reference deployment


Deploy a cloud architecture that helps support your HITRUST compliance program

This Quick Start deploys a model environment on the Amazon Web Services (AWS) Cloud that can help organizations with workloads that fall within the scope of the Health Information Trust Alliance Common Security Framework (HITRUST-CSF). Its architecture maps to certain technical requirements imposed by HITRUST controls.

The Quick Start includes AWS CloudFormation templates to automate building a baseline architecture that fits within your organization’s larger HITRUST program. It also includes a security controls reference, which maps HITRUST controls to architecture decisions, features, and configuration of the baseline.

Certain AWS services have been assessed under the HITRUST CSF Assurance Program by an approved HITRUST CSF Assessor as meeting the HITRUST CSF v9.1 Certification Criteria. Please note that deploying this architecture alone will not guarantee HITRUST certification. Rather, this architecture is designed to fit within your organization’s broader HITRUST program.

This Quick Start is for health IT infrastructure architects, administrators, compliance professionals, and DevOps professionals who plan to implement or extend HITRUST workloads to the AWS Cloud. It's part of a set of AWS compliance offerings, which provide security-focused architecture solutions to help Managed Service Providers (MSPs), cloud provisioning teams, developers, integrators, and information security teams follow strict security, compliance, and risk management controls. For more Quick Starts in this category, see the Quick Start catalog.

Deploying this Quick Start does not guarantee an organization’s compliance with any laws, certifications, policies, or other regulations.

This Quick Start was developed by AWS.

  •  What you'll build
  • Use this Quick Start to automatically set up the following environment on AWS:

    • A highly available architecture that spans two Availability Zones.
    • A management virtual private cloud (VPC) and production VPC configured with public and private subnets according to AWS best practices, to provide you with your own virtual network on AWS. The management and production VPCs have VPC peering enabled.
    • In the public subnets:
      • Managed network address translation (NAT) gateways to allow outbound internet access for resources in the private subnets.
      • In the management VPC, a Linux bastion host in an Auto Scaling group to allow inbound Secure Shell (SSH) access to Amazon Elastic Compute Cloud (Amazon EC2) instances in private subnets.
    • Standard Amazon Virtual Private Cloud (Amazon VPC) security groups for EC2 instances and load balancers used in the sample application stack. The security groups limit access to only necessary services and disallow unencrypted traffic (e.g., HTTP port 80).
    • An Amazon Simple Storage Service (Amazon S3) bucket for encrypted log content.
    • Production VPC - In the private subnets:
      • An encrypted Multi-AZ Amazon Relational Database Service (Amazon RDS) MySQL database and a standby instance in a second private subnet.
      • A three-tier Linux web application using Auto Scaling and Elastic Load Balancing, which can be modified or bootstrapped with customer applications, such as WordPress. 
    • A Secure Sockets Layer (SSL) certificate managed by AWS Certificate Manager (ACM) on the load balancer to encrypt all traffic between the internet and the load balancer. Separate self-signed certificates are generated on the EC2 instances to encrypt traffic between the load balancer and the application instances.
    • AWS Config rules to monitor the deployment configuration. If you haven’t created a configuration recorder and delivery channel, the Quick Start will create those also.
    • An Amazon Route 53 record set that maps the fully qualified domain name (FQDN) to the load balancer Domain Name System (DNS).
    • Logging, monitoring, and alerts using AWS CloudTrail, Amazon CloudWatch, and AWS Config rules.
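A pre-deployment check for three of the properties listed above (no cleartext HTTP ingress, encrypted Multi-AZ RDS, encrypted log bucket), run against a CloudFormation template that has been parsed into a dictionary. This is an added example, not code from the Quick Start: the template fragment and its resource names (`WebSG`, `AppDB`, `LogBucket`) are constructed for illustration, and one rule is deliberately wrong so the check has something to report.

```python
# Added example: audits a parsed CloudFormation template for settings the
# page describes. TEMPLATE is constructed sample input, not the Quick Start's.
CLEARTEXT_PORTS = {80}  # the page names HTTP port 80 as disallowed

TEMPLATE = {"Resources": {
    "WebSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "SecurityGroupIngress": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
            {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "CidrIp": "0.0.0.0/0"},
        ]}},
    "AppDB": {"Type": "AWS::RDS::DBInstance", "Properties": {
        "Engine": "mysql", "MultiAZ": True, "StorageEncrypted": False}},
    "LogBucket": {"Type": "AWS::S3::Bucket", "Properties": {
        "BucketEncryption": {"ServerSideEncryptionConfiguration": [
            {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}},
}}

def is_true(value):
    # CloudFormation accepts booleans or "true"/"false" strings. Intrinsic
    # functions (Ref, Fn::If) are not resolved here and count as not set.
    return str(value).lower() == "true"

def ingress_opens_cleartext(rule):
    proto = str(rule.get("IpProtocol"))
    if proto == "-1":
        return True  # all protocols and ports
    if proto not in ("tcp", "6"):
        return False
    lo, hi = rule.get("FromPort"), rule.get("ToPort")
    if lo is None or hi is None:
        return True  # no port range given: treat as open
    return any(int(lo) <= port <= int(hi) for port in CLEARTEXT_PORTS)

def audit(template):
    findings = []
    for name, res in sorted(template.get("Resources", {}).items()):
        props, rtype = res.get("Properties", {}), res.get("Type")
        if rtype == "AWS::EC2::SecurityGroup":
            if any(ingress_opens_cleartext(r) for r in props.get("SecurityGroupIngress", [])):
                findings.append((name, "ingress allows cleartext port"))
        elif rtype == "AWS::RDS::DBInstance":
            if not is_true(props.get("StorageEncrypted")):
                findings.append((name, "storage not encrypted"))
            if not is_true(props.get("MultiAZ")):
                findings.append((name, "not Multi-AZ"))
        elif rtype == "AWS::S3::Bucket" and not props.get("BucketEncryption"):
            findings.append((name, "no default encryption"))
    return findings

if __name__ == "__main__":
    for name, issue in audit(TEMPLATE):
        print(f"{name}: {issue}")
```

The check only sees ingress rules declared inline on the security group; rules defined as separate `AWS::EC2::SecurityGroupIngress` resources would need their own branch.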
  •  How to deploy
  • To deploy the HITRUST environment in your AWS account, follow the instructions in the deployment guide. The deployment process takes about 30 minutes and includes these steps:

    1. Sign in to your AWS account at
    2. Launch the Quick Start
    3. Test your deployment by connecting to the WordPress site built by the Quick Start.

    Amazon may share user-deployment information with the AWS Partner that collaborated with AWS on this solution.  

  •  Cost and licenses
  • You are responsible for the cost of the AWS services and any third-party licenses used while running this Quick Start reference deployment. There is no additional cost for using the Quick Start. 

    The AWS CloudFormation template for this Quick Start includes configuration parameters that you can customize. Some of these settings, such as instance type and storage, will affect the cost of deployment. See the pricing pages for each AWS service you will be using for cost estimates.

    Tip: After you deploy the Quick Start, create AWS Cost and Usage Reports to track costs associated with the Quick Start. These reports deliver billing metrics to an Amazon Simple Storage Service (Amazon S3) bucket in your account. They provide cost estimates based on usage throughout each month and aggregate the data at the end of the month. For more information about the report, see What are AWS Cost and Usage Reports?