top of page

AWS Control Tower and Landing Zone simplifies HIPAA Compliance

Problem statement

Since the introduction of HIPAA in 1996, healthcare providers have invested in different solutions to secure sensitive patient data. These providers are increasingly turning to the cloud, which has quickly become a low-cost way to develop the complex infrastructure required to support their critical organizational activities. The most important items for HIPAA compliance are:

  • Encryption at rest and in transit

  • Strict access policies and limited access to PHI

  • Activity logs and audit controls

  • Reporting security incidents

Multi-account AWS infrastructure makes it easier to manage protected health information (PHI) and improve overall security and accountability by isolation of different environments.

This post will cover the use of AWS Control Tower to provide an easy way to set up and govern a new, secure, multi-account AWS environment based on best practices established through AWS’ experience working with thousands of enterprises as they move to the cloud.

Solution overview

AWS Landing zone contains several accounts for every application for different environment and management purposes:

  • Root account is used for consolidated billing, managing service control policies (SCP), pipeline for the Control Tower Customization solution and SSO configuration for an external identity provider as G-Suite.

  • Logging account is used for storing logs from all accounts within AWS organization and services such as CloudTrail, AWS Config, GuardDuty, VPC FlowLogs, ELB access logs, API Gateway and Lambda logs.

  • Audit account is used for GuarDuty master and SNS notifications for the security team. It gives security and compliance teams read and write access to all accounts in a landing zone.

  • Networking account is used for central management VPC, Transit Gateway, VPN connections and Serverless Transit Network Orchestrator which allows to automate connecting new VPCs to the central Transit Gateway and manage routing for different environments.

  • Application accounts are separate for every application environment such as Prod, Stage, Dev.

Service control policies (SCP) are used to prevent application accounts using AWS resources in regions other than US-EAST-1 (Northern Virginia).

The diagram below describes high-level design of a multi-account AWS environment for healthcare application.

Solution design


Network segmentation is an important part of a cloud infrastructure security and highly effective strategy to limit the impact of network intrusion. AWS Transit Gateway (TGW) is used for a solution for secure network traffic in multi-VPC environments.

Management VPC is a core of network infrastructure. It contains AWS Transit Gateway, Serverless Transit Network Orchestrator and VPN connections for technical staff. Once a new VPC is created in an application account, CloudWatch event triggers Lambda function that attaches VPC to the central Transit Gateway and appropriate routes are propagated. Despite the fact that VPCs are connected to the Transit Gateway, networks are isolated from each other, for example, Dev resources can not access Prod. Environments are isolated and the only way to access an application environment is through the Management VPC in the Networking account. For the audit and monitoring purposes VPC Flow Logs are being sent to the Log Archive account.

The diagram below describes network interconnection between central management VPC and application VPC.

Threat detection

Logs collected from different AWS services such as CloudTrail event logs, VPC Flow Logs and DNS logs can be used by the AWS GuardDuty to analyze tens of billions of events across multiple AWS data sources. GuardDuty uses machine learning, anomaly detection, and integrated threat intelligence to identify and prioritize potential threats.

To manage multiple accounts in Amazon GuardDuty, AWS recommends to choose a single AWS account to be the master account for GuardDuty, this is the Audit account in our case. Other accounts are then associated with the master account as member accounts. There are many types of threats that GuardDuty is able to detect:

  • Port scanning.

  • SSH/WinRM/RDP bruteforce.

  • Denial of service TCP/UDP/DNS. Outbound traffic from EC2.

  • Bitcoin tools on EC2 or other cryptocurrency-related activity.

  • Spam bots on EC2.

  • Penetration tests using Kali/Parrot/Pentoo Linux.

  • Using AWS Root credentials.

  • Change of IAM password policy.

  • Trojans on EC2.

  • EC2 as a client on a Tor network.

  • Unusual traffic volume.

  • and many more