Turbot Controls for HIPAA and PHI


Turbot can automatically ensure compliance to HIPAA (Health Insurance Portability and Accountability Act) Privacy and Security Rules for protecting Protected Health Information (PHI).

Through Turbot Enterprise Guardrails, customers can comply with their AWS Business Associate Addendum (BAA) to use only HIPAA-eligible AWS services and securely process, store, and transmit PHI data. Below are various Turbot feature to support customers ensuring compliance with their HIPAA-eligible workloads.

Whitelist only HIPAA-eligible Services

Turbot offers IAM guardrails to whitelist specific AWS Services, AMIs, RDS Engine Types, etc. When using Turbot’s IAM guardrails, users are prevented from using any services not enabled / whitelisted. These preventative controls will ensure compliance to only using HIPAA-eligible AWS services

As of March 9th, 2017, the following AWS Services are eligible for HIPAA workloads:

  • Amazon API Gateway excluding the use of Amazon API Gateway caching
  • Amazon Aurora
  • Amazon Direct Connect
  • Amazon DynamoDB
  • Amazon Elastic Block Store (Amazon EBS)
  • Amazon Elastic Compute Cloud (Amazon EC2)
  • Elastic Load Balancing (ELB)
  • Amazon Elastic MapReduce (Amazon EMR)
  • Amazon Glacier
  • Amazon Redshift
  • Amazon Relational Database Service (Amazon RDS) for MySQL
  • Amazon RDS for Oracle
  • Amazon RDS for PostgreSQL
  • Amazon Simple Storage Service (Amazon S3)
  • Amazon Snowball

To only allow the above services and RDS engine types to be whitelisted, the following Turbot options can be enabled:

  • AWS > API Gateway > Enabled = “Enabled”
  • AWS > Direct Connect > Enabled = “Enabled”
  • AWS > DynamoDB > Enabled = “Enabled”
  • AWS > EC2 > Enabled = “Enabled” (includes ELB and EBS)
  • AWS > EMR > Enabled = “Enabled”
  • AWS > Glacier > Enabled = “Enabled”
  • AWS > KMS > Enabled = “Enabled”
  • AWS > Redshift > Enabled = “Enabled”
  • AWS > RDS > Enabled = “Enabled”
  • AWS > RDS > Aurora Enabled = “Enabled”
  • AWS > RDS > MySQL Enabled = “Enabled”
  • AWS > RDS > Oracle Enabled = “Enabled”
  • AWS > RDS > Postgres Enabled = “Enabled”
  • AWS > S3 > Enabled = “Enabled”
  • AWS > Snowball > Enabled = “Enabled”

All other services can be set to disabled to ensure no use of non-HIPAA supported services are used.

Enforce Encryption Standards

Turbot offers Encryption at Rest and Encryption in Transit guardrails that can be enforced across various HIPAA-eligible AWS services. To enforce various encryption guardrails, the following Turbot options can be enabled:

  • EC2 > Encryption at Rest = “Check: KMS encryption required”
  • AWS > RDS > Encryption at Rest = “AWS KMS” or “KMS” (AWS KMS = default AWS RDS KMS key, KMS = customer defined KMS key)
  • Redshift > Encryption at Rest = “AWS KMS” or “KMS” (AWS KMS = default AWS RDS KMS key, KMS = customer defined KMS key). Note: Redshift encryption degrades performance by 20-40%.
  • Redshift > Encryption in Transit = “Enabled”
  • S3 > Encryption at Rest = “AWS SSE” or “AWS KMS” (AWS SSE = AWS Server Side Encryption, AWS KMS = AWS Server Side Encryption or default AWS S3 KMS key or customer defined KMS key will be allowed)
  • S3 > Encryption in Transit = “Enabled”

Enforce Dedicated Instances

To ensure tenancy compliance of HIPAA Privacy and Security Rules for protecting PHI, Turbot can enforce that only dedicated hardware is used for any applicable VPC services (e.g. EC2, RDS, etc.) when provisioned in a HIPAA applicable account / VPC. To enforce dedicated instances in the applicable VPC(s), Cluster Level Turbot/Admins can set the following VPC configuration in the Turbot Admin Networks page: Instance Tenancy in VPC = “Allow dedicated instances only”

Audit Trail

Turbot provides full transparency of configuration history of all AWS and Turbot configurations and events.

Turbot’s Central Log Management capabilities aggregates all AWS and Turbot activity logs to regional logging buckets per account.

Users can view log details through raw logs located in S3, and through the Turbot Console can view current and prior event history per various levels of the resource hierarchy.

To ensure Turbot is logging and capturing various events, the following options can be enabled:

  • Config > Configuration Recording = “Enforce: Enabled to Turbot logs”
  • Events > Notify Turbot of API Events = “Enabled”
  • Events > Notify Turbot of Console Events = “Enabled”
  • AWS > RDS > Audit Logging = “Enabled”
  • Redshift > Audit Logging = “Enabled”
  • S3 > Access Logging = “Enforce: Enabled to Turbot logs”

Backup / Snapshot Automation

Turbot provides operational guardrails to ensure appropriate backups / snapshots are occurring on a periodic basis. Turbot helps enforce backups and retain backups per customer retention periods. The following Turbot options can be enabled to enforce backups/snapshots:

  • EC2 > Snapshot Period Hours (How often Turbot snapshots EBS volumes)
  • EC2 > Snapshot Retention Days (How many days does Turbot retain snapshots)
  • AWS > RDS > Snapshot Period Days (How many days does Turbot create secondary manual backups to protect against accidental automated snapshot deletion)
  • AWS > RDS > Snapshot Retention Days (How many days to retain snapshots)
  • Redshift > Backup Retention Period (How many days to retain snapshots)
Was this article helpful?
0 out of 0 found this helpful