Skip to content

Nova Home Care — Infrastructure Docs

AWS-Specific

nova-infra/hipaa-compliance-aws-infra

AWS-Specific Checklist¶

Items specific to the AWS implementation, organized by service. Tick marks reflect NVS account unless otherwise noted.

AWS Organization¶

Management account used only for billing and org management (no workloads)
NVS and NHC in separate OUs
SCPs applied at OU level
SCP: deny actions without MFA
SCP: deny storage creation without encryption
SCP: deny non-HIPAA-eligible regions (if applicable)
CloudTrail enabled in management account

IAM Identity Center¶

External IdP configured (Microsoft Entra ID — SAML 2.0)
Permission sets created (DevOps-Admin, ReadOnly)
Account assignments configured for NVS and NHC
SCIM provisioning (requires Entra ID P1/P2 — currently SAML-only)
All human access via SSO (no IAM user console access)

IAM (All Accounts)¶

Root account: no access keys, MFA enabled
No IAM users with console access without MFA
IAM Access Analyzer enabled (NVS)
Password policy: min 14 chars, complexity, 90-day rotation
Roles used instead of user access keys for EC2/services (NVS — SSM instance profile)

KMS¶

EC2¶

All EBS volumes encrypted with KMS CMK (DA-14 — existing volumes pending)
No EC2 instances with public IP (DA-13 — still in Tokyo on public IP)
SSM Agent role deployed (NVS — instance profile ready)
IAM instance profile created (NVS)
Security groups: no 0.0.0.0/0 inbound rules
EC2 IMDSv2 enforced (no IMDSv1)

RDS¶

RDS MariaDB 10.11 deployed (NVS — prod-nvs-hris, Singapore)
Storage encrypted with KMS CMK
No public access
Deletion protection enabled
Automated backups: 7-day retention
Slow query + error logs to CloudWatch
Multi-AZ (not enabled — single-AZ for cost; review before PHI go-live)
RDS data migration from Tokyo Podman MariaDB (DA-11 pending step)

S3¶

Block Public Access enabled on all NVS buckets
Default encryption SSE-KMS on all NVS buckets
Versioning enabled on all NVS buckets
Bucket policies deny HTTP and unencrypted PutObject (NVS)
S3 Access Logging enabled on screenshot bucket → access logs bucket
S3 Object Lock evaluated for CloudTrail log bucket
Account-level Block Public Access setting confirmed (NVS, NHC)

VPC¶

VPC Flow Logs enabled (deferred to DA-13 — VPC being created with EC2 migration)
No default VPC in use for PHI workloads
NAT Gateway for outbound (no internet gateway directly to EC2)
VPC endpoints for S3 and SSM (planned in DA-13 VPC module)
Network ACLs reviewed

CloudTrail¶

Multi-region trail in NVS (nvs-trail)
S3 bucket: no public access, KMS encrypted (NVS)
Log file validation enabled (NVS)
CloudWatch Logs integration (NVS)
Multi-region trail in NHC (DA-15)
Data events: S3 screenshot bucket (NVS — not yet configured on trail)

GuardDuty¶

Enabled in NVS account
SNS alert on High/Critical findings (NVS)
Enabled in NHC account (DA-15)
Org-level delegated admin configured from Management account
S3 protection confirmed enabled
EKS protection (N/A — no EKS in use)

Security Hub¶

Enabled in NVS account
AWS Foundational Security Best Practices v1.0.0 (NVS)
NIST SP 800-53 Rev 5 (NVS) — HIPAA standard not available in ap-southeast-1
Enabled in NHC account (DA-15)
Aggregator configured (view all accounts from management)
SNS alert on Critical findings

AWS Config¶

Config recorder enabled (NVS)
Config delivery channel → S3 bucket (NVS, KMS encrypted)
HIPAA conformance pack deployed (NVS — 21 rules: encryption, audit, access, network, backup)
Config recorder enabled (NHC) (DA-15)
HIPAA conformance pack deployed (NHC) (DA-15)

WAF¶

WAF v2 associated with NHC Django API ALB
WAF v2 associated with NVS Laravel ALB
AWS Managed Rules: Core rule set, Known bad inputs
Rate limiting rule enabled
WAF logs → S3 or CloudWatch Logs

AWS Backup¶

Backup plan deployed for NHC (DA-15)
Backup vault encrypted with KMS CMK (DA-15)
Vault access policy restricts deletion (DA-15)
Cross-region copy rule enabled — pending DR vault bootstrap
Backup tags applied for cost tracking (DA-15)