Is Amazon S3 HIPAA Eligible?
This cloud service is HIPAA-eligible
Amazon S3 is listed on the AWS HIPAA Eligible Services List. This means that organizations that sign Amazon's Business Associate Agreement (BAA) and fulfill their side of the AWS shared responsibility model may use S3 with protected health information (PHI). To use S3 with PHI, you must implement the administrative and technical safeguards that fall on the customer side of that shared responsibility.
Amazon S3 Security
Amazon Simple Storage Service (Amazon S3) is an object storage service that provides on-demand file storage. S3 can be used to store data for a wide range of use cases, such as websites, mobile applications, backup and restore, archival, and enterprise applications. Cloud users pay only for data stored in and transmitted through S3. The service can be used as a storage layer alongside many AWS services and is designed for durability and availability. Amazon S3 makes it easy for organizations to store application data, set security permissions, and handle data archival. Amazon S3 is a reasonable choice for HIPAA-compliant cloud storage. AWS clients may also consider Amazon RDS as a HIPAA-compliant database solution.
Amazon S3 Compliance Requirements
To use Amazon S3 in a HIPAA-compliant manner, organizations must account for all technical safeguards regarding S3 access, data security, and transmission. This means that S3 buckets should be configured to follow the principle of least privilege. Administrative policies must be in place to dictate who can access S3 buckets, how they are deployed, and how they are managed. For S3 buckets containing PHI, access via the AWS console as well as SSH (shell) access should be limited to only the necessary users.
Additionally, customers should not place PHI in bucket names, object names, or metadata, because these fields are not covered by S3 server-side encryption and are generally not encrypted in client-side encryption architectures either.
Encryption and Amazon S3
HIPAA requires that organizations implement "all necessary" security requirements for encrypting PHI at rest and in transit. For Amazon S3, any bucket that will contain protected health information (PHI) must be encrypted; this includes buckets that will contain audit logs connected to PHI. Organizations can use server-side and client-side encryption and several methods of managing keys. Read about Amazon S3 encryption options.
Any external access to S3 should be over an SSL/TLS connection. Connections to Amazon S3 buckets containing PHI must use endpoints that accept encrypted transport (HTTPS). For a list of regional endpoints, see the S3 endpoint documentation.
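One way to make the HTTPS requirement above enforceable rather than advisory is a bucket policy that denies every request arriving without TLS. The block below is an added example (not code from the page or from Dash): it shows such a policy for an assumed placeholder bucket name and a small check that tells whether an arbitrary policy document already contains an equivalent Deny statement.

```python
import json

# Added example, not from the page or from Dash: a bucket policy that denies
# plaintext HTTP requests, plus a check that a policy document contains such
# a statement. BUCKET is an assumed placeholder name.
BUCKET = "example-phi-bucket"

ENFORCE_TLS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyInsecureTransport",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
}

def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def denies_plaintext_transport(policy):
    """True if some Deny statement applies to every principal and every S3
    action on the bucket's objects whenever aws:SecureTransport is false."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Deny":
            continue
        flag = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        if str(flag).lower() != "false":
            continue
        if stmt.get("Principal") not in ("*", {"AWS": "*"}):
            continue
        if not any(a in ("s3:*", "*") for a in _as_list(stmt.get("Action", []))):
            continue
        if any(r == "*" or r.endswith("/*") for r in _as_list(stmt.get("Resource", []))):
            return True
    return False

# Constructed weak policy: grants one role read access but never denies HTTP.
# The account id is the AWS documentation placeholder, not a real account.
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
    "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"}]})
```

The check accepts either a parsed policy or the JSON string returned by a get-bucket-policy call, so it can be run over every PHI bucket in an account as a compliance gate.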
System Access and Amazon S3
HIPAA follows the principle of “Granting Least Privilege”, meaning that only necessary staff members should have access to PHI. Organizations should follow this principle when providing users and services with access to S3. Only the minimal necessary staff should have access to production S3 services. Organizations should use separate development environments and avoid storing PHI inside development environments. It is very easy for S3 buckets to be made publicly available. Organizations must secure S3 buckets and ensure that buckets with PHI are not publicly readable/writable.
Availability and Amazon S3
HIPAA requires that organizations account for potential service outages and ensure PHI remains available in an emergency. This means that organizations should have a disaster recovery policy and a plan for incidents that make S3 unavailable.
Security teams should create backups of S3 data containing PHI or production data. Organizations should enable versioning for S3 buckets. Versioning-enabled buckets let teams recover objects from accidental deletion or overwrite. Teams should consider building S3 Lifecycle policies that archive data in S3 Glacier and similar services to provide further resiliency and mitigate potential service outages.
Potential Threats to Compliance
- S3 Buckets that allow public access may allow unauthorized users to access the bucket's contents and result in a breach.
- S3 Buckets that are “writable” by the public or unrestricted staff may be vulnerable to unauthorized modification or deletion.
- S3 Buckets without proper backup, versioning, or lifecycle policies may be more susceptible to accidental deletion of data and/or PHI.
- S3 Buckets that are unencrypted are vulnerable to third parties and security breaches.
- Unencrypted data that is sent and received from S3 Buckets may be intercepted and result in a breach.
Dash Compliance Automation – S3 Security Controls
HIPAA Safeguards
- 164.312(a)(1) – Access Control
- 164.312(a)(2)(i) – Unique User Identification
- 164.312(b) – Audit Controls
- 164.312(c)(1) – Integrity
- 164.312(c)(2) – Mechanism to Authenticate Electronic Protected Health Information
- 164.312(d) – Person or Entity Authentication
- 164.312(e)(2)(ii) – Encryption
Dash Administrative Controls
- System Access Policy
- Configuration Management Policy
- Auditing Policy
- Data Integrity Policy
Dash Technical Controls
- S3 Bucket versioning disabled
- S3 Bucket default encryption disabled
- S3 Bucket access logging disabled
- S3 Bucket MFA delete disabled
- S3 Bucket world-writable
- S3 Bucket permissions world-writable
- S3 Bucket world-listable (anonymous)
- S3 Bucket permissions world-readable (anonymous)
- S3 Bucket world-writable (anonymous)
- S3 Bucket permissions world-writable (anonymous)
- S3 Bucket world-listable
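The technical controls above, together with the versioning and default-encryption requirements from the earlier sections, can be evaluated offline from a bucket's configuration. The block below is an added example (not Dash's code or the page's): it takes dicts shaped like the boto3 responses of get_bucket_versioning, get_bucket_encryption, get_bucket_logging and get_bucket_acl and returns the controls that fail; it goes slightly beyond the list by also flagging "permissions world-readable" for the AuthenticatedUsers group.

```python
# Added example, not from the page or from Dash: offline audit of one bucket
# against the S3 controls listed above. Inputs use the dict shapes boto3
# returns from get_bucket_versioning/encryption/logging/acl.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

# ACL permission -> (finding for the anonymous group, finding for any AWS account)
_ACL_FINDINGS = {
    "READ": ("world-listable (anonymous)", "world-listable"),
    "WRITE": ("world-writable (anonymous)", "world-writable"),
    "READ_ACP": ("permissions world-readable (anonymous)", "permissions world-readable"),
    "WRITE_ACP": ("permissions world-writable (anonymous)", "permissions world-writable"),
}

def _expand(permission):
    """FULL_CONTROL implies every individual ACL permission."""
    return list(_ACL_FINDINGS) if permission == "FULL_CONTROL" else [permission]

def audit_bucket(versioning, encryption, logging, acl):
    """Return the sorted list of failed controls for one bucket."""
    findings = set()
    if versioning.get("Status") != "Enabled":
        findings.add("versioning disabled")
    if versioning.get("MFADelete") != "Enabled":
        findings.add("MFA delete disabled")
    rules = (encryption or {}).get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not any("ApplyServerSideEncryptionByDefault" in rule for rule in rules):
        findings.add("default encryption disabled")
    if "LoggingEnabled" not in logging:
        findings.add("access logging disabled")
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        column = {ALL_USERS: 0, AUTH_USERS: 1}.get(grantee.get("URI"))
        if grantee.get("Type") != "Group" or column is None:
            continue  # canonical-user and e-mail grantees are not "world"
        for perm in _expand(grant["Permission"]):
            findings.add(_ACL_FINDINGS[perm][column])
    return sorted(findings)

# Constructed sample: versioned, no MFA delete, no default encryption (boto3
# raises ServerSideEncryptionConfigurationNotFoundError, modelled here as
# None), no logging, and an anonymous READ grant that lists the bucket.
SAMPLE = dict(
    versioning={"Status": "Enabled"},
    encryption=None,
    logging={},
    acl={"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]},
)
```

Running audit_bucket(**SAMPLE) yields four findings, which map directly onto the control names a reviewer would expect to see in the compliance report.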