Self-Assessment · Free Tool

How audit-ready is your HIPAA-on-AWS posture?

Twelve technical controls. Three minutes. Instant score band; full breakdown and tailored next steps in your inbox. Based on the twelve-control map from our Operating Library article A Minimum-Viable HIPAA Compliance Posture for AWS.

12 questions · ~3 minutes · no signup to start

  1. 01 Legal

    BAA signed with AWS

    Have you signed the AWS Business Associate Addendum?

    Yes only if fully executed in AWS Artifact. Initiated-but-unsigned is Partial.

  2. 02 Legal

    Only HIPAA-eligible AWS services touch PHI

    Every AWS service that handles PHI is on the documented HIPAA-eligible list.

    Yes only if the eligibility list is checked as part of a runtime/review process, not a one-time decision.

  3. 03 Architecture

    Workloads, logs, and audit tooling in separate AWS accounts

    Production workloads, centralized logs, and audit tooling live in distinct AWS accounts under AWS Organizations.

    Yes only if 3+ accounts with enforced boundaries. Single-account or VPC-only separation is Partial.

  4. 04 Architecture

    Service Control Policy prevents CloudTrail removal

    An SCP denies CloudTrail trail deletion across every account in the org.

    Yes only if the SCP is deployed and you have tested it (attempted a delete and confirmed it was denied).

  5. 05 Identity

    MFA required on every human console access

    Every human accessing the AWS console has MFA enforced.

    Yes only if enforced via Identity Center or an equivalent SSO with universal MFA policy.

  6. 06 Identity

    Root account locked + monitored

    Root credentials are stored cold and a CloudWatch alarm fires on any root usage.

    Yes only if both — locked away AND alarm in place.

  7. 07 Identity

    Service roles follow least-privilege

    IAM roles attached to services use narrow action scopes — no `service:*` wildcards on production workloads.

    Yes only if you have reviewed roles recently with IAM Access Analyzer or equivalent.

  8. 08 Data

    PHI data stores encrypted at rest with KMS

    Every data store holding PHI is encrypted at rest using AWS KMS.

    AWS-managed keys are acceptable. Customer-managed keys for sensitive data is a plus, not required.

  9. 09 Data

    All external endpoints enforce TLS 1.2+

    HTTP is disabled at the load balancer; every endpoint requires TLS 1.2 minimum.

    Yes only if the load balancer / CloudFront / API Gateway listener is configured to refuse HTTP and pre-1.2 TLS.

  10. 10 Observability

    CloudTrail org-wide → log archive with Object Lock

    CloudTrail is configured organization-wide and writes to an S3 bucket with Object Lock (compliance mode).

    Yes only with Object Lock in compliance mode. CloudTrail on without Object Lock is Partial.

  11. 11 Observability

    VPC Flow Logs centralized

    VPC Flow Logs from every production VPC flow into the log archive.

    Yes only if every prod VPC. Some VPCs covered, others not is Partial.

  12. 12 Backup

    Cross-region backups + recent restore drill

    PHI-bearing data has cross-region backup copies, and a restore has been drilled in the last 12 months.

    Yes only if both — cross-region AND a documented drill within the past year.