Amazon Lambda

AWS Documentation

Is AWS Lambda HIPAA Eligible?

This cloud service is HIPAA-eligible

Amazon Lambda is listed on the AWS HIPAA Eligible Services List. This means that organizations that sign Amazon’s Business Associates Agreement (BAA) and fulfill the AWS shared responsibility model may use Lambda with protected health information (PHI). In order to utilize Lambda, you must implement administrative and technical requirements of shared responsibilities.

What is AWS Lambda?

AWS Lambda is a serverless computing platform provided by Amazon Web Services. It is an event-driven computing service that runs code in response to events. As a serverless offering, Lambda requires no server configuration and automatically scales. Lambda can be used for virtually any application or backend service, with little administration. Cloud users only pay when code in Lambda is running. Users can configure Lambda code to be automatically triggered from other AWS services or called from applications.

AWS Lambda Compliance Requirements

AWS Lambda can be utilized for creating HIPAA compliant serverless applications. In order to utilize AWS Lambda in a HIPAA compliant manner, organizations must account for all technical safeguards regarded Lambda access, data storage, transmission. AWS Lambda is based on a fleet of highly available Amazon EC2 instances which addresses many security protects. Cloud users must still manage how Lambda interacts with other AWS services and protected health information (PHI). Administrative policies should be in place to dictate who can access Lambda services and how they are updated. Access to Lambda procedures that utilize PHI should be limited to only necessary users.

Encryption and AWS Lambda

HIPAA requires that organization implement “all necessary” security requirements for encrypting PHI at-rest and in-transit. To ensure that PHI remains encrypted while using AWS Lambda, connections to external resources should use an encrypted protocol such as HTTPS or SSL/TLS.

  • Use SSL/TLS when connecting to other AWS services. For example, when S3 is accessed from a Lambda procedure, it should be addressed with https://bucket.s3-aws-region.amazonaws.com.
  • If any PHI is placed at rest or idled within a running procedure, it should be encrypted client-side or server-side with keys obtained from AWS KMS or AWS CloudHSM.

Audit Logging and AWS Lambda

HIPAA requires that organizations collect and analyze audit logs related to PHI access. For Lambda protocols, cloud customers should generate logs about access to PHI. Collecting logs allows security teams the ability to detect suspicious activity and respond to potential security threats. Audit logging should be dictated alongside an Audit Logging Policy, with logs being reviewed periodically to analyze compliance issues.

  • Security teams should collect key Lambda logs using Cloudwatch or an appropriate 3rd party solution.
  • Audit logs should be reviewed quarterly to analyze suspicious activity.

Potential Threats to Compliance

  • AWS Lambda connections to unencrypted (non-SSL/TLS) services could lead to PHI being leaked.
  • Event data that is used with Lambda and contains PHI could be accessed by unauthorized users.
  • Security and compliance controls for AWS services connected to Lambda (S3, RDS, etc) must be implemented in-order to build a HIPAA compliant solution. Technical safeguards such as encryption, audit logging, and backup and disaster recovery must be addressed.

Security and HIPAA Compliance Controls

 

Dash Compliance Automation – Lambda Security Controls

HIPAA Safeguards

164.308(a)(5)(ii)(B) – Protection from Malicious Software

164.312(a)(2)(iv) – Encryption and Decryption

164.312(b) – Audit Controls

164.312(c)(1) – Integrity

Dash Administrative Controls

System Access Policy

Configuration Management Policy

Auditing Policy

Dash Technical Controls

S3 Bucket: Access Logging Disabled

S3 Bucket: Default Encryption Disabled

Security Group: All ports open to all

Security Group: Unrestricted network traffic within security group

Security Group: DB ports open to all

Security Group: Large port range(s) open to all

EBS volume is unencrypted

VPC Flow Logs are not enabled

VPC Network ACLs allow all egress

VPC Network ACLs allow all ingress

dash complyops hipaa

See how Dash ComplyOps streamlines HIPAA management in AWS.
Configure, monitor, and maintain administrative and technical controls in the cloud.