Description:
164.312(b) - Audit Controls - Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
Audit:
The customer's policies and procedures should ensure that information systems provide audit controls, and that a designated workforce member reviews the resulting audit reports on a regular basis. The AWS Business Associate Addendum (BAA) requires the customer to implement policies and procedures regarding audit controls.
Rationale:
In this architecture, AWS CloudTrail, S3 server access logging, and Elastic Load Balancer (ELB) access logging are enabled. CloudTrail records security-relevant user and API activity (the calling identity, the API action, the time, and the source IP address of the request); S3 server access logging records the requests made against the buckets; and ELB access logs record the client source address and the backend target each request was routed to. Log records are stored in an S3 bucket for access by auditors and log analysis tools. Note that CloudTrail records management events by default; object-level S3 data events (such as GetObject on a bucket holding ePHI) must be enabled explicitly on the trail if they are to be captured there rather than only in the S3 server access logs.
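The control requires not only recording activity but examining it. The following is an added example, not code from the Quick Start or from AWS: a small Python script that reads records in the JSON shape CloudTrail delivers to S3 and flags events an auditor would want to review (changes to the trail itself, root account usage, ePHI bucket access from outside a trusted network, and repeated access-denied errors). The sample records, the bucket name "phi-records", the trusted range 10.0.0.0/8, and the rule set are all constructed for illustration.

```python
"""Examine CloudTrail-format records for audit-relevant events (added example)."""
import ipaddress
import json
from collections import Counter

# Constructed sample CloudTrail log file: same top-level "Records" list shape as a
# real delivery object, but every identity, IP, bucket and key below is made up.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-03-01T10:15:02Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "10.0.1.25",
     "requestParameters": {"bucketName": "phi-records", "key": "pt/1001.json"}},
    {"eventTime": "2024-03-01T10:16:40Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "sourceIPAddress": "203.0.113.7",
     "requestParameters": {"bucketName": "phi-records", "key": "pt/1002.json"}},
    {"eventTime": "2024-03-01T10:20:11Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "sourceIPAddress": "203.0.113.7", "requestParameters": {"name": "hipaa-trail"}},
    {"eventTime": "2024-03-01T10:21:00Z", "eventSource": "rds.amazonaws.com",
     "eventName": "DescribeDBInstances", "userIdentity": {"type": "Root"},
     "sourceIPAddress": "198.51.100.9"},
] + [
    {"eventTime": f"2024-03-01T10:22:0{i}Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "userName": "carol"},
     "sourceIPAddress": "10.0.2.8",
     "requestParameters": {"bucketName": "phi-records", "key": f"pt/100{i}.json"}}
    for i in range(3)
]})

# API actions that weaken or disable the audit trail; any of these gets reviewed.
AUDIT_TAMPER_EVENTS = {
    "cloudtrail.amazonaws.com": {"StopLogging", "DeleteTrail", "UpdateTrail",
                                 "PutEventSelectors"},
    "s3.amazonaws.com": {"PutBucketLogging", "DeleteBucketPolicy", "PutBucketLifecycle"},
}


def load_records(text):
    """Parse one CloudTrail log-file object into its list of records."""
    return json.loads(text)["Records"]


def principal(record):
    """Best available name for the caller: IAM user, else ARN, else identity type."""
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def in_trusted_network(ip, trusted_networks):
    """True if ip falls in any trusted network. Non-IP values (CloudTrail uses
    service hostnames for AWS-internal callers) are treated as untrusted."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in trusted_networks)


def examine(records, phi_buckets, trusted_cidrs, denied_threshold=3):
    """Return (severity, rule, principal, detail) tuples for records worth review."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings = []
    denied = Counter()
    for r in records:
        who = principal(r)
        source, name = r.get("eventSource", ""), r.get("eventName", "")
        ip = r.get("sourceIPAddress", "")
        bucket = (r.get("requestParameters") or {}).get("bucketName")
        if name in AUDIT_TAMPER_EVENTS.get(source, set()):
            findings.append(("HIGH", "audit-tamper", who, f"{name} from {ip}"))
        if r.get("userIdentity", {}).get("type") == "Root":
            findings.append(("HIGH", "root-usage", who, f"{name} from {ip}"))
        # Successful ePHI bucket access from outside the trusted range.
        if bucket in phi_buckets and not r.get("errorCode") \
                and not in_trusted_network(ip, trusted):
            findings.append(("MEDIUM", "phi-access-untrusted-ip", who,
                             f"{name} {bucket} from {ip}"))
        if r.get("errorCode") == "AccessDenied":
            denied[who] += 1
    # Repeated denials from one principal suggest probing or a broken least-privilege policy.
    for who, n in denied.items():
        if n >= denied_threshold:
            findings.append(("MEDIUM", "repeated-access-denied", who, f"{n} denied requests"))
    return findings


def run_sample():
    """Examine the constructed sample with the assumed PHI bucket and trusted range."""
    return examine(load_records(SAMPLE_LOG), {"phi-records"}, ["10.0.0.0/8"])


if __name__ == "__main__":
    for finding in run_sample():
        print(*finding, sep="\t")
```

In practice the records would come from the log bucket the architecture writes to, and the output would feed the workforce member's regular review; the rule set here is deliberately small so that the shape of each check is visible.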
Impact of Resource Type(s):
AWS::CloudTrail::Trail
AWS::S3::Bucket
AWS::RDS::DBInstance
AWS::ElasticLoadBalancing::LoadBalancer
References:
https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/nist80066.pdf