Description: 

164.312(a)(1) - Access Control: Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in §164.308(a)(4).


Audit

As part of the Shared Responsibility Model, AWS is responsible for, and has put in place, technical safeguards within AWS facilities and the AWS environment to limit access to AWS accounts to only those persons or applications with appropriate credentials.

AWS Identity and Access Management (IAM) permits the customer to control and enforce access to the AWS infrastructure. Login/API access is restricted to those users for whom the customer has authorized and created or federated IAM user accounts, and provided IAM group and/or role membership (which specify access policies).

The customer is responsible for implementing policies and procedures to: 1) authorize users before granting system permissions, 2) ensure that only authorized persons are assigned permissions within IAM, and 3) configure access control mechanisms within applications and operating systems to enforce access authorizations.


Rationale: 

This architecture employs a baseline set of AWS Identity and Access Management (IAM) groups and roles so that user accounts can be aligned to personnel roles at various levels of privilege for infrastructure/platform management (e.g., billing, EC2/VPC/RDS systems administration, IT auditing). S3 buckets in this deployment carry specific bucket policies that restrict access to the appropriate roles/groups, based on various criteria and under various conditions.


Impact of Resource Type(s):

AWS::IAM::Group

AWS::IAM::Role

AWS::IAM::InstanceProfile

AWS::IAM::ManagedPolicy

AWS::S3::BucketPolicy

AWS::S3::Bucket


References: 

https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/nist80066.pdf