prowler-cloud / prowler

Prowler is an Open Source Security tool for AWS, Azure, GCP and Kubernetes to do security assessments, audits, incident response, compliance, continuous monitoring, hardening and forensics readiness. Includes CIS, NIST 800, NIST CSF, CISA, FedRAMP, PCI-DSS, GDPR, HIPAA, FFIEC, SOC2, GXP, Well-Architected Security, ENS and more

Home Page: https://prowler.com

Add HIPAA compliance checks

hhh0505 opened this issue · comments

Any plan to add this?

Hi @hhh0505, do you have a sample set of checks that might be suitable for HIPAA compliance in AWS? Some might be part of the existing checks and probably some new check points.

Adding HIPAA checks is no small task and I don't believe checks for full compliance will be possible as it depends much upon how each user/application handles PHI. But a good start would be checking for encryption at rest and in transit for the major services.

That being said, here is a quick placeholder of needed/desired HIPAA checks. I will try to update this periodically. @toniblyx This is just a start but...feel free to shoot all this down if it starts adding too many checks 😄

Account Security

  • MFA Enabled - check12, check113
  • Account Root User Credentials Protection - check112, check113

VPC Security

  • VPC Flow Logging Used - check29
  • VPC Flow Logs are Encrypted - Needs check
  • Enable ELB Logging - Needs check extra739

EC2 Security

  • Encrypted EBS Volumes - extra729
  • Encrypted EBS Snapshots - extra740
  • Ensure EC2 Instances are launched in a VPC - (No longer needed, only for pretty old accounts)

S3 Security

  • Bucket Policy, Enforce Encryption and Filter by source-ip - extra734
  • IAM Roles, Enforce permissions - check38, extra73
  • Monitoring, Access Logs - check23, check26, check27, extra718, extra725

RDS Security

  • Encrypted RDS - extra735

I'll update this list with new checks soon. Most of the checks I'm writing for GDPR are valid for HIPAA.
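As an added illustration of the "Encrypted EBS Volumes" (extra729) and "Encrypted EBS Snapshots" (extra740) items in the list above (example code, not Prowler's own implementation): the check logic run over a constructed DescribeVolumes/DescribeSnapshots response, producing PASS/FAIL findings per resource. The `collect_from_account` helper and its use of a boto3 EC2 client are assumptions for live use, not part of the sample run.

```python
from typing import Dict, List, Tuple

# Constructed sample data shaped like the EC2 DescribeVolumes / DescribeSnapshots
# responses, trimmed to the fields the encryption checks actually read.
SAMPLE_VOLUMES = {
    "Volumes": [
        {"VolumeId": "vol-0aaa", "Encrypted": True,
         "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
        {"VolumeId": "vol-0bbb", "Encrypted": False},
    ]
}
SAMPLE_SNAPSHOTS = {
    "Snapshots": [
        {"SnapshotId": "snap-0ccc", "Encrypted": True, "VolumeId": "vol-0aaa"},
        {"SnapshotId": "snap-0ddd", "Encrypted": False, "VolumeId": "vol-0bbb"},
    ]
}


def check_encrypted(resources: List[Dict], id_key: str) -> List[Dict]:
    """One finding per resource: PASS when 'Encrypted' is true, otherwise FAIL."""
    findings = []
    for res in resources:
        encrypted = bool(res.get("Encrypted", False))
        detail = ("encrypted at rest (key: %s)" % res.get("KmsKeyId", "AWS-managed")
                  if encrypted else "not encrypted at rest")
        findings.append({"resource_id": res[id_key],
                         "status": "PASS" if encrypted else "FAIL",
                         "detail": detail})
    return findings


def run_ebs_checks(volumes_resp: Dict, snapshots_resp: Dict) -> Dict[str, List[Dict]]:
    """Run both EBS encryption checks, keyed by the check ids from the list above."""
    return {
        "extra729_ebs_volume_encryption": check_encrypted(volumes_resp["Volumes"], "VolumeId"),
        "extra740_ebs_snapshot_encryption": check_encrypted(snapshots_resp["Snapshots"], "SnapshotId"),
    }


def failing_resources(report: Dict[str, List[Dict]]) -> List[str]:
    """Sorted ids of every resource that failed any check (what an auditor acts on)."""
    return sorted(f["resource_id"] for fs in report.values() for f in fs if f["status"] == "FAIL")


def collect_from_account(ec2_client) -> Tuple[Dict, Dict]:
    """Assumed live adapter: page through real responses with a boto3 EC2 client."""
    vols = [v for p in ec2_client.get_paginator("describe_volumes").paginate() for v in p["Volumes"]]
    snaps = [s for p in ec2_client.get_paginator("describe_snapshots").paginate(OwnerIds=["self"])
             for s in p["Snapshots"]]
    return {"Volumes": vols}, {"Snapshots": snaps}


if __name__ == "__main__":
    for check, fs in run_ebs_checks(SAMPLE_VOLUMES, SAMPLE_SNAPSHOTS).items():
        for f in fs:
            print(f"{check}: {f['status']} {f['resource_id']} ({f['detail']})")
```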

This is already finished in devel branch. I'll merge it to master soon.