Add HIPAA compliance checks #227

Closed
hhh0505 opened this issue Jul 23, 2018 · 4 comments

@hhh0505

hhh0505 commented Jul 23, 2018

Any plan to add this?

@toniblyx
Member

Hi @hhh0505, do you have a sample set of checks that might be suitable for HIPAA compliance in AWS? Some might be part of the existing checks and probably some new check points.

@crashGoBoom
Contributor

crashGoBoom commented Oct 2, 2018

Adding HIPAA checks is no small task and I don't believe checks for full compliance will be possible as it depends much upon how each user/application handles PHI. But a good start would be checking for encryption at rest and in transit for the major services.

That being said, here is a quick placeholder of needed/desired HIPAA checks. I will try to update this periodically. @toniblyx This is just a start but... feel free to shoot all this down if it starts adding too many checks 😄

Account Security

  • MFA Enabled - check12, check113
  • Account Root User Credentials Protection - check112, check113

VPC Security

  • VPC Flow Logging Used - check29
  • VPC Flow Logs are Encrypted - Needs check
  • Enable ELB Logging - Needs check extra739

EC2 Security

  • Encrypted EBS Volumes - extra729
  • Encrypted EBS Snapshots - extra740
  • Ensure EC2 Instances are launched in a VPC - (No longer needed, only for pretty old accounts)

S3 Security

  • Bucket Policy, Enforce Encryption and Filter by source-ip. - extra734
  • IAM Roles, Enforce permissions - check38, extra73
  • Monitoring, Access Logs - check23, check26, check27, extra718, extra725

RDS Security

  • Encrypted RDS - extra735
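
An added example, not part of the thread and not Prowler's own code: a sketch of the encryption-at-rest checks listed above for EBS volumes, EBS snapshots and RDS, run over constructed responses shaped like the output of `aws ec2 describe-volumes`, `aws ec2 describe-snapshots` and `aws rds describe-db-instances`. The resource IDs and the function names `evaluate` and `failures` are assumptions; the check IDs in the labels are the ones the list above gives.

```python
# Constructed sample data; every resource ID below is made up.
SAMPLE = {
    "volumes": {"Volumes": [
        {"VolumeId": "vol-0aaa", "Encrypted": True},
        {"VolumeId": "vol-0bbb", "Encrypted": False},
    ]},
    "snapshots": {"Snapshots": [
        {"SnapshotId": "snap-0ccc", "Encrypted": True},
    ]},
    "rds": {"DBInstances": [
        {"DBInstanceIdentifier": "phi-db", "StorageEncrypted": False},
    ]},
}

# input name -> (label from the list above, list key, id key, encryption flag)
RULES = {
    "volumes": ("Encrypted EBS Volumes (extra729)",
                "Volumes", "VolumeId", "Encrypted"),
    "snapshots": ("Encrypted EBS Snapshots (extra740)",
                  "Snapshots", "SnapshotId", "Encrypted"),
    "rds": ("Encrypted RDS (extra735)",
            "DBInstances", "DBInstanceIdentifier", "StorageEncrypted"),
}


def evaluate(responses):
    """Return (label, resource_id, status) for every resource seen."""
    findings = []
    for name, (label, list_key, id_key, flag_key) in RULES.items():
        if name not in responses:
            # No data is not a pass: report the gap instead of staying silent.
            findings.append((label, "<not collected>", "UNKNOWN"))
            continue
        for res in responses[name].get(list_key, []):
            # Fail closed: a missing or non-boolean flag counts as unencrypted.
            status = "PASS" if res.get(flag_key) is True else "FAIL"
            findings.append((label, res[id_key], status))
    return findings


def failures(findings):
    """Everything that is not an explicit PASS needs attention."""
    return [f for f in findings if f[2] != "PASS"]


if __name__ == "__main__":
    for label, rid, status in evaluate(SAMPLE):
        print(f"{status:7} {label}: {rid}")
```

As the comment above notes, a pass here covers encryption at rest only and says nothing about how an application handles PHI.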

@toniblyx
Member

toniblyx commented Nov 8, 2018

I'll update this list with new checks soon. Most of the checks I'm writing for GDPR are valid for HIPAA.

@toniblyx
Member

This is already finished in devel branch. I'll merge it to master soon.
