|   Trend Micro Cloud One™
Open menu

Check for non-compliant HIPAA AWS resources

Cloud Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 500 automated best practice checks.

Last updated: 10 March 2019

Ensure that all the resources created within your AWS account are HIPAA compliant (i.e. are covered in the HIPAA BAA) in order to be able to run HIPAA-regulated workloads on AWS cloud. Health Insurance Portability and Accountability Act (HIPAA) sets the standard for protecting sensitive patient data. HIPAA legislation includes procedures to protect the security and privacy of Protected Health Information (PHI). PHI includes a wide set of personally identifiable health and health-related data, including diagnosis data, clinical care data, lab results such as images and test results, insurance and billing information. The HIPAA security rules apply to covered entities, which include hospitals, medical services providers, employer sponsored health plans, research facilities and insurance companies that manage patient data. Any resource provisioned within your AWS account, designated as a HIPAA account, can be used but you can only process, store and transmit Protected Health Information (PHI) using the HIPAA-eligible services and resources covered under the AWS Business Associate Addendum (BAA).

To qualify as a HIPAA compliant resource, an Amazon Web Services resource must meet the HIPAA requirements for auditing, back-ups and disaster recovery, and must include implementation specifications for the protection and encryption of PHI in transit and at rest. For example, Amazon EC2 resources are HIPAA eligible. You can use EC2 instances to store and analyze Protected Health Information (PHI) and build HIPAA compliant applications. Researchers, healthcare providers, hospital administrators and other users can use Amazon EC2 instances to analyze, visualize or process PHI data in compliance with the HIPAA standard. Cloud Conformity strongly recommends that you process, store and transmit Protected Health Information using only HIPAA eligible services and resources, as defined in the AWS BAA:


AWS Amplify Console

Amazon API Gateway

AWS AppSync

Amazon Athena

Amazon Aurora (MySQL, PostgreSQL)

Amazon Auto Scaling

AWS Batch

AWS Certificate Manager

AWS CloudFormation

Amazon CloudFront (including Lambda@Edge)


AWS CloudTrail

Amazon CloudWatch

Amazon CloudWatch Events

Amazon CloudWatch Logs

AWS CodeBuild

AWS CodeCommit

AWS CodeDeploy

Amazon Cognito

Amazon Comprehend

AWS Config

Amazon Connect

AWS Database Migration Service

AWS DataSync

AWS Direct Connect

AWS Directory Services (excluding Simple AD and AD Connector)

Amazon DynamoDB

Amazon ElastiCache (Redis)

Amazon Elasticsearch Service

AWS Elastic Beanstalk

Amazon EBS

Amazon EC2

Amazon Elastic Container Registry (ECR)

Amazon Elastic Container Service (ECS)

Amazon Elastic Container Service for Kubernetes

Amazon Elastic File System (EFS)

Elastic Load Balancing

Amazon Elastic MapReduce (EMR)

AWS Elemental MediaConnect

AWS Elemental MediaConvert

AWS Elemental MediaLive

AWS Firewall Manager

Amazon FreeRTOS

Amazon FSx

Amazon Glacier

AWS Global Accelerator

AWS GreenGrass

Amazon GuardDuty

Amazon Inspector

AWS IoT (Core and Device Management)

AWS Key Management Service

Amazon Kinesis Analytics

Amazon Kinesis Data Streams

Amazon Kinesis Firehose

Amazon Kinesis Video Streams

AWS Lambda

Amazon Macie

AWS Managed Services

Amazon MQ

AWS OpsWorks

Amazon Polly

Amazon QuickSight

Amazon Rekognition

Amazon Redshift

Amazon RDS (SQL Server, MySQL, Oracle, PostgreSQL and MariaDB database engines)

AWS RoboMaker

Amazon Route 53

Amazon SageMaker (excluding Public Workforce and Vendor Workforce)

AWS Secrets Manager

AWS Security Hub

AWS Service Catalog

AWS Serverless Application Repository

AWS Server Migration Service

AWS Shield

Amazon Simple Notification Service (SNS)

Amazon Simple Queue Service (SQS)

Amazon S3 (including S3 Transfer Acceleration)

Amazon Simple Workflow

AWS Snowball

AWS Snowball Edge

AWS Snowmobile

AWS Step Functions

AWS Storage Gateway

AWS Systems Manager

Amazon Transcribe

AWS Transfer for SFTP

Amazon Translate

Amazon Virtual Private Cloud (VPC)

AWS VM Import/Export

AWS Web Application Firewall (WAF)

Amazon WorkDocs

Amazon WorkSpaces


The most current list of HIPAA-eligible services and resources can be found at this URL. Consult this list before you design, create or upgrade your HIPAA compliant environment within your AWS account. An example of non-compliant HIPAA resource is an Neptune database instance, as Amazon Neptune services and its resources are not HIPAA eligible at this moment. Because these types of resources are not yet compliant (i.e. not HIPAA eligible), your organization can be fined if does makes use of AWS Neptune database instances to process, store or transmit PHI data such as patient identification numbers and demographic information like birth dates, gender, ethnicity, contact and emergency contact information, as well as patient diagnoses, treatment information, medical test results and any prescription information that is considered protected health information under HIPAA. That being said, Cloud Conformity strongly recommends to terminate any non-compliant HIPAA resources (e.g. AWS Neptune database instances) in order to avoid any penalties and fines applied for failing to comply with the HIPAA security rules. To help your organization maintain HIPAA compliance, Cloud Conformity monitors your Amazon Web Services account in real time and sends notification alerts as soon as an AWS resource is created outside the HIPAA standard.

Remediation / Resolution

Amazon Web Services provides all the protections necessary to satisfy the HIPAA security requirements, so you can use AWS cloud services and resources to build applications that store, process and transmit sensitive health-related information, consistent with your organization privacy and security obligations. AWS will also sign a Business Associate Agreement (BAA) with your healthcare organization, which represents a contract that outlines how your company is going to handle the Protected Health Information (PHI), the types of responsibilities that the organization takes on and some of the very specific rules around its obligations with regards to HIPAA standard. All AWS components can be used with a healthcare application, but only services and resources covered by the AWS BAA can be used to store, process and transmit Protected Health Information under HIPAA. That being said, using services and resources that are not included within the AWS BAA will fail to comply with the HIPAA regulations and this can lead to losing the trust of your customers, exposing your healthcare organization to legal actions or get fined for violating HIPAA security rules.


Publication date Dec 14, 2018

Unlock the Remediation Steps

Gain free unlimited access to our full Knowledge Base

Over 600 rules & best practices for and

Get started for FREE

A verification email will be sent to this address
We keep your information private. Learn more.

Thank you!

Please click the link in the confirmation email sent to

You are auditing:

Check for non-compliant HIPAA AWS resources

Risk level: