# Encryption Policy
HIPAA Rule: §164.312(a)(2)(iv), §164.312(e)(2)(ii)
## Purpose
Ensure PHI is encrypted at rest and in transit at all times within the NVS/NHC environments.
## Encryption at Rest
All storage containing PHI or adjacent to PHI must use AWS KMS Customer Managed Keys (CMKs).
| Resource | Encryption Standard | Key |
|---|---|---|
| EC2 EBS volumes | AES-256 via KMS CMK | Per-account CMK |
| S3 buckets (all) | SSE-KMS | Per-account CMK |
| RDS instances (NHC) | AES-256 via KMS CMK | NHC RDS CMK |
| CloudTrail logs (S3) | SSE-KMS | Per-account CMK |
| AWS Backup vault | KMS CMK | NHC Backup CMK |
| NVS Screenshot bucket | SSE-KMS | NVS CMK |
### KMS Key Policy Requirements
- Key deletion requires 30-day waiting period
- Key rotation enabled (annual automatic rotation)
- Key usage logged via CloudTrail
- Key access restricted to authorized IAM roles only
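As an added example, not part of this policy or the NVS/NHC tooling, the following Python audits a key against the requirements listed above. Its inputs are constructed stand-ins for the fields returned by `kms describe-key`, `kms get-key-rotation-status` and `kms get-key-policy`; the account id, role ARNs and key ids are made up. The 30-day waiting period is a parameter of `ScheduleKeyDeletion` (`PendingWindowInDays`) rather than a property of the key, so it is checked by a separate function on the deletion request; CloudTrail logging is an account-level setting and is not checked here.

```python
"""Audit a KMS key against the key-policy requirements above (added example)."""
import json

ACCOUNT = "123456789012"  # constructed account id

# Constructed: the only principals the key policy may grant access to.
AUTHORIZED_PRINCIPALS = {
    f"arn:aws:iam::{ACCOUNT}:role/KmsKeyAdmin",
    f"arn:aws:iam::{ACCOUNT}:role/NhcRdsService",
}

# Constructed stand-in for a compliant key: customer managed, rotating annually,
# key policy grants only to the authorized roles.
GOOD_KEY = {
    "KeyMetadata": {"KeyId": "key-good-0001", "KeyManager": "CUSTOMER", "KeyState": "Enabled"},
    "KeyRotationEnabled": True,
    "RotationPeriodInDays": 365,
    "Policy": json.dumps({
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "KeyAdministration", "Effect": "Allow",
             "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:role/KmsKeyAdmin"},
             "Action": "kms:*", "Resource": "*"},
            {"Sid": "RdsDataKeys", "Effect": "Allow",
             "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:role/NhcRdsService"},
             "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*", "kms:DescribeKey"],
             "Resource": "*"},
        ],
    }),
}

# Constructed stand-in for a non-compliant key: AWS managed, rotation off,
# key policy open to everyone and to a role that is not on the authorized list.
BAD_KEY = {
    "KeyMetadata": {"KeyId": "key-bad-0002", "KeyManager": "AWS", "KeyState": "Enabled"},
    "KeyRotationEnabled": False,
    "Policy": json.dumps({
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AnyoneCanDecrypt", "Effect": "Allow", "Principal": {"AWS": "*"},
             "Action": "kms:Decrypt", "Resource": "*"},
            {"Sid": "LegacyApp", "Effect": "Allow",
             "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:role/LegacyApp"},
             "Action": "kms:Decrypt", "Resource": "*"},
        ],
    }),
}


def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _allow_principals(policy_doc):
    """Yield (Sid, principal) for each principal granted by an Allow statement."""
    for stmt in _as_list(json.loads(policy_doc).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal", {})
        if principal == "*":
            yield sid, "*"
            continue
        for values in principal.values():  # "AWS", "Service", "Federated", ...
            for p in _as_list(values):
                yield sid, p


def audit_key(key, authorized=AUTHORIZED_PRINCIPALS):
    """Return findings; an empty list means the key meets the listed requirements."""
    findings = []
    if key["KeyMetadata"].get("KeyManager") != "CUSTOMER":
        findings.append("key is AWS managed, not a customer managed key")
    if not key.get("KeyRotationEnabled"):
        findings.append("automatic key rotation is disabled")
    elif key.get("RotationPeriodInDays", 365) > 365:
        findings.append(f"rotation period of {key['RotationPeriodInDays']} days is longer than annual")
    for sid, principal in _allow_principals(key["Policy"]):
        if principal == "*":
            findings.append(f"{sid}: grants access to every principal")
        elif principal not in authorized:
            findings.append(f"{sid}: grants access to unauthorized principal {principal}")
    return findings


def deletion_request_ok(pending_window_in_days):
    """ScheduleKeyDeletion must be called with the maximum 30-day waiting period."""
    return pending_window_in_days == 30


if __name__ == "__main__":
    for name, key in (("good", GOOD_KEY), ("bad", BAD_KEY)):
        print(name, audit_key(key) or ["OK"])
```

Run against real keys by substituting the output of the three KMS calls for the constructed dictionaries; the authorized set should come from the same source of truth as your IAM role definitions.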
### S3 Bucket Policy (Deny Unencrypted Uploads)
All HIPAA-scoped S3 buckets must include a bucket policy that denies `s3:PutObject` requests that do not set the `x-amz-server-side-encryption` header to `aws:kms`.

```json
{
  "Effect": "Deny",
  "Principal": "*",
  "Action": "s3:PutObject",
  "Resource": "arn:aws:s3:::BUCKET_NAME/*",
  "Condition": {
    "StringNotEquals": {
      "s3:x-amz-server-side-encryption": "aws:kms"
    }
  }
}
```
## Encryption in Transit
| Connection | Standard |
|---|---|
| All HTTP traffic | Redirected to HTTPS (301) |
| TLS minimum version | TLS 1.2 |
| ALB listeners | HTTPS only on port 443 |
| Internal EC2 to RDS | SSL required |
| NVS → NHC API calls | HTTPS (TLS 1.2+) |
| S3 access | HTTPS only (bucket policy denies HTTP) |
### S3 HTTPS-Only Policy

```json
{
  "Effect": "Deny",
  "Principal": "*",
  "Action": "s3:*",
  "Resource": ["arn:aws:s3:::BUCKET_NAME", "arn:aws:s3:::BUCKET_NAME/*"],
  "Condition": {
    "Bool": {"aws:SecureTransport": "false"}
  }
}
```
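The two statements above (deny unencrypted uploads, deny non-HTTPS access) are easy to weaken by accident: a Deny that names a single principal instead of `"*"`, or an HTTPS-only statement that lists only the object ARN and so leaves bucket-level calls such as `ListBucket` uncovered, still looks plausible in a review. As an added example, not part of this policy or the NVS/NHC tooling, the following Python checks a bucket policy document, the `Policy` string returned by `aws s3api get-bucket-policy`, for both statements in their required form. The bucket name, role ARN and both sample policies are constructed.

```python
"""Check a HIPAA-scoped bucket policy for the two required Deny statements (added example)."""
import json

BUCKET = "example-phi-bucket"  # constructed bucket name
BUCKET_ARN = f"arn:aws:s3:::{BUCKET}"

# Constructed: carries both statements in the form the policy above requires.
COMPLIANT_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyUnencryptedUploads", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": f"{BUCKET_ARN}/*",
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": [BUCKET_ARN, f"{BUCKET_ARN}/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})

# Constructed: looks similar, but each statement is weakened.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        # Deny is limited to one role; every other principal may upload unencrypted.
        {"Sid": "DenyUnencryptedUploads", "Effect": "Deny",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/AppRole"},
         "Action": "s3:PutObject", "Resource": f"{BUCKET_ARN}/*",
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
        # Only the object ARN is listed; bucket-level operations over HTTP are not denied.
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": f"{BUCKET_ARN}/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})


def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_everyone(principal):
    """True for both spellings of 'all principals': "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def check_bucket_policy(policy_doc, bucket):
    """Return findings; an empty list means both required Deny statements are present."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    object_arn = f"{bucket_arn}/*"
    sse_ok = tls_ok = False
    sse_problems, tls_problems = [], []

    for stmt in _as_list(json.loads(policy_doc).get("Statement", [])):
        if stmt.get("Effect") != "Deny":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        cond = stmt.get("Condition", {})
        everyone = _is_everyone(stmt.get("Principal"))

        # Requirement 1: a Deny for everyone on s3:PutObject to the object ARN,
        # conditioned on StringNotEquals x-amz-server-side-encryption = aws:kms.
        sse = cond.get("StringNotEquals", {}).get("s3:x-amz-server-side-encryption")
        if sse is not None and "aws:kms" in _as_list(sse):
            covers_put = "s3:PutObject" in actions or "s3:*" in actions
            if covers_put and everyone and object_arn in resources:
                sse_ok = True
            elif not everyone:
                sse_problems.append(f"{sid}: encryption deny is limited to named principals, not \"*\"")
            else:
                sse_problems.append(f"{sid}: encryption deny does not cover s3:PutObject on {object_arn}")

        # Requirement 2: a Deny for everyone on s3:* over plain HTTP, on both the
        # bucket ARN and the object ARN.
        tls = cond.get("Bool", {}).get("aws:SecureTransport")
        if tls is not None and str(tls).lower() == "false":
            if "s3:*" in actions and everyone and {bucket_arn, object_arn} <= set(resources):
                tls_ok = True
            else:
                tls_problems.append(
                    f"{sid}: HTTPS-only deny must use s3:* for \"*\" on both {bucket_arn} and {object_arn}")

    findings = []
    if not sse_ok:
        findings += sse_problems or ["no Deny of s3:PutObject without s3:x-amz-server-side-encryption = aws:kms"]
    if not tls_ok:
        findings += tls_problems or ["no Deny of s3:* when aws:SecureTransport is false"]
    return findings


if __name__ == "__main__":
    for name, doc in (("compliant", COMPLIANT_POLICY), ("weak", WEAK_POLICY)):
        print(name, check_bucket_policy(doc, BUCKET) or ["OK"])
```

The check is structural: it confirms the statements are present in the required shape and reports why a near-miss fails, which is what a reviewer needs when the same policy template has been copied across many buckets.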
## Exceptions
No exceptions are permitted for PHI in scope. If a technical constraint prevents encryption, it must be escalated and documented as a risk finding.
## Verification
- AWS Config rule `ENCRYPTED_VOLUMES` monitors EBS encryption
- AWS Config rule `S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED` monitors S3 encryption
- Security Hub HIPAA standard includes encryption checks
- Terraform plan will fail if `encrypted = false` on any managed EBS or RDS resource