AWS Database Encryption & HIPAA Compliance

TL;DR

Yes, encrypting your database in AWS is almost certainly required for HIPAA compliance if it holds Protected Health Information (PHI). This guide explains what you need to do.

Understanding the Requirements

1. HIPAA Security Rule: The HIPAA Security Rule demands you protect electronic PHI. Encryption, both in transit and at rest, is a key way to meet this requirement.
2. Encryption ‘At Rest’: This means encrypting the data when it’s stored on disks.
3. Encryption ‘In Transit’: This means encrypting the data as it moves between systems (e.g., your application server and database).

Step-by-Step AWS Database Encryption

These steps focus on common scenarios using RDS (Relational Database Service), but principles apply to other AWS database services like DynamoDB.

1. Choose an Encryption Method

• AWS Key Management Service (KMS): The recommended approach. KMS manages encryption keys for you, simplifying key rotation and access control.
• Database Native Encryption: Some database engines offer their own encryption features. This can be complex to manage securely.

2. Enable Encryption at Rest (RDS Example)

1. During Database Creation: When creating a new RDS instance, select the ‘Enable encryption’ option. Choose a KMS key.
2. For Existing Databases: You can encrypt an existing database using the AWS Management Console or the AWS CLI.

   aws rds modify-db-instance --db-instance-identifier your-database-name --encryption-key-id arn:aws:kms:your-region:your-account-id:key/your-kms-key-id

3. Verify Encryption: Check the RDS console. The ‘Encryption’ status should show ‘Enabled’.

3. Enable Encryption in Transit (RDS Example)

1. Require SSL/TLS Connections: Configure your database to only accept connections over SSL/TLS.
   • In the RDS console, edit the DB instance configuration and ensure ‘Require SSL’ is enabled.
   • Download the appropriate root certificate for your database engine and install it on all client machines connecting to the database.
2. Application Configuration: Update your application code to use SSL/TLS when connecting to the database.

   # Example Python using psycopg2 (PostgreSQL)
   conn = psycopg2.connect(host='your-database-endpoint', database='your-database-name', user='your-username', password='your-password', sslmode='require' )

4. Key Management

• KMS Key Rotation: KMS automatically rotates keys periodically (default is one year). Ensure this rotation is enabled.
• Access Control: Use IAM policies to strictly control who can access the KMS key used for encryption. Grant only necessary permissions.

  # Example IAM policy snippet allowing decryption
  {
   "Effect": "Allow",
   "Action": [
   "kms:Decrypt"
   ],
   "Resource": "arn:aws:kms:your-region:your-account-id:key/your-kms-key-id" 
  }
  

5. Auditing and Monitoring

• CloudTrail: Enable AWS CloudTrail to log all API calls made to your RDS instances and KMS keys. This provides an audit trail of encryption-related activity.
• RDS Logs: Review database logs for any connection attempts that fail due to SSL/TLS issues.

Important Considerations

• Data Backups: Ensure your backups are also encrypted using KMS. RDS automatically encrypts backups when encryption is enabled on the primary instance.
• Snapshots: Snapshots should be encrypted as well.
• Regular Reviews: Periodically review your encryption configuration and access controls to ensure they remain appropriate.