How audit-ready is your HIPAA-on-AWS posture?
Twelve technical controls. Three minutes. Instant score band; full breakdown and tailored next steps in your inbox. Based on the twelve-control map from our Operating Library article A Minimum-Viable HIPAA Compliance Posture for AWS.
-
01 Legal BAA signed with AWS
Have you signed the AWS Business Associate Addendum?
Yes only if fully executed in AWS Artifact. Initiated-but-unsigned is Partial.
-
02 Legal Only HIPAA-eligible AWS services touch PHI
Every AWS service that handles PHI is on the documented HIPAA-eligible list.
Yes only if the eligibility list is checked as part of a runtime/review process, not a one-time decision.
-
03 Architecture Workloads, logs, and audit tooling in separate AWS accounts
Production workloads, centralized logs, and audit tooling live in distinct AWS accounts under AWS Organizations.
Yes only if 3+ accounts with enforced boundaries. Single-account or VPC-only separation is Partial.
-
04 Architecture Service Control Policy prevents CloudTrail removal
An SCP denies CloudTrail trail deletion across every account in the org.
Yes only if the SCP is deployed and you have tested it (attempted a delete and confirmed it was denied).
-
05 Identity MFA required on every human console access
Every human accessing the AWS console has MFA enforced.
Yes only if enforced via Identity Center or an equivalent SSO with universal MFA policy.
-
06 Identity Root account locked + monitored
Root credentials are stored cold and a CloudWatch alarm fires on any root usage.
Yes only if both — locked away AND alarm in place.
-
07 Identity Service roles follow least-privilege
IAM roles attached to services use narrow action scopes — no `service:*` wildcards on production workloads.
Yes only if you have reviewed roles recently with IAM Access Analyzer or equivalent.
-
08 Data PHI data stores encrypted at rest with KMS
Every data store holding PHI is encrypted at rest using AWS KMS.
AWS-managed keys are acceptable. Customer-managed keys for sensitive data is a plus, not required.
-
09 Data All external endpoints enforce TLS 1.2+
HTTP is disabled at the load balancer; every endpoint requires TLS 1.2 minimum.
Yes only if the load balancer / CloudFront / API Gateway listener is configured to refuse HTTP and pre-1.2 TLS.
-
10 Observability CloudTrail org-wide → log archive with Object Lock
CloudTrail is configured organization-wide and writes to an S3 bucket with Object Lock (compliance mode).
Yes only with Object Lock in compliance mode. CloudTrail on without Object Lock is Partial.
-
11 Observability VPC Flow Logs centralized
VPC Flow Logs from every production VPC flow into the log archive.
Yes only if every prod VPC. Some VPCs covered, others not is Partial.
-
12 Backup Cross-region backups + recent restore drill
PHI-bearing data has cross-region backup copies, and a restore has been drilled in the last 12 months.
Yes only if both — cross-region AND a documented drill within the past year.
See your full breakdown.
Your score band is visible above. Enter your email to unlock the per-category breakdown, the specific controls to fix first, and the recommended next step for your band. We email you the same report so it's there when you're ready to act.