
Quick Start architecture for HIPAA on the AWS Cloud

Quick Start reference architecture for HIPAA workloads on AWS


This Quick Start is part of a set of AWS Enterprise Accelerator - Compliance solutions. For additional AWS Quick Starts, see the complete catalog.

This Quick Start deploys a model environment that can help organizations with workloads that fall within the scope of the U.S. Health Insurance Portability and Accountability Act (HIPAA). The Quick Start architecture maps to certain technical requirements imposed by HIPAA regulations.

The Quick Start includes AWS CloudFormation templates, which automatically configure the AWS resources and deploy an example multi-tier, Linux-based web application in a few simple steps, in about 30 minutes. The security controls reference shows how Quick Start architecture decisions, components, and configurations map to HIPAA regulatory requirements. The Quick Start also includes a deployment guide, which describes the reference architecture in detail and provides step-by-step instructions for deploying, configuring, and validating the AWS environment.

  • What you'll build

    The Quick Start deployment includes the following components and features:

    • Basic AWS Identity and Access Management (IAM) configuration with custom IAM policies and associated groups, roles, and instance profiles
    • Standard, external-facing Amazon Virtual Private Cloud (Amazon VPC) Multi-AZ architecture with separate subnets for different application tiers and private (back-end) subnets for the application and database tiers
    • Amazon Simple Storage Service (Amazon S3) buckets for encrypted web content, logging, and backup data
    • Standard Amazon VPC security groups for Amazon Elastic Compute Cloud (Amazon EC2) instances and load balancers used in the sample application stack 
    • Three-tier Linux web application using Auto Scaling and Elastic Load Balancing, which can be modified and/or bootstrapped with a customer application
    • A secured bastion login host to facilitate command-line Secure Shell (SSH) access to EC2 instances for troubleshooting and systems administration activities
    • Encrypted, Multi-AZ Amazon Relational Database Service (Amazon RDS) MySQL database
    • Logging, monitoring, and alerts using AWS CloudTrail, Amazon CloudWatch, and AWS Config rules
    • Encrypted secondary EBS volumes on all EC2 instances


    For details, see the Quick Start deployment guide.

  • Deployment details

    Before deploying the Quick Start with protected health information (PHI), you must accept the AWS Business Associate Addendum (BAA) and configure your AWS account(s) as required by the BAA. You also need to confirm that your AWS account is set up correctly by checking service limits and SSH key pairs, and setting up AWS Config. After you complete these prerequisites, you can build the Quick Start reference environment in about 30 minutes:

    1. Sign in to your AWS account.
    2. Launch the Quick Start and set the required parameters. If you have an AWS GovCloud (US) account, you can deploy the Quick Start in the AWS GovCloud Region.
    3. Test your deployment.  


    For detailed instructions, see the Quick Start deployment guide.

    The Quick Start is modular and customizable. It includes nested AWS CloudFormation templates that automate deploying and configuring resources for IAM, logging, production VPC, management VPC, AWS Config rules, NAT, and the web application. You can deploy the entire architecture, or customize or omit resources; see template details.

  • Cost and licenses

    You are responsible for the cost of the AWS services used while running this Quick Start reference deployment. There is no additional cost for using the Quick Start.

    The AWS CloudFormation template for this Quick Start includes configuration parameters that you can customize. Some of these settings, such as instance type and storage, will affect the cost of deployment. See the pricing pages for each AWS service you will be using for cost estimates.