Description:
164.308(a)(6)(ii) - Security Incident Procedures — Response and Reporting - Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity or business associate; and document security incidents and their outcomes.
Audit:
Under the AWS Business Associate Addendum (BAA), AWS agrees to report to the customer any successful security incident involving HIPAA accounts of which AWS becomes aware. The customer remains responsible for detecting security incidents involving ePHI on AWS by reviewing its audit logs, and for responding appropriately once an incident is identified.
Rationale:
In this architecture, AWS CloudTrail is enabled, giving the organization an audit trail of API activity by AWS Identity and Access Management (IAM) principals, including the root user. The CloudTrail logs are stored centrally in an Amazon S3 bucket. Amazon CloudWatch alarms are configured to send an alert through Amazon SNS when root user activity is detected, when multiple API calls or console login attempts fail, when IAM configuration changes are made, when a new IAM access key is created, and when the CloudTrail logging configuration is changed. The last of these matters because stopping or altering the trail would blind the other alerts.
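The following is an added example, not code from the original architecture or from AWS. It implements the five alert conditions listed above as detection logic over CloudTrail records, with the equivalent CloudWatch Logs metric filter pattern noted in a comment beside each rule; it assumes the trail is also delivered to a CloudWatch Logs log group (a requirement for alarming on CloudTrail events that the text does not spell out). The records, the hypothetical alarm names, the IAM event list, and the threshold of three failures per evaluation period are constructed for the example.

```python
"""Classify CloudTrail records into the alert conditions described in the
Rationale section. Added example; sample records and alarm names are constructed."""
import json
from collections import Counter

# IAM write operations treated as a configuration change (assumed subset).
IAM_CHANGE_EVENTS = {
    "CreateUser", "DeleteUser", "CreateGroup", "DeleteGroup", "CreateRole", "DeleteRole",
    "PutUserPolicy", "PutGroupPolicy", "PutRolePolicy", "DeleteUserPolicy",
    "DeleteGroupPolicy", "DeleteRolePolicy", "AttachUserPolicy", "DetachUserPolicy",
    "AttachGroupPolicy", "DetachGroupPolicy", "AttachRolePolicy", "DetachRolePolicy",
    "CreatePolicy", "DeletePolicy", "CreatePolicyVersion", "DeletePolicyVersion",
}
# Operations that alter the audit trail itself.
CLOUDTRAIL_CHANGE_EVENTS = {"CreateTrail", "UpdateTrail", "DeleteTrail", "StartLogging", "StopLogging"}


def classify(record):
    """Return the list of alert names a single CloudTrail record triggers."""
    alerts = []
    ident = record.get("userIdentity", {})
    name = record.get("eventName", "")
    code = record.get("errorCode", "")
    # Filter pattern: { $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS
    #                   && $.eventType != "AwsServiceEvent" }
    if ident.get("type") == "Root" and "invokedBy" not in ident \
            and record.get("eventType") != "AwsServiceEvent":
        alerts.append("RootActivity")
    # Filter pattern: { ($.eventName = "ConsoleLogin") && ($.errorMessage = "Failed authentication") }
    if name == "ConsoleLogin" and record.get("errorMessage") == "Failed authentication":
        alerts.append("FailedConsoleLogin")
    # Filter pattern: { ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }
    if code.endswith("UnauthorizedOperation") or code.startswith("AccessDenied"):
        alerts.append("UnauthorizedApiCall")
    # Filter pattern: { ($.eventName = CreateUser) || ($.eventName = DeleteUser) || ... }
    if name in IAM_CHANGE_EVENTS:
        alerts.append("IamChange")
    # Filter pattern: { $.eventName = CreateAccessKey }
    if name == "CreateAccessKey":
        alerts.append("AccessKeyCreated")
    # Filter pattern: { ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ... }
    if name in CLOUDTRAIL_CHANGE_EVENTS:
        alerts.append("CloudTrailConfigChange")
    return alerts


def evaluate(records, failure_threshold=3):
    """Count hits over one alarm period and return the alarms that would fire.
    Single-event conditions fire on one hit; the failure conditions only fire
    once `failure_threshold` hits accumulate, mirroring 'multiple ... fail'."""
    counts = Counter(a for r in records for a in classify(r))
    thresholds = {"FailedConsoleLogin": failure_threshold, "UnauthorizedApiCall": failure_threshold}
    return sorted(a for a, n in counts.items() if n >= thresholds.get(a, 1))


# Constructed CloudTrail records, one JSON object per line as CloudWatch Logs receives them.
SAMPLE_LOG = """
{"eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn", "userIdentity": {"type": "Root"}}
{"eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn", "userIdentity": {"type": "IAMUser", "userName": "alice"}, "errorMessage": "Failed authentication"}
{"eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn", "userIdentity": {"type": "IAMUser", "userName": "alice"}, "errorMessage": "Failed authentication"}
{"eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn", "userIdentity": {"type": "IAMUser", "userName": "alice"}, "errorMessage": "Failed authentication"}
{"eventName": "CreateAccessKey", "eventType": "AwsApiCall", "userIdentity": {"type": "IAMUser", "userName": "bob"}}
{"eventName": "StopLogging", "eventType": "AwsApiCall", "userIdentity": {"type": "IAMUser", "userName": "bob"}}
{"eventName": "AttachUserPolicy", "eventType": "AwsApiCall", "userIdentity": {"type": "IAMUser", "userName": "bob"}}
{"eventName": "DescribeInstances", "eventType": "AwsApiCall", "userIdentity": {"type": "IAMUser", "userName": "carol"}, "errorCode": "Client.UnauthorizedOperation"}
{"eventName": "PutEvaluations", "eventType": "AwsApiCall", "userIdentity": {"type": "Root", "invokedBy": "config.amazonaws.com"}}
"""


def load_records(text):
    """Parse JSON-lines CloudTrail output, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


SAMPLE_RECORDS = load_records(SAMPLE_LOG)

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec["eventName"], classify(rec))
    print("alarms:", evaluate(SAMPLE_RECORDS))
```

The root record carrying `invokedBy` is excluded on purpose: it is a service acting on the account's behalf, not an interactive root session, and the real metric filter pattern uses `NOT EXISTS` for the same reason. The single `UnauthorizedOperation` error stays below the failure threshold, so on its own it does not page anyone.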
Impact of Resource Type(s):
AWS::CloudTrail::Trail
AWS::CloudWatch::Alarm
AWS::SNS::Topic
AWS::S3::Bucket
References:
https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/nist80066.pdf