • Redshift cluster database encryption disabled
  • Redshift cluster does not allow version upgrade
  • Redshift cluster is publicly accessible
  • Redshift cluster user activity logging disabled
  • Redshift parameter group does not require SSL
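The technical controls listed above can be evaluated from the cluster's own configuration. The following is an added example (not Dash's code) that checks one cluster against those controls; its inputs mirror the response shapes of the boto3 calls describe_clusters, describe_cluster_parameters, describe_logging_status and EC2 describe_security_groups, and the sample data is constructed rather than taken from a real account.

```python
# Added example: evaluate a Redshift cluster against the technical controls listed
# above. The dicts follow the boto3 describe_* response shapes; the sample data is
# constructed (no AWS calls are made here).

def _open_to_world(security_groups):
    """True if any ingress rule on the cluster's security groups allows all sources."""
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
            cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
            if "0.0.0.0/0" in cidrs or "::/0" in cidrs:
                return True
    return False

def redshift_hipaa_findings(cluster, parameters, logging_status, security_groups):
    """Return the failed controls for one cluster; an empty list means all passed."""
    findings = []
    if _open_to_world(security_groups):
        findings.append("Redshift Security Group allows all")
    if not cluster.get("Encrypted"):
        findings.append("Redshift cluster database encryption disabled")
    if not cluster.get("AllowVersionUpgrade"):
        findings.append("Redshift cluster does not allow version upgrade")
    if cluster.get("PubliclyAccessible"):
        findings.append("Redshift cluster is publicly accessible")
    # Parameter values are returned as strings such as "true" / "false".
    params = {p["ParameterName"]: str(p.get("ParameterValue", "")) for p in parameters}
    # User activity logging needs both audit logging on and the parameter enabled.
    if not logging_status.get("LoggingEnabled") or \
            params.get("enable_user_activity_logging", "false").lower() != "true":
        findings.append("Redshift cluster user activity logging disabled")
    if params.get("require_ssl", "false").lower() != "true":
        findings.append("Redshift parameter group does not require SSL")
    return findings

# Constructed sample: an encrypted, private cluster whose parameter group still
# allows plaintext connections and whose security group is open to the world.
SAMPLE_CLUSTER = {"ClusterIdentifier": "phi-warehouse", "Encrypted": True,
                  "PubliclyAccessible": False, "AllowVersionUpgrade": True}
SAMPLE_PARAMETERS = [{"ParameterName": "require_ssl", "ParameterValue": "false"},
                     {"ParameterName": "enable_user_activity_logging", "ParameterValue": "true"}]
SAMPLE_LOGGING = {"LoggingEnabled": True}
SAMPLE_SECURITY_GROUPS = [{"GroupId": "sg-example", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 5439, "ToPort": 5439,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]}]

if __name__ == "__main__":
    for finding in redshift_hipaa_findings(SAMPLE_CLUSTER, SAMPLE_PARAMETERS,
                                           SAMPLE_LOGGING, SAMPLE_SECURITY_GROUPS):
        print("FAIL:", finding)
```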


See how Dash ComplyOps streamlines HIPAA management in AWS.
Configure, monitor, and maintain administrative and technical controls in the cloud.