PHI stored in Amazon DynamoDB must be encrypted at-rest consistent with the Guidance. Amazon DynamoDB customers can use the application development
Amazon Web Services – Architecting for HIPAA Security and Compliance Page 11 framework of their choice to encrypt PHI in applications before storing the data in Amazon DynamoDB. Alternatively, a client-side library for encrypting content is available from the AWS Labs GitHub repository. Customers may evaluate this implementation for consistency with the Guidance. For more information, see . Careful consideration should be taken when selecting primary keys and when creating indexes such that unsecured PHI is not required for queries and scans in Amazon DynamoDB. Amazon API Gateway Customers may use Amazon API Gateway to process and transmit PHI. While Amazon API Gateway automatically uses HTTPS endpoints for encryption in- flight, customers may also choose to encrypt payloads client-side. API Gateway passes all non-cached data through memory and does not write it to disk. Customers may use AWS Signature Version 4 for authorization with API Gateway. For more information, see the following: • • eway-control-access-to-api.html Customers may integrate with any service that is connected to API Gateway, provided that when PHI is involved, the service is configured consistent with the Guidance and BAA. For information on integrating API Gateway with back end services, see - method-settings.html . Customers can use AWS CloudTrail and Amazon CloudWatch to enable logging that is consistent with their logging requirements. Customers should ensure that any PHI sent through API Gateway (such as in headers, URLs, and request/response) is only captured by HIPAA-eligible services that have been configured to be consistent with the Guidance. For more information on logging with API Gateway, see - center/api-gateway-cloudwatch-logs/ .
Amazon Web Services – Architecting for HIPAA Security and Compliance Page 12 Using AWS KMS for Encryption of PHI Master keys in AWS KMS can be used to encrypt/decrypt data encryption keys used to encrypt PHI in customer applications or in AWS services that are integrated with AWS KMS. AWS KMS can be used in conjunction with a HIPAA account, but PHI may only be processed, stored, or transmitted in HIPAA- eligible services. KMS does not need to be a HIPAA-eligible service so long as it is used to generate and manage keys for applications running in other HIPAA- eligible services. For example, an application processing PHI in Amazon EC2 could use the GenerateDataKey API call to generate data encryption keys for encrypting and decrypting PHI in the application. The data encryption keys would be protected by customer master keys stored in AWS KMS, creating a
You've reached the end of your free preview.
Want to read all 18 pages?
- Spring '16
- Amazon Web Services, Amazon Elastic Compute Cloud