HITRUST on the AWS Cloud

Quick Start Reference Deployment

QS

January 2022
AWS Healthcare and AWS Infrastructure & Automation teams

Visit our GitHub repository for source files and to post feedback, report bugs, or submit feature ideas for this Quick Start.

This Quick Start was created by Amazon Web Services (AWS). Quick Starts are automated reference deployments that use AWS CloudFormation templates to deploy key technologies on AWS, following AWS best practices.

Overview

AWS compliance architectures

AWS compliance solutions help streamline, automate, and implement secure baselines in AWS, from initial design to operational security readiness. They incorporate the expertise of AWS solutions architects and security and compliance personnel to help you build an automated architecture.

This Quick Start includes AWS CloudFormation templates to automate building a baseline architecture that fits within your organization’s larger Health Information Trust Alliance Common Security Framework (HITRUST-CSF) program. It also includes HITRUST CSF security controls mapping, which maps HITRUST controls to architecture decisions, features, and the baseline configuration.

This deployment is for health IT infrastructure architects, administrators, compliance professionals, and DevOps professionals who want to implement or extend HITRUST workloads to the AWS Cloud.

HITRUST on AWS

HITRUST CSF (Health Information Trust Alliance Common Security Framework) is a security framework that incorporates security requirements into existing frameworks that originate from global entities, such as the following:

  • General Data Protection Regulation (GDPR)

  • International Organization for Standardization (ISO)

  • Federal Financial Institutions Examination Council (FFIEC)

  • Health Insurance Portability and Accountability Act (HIPAA)

  • Health Information Technology for Economic and Clinical Health Act (HITECH)

  • Projects of Common Interest (PCI)

  • Control Objectives for Information and Related Technologies (COBIT)

  • National Institute of Standards and Technology (NIST)

  • Fair Trade Commission (FTC)

  • Centers for Medicare and Medicaid Services (CMS)

HITRUST developed the CSF Assurance Program, which comprises the requirements, methods, and tools that let organizations incrementally manage their compliance requirements. It also allows business partnerships and vendors to assess and report against multiple sets of requirements.

Security and Compliance is a shared responsibility between AWS and its customers. This shared responsibility model can help lessen the customer’s operational burden as AWS operates, manages, and controls the OS components and virtualization layer down to the physical security of the facilities in which the service operates. AWS customers can design and implement an AWS environment and use AWS services in a manner that satisfies HITRUST CSF requirements. Customers can also use certain controls established under the HITRUST CSF validated assessment of AWS services.

AWS services have been assessed under the HITRUST CSF Assurance Program by an approved HITRUST CSF assessor to meet HITRUST CSF v9.1 certification criteria. The HITRUST CSF certification of AWS is valid for two years and can be accessed at https://console.aws.amazon.com/artifact/. For more information, see Compliance Resources.

AWS costs

You are responsible for the cost of the AWS services and any third-party licenses used while running this Quick Start. There is no additional cost for using the Quick Start.

The AWS CloudFormation templates for Quick Starts include configuration parameters that you can customize. Some of the settings, such as the instance type, affect the cost of deployment. For cost estimates, see the pricing pages for each AWS service you use. Prices are subject to change.

After you deploy the Quick Start, create AWS Cost and Usage Reports to deliver billing metrics to an Amazon Simple Storage Service (Amazon S3) bucket in your account. These reports provide cost estimates based on usage throughout each month and aggregate the data at the end of the month. For more information, see What are AWS Cost and Usage Reports?

Software licenses

There are no additional license requirements to use this Quick Start.

Architecture

Deploying this Quick Start with default parameters builds the following HITRUST environment in the AWS Cloud.

Architecture
Figure 1. Quick Start architecture for HITRUST on AWS

As shown in Figure 1, the Quick Start sets up the following:

  • A highly available architecture that spans two Availability Zones.

  • A management VPC and production VPC configured with public and private subnets, according to AWS best practices, to provide you with your own virtual network on AWS. The management and production VPCs have VPC peering enabled.

  • In the public subnets:

    • Managed network address translation (NAT) gateways to allow outbound internet access for resources in the private subnets.

    • In the management VPC, a Linux bastion host in an Auto Scaling group to allow inbound Secure Shell (SSH) access to Amazon Elastic Compute Cloud (Amazon EC2) instances in the private subnets.

  • Security groups for Amazon EC2 instances and load balancers, used in the sample application stack. The security groups limit access to only necessary services and disallow unencrypted traffic (for example, HTTP port 80).

  • An Amazon Simple Storage Service (Amazon S3) bucket for encrypted log content.

  • In the private subnets in the production VPC:

    • An encrypted Multi-AZ Amazon Relational Database Service (Amazon RDS) MySQL database and a standby instance in a second private subnet.

    • A three-tier Linux web application in an Auto Scaling group and an Application Load Balancer, which can be modified or bootstrapped with customer applications, such as WordPress.

  • A Secure Sockets Layer (SSL) certificate, managed by AWS Certificate Manager (ACM), on the load balancer to encrypt all traffic between the internet and load balancer. Separate self-signed certificates are generated on the Amazon EC2 instances to encrypt traffic between the load balancer and application instances.

  • AWS Config rules to monitor the deployment configuration. If you haven’t created a configuration recorder and delivery channel, this deployment creates them.

  • An Amazon Route 53 record set that maps the fully qualified domain name (FQDN) to the load balancer Domain Name System (DNS).

  • Logging, monitoring, and alerts using AWS CloudTrail, Amazon CloudWatch, and AWS Config rules.

Planning the deployment

Specialized knowledge

This deployment requires a moderate level of familiarity with AWS services. If you’re new to AWS, see Getting Started Resource Center and AWS Training and Certification. These sites provide materials for learning how to design, deploy, and operate your infrastructure and applications on the AWS Cloud.

This deployment requires a moderate level of familiarity with AWS services. If you’re new to AWS, see Getting Started with AWS and Training and Certification.

For information about HITRUST on AWS, see HITRUST CSF.

AWS account

If you don’t already have an AWS account, create one at https://aws.amazon.com by following the on-screen instructions. Part of the sign-up process involves receiving a phone call and entering a PIN using the phone keypad.

Your AWS account is automatically signed up for all AWS services. You are charged only for the services you use.

Technical requirements

Before you launch the Quick Start, review the following information and ensure that your account is properly configured. Otherwise, deployment might fail.

Resource quotas

If necessary, request service quota increases for the following resources. You might need to request increases if your existing deployment currently uses these resources and if this Quick Start deployment could result in exceeding the default quotas. The Service Quotas console displays your usage and quotas for some aspects of some services. For more information, see What is Service Quotas? and AWS service quotas.

Resource This deployment uses

VPCs

2

Elastic IP addresses

5

Security groups

6

AWS Identity and Access Management (IAM) roles

8

Auto Scaling groups

2

Application Load Balancers

1

Amazon S3 buckets

2

t3.small instances

3–5

EC2 key pairs

2

Supported AWS Regions

For any Quick Start to work in a Region other than its default Region, all the services it deploys must be supported in that Region. You can launch a Quick Start in any Region and see if it works. If you get an error such as “Unrecognized resource type,” the Quick Start is not supported in that Region.

For an up-to-date list of AWS Regions and the AWS services they support, see AWS Regional Services.

Certain Regions are available on an opt-in basis. For more information, see Managing AWS Regions.

Amazon EC2 key pairs

Ensure that at least one Amazon EC2 key pair exists in your AWS account in the Region where you plan to deploy the Quick Start. Note the key-pair name because you will use it during deployment. To create a key pair, see Amazon EC2 key pairs and Linux instances.

For testing or proof-of-concept purposes, we recommend creating a new key pair instead of using one that’s already being used by a production instance.

IAM permissions

Before launching the Quick Start, you must sign in to the AWS Management Console with IAM permissions for the resources that the templates deploy. The AdministratorAccess managed policy within IAM provides sufficient permissions, although your organization may choose to use a custom policy with more restrictions. For more information, see AWS managed policies for job functions.

Deployment options

This Quick Start provides the following deployment option:

  • Deploy HITRUST into new VPCs. This builds a new AWS environment consisting of the VPCs, subnets, NAT gateways, security groups, bastion hosts, and other infrastructure components. It then deploys an example WordPress site into a new production VPC.

Prepare your AWS account

To deploy this Quick Start, you must have your own domain name, and it must be managed by Amazon Route 53.

Deployment steps

Confirm your AWS account configuration

  1. Sign in to your AWS account at https://aws.amazon.com with an IAM user role that has the necessary permissions. For more information, see Planning the deployment, earlier in this guide.

  2. Ensure that your AWS account is configured correctly, as discussed in the Technical requirements section.

Launch the Quick Start

If you deploy HITRUST into an existing VPC, ensure that your VPC has two private subnets in different Availability Zones for the workload instances and that the subnets are not shared. This Quick Start does not support shared subnets. The subnets require NAT gateways in their route tables to allow instances to download packages and software without exposing the instances to the internet. Also ensure that the domain name in the DHCP options is configured, as explained in DHCP options sets. Provide your VPC settings when you launch the Quick Start.

Each deployment takes about 30 minutes to complete.

  1. Sign in to your AWS account, and choose one of the following options to launch the AWS CloudFormation template. For help with choosing an option, see Deployment options, earlier in this guide.

    Deploy HITRUST into new VPCs on AWS

    View templates

  2. Check the AWS Region that’s displayed in the upper-right corner of the navigation bar, and change it if necessary. This Region is where you build the infrastructure. The template launches in the us-east-1 Region by default. For more information, see Supported AWS Regions, earlier in this guide.

  3. On the Create stack page, keep the default setting for the template URL, then choose Next.

  4. On the Specify stack details page, change the stack name if needed. Review the parameters for the template. Provide values for any parameters that require input. For all other parameters, review the default settings, and customize them as necessary. When you finish reviewing and customizing the parameters, choose Next.

  5. On the Configure stack options page, you can specify tags (key-value pairs) for resources in your stack and set advanced options. When you finish, choose Next.

  6. On the Review page, review and confirm the template settings. Under Capabilities, select the two check boxes to acknowledge that the template creates IAM resources and might require the ability to automatically expand macros.

  7. Choose Create stack to deploy the stack.

  8. Monitor the status of the stack. When the status is CREATE_COMPLETE, the HITRUST deployment is ready.

  9. To view the created resources, see the values displayed in the Outputs tab for the stack.

Test the deployment

  1. Navigate to the landing page. In the Outputs tab shown in the previous figure, choose LandingPageURL. The following webpage appears:

test1
Figure 2. Confirmation on webpage after successful launch
  1. Confirm that WordPress is installed correctly. Note the application’s URL, and navigate to ApplicationURL/wordpress/. If you want to set up the site, enter the requisite information.

  2. Navigate to the AWS Config console, where you can see the configuration status. Note that AWS Config monitors all resources in the AWS Region you deploy in, not just what’s from this deployment. For example, an Amazon Elastic Block Store (Amazon EBS) volume may not be encrypted elsewhere.

test2
Figure 3. Resource monitoring
  1. Disable read access for your Amazon S3 buckets.

test3
Figure 4. S3 buckets with public read access disabled

FAQ

Q. I encountered a CREATE_FAILED error when I launched the Quick Start.

A. If AWS CloudFormation fails to create the stack, relaunch the template with Rollback on failure set to Disabled. This setting is under Advanced in the AWS CloudFormation console on the Configure stack options page. With this setting, the stack’s state is retained, and the instance continues running so that you can troubleshoot the issue. (For Windows, review the log files in %ProgramFiles%\Amazon\EC2ConfigService and C:\cfn\log.)

When you set Rollback on failure to Disabled, you continue to incur AWS charges for the stack. Delete the stack when you finish troubleshooting.

For more information, see Troubleshooting AWS CloudFormation.


Q. I encountered a size-limitation error when I deployed the AWS CloudFormation templates.

A. Launch the Quick Start templates from the links in this guide or from another S3 bucket. If you deploy the templates from a local copy on your computer or from a location other than an S3 bucket, you might encounter template-size limitations. For more information, see AWS CloudFormation quotas.

Q. The DNS validation for the SSL certificate times out.

A. You might encounter this issue if your DNS provider is not Amazon Route 53. In this case, you must add DNS records to your DNS registrar for the routing to work. For more information, see the following pages:

Q. The DNS validation appears to have completed successfully, but the Quick Start errors out during the ACM certificate DNS step.

A. If you run into this issue:

  • If you already have a wildcard ACM certificate in the AWS Region where you deployed the Quick Start, you can skip the ACM certificate DNS step by supplying the ARN of your preexisting certificate in the SSLCertificateARN parameter. You can also import certificates in the ACM console and use the ARN of your uploaded certificate.

  • Alternatively, ensure that DNS validation is working by provisioning certificates outside the Quick Start by following the instructions in the links provided for the previous bullet point. Use the certificate you created in the SSLCertificateARN parameter to skip the ACM certificate DNS step.

Customer responsibility

After you successfully deploy this Quick Start, confirm that your resources and services are updated and configured — including any required patches — to meet your security and other needs. For more information, see the AWS Shared Responsibility Model.

Send us feedback

To post feedback, submit feature ideas, or report bugs, use the Issues section of the GitHub repository for this Quick Start. To submit code, see the Quick Start Contributor’s Guide.

Quick Start reference deployments

GitHub repository

Visit our GitHub repository to download the templates and scripts for this Quick Start, to post your comments, and to share your customizations with others.


Notices

This document is provided for informational purposes only. It represents AWS’s current product offerings and practices as of the date of issue of this document, which are subject to change without notice. Customers are responsible for making their own independent assessment of the information in this document and any use of AWS’s products or services, each of which is provided “as is” without warranty of any kind, whether expressed or implied. This document does not create any warranties, representations, contractual commitments, conditions, or assurances from AWS, its affiliates, suppliers, or licensors. The responsibilities and liabilities of AWS to its customers are controlled by AWS agreements, and this document is not part of, nor does it modify, any agreement between AWS and its customers.

The software included with this paper is licensed under the Apache License, version 2.0 (the "License"). You may not use this file except in compliance with the License. A copy of the License is located at http://aws.amazon.com/apache2.0/ or in the accompanying "license" file. This code is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either expressed or implied. See the License for specific language governing permissions and limitations.