This session explores how a serverless approach simplifies the effort to meet compliance needs. After an introduction to the PCI standard, we look at how to build an e-commerce solution using Amazon API Gateway and AWS Lambda. Then, we explore how we can expand that system to include the handling of Protected Health Information (PHI) to achieve HIPAA compliance.

1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS re:INVENT
How to Handle PC I and HI PAA C omp liance with
Se rve rle ss Archite ctu re
M a y a n k T h a k k a r - H e a l t h c a r e a n d L i f e S c i e n c e s S o l u t i o n s A r c h i t e c t
R y a n K o l a k - S e n i o r S o l u t i o n s A r c h i t e c t
S R V 2 1 4

2. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Agenda
• Security within AWS
• PCI DSS and AWS Serverless Services
• HIPAA and AWS Serverless Services
• Q & A

3. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS - Security Model

4. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Core Security Services
AWS
CloudTrail
AWS
Config
AWS
KMS
AWS ArtifactAWS
Certificate
Manager
IAM AWS
CloudHSM

5. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Shared Responsibility Model

6. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Shared Responsibility Model - Serverless

7. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS and PCI-DSS

8. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
‘Serverless’ Services in Scope – PCI DSS
Amazon
S3
AWS
Lambda
Amazon
Kinesis
Amazon API
Gateway
Amazon
DynamoDB
Amazon
SQS
Amazon
CloudFront
Amazon
Cognito
And many more…

9. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Serverless Architecture – eCommerce website
Amazon
S3 bucket
Website
Assets
Amazon
DynamoDB
Amazon
Cognito
Amazon API
Gateway
AWS
Lambda
Users
Browser
Amazon
S3 bucket
encrypted
objects
Amazon
Kinesis

10. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Implementing Controls
Requirement 10: Track and monitor all access to network resources and cardholder data.
IAM Policy to limit access to sensitive attributes in DynamoDB
Encrypt sensitive data in DynamoDB with KMS
CloudTrail produces log entries when encrypted data is accessed
Enable log file integrity in CloudTrail to ensure logs are not modified
IAM
AWS KMS
Amazon
DynamoDB
AWS
CloudTrail

11. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS and HIPAA

12. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
The basics
• Build HIPAA-eligible applications that store, process and transmit PHI
• Business Associate Agreement (BAA) addendum available
• Required if you are Covered Entity or Business Associate as defined by HIPAA
• Broad range of HIPAA-eligible services (36+) under the AWS BAA addendum
StorageCompute Database Managed
Big Data
Archiving Data
Warehousing
Networking

13. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
‘Serverless’ Services in Scope – HIPAA
Amazon S3
(including S3 Transfer
Acceleration)
AWS
Lambda
Amazon Kinesis
Streams
Amazon API
Gateway
(excluding
Amazon API
Gateway caching)
Amazon
DynamoDB
Amazon
SQS
Amazon
CloudFront
(including
Lambda@Edge)
Amazon
Cognito
Amazon
SNS
AWS WAFAWS Batch
And many more…
AWS
CloudHSM
AWS KMS
Amazon
Inspector

14. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Medical Data Telemetry (Mobile Devices)
Mobile
Device
AWS Lambda
Amazon S3 – raw
data
Medical
Sensor
Amazon Kinesis
Streams
Amazon
DynamoDB
Amazon SNS
Amazon API
Gateway
AWS Lambda
Amazon
Cognito

15. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Meeting Compliance Objectives
Objective AWS Services
Encryption in transit • Use https endpoints
Encrypt data at rest • Amazon S3, Amazon Kinesis: Native encryption
• Amazon DynamoDB: Client Side encryption
• AWS Lambda: encrypt sensitive information in Lambda
environment variables
Enforcing least
privilege
• Use IAM roles and policies to achieve segregation of control
Auditing • Amazon S3: Enable access logging to audit GET requests
• Amazon CloudTrail, Amazon CloudWatch Logs and S3
(custom logs)

16. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Meeting Compliance Objectives
Objective AWS Services
Data Backup • S3 & Glacier
High Availability &
Disaster Recovery
• Regional services, use multiple Availability Zones
(within a region) by default
• Use DynamoDB cross region replication solution
• Use S3 cross region replication feature to migrate
data to another region
Logging and logs
integrity
• S3 and CloudTrail for logging. Enable log file
integrity in CloudTrail

17. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Q & A

18. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
References
• Services in scope by program here
• PCI – DSS
• FAQs
• Quickstart
• Case studies: Simple, Stripe, PaymentSpring and many more…
• HIPAA
• Compliance
• Quickstart
• Case studies

19. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
THANK YOU!