CloudWiki

The Health Information Trust Alliance (HITRUST) is a certifiable and widely recommended framework that aims to help organizations from all sectors, especially healthcare, manage data, information risk, and compliance effectively. HITRUST certification enables vendors and covered entities to demonstrate compliance with HIPAA requirements based on a standardized framework. HITRUST created and maintains the Common Security Framework (CSF), a certifiable framework that helps healthcare organizations and their providers demonstrate their security and compliance in a consistent and streamlined manner.

Compliance checks for Amazon Web Services

Severity  Check
--------  -----
Warning   Ensure Kinesis Data Stream encryption is enabled
Critical  IAM Role with Admin access (*:*)
Critical  IAM User with Admin access (*:*)
Critical  IAM user can execute a Privilege Escalation by using inline PassRole
Info      EC2 large instance create alarm
Info      Ensure IAM password policy has expiration period
Info      Internet Gateway (IGW) changes alarm
Info      Ensure RDS instances have Performance Insights feature enabled
Info      Ensure EKS Private access is enabled
Warning   Ensure RDS instances have Multi-AZ disabled in dev environments
Critical  Ensure there is no unrestricted inbound access to TCP port 22 (SSH)
Critical  Ensure there is no unrestricted inbound access to TCP port 6379 (Redis)
Info      Route Table changes alarm
Info      IAM Policy changes alarm
Info      S3 Bucket changes alarm
Info      Security Group (SG) changes alarm
Info      Network ACL (NACL) changes alarm
Info      NAT Gateway changes alarm
Info      VPC changes alarm
Critical  IAM Role with inline Admin access (*:*)
Critical  IAM user can execute a Privilege Escalation by using AttachUserPolicy
Critical  Ensure EBS snapshots are not publicly accessible
Warning   Ensure EBS snapshots are encrypted
Warning   Ensure EMR clusters are encrypted in-transit and at-rest
Info      Ensure DynamoDB Tables are encrypted with customer managed key
Critical  Ensure IAM password policy expires passwords within 90 days or less
Warning   Ensure IAM password policy requires minimum length of 14 or greater
Warning   Ensure IAM password policy requires at least one symbol
Warning   Ensure IAM password policy requires at least one uppercase letter
Warning   Ensure IAM password policy requires at least one number
Warning   Ensure IAM password policy requires at least one lowercase letter
Warning   Ensure IAM password policy prevents password reuse
Critical  EC2 with Admin access (*:*)
Info      Ensure RDS is not using the default port 1433
Warning   Ensure SNS is not publicly accessible
Warning   Ensure SQS is not publicly accessible
Warning   Ensure security groups do not have ingress open to any (0.0.0.0/0)
Warning   Ensure that EKS security groups are configured to allow incoming traffic only on TCP port 443
Warning   Ensure that S3 Buckets are configured with "Block public access"
Warning   Ensure Kubernetes API servers are not publicly accessible
Critical  Ensure Lambda functions prohibit public access
Info      Lambda functions should be in a VPC
Warning   Ensure AWS EKS cluster has secrets encryption enabled
Warning   Ensure RDS database instances are not publicly accessible
Warning   Ensure VPC flow logging is enabled in all VPCs
Warning   Ensure OpenSearch domains are configured to enforce HTTPS connections
Warning   Ensure OpenSearch data at rest encryption is enabled
Warning   IAM Group inline policy is over permissive
Warning   Ensure MSK (Kafka) clusters have encryption in transit enabled between clients and brokers using TLS
Warning   Ensure MSK (Kafka) clusters have encryption in transit enabled between brokers within a cluster
Warning   Ensure CloudFront distributions enforce HTTPS protocol for data in-transit
Critical  Ensure ElastiCache Redis clusters are encrypted in-transit
Critical  Ensure ElastiCache Redis clusters are encrypted at-rest
Warning   Ensure EC2 instances use Instance Metadata Service Version 2 (IMDSv2)
Warning   DynamoDB tables not in use
Warning   Ensure that CloudFront distribution is not using insecure SSL protocols
Warning   VPC endpoint is publicly accessible
Info      Ensure RDS MySQL and PostgreSQL database instances have Performance Insights feature enabled
Warning   Ensure EBS volumes are encrypted
Critical  Ensure the S3 bucket for CloudTrail logs is not publicly accessible
Warning   Ensure EKS Public access is disabled
Warning   Ensure SQS encryption is enabled
Warning   Ensure SNS encryption is enabled
Warning   Ensure S3 buckets have server access logging enabled to track access requests
Warning   Ensure data stored in the S3 bucket is securely encrypted at rest
Warning   Ensure CloudFront web distributions enforce field-level encryption
Warning   Ensure RDS Instances have IAM Database Authentication enabled
Warning   Ensure DynamoDB tables have point in time recovery enabled
Warning   Ensure RDS instances are configured with Auto Minor Version Upgrade
Warning   Ensure RDS instances have Multi-AZ enabled in Production
Info      Ensure RDS is not using the default port 3306
Info      Ensure RDS is not using the default port 1521
Info      Ensure RDS is not using the default port 5432
Critical  Ensure RDS database instances have storage encryption enabled
Warning   Ensure RDS database instances have Deletion Protection enabled
Info      Ensure RDS database instances have Copy Tags to Snapshots enabled