
Add HIPAA compliance checks #227

Closed
hhh0505 opened this issue Jul 23, 2018 · 4 comments
@hhh0505

hhh0505 commented Jul 23, 2018

any plan to add this?

@toniblyx
Member

Hi @hhh0505, do you have a sample set of checks that might be suitable for HIPAA compliance in AWS? Some might be part of the existing checks and probably some new check points.

@crashGoBoom
Contributor

crashGoBoom commented Oct 2, 2018

Adding HIPAA checks is no small task and I don't believe checks for full compliance will be possible as it depends much upon how each user/application handles PHI. But a good start would be checking for encryption at rest and in transit for the major services.

That being said, here is a quick placeholder of needed/desired HIPAA checks. I will try to update this periodically. @toniblyx This is just a start but...feel free to shoot all this down if it starts adding too many checks 😄

Account Security

  • MFA Enabled - check12, check113
  • Account Root User Credentials Protection - check112, check113

VPC Security

  • VPC Flow Logging Used - check29
  • VPC Flow Logs are Encrypted - Needs check
  • Enable ELB Logging - Needs check extra739

EC2 Security

  • Encrypted EBS Volumes - extra729
  • Encrypted EBS Snapshots - extra740
  • Ensure EC2 Instances are launched in a VPC - (No longer need, only for pretty old accounts)

S3 Security

  • Bucket Policy, Enforce Encryption and Filter by source-ip. - extra734
  • IAM Roles, Enforce permissions - check38, extra73
  • Monitoring, Access Logs - check23, check26, check27, extra718, extra725

RDS Security

  • Encrypted RDS - extra735
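As an added illustration of the encryption-at-rest items in the list above (this is not code from Prowler or from anyone in this thread), a small Python audit over the response shapes that boto3 returns for ec2.describe_volumes, ec2.describe_snapshots and rds.describe_db_instances. The findings keys reuse the extra729/extra740/extra735 labels from the list only as hypothetical names, and the sample responses are constructed, not real account data.

```python
# Offline-testable checks in the boto3 response shapes; pagination omitted.
def unencrypted_ebs_volumes(resp):
    """IDs of EBS volumes not encrypted at rest (ec2.describe_volumes shape)."""
    return sorted(v["VolumeId"] for v in resp.get("Volumes", [])
                  if not v.get("Encrypted", False))

def unencrypted_ebs_snapshots(resp):
    """IDs of EBS snapshots not encrypted (ec2.describe_snapshots shape)."""
    return sorted(s["SnapshotId"] for s in resp.get("Snapshots", [])
                  if not s.get("Encrypted", False))

def unencrypted_rds_instances(resp):
    """RDS instances without StorageEncrypted (rds.describe_db_instances shape)."""
    return sorted(d["DBInstanceIdentifier"] for d in resp.get("DBInstances", [])
                  if not d.get("StorageEncrypted", False))

def audit(volumes, snapshots, db_instances):
    """One findings dict keyed by hypothetical check labels; empty list = PASS."""
    return {
        "extra729_unencrypted_ebs_volumes": unencrypted_ebs_volumes(volumes),
        "extra740_unencrypted_ebs_snapshots": unencrypted_ebs_snapshots(snapshots),
        "extra735_unencrypted_rds": unencrypted_rds_instances(db_instances),
    }

# Constructed sample responses (not real account data).
SAMPLE_VOLUMES = {"Volumes": [
    {"VolumeId": "vol-0aaa", "Encrypted": True},
    {"VolumeId": "vol-0bbb", "Encrypted": False},
    {"VolumeId": "vol-0ccc"},  # flag absent: treat as unencrypted, fail closed
]}
SAMPLE_SNAPSHOTS = {"Snapshots": [
    {"SnapshotId": "snap-0111", "Encrypted": False},
    {"SnapshotId": "snap-0222", "Encrypted": True},
]}
SAMPLE_RDS = {"DBInstances": [
    {"DBInstanceIdentifier": "phi-db", "StorageEncrypted": False},
    {"DBInstanceIdentifier": "logs-db", "StorageEncrypted": True},
]}

if __name__ == "__main__":
    try:  # live mode needs boto3 plus read-only Describe* permissions
        import boto3
        ec2, rds = boto3.client("ec2"), boto3.client("rds")
        findings = audit(ec2.describe_volumes(),
                         ec2.describe_snapshots(OwnerIds=["self"]),
                         rds.describe_db_instances())
    except ImportError:  # no boto3: run against the constructed samples
        findings = audit(SAMPLE_VOLUMES, SAMPLE_SNAPSHOTS, SAMPLE_RDS)
    print(findings)
```

A full check would also page through each Describe* call and cover every enabled region; the functions above are the per-response evaluation only.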

@toniblyx
Member

toniblyx commented Nov 8, 2018

I'll update this list with new checks soon. Most of the checks I'm writing for GDPR are valid for HIPAA.

@toniblyx
Member

This is already finished in devel branch. I'll merge it to master soon.
