CloudWiki
Compliance

HITRUST

resize
Visit website

The Health Information Trust Alliance (HITRUST) is a certifiable and recommended framework that aims to help organizations from all sectors–but especially healthcare–effectively to manage data, information risk, and compliance. HITRUST certification enables vendors and covered entities to demonstrate compliance to HIPAA requirements based on a standardized framework. HITRUST created and maintains the Common Security Framework (CSF), a certifiable framework to help healthcare organizations and their providers demonstrate their security and compliance in a consistent and streamlined manner.

Compliance checks for Amazon Web Services

Low
Ensure Amazon MQ brokers Log Exports feature is enabled
APRA
CSA CCM
GDPR
HITRUST
ISO 27001
Low
Ensure Amazon MQ brokers are using the latest engine version
APRA
HITRUST
MAS
PCI-DSS
Medium
Ensure Amazon MQ brokers are not publicly accessible
APRA
CCPA
CIS 8
GDPR
HIPAA
Medium
Ensure Amazon MQ brokers Auto Minor Version Upgrade feature is enabled
APRA
CCPA
HITRUST
ISO 27001
MAS
Critical
Ensure Amazon MQ brokers are not publicly accessible
APRA
CCPA
CIS 8
GDPR
HIPAA
Low
Ensure Redshift clusters are not using default endpoint port
APRA
CCPA
GDPR
HITRUST
ISO 27001
Low
Ensure Redshift clusters automated snapshot retention period is enabled
CCPA
CIS 8
CSA CCM
GDPR
HITRUST
Low
Ensure Redshift clusters are using a custom master user name instead of the default master user name
APRA
CCPA
CIS 8
GDPR
HITRUST
Medium
Ensure Redshift clusters are provisioned within a VPC
APRA
CCPA
GDPR
HIPAA
HITRUST
Medium
Ensure Redshift clusters Deferred Maintenance feature is enabled
CCPA
GDPR
HITRUST
ISO 27001
NIST4
High
Ensure Redshift clusters are not publicly accessible
APRA
GDPR
HIPAA
MAS
NIST4
Critical
Ensure Redshift is not accessible via Internet
CCPA
GDPR
HITRUST
ISO 27001
NIST 800-53
Low
CloudTrail changes alarm
CIS
CISAWSF
APRA
MAS
NIST4
High
Ensure CloudTrail trails have multi-region enabled
APRA
MAS
CISAWSF
PCI-DSS
HIPAA
Critical
Ensure DocumentDB database instances have storage encryption enabled
GDPR
NIST4
NIST 800-53
HIPAA
MAS
Critical
Ensure access keys are rotated every 90 days or less
CIS
APRA
MAS
NIST4
NIST 800-53
Medium
Ensure Kinesis Data Stream encryption is enabled
APRA
AWS Well-Architected Framework
GDPR
HIPAA
MAS
Critical
IAM User with Admin access (*:*)
SOC2
CIS
CIS 8
NIST 800-53
CSA CCM
Critical
IAM user can execute a Privilege Escalation by using inline PassRole
CIS 8
NIST 800-53
CSA CCM
HITRUST
GDPR
Low
EC2 large instance create alarm
PCI-DSS
APRA
MAS
NIST4
AWS Well-Architected Framework
Low
Ensure IAM password policy has expiration period
CIS 8
NIST 800-53
GDPR
HITRUST
CSA CCM
Low
Internet Gateway (IGW) changes alarm
CIS
CISAWSF
PCI-DSS
APRA
MAS
Low
Ensure RDS instances have Performance Insights feature enabled
HITRUST
NIST 800-53
GDPR
CSA CCM
Low
Ensure EKS Private access is enabled
APRA
CIS
CISAWSF
CIS EKS
GDPR
Medium
Ensure RDS instances have Multi-AZ disabled in dev environments
SOC2
NIST4
NIST 800-53
HITRUST
GDPR
Critical
Ensure there is no unrestricted inbound access to TCP port 22 (SSH)
ISO 27001
PCI-DSS
HITRUST
NIST 800-53
CIS
Critical
Ensure there is no unrestricted inbound access to TCP port 6379 (Redis)
AWS Well-Architected Framework
CSA CCM
HITRUST
NIST 800-53
CIS 8
Low
Route Table changes alarm
CIS
CISAWSF
PCI-DSS
APRA
MAS
Low
IAM Policy changes alarm
CIS
CISAWSF
PCI-DSS
APRA
MAS
Low
S3 Bucket changes alarm
CIS
CISAWSF
PCI-DSS
APRA
MAS
Low
Security Group (SG) changes alarm
CIS
CISAWSF
PCI-DSS
APRA
MAS
Low
Network ACL (NACL) changes alarm
CIS
CIS 8
GDPR
CSA CCM
HITRUST
Low
NAT Gateway changes alarm
CIS
CISAWSF
PCI-DSS
APRA
MAS
Low
VPC changes alarm
CIS
CISAWSF
PCI-DSS
APRA
MAS
Critical
IAM Role with inline Admin access (*:*)
CIS
CISAWSF
APRA
AWS Well-Architected Framework
NIST 800-53
Critical
IAM user can execute a Privilege Escalation by using AttachUserPolicy
CIS 8
NIST 800-53
GDPR
HITRUST
CSA CCM
Critical
Ensure EBS snapshots are not publicly accessible
GDPR
NIST4
PCI-DSS
AWS Well-Architected Framework
HITRUST
Medium
Ensure EBS snapshots are encrypted
PCI-DSS
GDPR
HIPAA
NIST4
HITRUST
Medium
Ensure EMR clusters are encrypted in-transit and at-rest
APRA
AWS Well-Architected Framework
GDPR
HIPAA
MAS
Low
Ensure DynamoDB Tables are encrypted with customer managed key
APRA
AWS Well-Architected Framework
GDPR
NIST4
HITRUST
Critical
Ensure IAM password policy expires passwords within 90 days or less
ISO 27001
CSA CCM
SOC2
PCI-DSS
APRA
Medium
Ensure IAM password policy requires minimum length of 14 or greater
CISAWSF
SOC2
PCI-DSS
GDPR
HIPAA
Medium
Ensure IAM password policy require at least one symbol
APRA
AWS Well-Architected Framework
CISAWSF
PCI-DSS
GDPR
Medium
Ensure IAM password policy requires at least one uppercase letter
APRA
AWS Well-Architected Framework
CISAWSF
PCI-DSS
HIPAA
Medium
Ensure IAM password policy require at least one number
APRA
AWS Well-Architected Framework
CISAWSF
PCI-DSS
GDPR
Medium
Ensure IAM password policy require at least one lowercase letter
APRA
AWS Well-Architected Framework
CISAWSF
PCI-DSS
ISO 27001
Medium
Ensure IAM password policy prevents password reuse
CIS
ISO 27001
SOC2
GDPR
PCI-DSS
Critical
IAM Role with Admin access (*:*)
CISAWSF
APRA
MAS
NIST4
AWS Well-Architected Framework
Critical
EC2 with Admin access (*:*)
CIS
GDPR
HITRUST
NIST 800-53
ISO 27701
Low
Ensure RDS is not using the default port 1433
APRA
AWS Well-Architected Framework
NIST4
PCI-DSS
NIST 800-53
Critical
IAM User with Admin access (*:*)
SOC2
CIS
CIS 8
NIST 800-53
CSA CCM
Medium
Ensure SNS is not publicly accessible
HITRUST
ISO 27701
GDPR
Medium
Ensure SQS is not publicly accessible
HITRUST
GDPR
ISO 27701
Medium
Ensure security groups do not have ingress open to any (0.0.0.0/0)
CIS
PCI-DSS
APRA
MAS
NIST4
Medium
Ensure security groups do not have all ports open
APRA
AWS Foundational Security Best Practices Controls
AWS Well-Architected Framework
HIPAA
HITRUST
Medium
Ensure that EKS security groups are configured to allow incoming traffic only on TCP port 443
NIST 800-53
CSA CCM
HITRUST
Medium
Ensure that S3 Buckets are configured with "Block public access"
GDPR
ISO 27001
PCI-DSS
SOC2
HITRUST
Medium
Ensure Kubernetes API servers are not publicly accessible
CIS EKS
HITRUST
GDPR
ISO 27701
Critical
Ensure Lambda functions prohibit public access
PCI-DSS
HITRUST
ISO 27701
AWS Foundational Security Best Practices Controls
Low
Lambda functions should be in a VPC
PCI-DSS
CIS 8
NIST 800-53
HITRUST
Medium
Ensure AWS EKS cluster has secrets encryption enabled
CIS
CISAWSF
CIS EKS
HITRUST
NIST 800-53
Medium
Ensure RDS database instances are not publicly accessible
NIST 800-53
HITRUST
GDPR
CSA CCM
ISO 27701
Medium
Ensure VPC flow logging is enabled in all VPCs
CIS
SOC2
GDPR
ISO 27001
PCI-DSS
Medium
Ensure OpenSearch domains are configured to enforce HTTPS connections
NIST 800-53
HITRUST
GDPR
AWS Foundational Security Best Practices Controls
Medium
Ensure OpenSearch data at rest encryption is enabled
AWS Foundational Security Best Practices Controls
PCI-DSS
CIS 8
NIST 800-53
CSA CCM
Medium
IAM Group inline policy is over permissive
PCI-DSS
FTR
CIS 8
NIST 800-53
HITRUST
Medium
Ensure MSK (Kafka) clusters have encryption in transit enabled between clients and brokers using TLS
CIS 8
NIST 800-53
CSA CCM
HITRUST
GDPR
Medium
Ensure MSK (Kafka) clusters have encryption in transit enabled between brokers within a cluster
CIS 8
NIST 800-53
CSA CCM
HITRUST
GDPR
Medium
Ensure CloudFront distribution enforce HTTPS protocol for data in-transit
AWS Well-Architected Framework
HIPAA
NIST4
PCI-DSS
CIS 8
Critical
Ensure ElastiCache Redis clusters are encrypted in-transit
HIPAA
GDPR
HITRUST
NIST 800-53
APRA
Critical
Ensure ElastiCache Redis clusters are encrypted at-rest
HIPAA
GDPR
NIST4
APRA
HITRUST
Medium
Ensure EC2 instances use Instance Metadata Service Version 2 (IMDSv2)
AWS Foundational Security Best Practices Controls
NIST 800-53
HITRUST
Medium
DynamoDB tables not in use
AWS Well-Architected Framework
CIS 8
HITRUST
GDPR
Medium
Ensure that Cloudfront distribution is not using insecure SSL protocols
APRA
HIPAA
MAS
NIST4
PCI-DSS
Medium
VPC endpoint is publicly accessible
APRA
AWS Well-Architected Framework
GDPR
MAS
NIST4
Low
Ensure RDS MySQL and PostgreSQL database instances have Performance Insights feature enabled
AWS Well-Architected Framework
HITRUST
NIST 800-53
Medium
Ensure OpenSearch domains are in a VPC
APRA
AWS Foundational Security Best Practices Controls
AWS Well-Architected Framework
PCI-DSS
GDPR
Medium
Ensure EBS volumes are encrypted
APRA
MAS
NIST4
CIS
ISO 27001
Critical
Ensure the S3 bucket for CloudTrail logs is not publicly accessible
CIS
HIPAA
GDPR
APRA
MAS
Medium
Ensure EKS Public access is disabled
APRA
CIS
CISAWSF
CIS EKS
GDPR
Medium
Ensure SQS encryption is enabled
APRA
AWS Well-Architected Framework
PCI-DSS
GDPR
HIPAA
Medium
Ensure SNS encryption is enabled
APRA
AWS Well-Architected Framework
GDPR
HIPAA
MAS
Medium
Ensure S3 buckets have server access logging enabled to track access requests
GDPR
PCI-DSS
APRA
MAS
NIST4
Medium
Ensure data stored in the S3 bucket is securely encrypted at rest
CIS
SOC2
PCI-DSS
GDPR
APRA
Medium
Ensure CloudFront web distributions enforce field-level encryption
APRA
AWS Well-Architected Framework
GDPR
HIPAA
NIST4
Medium
Ensure RDS Instances have IAM Database Authentication enabled
APRA
AWS Foundational Security Best Practices Controls
AWS Well-Architected Framework
HITRUST
MAS
Medium
Ensure DynamoDB tables have point in time recovery enabled
SOC2
GDPR
HITRUST
NIST 800-53
NIST4
Medium
Ensure RDS instances are configured with Auto Minor Version Upgrade
AWS Foundational Security Best Practices Controls
SOC2
HITRUST
NIST 800-53
GDPR
Medium
Ensure RDS instances have Multi-AZ enabled in Production
SOC2
NIST4
NIST 800-53
HITRUST
GDPR
Low
Ensure RDS is not using the default port 3306
APRA
AWS Well-Architected Framework
NIST4
PCI-DSS
NIST 800-53
Low
Ensure RDS is not using the default port 1521
APRA
AWS Well-Architected Framework
NIST4
PCI-DSS
NIST 800-53
Low
Ensure RDS is not using the default port 5432
APRA
AWS Well-Architected Framework
NIST4
PCI-DSS
NIST 800-53
Critical
Ensure RDS database instances have storage encryption enabled
GDPR
NIST4
HIPAA
MAS
PCI-DSS
Low
Ensure RDS database instances have Copy Tags to Snapshots enabled
APRA
AWS Well-Architected Framework
MAS
CIS 8
NIST 800-53
Medium
Ensure RDS database instances have Deletion Protection enabled
NIST4
NIST 800-53
HITRUST
GDPR
AWS Foundational Security Best Practices Controls
All Compliances
APRA
AWS Foundational Security Best Practices Controls
AWS Well-Architected Framework
CCPA
CIS
CIS 8
CIS EKS
CISAWSF
CSA CCM
FTR
FedRAMP
GDPR
HIPAA
HITRUST
ISO 27001
ISO 27701
MAS
NIST 800-53
NIST4
PCI-DSS
SOC2