Storage
S3 Buckets
All S3 buckets are encrypted with KMS CMKs and have versioning enabled.
| Bucket | Purpose | Encryption | Access Logs | HIPAA |
|---|---|---|---|---|
| prod-nhc-s3-access-logs-* | S3 access logs receiver | KMS CMK | Self | ✅ |
| prod-nhc-django-public-* | Django static files (CSS/JS/images) | KMS CMK | ✅ | ❌ |
| prod-nhc-django-private-* | Django media uploads (PHI documents) | KMS CMK | ✅ | ✅ |
| prod-nhc-wpcms-* | WP CMS assets (DB seeds, media) | KMS CMK | ✅ | ❌ |
PHI Bucket
prod-nhc-django-private-* contains PHI (patient documents, uploads). Access to it is logged, and noncurrent object versions are retained for 365 days.
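The baseline above (KMS CMK default encryption, versioning, access logging, and a 365-day noncurrent-version retention on the PHI bucket) is something a drift check should verify rather than assume. The script below is an added example, not part of this documentation or the project's own tooling. It evaluates the response shapes returned by boto3's `get_bucket_encryption`, `get_bucket_versioning`, `get_bucket_logging` and `get_bucket_lifecycle_configuration`, so it runs offline against the constructed responses embedded here; the bucket names, key ARN and account id in the samples are placeholders, not values from this page.

```python
"""Audit S3 bucket settings against the storage baseline documented above.

Added example (not the project's code). The dicts have the shape boto3 returns
from get_bucket_encryption / get_bucket_versioning / get_bucket_logging /
get_bucket_lifecycle_configuration, so a caller can feed live responses in.
"""
from dataclasses import dataclass

# Retention documented for the PHI bucket's noncurrent versions.
REQUIRED_NONCURRENT_DAYS = 365


@dataclass
class BucketConfig:
    name: str
    encryption: dict   # get_bucket_encryption response
    versioning: dict   # get_bucket_versioning response
    logging: dict      # get_bucket_logging response
    lifecycle: dict    # get_bucket_lifecycle_configuration response
    phi: bool = False  # True for buckets flagged HIPAA/PHI in the inventory


def check_bucket(cfg: BucketConfig) -> list[str]:
    """Return findings for one bucket; an empty list means it matches the baseline."""
    findings: list[str] = []

    # Default encryption must be SSE-KMS with an explicit key. SSE-KMS without a
    # KMSMasterKeyID means the AWS-managed aws/s3 key, which is not a CMK.
    rules = cfg.encryption.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    defaults = [r.get("ApplyServerSideEncryptionByDefault", {}) for r in rules]
    if not any(d.get("SSEAlgorithm") == "aws:kms" and d.get("KMSMasterKeyID") for d in defaults):
        findings.append("default encryption is not a KMS CMK")

    if cfg.versioning.get("Status") != "Enabled":
        findings.append("versioning is not enabled")

    # get_bucket_logging omits LoggingEnabled entirely when logging is off.
    if "LoggingEnabled" not in cfg.logging:
        findings.append("server access logging is not enabled")

    if cfg.phi:
        days = [r.get("NoncurrentVersionExpiration", {}).get("NoncurrentDays")
                for r in cfg.lifecycle.get("Rules", []) if r.get("Status") == "Enabled"]
        if REQUIRED_NONCURRENT_DAYS not in days:
            findings.append(f"no enabled lifecycle rule expiring noncurrent versions "
                            f"after {REQUIRED_NONCURRENT_DAYS} days")
    return findings


def audit_all(configs: list[BucketConfig]) -> dict[str, list[str]]:
    """Map each bucket name to its findings; only buckets with findings appear."""
    return {c.name: f for c in configs if (f := check_bucket(c))}


# Constructed sample responses (placeholder names, account id and key ARN).
_CMK_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"

SAMPLE_PRIVATE_BUCKET = BucketConfig(
    name="example-django-private",
    encryption={"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
                                                "KMSMasterKeyID": _CMK_ARN},
         "BucketKeyEnabled": True}]}},
    versioning={"Status": "Enabled"},
    logging={"LoggingEnabled": {"TargetBucket": "example-access-logs",
                                "TargetPrefix": "django-private/"}},
    lifecycle={"Rules": [{"ID": "expire-noncurrent", "Status": "Enabled",
                          "Filter": {"Prefix": ""},
                          "NoncurrentVersionExpiration": {"NoncurrentDays": 365}}]},
    phi=True,
)

# Drifted bucket: SSE-S3 instead of a CMK, versioning suspended, logging off.
SAMPLE_DRIFTED_BUCKET = BucketConfig(
    name="example-wpcms",
    encryption={"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}},
    versioning={"Status": "Suspended"},
    logging={},
    lifecycle={"Rules": []},
)

if __name__ == "__main__":
    for name, findings in audit_all([SAMPLE_PRIVATE_BUCKET, SAMPLE_DRIFTED_BUCKET]).items():
        print(name)
        for f in findings:
            print("  -", f)
```

To run it against a real account, build each `BucketConfig` from the four boto3 calls named in the docstring; `get_bucket_lifecycle_configuration` raises `NoSuchLifecycleConfiguration` on a bucket with no rules, so catch that and pass `{"Rules": []}`.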
EBS Volumes
All EBS volumes are encrypted at rest with the prod-nhc-kms-ebs KMS CMK.
| Instance | Volume Size | Encrypted | KMS Key |
|---|---|---|---|
| ec2-django | 30 GB | ✅ | prod-nhc-kms-ebs |
| ec2-app | 40 GB | ✅ | prod-nhc-kms-ebs |
| ec2-foursites | 30 GB | ✅ | prod-nhc-kms-ebs |
| ec2-runner | 50 GB | ✅ | prod-nhc-kms-ebs |
KMS Keys
| Key Alias | Purpose | Rotation |
|---|---|---|
| prod-nhc-kms-ebs | EBS volume encryption | ✅ Annual |
| prod-nhc-kms-rds | RDS + ElastiCache encryption | ✅ Annual |
| prod-nhc-kms-s3 | S3 bucket encryption | ✅ Annual |
| prod-nhc-dr-backup | DR vault encryption (us-west-2) | ✅ Annual |