
Our ClearDATA Solution for AWS allows healthcare and life science organizations to innovate safely in the cloud by leveraging our Automated Safeguards and additional guidance covering commonly used AWS products.

Automated Safeguards

Our safeguards ensure Healthcare and Life Sciences organizations can use native AWS cloud services in a safe and compliant manner, as introduced in our CTO Matt Ferrari's blog post. Click on the Automated Safeguard Name for more information.

Each entry below gives the Automated Safeguard Name, a Quick Description, the Key Controls enforced, and the Remediation Action taken when a resource is found non-compliant.

Identity and Access Management - Group & User Self Service
  Quick Description: Allows a customer to create and manage AWS users that can have specific access to AWS features
  Key Controls:
    • Customer can define Administrators
    • Administrators can create additional users and assign them to ClearDATA approved groups

Security Groups
  Quick Description: Allows a customer to manage the rules that make use of their Security Groups
  Key Controls:
    • Ports and port ranges are in our standard whitelist
    • Ports and port ranges are in a pre-approved customer-specific whitelist
  Remediation Action: Non-compliant Security Group rules are removed

API Gateway
  Quick Description: Allows a customer to deploy APIs
  Key Controls:
    • Access Logs are enabled for all API Stages
  Remediation Action: Access logs are configured to log to CloudWatch at each API Stage

Application Load Balancer (ALB)
  Quick Description: Allows a customer to create Application Load Balancers in front of EC2 instances
  Key Controls:
    • HTTPS protocol and/or port 443
    • Access logging enabled
    • Appropriate TLS version
  Remediation Action: A non-compliant ALB listener is deleted immediately after creation. Access logging is enabled transparently after the ALB is provisioned.

Athena
  Quick Description: Allows a customer to query S3 buckets
  Key Controls:
    • Encryption in motion when connecting to S3
  Remediation Action: Automatically configured

DynamoDB
  Quick Description: Allows a customer to create DynamoDB tables
  Key Controls:
    • Encryption at rest with a KMS key
    • Point-in-time backups are enabled
  Remediation Action: Tables encrypted with the DEFAULT key are deleted. Backups are enabled if they are not already enabled.

Elastic Compute Service (EC2) (a.k.a. DPHI)
  Quick Description: Allows a customer to manage the lifecycle of EC2 instances
  Key Controls:
    • CIS hardened OS
    • Malware Protection
    • Log Management
    • Encryption at rest
  Remediation Action: EC2 instances are not allowed to be created

EC2 Container Service (ECS) (a.k.a. PHI Containers)
  Quick Description: Allows a customer to manage the lifecycle of containerized applications
  Key Controls:
    • Encryption at rest
    • Encryption in motion
    • Vulnerability Scanning
    • Audit Logging
  Remediation Action: ECS clusters are not allowed to be created by customers. Please contact ClearDATA Support for more information.

EKS (Elastic Container Service for Kubernetes)
  Quick Description: Allows the customer to create a managed Kubernetes platform
  Key Controls:
    • Encryption at rest
    • Vulnerability Scanning
    • Audit Logging
  Remediation Action: EKS Worker Nodes are terminated if they are not compliant

ElastiCache - Redis
  Quick Description: Allows a customer to create ElastiCache clusters
  Key Controls:
    • Encryption at rest
    • Encryption in motion between cluster nodes
    • Cluster is not publicly available
  Remediation Action: Non-compliant ElastiCache clusters are deleted immediately after creation

Elasticsearch
  Quick Description: Allows a customer to create Elasticsearch domains
  Key Controls:
    • Encryption at rest
    • Encryption in motion between cluster nodes
    • Cluster is not publicly available
  Remediation Action: Non-compliant Elasticsearch clusters are deleted immediately after creation

Elastic File System (EFS)
  Quick Description: Allows customers to create encrypted EFS file systems
  Key Controls:
    • Encryption at rest
  Remediation Action: Non-compliant EFS volumes are deleted immediately after creation

Kinesis Data & Video Streams
  Quick Description: Allows customers to create Kinesis Data & Video streams
  Key Controls:
    • Encryption at rest
  Remediation Action: Encryption is automatically enabled after the stream is created

Kinesis Firehose
  Quick Description: Allows customers to create Firehose streams
  Key Controls:
    • Encryption at rest
    • Splunk is not allowed as a destination
  Remediation Action: Encryption is enabled transparently on all Firehose streams. If Splunk is selected as a destination, the Firehose will be removed.

Redshift
  Quick Description: Allows a customer to deploy and manage Redshift clusters
  Key Controls:
    • Encryption at rest
    • Encryption in motion, via a parameter group
    • Backups are enabled with at least 14 day retention
    • Audit logs are enabled
    • Cluster is not publicly available
  Remediation Action: All configurations are modified after the cluster is deployed. Many items, such as encryption at rest, can take a significant amount of time to remediate.

Relational Database Service (RDS)
  Quick Description: Allows a customer to create RDS database instances
  Key Controls:
    • Instance deployed in private subnet
    • Encryption at rest
    • Encryption in Motion (where applicable)
    • Backups enabled
  Remediation Action: Non-compliant RDS instances are immediately deleted after creation

Sagemaker
  Quick Description: Allows customers to create Sagemaker notebooks
  Key Controls:
    • Encryption in motion for Hyperparameter Tuning jobs
  Remediation Action: If the VPC and encryption in motion are not selected in the job settings, the job will be stopped.

Simple Queuing Service (SQS)
  Quick Description: Allows customers to create queues
  Key Controls:
    • Encryption at rest
  Remediation Action: Encryption is automatically enabled after the queue is created

Simple Storage Service (S3)
  Quick Description: Allows a customer to create S3 buckets
  Key Controls:
    • Log Monitoring Status
    • Versioning Enabled Status
    • Static Webhosting Status
    • Bucket Policy Status
    • Bucket ACL Status
    • Policy PUT Encryption
    • Secure Transport
  Remediation Action: S3 settings, bucket policies, and ACL policies are updated to ensure compliance

Transfer for SFTP
  Quick Description: Allows a customer to create SFTP servers
  Key Controls:
    • Access Logs are enabled for all SFTP Servers
  Remediation Action: Access logs are configured to log to CloudWatch for all SFTP Servers
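Because the ALB safeguard deletes a non-compliant listener immediately after creation, it is useful to evaluate the same three controls (HTTPS on port 443, access logging, TLS policy) before deploying. The following is an added example written for this page, not ClearDATA's own safeguard code. It evaluates data in the shape returned by boto3's `elbv2` `describe_listeners()` and `describe_load_balancer_attributes()` calls; the `SAMPLE_*` inputs are constructed so it runs offline, and the allow-list of ELB security policies is this example's assumption, since the page only says "appropriate TLS version".

```python
"""Offline pre-check for the three ALB controls in the safeguard table.

Added example, not ClearDATA's own safeguard code. It evaluates listener and
attribute data in the shape returned by boto3's elbv2 describe_listeners()
and describe_load_balancer_attributes(); the SAMPLE_* inputs below are
constructed so the check runs without AWS credentials.
"""
from typing import Dict, List

# Assumption: the page only says "appropriate TLS version". This allow-list of
# predefined ELB security policies that refuse TLS 1.0/1.1 is the example's own
# choice, not ClearDATA's list; adjust it to your organisation's standard.
ALLOWED_SSL_POLICIES = frozenset({
    "ELBSecurityPolicy-TLS13-1-2-2021-06",
    "ELBSecurityPolicy-TLS-1-2-2017-01",
    "ELBSecurityPolicy-TLS-1-2-Ext-2018-06",
    "ELBSecurityPolicy-FS-1-2-2019-08",
    "ELBSecurityPolicy-FS-1-2-Res-2019-08",
})


def check_listener(listener: Dict) -> List[str]:
    """Return findings for one entry of describe_listeners()['Listeners']."""
    findings = []
    arn = listener.get("ListenerArn", "<unknown listener>")
    protocol = listener.get("Protocol")
    port = listener.get("Port")
    # Assumption: the control "HTTPS protocol and/or port 443" is read here as
    # "every listener must be HTTPS on 443"; relax this if your policy differs.
    if protocol != "HTTPS":
        findings.append(f"{arn}: protocol {protocol} is not HTTPS")
    if port != 443:
        findings.append(f"{arn}: port {port} is not 443")
    # Only HTTPS listeners carry an SslPolicy; HTTP listeners are already flagged.
    if protocol == "HTTPS" and listener.get("SslPolicy") not in ALLOWED_SSL_POLICIES:
        findings.append(f"{arn}: SSL policy {listener.get('SslPolicy')} permits TLS < 1.2")
    return findings


def check_access_logging(attributes: List[Dict]) -> List[str]:
    """Return findings for describe_load_balancer_attributes()['Attributes']."""
    by_key = {a["Key"]: a["Value"] for a in attributes}
    if by_key.get("access_logs.s3.enabled") == "true":
        return []
    return ["access logging is disabled (access_logs.s3.enabled != true)"]


def evaluate_alb(listeners: List[Dict], attributes: List[Dict]) -> List[str]:
    """Collect every finding for one load balancer; an empty list means compliant."""
    findings = []
    for listener in listeners:
        findings.extend(check_listener(listener))
    findings.extend(check_access_logging(attributes))
    return findings


# Constructed sample data mimicking the boto3 response shapes (fake account id / ARNs).
SAMPLE_LISTENERS = [
    {"ListenerArn": "arn:aws:elasticloadbalancing:us-east-1:111122223333:listener/app/example/abc/http80",
     "Protocol": "HTTP", "Port": 80},
    {"ListenerArn": "arn:aws:elasticloadbalancing:us-east-1:111122223333:listener/app/example/abc/oldtls",
     "Protocol": "HTTPS", "Port": 443, "SslPolicy": "ELBSecurityPolicy-2016-08"},
    {"ListenerArn": "arn:aws:elasticloadbalancing:us-east-1:111122223333:listener/app/example/abc/good",
     "Protocol": "HTTPS", "Port": 443, "SslPolicy": "ELBSecurityPolicy-TLS13-1-2-2021-06"},
]
SAMPLE_ATTRIBUTES = [
    {"Key": "access_logs.s3.enabled", "Value": "false"},
    {"Key": "deletion_protection.enabled", "Value": "true"},
]

if __name__ == "__main__":
    for finding in evaluate_alb(SAMPLE_LISTENERS, SAMPLE_ATTRIBUTES):
        print("NON-COMPLIANT:", finding)
```

Against the constructed sample the check reports four findings: the HTTP listener fails both the protocol and port rules, the `ELBSecurityPolicy-2016-08` listener fails the TLS rule, and access logging is off. Running the same functions over live `describe_listeners()` and `describe_load_balancer_attributes()` output lets you catch these before the safeguard deletes the listener.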

Automated Safeguards Alerting

ClearDATA Automated Safeguards both alert and remediate when a compliance violation is detected.  Customers can subscribe to the alerts by following the article Automated Safeguards - Subscribe to Compliance Alerts.


AWS Services

ClearDATA provides access to AWS services that can be used to host and process PHI through a defined set of controls for each service.  See AWS Compliance Reference for a list of all available services.

Automated Safeguards Evaluation & Remediation

ClearDATA Automated Safeguards perform an automated remediation to either fix a violation or remove the offending service, so that no compliance concern remains. The remediation actions are unique to each Automated Safeguard and are documented on each Automated Safeguard's detailed page. Customers can exclude both individual resources and entire AWS accounts (such as dev and test) from automated remediation by following the appropriate article:

Automated Safeguards - Exclude an AWS Account From Automated Remediation

Automated Safeguards - Exclude an AWS Object from Automated Remediation

Alerts are sent to a common SNS topic in each account and region.  ClearDATA recommends that customers subscribe to each SNS topic to receive alerts of non-compliant resources.

Platform Features

ClearDATA Solution for AWS also includes features for customers to take advantage of that are focused on helping our customers effectively consume the AWS platform.  Click on the Feature Name for more information.

Each entry below gives the Feature Name, the AWS Technology it builds on, a Quick Description, and the related Blog Post.

Custom AMI
  AWS Technology: Amazon Machine Images
  Quick Description: Supplements our EC2 Safeguards by allowing customers to create their own images
  Blog Post: “Have It Your Way” With AMI Customization

Additional Guidance

Additional AWS products can also be used by our customers with appropriate guidance, which our Customer Success Managers provide on request. See ClearDATA Supported Services for a full list of those services.

Access to additional Amazon products can also be reviewed on a case-by-case basis to ensure compliance is always achieved.
