
Compliance in AWS: Logging and Configuration

June 22, 2021

AWS Logging and Configuration

My last few articles discuss architectural principles that keep AWS environments secure and compliant. These principles are examined alongside the certification maintained by the Health Information Trust Alliance (HITRUST), which sets out the controls an organization needs in place to store Protected Health Information (PHI) in line with recognized security standards.

When the HITRUST Alliance was formed in 2007, its primary mission was to provide a set of prescriptive controls for meeting the HIPAA Security and Privacy Rules. HIPAA is often vague about what it actually requires, so HITRUST set out to define concrete controls that make the expectations much clearer.

The Value of HITRUST

Achieving HITRUST certification is a rigorous process, which is exactly why it has become a high bar of trust in the security, risk, and compliance industry. Because the HITRUST assessment incorporates more than 20 other frameworks, it is also gaining popularity outside of healthcare: organizations subject to multiple compliance frameworks can use HITRUST to de-duplicate overlapping requirements and assess against a single set of controls.

HITRUST was one of the first frameworks to provide guidance on measuring and managing the continuous monitoring of controls. AWS offers several tools for implementing this in your environment, such as AWS Config, AWS Security Hub, and AWS Audit Manager. Connectria uses these native AWS tools with our customers to verify that they are HIPAA and HITRUST compliant, and that they stay compliant as their environments change.

AWS Tools

AWS environments are dynamic and will always be changing, so it is important that every change continues to follow best practices as the environment evolves. Below are some of the AWS-native tools we use with our customers to support their compliance journey and make sure they maintain that compliance on an ongoing basis. We highly recommend that you use them as well.

Logging and Config

Global CloudTrail

To start, we always enable a global CloudTrail trail (a trail applied to all regions) for our customers. CloudTrail records the API calls made in the account, which helps us troubleshoot issues, even in regions you don't normally look at. To illustrate how helpful this is: a few years ago a customer of ours fell victim to a phishing scheme. A malicious actor compromised their account, logged in, and created Lambda functions in regions where the customer didn't normally build. We were able to identify everything the actor created, in part because we had CloudTrail enabled across all regions.

CloudTrail surfaced changes that we would not have identified as easily had logging only covered us-east-1, where the customer normally operated. The example shows why you need visibility beyond the region where your production environment lives, so that you can see everything occurring across your AWS account. Two settings on the trail matter here: apply it to all regions, so that regions you never use (and regions AWS adds later) are covered without anyone remembering to add them, and enable log file validation, so that the signed digest files let you prove the delivered logs were not altered afterwards, which is what an auditor or an incident responder will ask.
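The investigation described above, as detection logic you can run over CloudTrail records: flag resource-creating API calls made outside the regions an account normally uses and group them by caller. This is an added example, not code from the original article or from Connectria; the records are constructed to follow the shape of a CloudTrail log file (a `Records` list whose entries carry `eventName`, `awsRegion`, `userIdentity`, `sourceIPAddress` and `readOnly`), and `ALLOWED_REGIONS` and the write-event name prefixes are assumptions you would tune per account.

```python
"""Detection over CloudTrail records: flag resource-creating API calls that were
made outside the regions an account normally uses, and group them by caller.

Added example, not code from the original article. The records below are
constructed to follow the shape of a CloudTrail log file ("Records" list with
eventName, awsRegion, userIdentity, sourceIPAddress, readOnly). ALLOWED_REGIONS
and WRITE_EVENT_PREFIXES are assumptions that would be tuned per account.
"""
import json
from collections import defaultdict

# Regions the (hypothetical) customer actually builds in.
ALLOWED_REGIONS = {"us-east-1"}

# Fallback for records that carry no readOnly flag: API names with these
# prefixes create or change resources.
WRITE_EVENT_PREFIXES = ("Create", "Put", "Run", "Update", "Delete", "Attach")

# Constructed sample of a CloudTrail log file (fields abbreviated).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2021-06-01T10:00:00Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "CreateFunction20150331", "awsRegion": "ap-southeast-1",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "sourceIPAddress": "203.0.113.7", "readOnly": False},
    {"eventTime": "2021-06-01T10:02:00Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "CreateFunction20150331", "awsRegion": "eu-west-3",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "sourceIPAddress": "203.0.113.7", "readOnly": False},
    {"eventTime": "2021-06-01T10:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "eu-west-3",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "sourceIPAddress": "203.0.113.7", "readOnly": True},
    {"eventTime": "2021-06-01T11:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "us-east-1",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/Deploy/ci"},
     "sourceIPAddress": "198.51.100.2", "readOnly": False},
]})


def principal(record):
    """Identify the caller: the ARN when present, else the identity type."""
    ident = record.get("userIdentity", {})
    return ident.get("arn") or ident.get("userName") or ident.get("type", "unknown")


def is_write_event(record):
    """True for calls that create or modify resources; read-only calls are ignored."""
    read_only = record.get("readOnly")
    if read_only is not None:
        return not read_only
    return record.get("eventName", "").startswith(WRITE_EVENT_PREFIXES)


def find_out_of_region_writes(log_text, allowed_regions=ALLOWED_REGIONS):
    """Return the write events that happened outside the allowed regions."""
    records = json.loads(log_text)["Records"]
    return [r for r in records
            if is_write_event(r) and r.get("awsRegion") not in allowed_regions]


def summarize_by_principal(hits):
    """Group out-of-region writes by caller: regions touched, event count, source IPs."""
    summary = defaultdict(lambda: {"regions": set(), "events": 0, "source_ips": set()})
    for r in hits:
        entry = summary[principal(r)]
        entry["regions"].add(r["awsRegion"])
        entry["events"] += 1
        entry["source_ips"].add(r.get("sourceIPAddress", "?"))
    return dict(summary)


if __name__ == "__main__":
    hits = find_out_of_region_writes(SAMPLE_LOG)
    for who, info in summarize_by_principal(hits).items():
        print(f"{who}: {info['events']} write call(s) in {sorted(info['regions'])} "
              f"from {sorted(info['source_ips'])}")
```

On the sample input only alice's two `CreateFunction` calls in ap-southeast-1 and eu-west-3 are reported; her `DescribeInstances` call is read-only and the CI role's `RunInstances` is in an allowed region. The same grouping by principal and source IP is what let the team above attribute every resource the attacker created, and it only works if the trail covers every region.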


CloudWatch Logs consolidates this information: CloudTrail can deliver its events to a CloudWatch Logs log group, and the CloudWatch agent ships operating-system and application logs from your instances to the same place. With everything centralized you can search and sort the data, identify issues, answer compliance questions, and spot other security risks you may be exposed to. Having these logs is essential because, without them, you cannot perform the analysis needed to identify risks, and you cannot show an auditor what happened.

AWS Config Rules

AWS Config rules are another capability worth enabling. They help you stay compliant after you have implemented all of these controls: AWS Config records every configuration change, and each rule evaluates resources against a policy as they are created or modified, so you are not accidentally building something that knocks you out of compliance right before an auditor comes in. A rule does not stop the change by itself; it marks the resource NON_COMPLIANT, and pairing the rule with a remediation action lets you correct the drift automatically rather than discovering it at audit time.
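How a Config rule's evaluation works, shown against the very control discussed above: a custom rule that evaluates each CloudTrail trail for multi-region coverage, log file validation, CloudWatch Logs delivery and KMS encryption. This is an added example, not the article's or Connectria's code. The configuration field names (`isMultiRegionTrail`, `logFileValidationEnabled`, `cloudWatchLogsLogGroupArn`, `kmsKeyId`) follow the shape of the trail resource's configuration item, and the invocation events are constructed for illustration; `lambda_handler` is the entry point you would deploy, while the evaluation functions run offline.

```python
"""Custom AWS Config rule logic: evaluate an AWS::CloudTrail::Trail
configuration item against the trail settings the article recommends
(multi-region, log file validation, CloudWatch Logs delivery, KMS encryption).

Added example, not the article's or Connectria's code. Field names follow the
trail resource's configuration item (assumed); the events are constructed.
"""
import json


def evaluate_trail(configuration):
    """Return (ComplianceType, annotation) for one trail's configuration block."""
    failures = []
    if not configuration.get("isMultiRegionTrail"):
        failures.append("trail is not multi-region")
    if not configuration.get("logFileValidationEnabled"):
        failures.append("log file validation disabled")
    if not configuration.get("cloudWatchLogsLogGroupArn"):
        failures.append("no CloudWatch Logs delivery")
    if not configuration.get("kmsKeyId"):
        failures.append("log files not encrypted with a KMS key")
    if failures:
        return "NON_COMPLIANT", "; ".join(failures)
    return "COMPLIANT", "multi-region, validated, delivered to CloudWatch Logs, KMS-encrypted"


def build_evaluation(event):
    """Turn a Config rule invocation event into the evaluation to report back."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    if item["resourceType"] != "AWS::CloudTrail::Trail":
        compliance, note = "NOT_APPLICABLE", "rule only evaluates trails"
    elif item.get("configurationItemStatus") == "ResourceDeleted":
        compliance, note = "NOT_APPLICABLE", "trail deleted"
    else:
        compliance, note = evaluate_trail(item["configuration"])
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note[:256],  # Config caps annotations at 256 characters
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context):
    """Entry point when deployed as the rule's Lambda function."""
    import boto3  # imported here so evaluate_trail/build_evaluation run offline
    boto3.client("config").put_evaluations(
        Evaluations=[build_evaluation(event)], ResultToken=event["resultToken"])


def sample_event(configuration, resource_id):
    """Constructed Config invocation event wrapping one trail configuration."""
    item = {
        "resourceType": "AWS::CloudTrail::Trail",
        "resourceId": resource_id,
        "configurationItemStatus": "OK",
        "configurationItemCaptureTime": "2021-06-22T12:00:00.000Z",
        "configuration": configuration,
    }
    return {"resultToken": "TESTMODE",
            "invokingEvent": json.dumps({"configurationItem": item})}


# Constructed: a single-region trail with everything off, and a hardened one.
WEAK_TRAIL = {"name": "single-region", "isMultiRegionTrail": False,
              "logFileValidationEnabled": False,
              "cloudWatchLogsLogGroupArn": None, "kmsKeyId": None}
GOOD_TRAIL = {"name": "global", "isMultiRegionTrail": True,
              "logFileValidationEnabled": True,
              "cloudWatchLogsLogGroupArn":
                  "arn:aws:logs:us-east-1:123456789012:log-group:CloudTrail/global:*",
              "kmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555"}

if __name__ == "__main__":
    for trail, rid in ((WEAK_TRAIL, "single-region"), (GOOD_TRAIL, "global")):
        ev = build_evaluation(sample_event(trail, rid))
        print(rid, ev["ComplianceType"], "-", ev["Annotation"])
```

The weak trail comes back NON_COMPLIANT with all four findings in the annotation; the hardened one is COMPLIANT. In practice you would reach for the AWS managed rules first (`multi-region-cloudtrail-enabled`, `cloud-trail-log-file-validation-enabled`, `cloud-trail-cloud-watch-logs-enabled`, `cloud-trail-encryption-enabled` cover these four checks individually), and write a custom rule like this only when you need several conditions combined or an organization-specific policy. Either way, attach a remediation action so a trail that drifts is fixed rather than merely reported.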

Secure Your Environment

Working with a HITRUST-certified MSP like Connectria makes the process easier because we can configure AWS environments designed for security and compliance up front. We make sure you have the SIEM, logging, automation, and security tooling in place to achieve and maintain your compliance goals. I covered logging and configuration, along with other architectural considerations, in a recent webinar, which you can access on-demand by filling out the form below.

Contact Connectria today to learn more about how we can help your organization with HITRUST and compliance in AWS. Connectria is a leading AWS Advanced Consulting Partner & audited managed service provider. Our comprehensive suite of AWS services has helped hundreds of organizations successfully move to the cloud and free up IT resources to focus on more strategic initiatives.

Learn how to keep your AWS environments secure and compliant

Check out our latest webinar, available on-demand

Learn how the HITRUST certification transforms HIPAA requirements into action, and discover architecture principles to keep your AWS environments secure and compliant.
