Description: 

164.312(b) - Audit Controls - Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.


Audit

The customer's policies and procedures should ensure that information systems provide some level of audit controls while also ensuring that a workforce member reviews audit control reports on a regular basis. The AWS Business Associate Addendum (BAA) requires the customer to implement policies and procedures regarding audit controls.


Rationale: 

In this architecture, AWS CloudTrail, S3 server access logging, and Elastic Load Balancing (ELB) access logging are enabled to record security-relevant user and API activity, data-access activity, and source and destination addresses. Log records are delivered to a dedicated S3 bucket for review by auditors and/or ingestion by log analysis tools.
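The rationale above names three logging mechanisms but does not show how they are wired together or how a reviewer would confirm they are all switched on. The following is an added example, not the Quick Start's own template or code: a constructed, minimal JSON CloudFormation fragment in the spirit of that architecture (a log bucket with the bucket policy CloudTrail needs, a multi-region trail with log file validation, a data bucket with server access logging, and a classic ELB with access logging, all delivering to the one log bucket), followed by a small checker that walks the parsed template and reports any resource of the listed types whose logging is off or missing. The logical IDs (LogBucket, DataBucket, WebLoadBalancer, Trail) and the PublicSubnet and CertificateArn parameters are assumptions for illustration; the Parameters section is omitted.

```python
"""Audit-control check over a CloudFormation template (added example, not the Quick Start's own)."""
import json

# Constructed sample template. Parameters (PublicSubnet, CertificateArn) are omitted.
# Note: classic ELB log delivery also needs the regional ELB log-delivery account granted
# s3:PutObject on the log bucket; that region-specific statement is not shown here.
TEMPLATE_JSON = r'''{
 "Resources": {
  "LogBucket": {"Type": "AWS::S3::Bucket",
   "Properties": {"VersioningConfiguration": {"Status": "Enabled"}}},
  "LogBucketPolicy": {"Type": "AWS::S3::BucketPolicy",
   "Properties": {"Bucket": {"Ref": "LogBucket"},
    "PolicyDocument": {"Version": "2012-10-17", "Statement": [
     {"Sid": "CloudTrailAclCheck", "Effect": "Allow",
      "Principal": {"Service": "cloudtrail.amazonaws.com"}, "Action": "s3:GetBucketAcl",
      "Resource": {"Fn::Sub": "arn:aws:s3:::${LogBucket}"}},
     {"Sid": "CloudTrailWrite", "Effect": "Allow",
      "Principal": {"Service": "cloudtrail.amazonaws.com"}, "Action": "s3:PutObject",
      "Resource": {"Fn::Sub": "arn:aws:s3:::${LogBucket}/AWSLogs/${AWS::AccountId}/*"},
      "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}}]}}},
  "Trail": {"Type": "AWS::CloudTrail::Trail", "DependsOn": "LogBucketPolicy",
   "Properties": {"S3BucketName": {"Ref": "LogBucket"}, "IsLogging": true,
    "IsMultiRegionTrail": true, "IncludeGlobalServiceEvents": true,
    "EnableLogFileValidation": true}},
  "DataBucket": {"Type": "AWS::S3::Bucket",
   "Properties": {"LoggingConfiguration": {"DestinationBucketName": {"Ref": "LogBucket"},
    "LogFilePrefix": "s3-access/"}}},
  "WebLoadBalancer": {"Type": "AWS::ElasticLoadBalancing::LoadBalancer",
   "Properties": {"Subnets": [{"Ref": "PublicSubnet"}],
    "Listeners": [{"LoadBalancerPort": "443", "InstancePort": "443", "Protocol": "HTTPS",
     "SSLCertificateId": {"Ref": "CertificateArn"}}],
    "AccessLoggingPolicy": {"Enabled": true, "S3BucketName": {"Ref": "LogBucket"},
     "S3BucketPrefix": "elb-access", "EmitInterval": 5}}}}}'''


def load_template():
    """Parse the constructed sample template into a dict."""
    return json.loads(TEMPLATE_JSON)


def _ref(value):
    """Logical ID behind a {"Ref": ...} value, else None."""
    return value.get("Ref") if isinstance(value, dict) else None


def check_audit_controls(template):
    """Return [(logical_id, finding), ...]; an empty list means every listed resource logs.

    Buckets that receive logs (trail, ELB or S3 logging destinations) are not expected to
    log to themselves, so they are collected first and exempted from the S3 check.
    """
    resources = template.get("Resources", {})
    findings, log_buckets = [], set()
    for name, res in resources.items():
        t, p = res.get("Type"), res.get("Properties", {})
        if t == "AWS::CloudTrail::Trail":
            log_buckets.add(_ref(p.get("S3BucketName")))
            if p.get("IsLogging") is not True:
                findings.append((name, "CloudTrail trail has IsLogging false"))
            if p.get("EnableLogFileValidation") is not True:
                findings.append((name, "CloudTrail log file validation disabled"))
        elif t == "AWS::ElasticLoadBalancing::LoadBalancer":
            alp = p.get("AccessLoggingPolicy", {})
            log_buckets.add(_ref(alp.get("S3BucketName")))
            if alp.get("Enabled") is not True:
                findings.append((name, "ELB access logging not enabled"))
        elif t == "AWS::S3::Bucket":
            log_buckets.add(_ref(p.get("LoggingConfiguration", {}).get("DestinationBucketName")))
    for name, res in resources.items():
        lc = res.get("Properties", {}).get("LoggingConfiguration", {})
        if res.get("Type") == "AWS::S3::Bucket" and name not in log_buckets and "DestinationBucketName" not in lc:
            findings.append((name, "S3 bucket has no server access logging"))
    return findings


def trail_bucket_policy_ok(template, trail_id):
    """True if a bucket policy on the trail's bucket lets cloudtrail.amazonaws.com PutObject.

    Without this statement CloudTrail cannot deliver log files, so the trail is useless even
    though IsLogging is true.
    """
    resources = template["Resources"]
    bucket = _ref(resources[trail_id]["Properties"].get("S3BucketName"))
    for res in resources.values():
        if res.get("Type") != "AWS::S3::BucketPolicy" or _ref(res["Properties"].get("Bucket")) != bucket:
            continue
        for st in res["Properties"]["PolicyDocument"].get("Statement", []):
            actions = st.get("Action", [])
            actions = [actions] if isinstance(actions, str) else actions
            if (st.get("Effect") == "Allow" and "s3:PutObject" in actions
                    and st.get("Principal", {}).get("Principal", st.get("Principal", {})).get("Service") == "cloudtrail.amazonaws.com"):
                return True
    return False


if __name__ == "__main__":
    tpl = load_template()
    for logical_id, finding in check_audit_controls(tpl):
        print(f"{logical_id}: {finding}")
    print("trail bucket policy ok:", trail_bucket_policy_ok(tpl, "Trail"))
```

Run the checker against the template you actually deploy (json.load on the template file) rather than against the console: the review a workforce member does under the policy above is only meaningful if it is repeatable, and a template-level check catches a trail or load balancer whose logging was switched off in a later revision before it reaches an account that holds ePHI.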


Impact of Resource Type(s):

AWS::CloudTrail::Trail

AWS::S3::Bucket

AWS::RDS::DBInstance

AWS::ElasticLoadBalancing::LoadBalancer


References: 

https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/nist80066.pdf