AWS - Healthcare

Eduardo Van Cauteren

Last Update a year ago

StackZone Healthcare Services Setup includes the necessary components enabled to support and build compliance according to this industry vertical.

Components Created:

  • Shared Services Account:
    • Amazon VPC including Private and Public Subnets distributed in 2 availability zones in the primary region
  • Log-Archive Account:
    • Shared Amazon S3 Bucket with a lifecycle policy to store logs up to 7 years
  • Security Account:
    • Aggregated SNS Security Topic (your email distribution list or account must be configured after the initial setup to start receiving the notifications)
    • Central Amazon GuardDuty detector
    • Central AWS Config global aggregator to visualize your compliance from a single place for your entire Organization
  • Primary Account:
    • Security Services Delegation to the Security Account
      • Amazon S3 Storage Lens
      • AWS License Manager
      • AWS Systems Manager
      • Amazon Macie
      • AWS IAM Access Analyzer
  • Service Control Policies:
    • Core OU Mandatory Preventive GuardRails
    • Non Core Mandatory Preventive Guardrails
    • StackZone Deny Mandatory Preventive Guardrails
    • StackZone Allowed Regions Preventive Guardrails
    • StackZone Tagging Preventive Guardrails
    • StackZone Networking Preventive Guardrails
    • StackZone HIPAA Preventive Guardrails
    • StackZone PCI Preventive Guardrails
    • StackZone SOC Preventive Guardrails
    • StackZone Restrict All Guardrails
    • StackZone Machine Learning Ops Guardrails
  • Baseline Services (Applied to every account managed by StackZone):
    • Lambda Helper (required Lambda functions for StackZone to operate)
    • SNS Helper (required to forward Security SNS Notifications from all accounts to the Security Account)
    • Key Management Service: creates AWS KMS keys used to encrypt Amazon EBS volumes, CloudWatch Logs log groups and SNS topics, as required to maintain compliance.
    • Amazon CloudTrail: enables, in each account's primary region, a multi-region, encrypted trail that delivers every API action to the shared Amazon S3 bucket in the Log-Archive Account and also to a local Amazon CloudWatch Logs log group.
    • AWS Config:
      • Creates an AWS IAM Role to run AWS Config Rules and Remediations.
      • Enables AWS Config local aggregator in each account in the primary region.
      • Enables these global AWS Config rules in all accounts:
        • No Inline Policy
        • IAM Policy no statements with full access
        • Root MFA Enabled (24 hours)
        • IAM Password Policy (24 hours)
        • IAM User MFA Enabled (1 hour)
        • IAM User Console MFA Enabled (1 hour)
        • IAM User Unused Credential (12 hours)
        • IAM Access keys Rotated (12 hours)
        • IAM Root Access Key Check (12 hours)
        • Root Account Hardware MFA Enabled (12 hours)
        • IAM User No Policies Attached
        • IAM Policy No Admin Permissions
      • Enables these regional AWS Config rules in all accounts:
        • AWS Key Management Service
          • CMK Not Scheduled For Deletion (24 hours)
        • Amazon GuardDuty
          • GuardDuty Enabled
        • Data Security Standard Compliance
          • Database Migration Service Replication Not Public
          • Security Hub Enabled
          • EBS Snapshot Not Public Restorable
          • EC2 Instance No Public IP
          • OpenSearch in VPC Only
          • OpenSearch HTTPS Required
          • Elasticsearch Logs to CloudWatch
          • OpenSearch Encrypted at Rest
          • OpenSearch Logs to CloudWatch
          • OpenSearch Node to Node Encryption
          • Elastic Beanstalk Managed Updates
          • EC2 Instances in VPC
          • RDS Snapshot Public Access Prohibited
          • Secrets Manager Rotation Enabled
          • Secrets Manager Using CMK
        • Amazon ElastiCache
          • ElastiCache Redis Backup Enabled (24 hours)
        • Amazon EC2 AutoScaling Group
          • AutoScaling Group Launch Configuration Public IP Disabled
          • AutoScaling Group Using ELB Healthcheck
        • Amazon RDS
          • RDS Encryption Enabled
          • RDS Public Access Disabled
          • RDS Snapshots Encrypted
          • RDS in Backup Plan
          • RDS Instances Backup Enabled
          • RDS Enhanced Monitoring Enabled
          • RDS Logging Enabled
          • RDS Multi AZ Enabled
          • RDS Cluster Deletion Protection Enabled
          • RDS Minor Version Upgrade Enabled
        • Development
          • CodeBuild OAuth Check
          • CodeBuild Plaintext Credentials in Environment Variables
          • Lambda Function Public Access Prohibited
          • API Gateway Associated with WAF
          • API Gateway Execution Logging Enabled
          • API Gateway SSL Enabled
        • Amazon EBS
          • ES Encrypted at Rest
          • ES Node to Node Encryption
          • EBS Attached Volumes Encrypted
          • EBS Volumes Encrypted
          • EBS in Backup Plan
        • AWS Systems Manager
          • SSM Document Not Public
        • Amazon S3
          • S3 Public Read Prohibited
          • S3 Public Write Prohibited
          • S3 Bucket Server Side Encryption
          • S3 Bucket KMS Encryption
          • S3 Bucket Level Public Access Prohibited
          • S3 Bucket ACL Prohibited
          • S3 Bucket Logging Enabled
          • S3 Bucket SSL Requests Only
          • S3 Bucket Versioning Enabled
          • S3 Bucket Replication Enabled
          • S3 Bucket Lock Enabled By Default
          • S3 Bucket Lifecycle Policy Enabled
        • Amazon EC2
          • EC2 Instance Managed by SSM
          • EC2 Instance Patch Compliance Status
          • EC2 Instance Association Compliance Status
          • EC2 Stopped Instance
          • ELB SSL ACM Certificate Required
          • ELB Cross Zone Load Balancing Enabled
          • EC2 Instance IMDS v2 Enabled
          • EC2 Instance Profile Attached
        • Amazon Redshift
          • Cluster Maintenance Settings Check
          • Redshift Cluster Public Access Prohibited
          • Cluster Configuration Check
          • Cluster Require TLS SSL
          • Cluster Backup Enabled
        • AWS Backup
          • EC2 Instances Protected by Backup Plan (MAXIMUM EXECUTION FREQUENCY 24 hours)
          • Aurora Cluster RDS Protected by Backup Plan (MAXIMUM EXECUTION FREQUENCY 24 hours)
          • Recovery Point encrypted
          • Recovery Point manual deletion disabled
          • Recovery Point Minimum Frequency and Retention (1-day frequency, 35-day retention)
        • Amazon CloudWatch
          • CloudWatch Alarm Action Check
        • Network
          • WAF V2 Logging Enabled
          • VPC Subnet Auto Assign Public IP Disabled
          • Certificate Manager Certificate Expire
          • Elastic Load Balancer http to https Redirect
          • Application Load Balancer ACM Certificate Required
          • Classic Load Balancer Predefined Security Policy (ELBSecurityPolicy-TLS-1-2-2017-01)
          • VPC Flowlogs Enabled
          • Elastic Load Balancer Logging
          • VPC Security Group Restricted SSH Policy
          • Elastic Load Balancer Deletion Protection
          • VPC Default Security Group Closed
          • VPC VPN 2 Tunnels Up
          • Elastic Load Balancer WAF Enabled
          • Elastic Load Balancer TLS https Listener Only
        • Amazon EFS
          • EFS Encrypted
        • Amazon EMR
          • EMR Kerberos Enabled
          • EMR Master Node No Public IP
        • Amazon SageMaker
          • Notebook No Direct Internet Access
          • Endpoint Config KMS Key Configured
          • Notebook Instance KMS Key Configured
        • AWS CloudTrail
          • CloudTrail Enabled
          • Multi Region CloudTrail Enabled (MAXIMUM EXECUTION FREQUENCY 24 hours)
          • CloudTrail Amazon CloudWatch Logs Enabled (MAXIMUM EXECUTION FREQUENCY 24 hours)
          • CloudTrail Encryption Enabled (MAXIMUM EXECUTION FREQUENCY 24 hours)
          • CloudTrail S3 Data Events Enabled
        • Amazon DynamoDB
          • DynamoDB Autoscaling Enabled (MAXIMUM EXECUTION FREQUENCY 6 hours)
          • DynamoDB Throughput Limit Check (MAXIMUM EXECUTION FREQUENCY 6 hours)
          • DynamoDB in Backup Plan (MAXIMUM EXECUTION FREQUENCY 24 hours)
        • Amazon SNS
          • SNS Topic Encrypted
        • Enables Automatic Remediation for:
          • AWS CloudTrail
            • CloudTrail Log File Validation Remediation
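
As an added example (not StackZone's own code), the following Python evaluates trail records in the shape of boto3's `cloudtrail.describe_trails()` output against the baseline trail described under Baseline Services and the CloudTrail Config rules listed in the regional section (multi-region, encryption, CloudWatch Logs delivery, log file validation, delivery to the central Log-Archive bucket). The trail records, the bucket name, the KMS key ARN and the account labels are constructed placeholders; nothing here calls AWS.

```python
"""Evaluate CloudTrail trail records against the baseline trail described on
this page. Added example; the records below are constructed to mirror the
shape of boto3's cloudtrail.describe_trails() output, and every bucket, key
and account name is a placeholder."""
from __future__ import annotations

# Placeholder for the shared bucket in the Log-Archive Account (constructed).
LOG_ARCHIVE_BUCKET = "example-log-archive-bucket"

# Constructed trail records. GOOD_TRAIL matches the baseline; LEGACY_TRAIL is
# a single-region, unencrypted trail without CloudWatch Logs delivery.
GOOD_TRAIL = {
    "Name": "stackzone-baseline-trail",
    "S3BucketName": LOG_ARCHIVE_BUCKET,
    "IsMultiRegionTrail": True,
    "LogFileValidationEnabled": True,
    "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:111111111111:log-group:example-trail:*",
    "KmsKeyId": "arn:aws:kms:us-east-1:111111111111:key/00000000-0000-0000-0000-000000000000",
}
LEGACY_TRAIL = {
    "Name": "legacy-trail",
    "S3BucketName": "some-local-bucket",
    "IsMultiRegionTrail": False,
    "LogFileValidationEnabled": False,
    # No CloudWatchLogsLogGroupArn and no KmsKeyId, as describe_trails omits
    # fields that are not set.
}


def evaluate_trail(trail: dict, log_archive_bucket: str) -> dict[str, bool]:
    """Return check-name -> pass/fail for one trail record.

    Each check corresponds to one of the CloudTrail rules on this page:
    Multi Region CloudTrail Enabled, CloudTrail Encryption Enabled,
    CloudTrail Amazon CloudWatch Logs Enabled, and the log file validation
    remediation; central_bucket checks delivery to the Log-Archive bucket.
    """
    return {
        "multi_region": bool(trail.get("IsMultiRegionTrail")),
        "kms_encrypted": bool(trail.get("KmsKeyId")),
        "cloudwatch_logs": bool(trail.get("CloudWatchLogsLogGroupArn")),
        "log_file_validation": bool(trail.get("LogFileValidationEnabled")),
        "central_bucket": trail.get("S3BucketName") == log_archive_bucket,
    }


def account_compliance(trails: list[dict], log_archive_bucket: str) -> tuple[bool, list[str]]:
    """Decide whether an account has at least one trail meeting every check.

    Mirrors the per-account semantics of the listed Config rules: one fully
    compliant trail is enough. Returns (compliant, findings), where findings
    names each failed check per trail, e.g. "legacy-trail: multi_region".
    """
    findings: list[str] = []
    compliant = False
    for trail in trails:
        results = evaluate_trail(trail, log_archive_bucket)
        failed = [check for check, ok in results.items() if not ok]
        if not failed:
            compliant = True
        findings.extend(f"{trail.get('Name', '<unnamed>')}: {check}" for check in failed)
    if not trails:
        findings.append("no trail configured")
    return compliant, findings


if __name__ == "__main__":
    # Constructed accounts: one with the baseline trail, one with only the legacy trail.
    sample_accounts = {
        "workload-a": [GOOD_TRAIL, LEGACY_TRAIL],
        "workload-b": [LEGACY_TRAIL],
        "workload-c": [],
    }
    for account, trails in sample_accounts.items():
        ok, findings = account_compliance(trails, LOG_ARCHIVE_BUCKET)
        status = "COMPLIANT" if ok else "NON_COMPLIANT"
        print(f"{account}: {status}")
        for finding in findings:
            print(f"  - {finding}")
```

Run over live data by replacing the constructed records with `boto3.client("cloudtrail").describe_trails()["trailList"]` per account; the evaluation logic itself does not change.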