Amazon Elastic Container Service - Architecting for HIPAA Security and Compliance on Amazon Web Services

Amazon Elastic Container Service

Amazon Elastic Container Service (Amazon ECS) is a highly scalable, high-performance container management service that supports Docker containers and allows customers to easily run applications on a managed cluster of Amazon EC2 instances. Amazon ECS eliminates the need for customers to install, operate, and scale their own cluster management infrastructure.

With simple API calls, customers can launch and stop Docker-enabled applications, query the complete state of their cluster, and access many familiar features like security groups, Elastic Load Balancing, EBS volumes, and IAM roles. Customers can use Amazon ECS to schedule the placement of containers across their cluster based on their resource needs and availability requirements.

Using ECS with workloads that process PHI requires no additional configuration. ECS acts as an orchestration service that coordinates the launch of containers (whose images are pulled from a container registry such as Amazon ECR) on EC2, and it does not operate with or upon data within the workload being orchestrated. Consistent with HIPAA regulations and the AWS Business Associate Addendum, PHI should be encrypted in transit and at rest when accessed by containers launched with ECS. Each AWS storage option (for example, S3 and EBS) provides its own mechanisms for encryption at rest, typically with keys managed in AWS KMS. To ensure that PHI sent between containers is encrypted end to end, customers may also deploy an overlay network (such as VNS3, Weave Net, or similar) that adds a further layer of encryption on top of what the application protocols provide. In addition, complete logging should be enabled (for example, through CloudTrail), and all container instance logs should be directed to CloudWatch Logs.

Using FireLens and AWS for Fluent Bit with workloads that process PHI requires no additional configuration unless the logs themselves contain PHI. If logs contain PHI, the application should not write them to log files unless disk encryption is enabled; instead, configure the application to emit logs to standard output/error, which FireLens collects automatically. Similarly, do not enable file buffering in Fluent Bit (filesystem storage for buffered records) unless disk encryption is also enabled, because buffered PHI would otherwise be written to an unencrypted disk. Finally, the log destination must support encryption in transit; all of the AWS service output plugins in AWS for Fluent Bit always use TLS to export logs.
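The rules in the two paragraphs above (stdout/stderr collected by FireLens rather than log files, no Fluent Bit file buffering without disk encryption, and TLS to every log destination) can be checked mechanically before a task definition is registered. The following Python script is an added example, not AWS code or part of this whitepaper: it parses a FireLens task definition and a Fluent Bit classic-format config and reports violations. The plugin names (cloudwatch_logs, kinesis_firehose, s3, ...) and the Fluent Bit keys storage.path, storage.type, tls and tls.verify are the real ones; the task definition, config text, hostnames and log group names are constructed samples, and the `disk_encrypted` flag is an assumption the caller supplies about the container instance.

```python
"""Audit a FireLens task definition and a Fluent Bit config for PHI-safe
logging. Added example (not AWS code); sample inputs are constructed."""

# Output plugins in AWS for Fluent Bit; these always use TLS to AWS APIs.
AWS_OUTPUT_PLUGINS = {"cloudwatch_logs", "cloudwatch", "kinesis_firehose",
                      "firehose", "kinesis_streams", "kinesis", "s3"}
# Log drivers that ship stdout/stderr off the host over TLS.
SAFE_LOG_DRIVERS = {"awsfirelens", "awslogs"}


def parse_fluent_bit_config(text):
    """Parse Fluent Bit's classic INI-style config into a list of
    (SECTION_NAME, {key: value}) pairs. Keys are case-insensitive."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1].strip().upper(), {}))
        elif sections:
            parts = line.split(None, 1)
            sections[-1][1][parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return sections


def _is_on(value):
    return value.strip().lower() in {"on", "true", "yes"}


def audit_output(plugin, opts, where):
    """Findings for one destination: an [OUTPUT] section or an awsfirelens
    options map. Non-AWS plugins must have tls On and keep tls.verify On."""
    plugin = plugin.lower()
    if plugin in AWS_OUTPUT_PLUGINS:
        return []
    findings = []
    if not _is_on(opts.get("tls", "off")):
        findings.append(f"{where}: output '{plugin}' has tls off; PHI would leave in clear text")
    if not _is_on(opts.get("tls.verify", "on")):
        findings.append(f"{where}: output '{plugin}' disables tls.verify; destination is not authenticated")
    return findings


def audit_fluent_bit_config(text, disk_encrypted=False):
    """Flag filesystem buffering on an unencrypted disk and plain-text outputs."""
    findings = []
    for idx, (section, opts) in enumerate(parse_fluent_bit_config(text)):
        where = f"[{section}] #{idx}"
        if section == "SERVICE" and "storage.path" in opts and not disk_encrypted:
            findings.append(f"{where}: storage.path enables filesystem buffering on an unencrypted disk")
        if section == "INPUT" and opts.get("storage.type", "memory").lower() == "filesystem" \
                and not disk_encrypted:
            findings.append(f"{where}: storage.type filesystem buffers PHI to an unencrypted disk")
        if section == "OUTPUT":
            findings.extend(audit_output(opts.get("name", ""), opts, where))
    return findings


def audit_task_definition(taskdef):
    """Every non-router container must log via awsfirelens or awslogs, so
    stdout/stderr is collected; awsfirelens destinations must use TLS."""
    findings = []
    for c in taskdef.get("containerDefinitions", []):
        cname = c.get("name", "?")
        if "firelensConfiguration" in c:
            continue  # the log router itself
        logcfg = c.get("logConfiguration") or {}
        driver = logcfg.get("logDriver")
        if driver not in SAFE_LOG_DRIVERS:
            findings.append(f"container '{cname}': logDriver {driver!r}; stdout/stderr not collected by FireLens/awslogs")
            continue
        if driver == "awsfirelens":
            opts = {k.lower(): v for k, v in (logcfg.get("options") or {}).items()}
            findings.extend(audit_output(opts.get("name", ""), opts, f"container '{cname}'"))
    return findings


# Constructed sample task definition: router + compliant app + non-compliant sidecar.
TASK_DEFINITION = {
    "family": "phi-app",
    "containerDefinitions": [
        {"name": "log_router", "essential": True,
         "image": "public.ecr.aws/aws-observability/aws-for-fluent-bit:stable",
         "firelensConfiguration": {"type": "fluentbit",
                                   "options": {"enable-ecs-log-metadata": "true"}}},
        {"name": "app", "essential": True, "image": "phi-app:1.0",
         "logConfiguration": {"logDriver": "awsfirelens", "options": {
             "Name": "cloudwatch_logs", "region": "us-east-1",
             "log_group_name": "/ecs/phi-app", "log_stream_prefix": "app-",
             "auto_create_group": "true"}}},
        {"name": "sidecar", "image": "sidecar:1.0",
         "logConfiguration": {"logDriver": "json-file"}},
    ],
}

# Constructed custom config: file buffering plus a plain-text http output.
BAD_FLB_CONFIG = """\
[SERVICE]
    Flush        1
    storage.path /var/log/flb-storage/

[INPUT]
    Name         forward
    storage.type filesystem

[OUTPUT]
    Name         cloudwatch_logs
    Match        *
    region       us-east-1
    log_group_name /ecs/phi-app

[OUTPUT]
    Name         http
    Match        *
    Host         logs.example.internal
    Port         8080
"""

# Constructed compliant config: memory buffering, non-AWS output over verified TLS.
GOOD_FLB_CONFIG = """\
[SERVICE]
    Flush 1

[OUTPUT]
    Name       http
    Match      *
    Host       logs.example.internal
    Port       443
    tls        On
    tls.verify On
"""

if __name__ == "__main__":
    for f in audit_task_definition(TASK_DEFINITION) + audit_fluent_bit_config(BAD_FLB_CONFIG):
        print("FINDING:", f)
    print("good config findings:", audit_fluent_bit_config(GOOD_FLB_CONFIG))
```

Run against the samples, the task definition yields one finding (the sidecar's json-file driver) and the bad config three (storage.path, storage.type filesystem, and the http output without tls); passing `disk_encrypted=True` silences the two buffering findings but not the clear-text destination, which no amount of disk encryption fixes.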