Overview

We led a full compliance remediation program for a healthcare nonprofit operating a multi‑region AWS environment (us-east-1 and us-east-2) connected via VPC peering. The objective was to harden the platform and implement continuous compliance against HIPAA, PCI DSS, and SOC controls while enabling secure developer access to private resources for day-to-day work.

What we implemented (high level):

• Centralized, multi-region security visibility and findings triage
• Continuous configuration compliance with auto-remediation
• Threat detection across network, DNS, CloudTrail, S3, and compute
• Vulnerability management with golden AMI patching workflow
• S3 data classification for PII/PHI detection and governance
• IAM hardening, MFA enforcement, and access key lifecycle automation
• Web application protection using AWS WAF to mitigate OWASP risks and block malicious traffic
• Secure developer access to private resources via OpenVPN with strict controls

Apart from that

• Implemented centralized logging and SIEM integration for CloudTrail, VPC Flow Logs, ALB/ELB logs, and S3 access logs to provide a consolidated audit trail and support forensic investigations.
• Deployed automated alerting and incident ticketing via EventBridge -> SNS -> Teams/Slack for critical security findings.
• Built reporting and analytics for compliance dashboards (Security Hub insights, Config aggregator views) and monthly/quarterly audit packages.
• Performed periodic access reviews and evidence collection for audit purposes, including proof of encryption-at-rest/in-transit and key management via KMS.
• VPN authentication and connection logging were captured via OpenVPN server logs

Client Profile

• Industry: Non-Profit / Healthcare Patient Assistance
• Region: North America

1. 1. HQ: Southern USA (Texas)
   2. Operations: Nationwide

• Company Size: Major Charitable Organization
• Revenue: Approx. $450M – $500M annually
• Staff: ~35–60 employees (High revenue-to-employee ratio due to pass-through grant model)

Key Services:

• Co-Pay Assistance: They pay for insurance co-pays, deductibles, and premiums to ensure patients can afford access to expensive life-saving medications.
• Travel Funding: They cover travel costs for patients requiring specialized treatment far from home.
• Patient Advocacy: They provide “Care Navigators” to help patients maneuver through the healthcare system.
• Operational Model: They function similarly to a payer or claims processor, managing complex eligibility data and reimbursing pharmacies and healthcare providers directly for patient care costs. They pride themselves on high efficiency, ensuring over 90% of donations go directly to patient care.

AWS services implemented:

• AWS Security Hub

1. 1. Enabled Security Hub in both regions with a delegated administrator account
   2. Activated standards: AWS Foundational Security Best Practices, CIS AWS Foundations, PCI DSS, NIST SP 800-53 (HIPAA alignment handled via Config conformance packs; Security Hub does not have a native HIPAA standard)
   3. Integrated findings from GuardDuty, Inspector, Macie, WAF (via Amazon CloudWatch logs/managed rules), and Config
   4. Built custom insights (e.g., critical findings on internet-facing assets; unenforced encryption)
   5. Routed high-severity findings to Amazon EventBridge -> SNS email/SMS for on-call alerts

• AWS Config

1. 1. Enabled Config recorders and delivery channels in both regions; set up an Aggregator for a single compliance view
   2. Deployed AWS Config Conformance Packs for HIPAA Security and PCI DSS-aligned rules, plus targeted NIST mappings
   3. Implemented auto-remediation via SSM Automation (e.g., enable S3 Block Public Access, enforce EBS encryption by default, require CloudTrail, remediate open security groups)
   4. Created playbooks for manual remediation where automation isn’t safe; enforced re-evaluation after changes

• Amazon GuardDuty

1. 1. Enabled GuardDuty organization-wide in both regions
   2. Turned on S3 protection and EBS malware scan for EC2 findings enrichment
   3. Tuned trusted IP lists and threat lists; suppressed known-benign patterns
   4. Forwarded findings to Security Hub and alerted via EventBridge/SNS for medium/high severity

• Amazon Inspector

1. 1. Activated Inspector v2 for EC2 instances (via SSM Agent) with continuous vulnerability assessment
   2. Mapped CVEs to patch baselines; integrated remediation into a golden AMI pipeline
   3. Established a recurring rebuild/rollout cadence for hardened images informed by Inspector findings
   4. Consolidated Inspector findings in Security Hub for unified triage

• Amazon Macie

1. 1. Inventoried S3 buckets and created scheduled classification jobs for PII/PHI (managed and custom data identifiers)
   2. Scoped jobs to compliance-critical buckets (logs, exports, analytics) to optimize cost
   3. Routed Macie findings to Security Hub; set up SNS alerts for high-severity exposure risks
   4. Used results to refine bucket policies, encryption (SSE-KMS), and lifecycle/retention settings

• AWS WAF (Web Application Firewall)

1. 1. Deployed AWS WAF in front of internet-facing Application Load Balancers and API Gateway endpoints
   2. Implemented managed rule sets (AWS Managed Rules, OWASP Top 10) plus custom rules to block known malicious patterns, SQLi, XSS, and bad bots
   3. Configured rate-based rules and IP reputation lists to mitigate brute-force and DDoS layer-7 attempts
   4. Integrated WAF logs with Amazon Kinesis/CloudWatch and forwarded relevant alerts to Security Hub and SIEM for incident correlation
   5. Implemented automated rule updates and change management processes to ensure minimal false positives while maintaining protection

• IAM Hardening and Access Governance

1. 1. Implemented role-based access via IAM groups and least-privilege policies; applications shifted from IAM users to instance roles/assume-role patterns
   2. Enforced MFA for all IAM users and root, disabled root access keys
   3. Built CloudTrail + CloudWatch + SNS alerting for any root activity
   4. Applied strict password policy with rotation; monitored IAM access keys via Lambda, auto-disabled unused keys, and notified owners via SES

• OpenVPN for Secure Developer Access

  1. Deployed OpenVPN on hardened EC2 in private subnets with routes to RDS, Redshift, OpenSearch, ElastiCache, and RabbitMQ
  2. Enforced full-tunnel routing (no split tunneling) and security group-level access controls per developer group
  3. VPN authentication and connection events were logged to OpenVPN server logs were forwarded to CloudWatch Logs for audit and retention
  4. Limited subnet access based on least privilege and provided developers secure development/testing access without exposing data publicly

Features

This solution focuses on hardening security, automating compliance, and ensuring secure access. Key features include:

• Centralized Security Visibility: A unified view of security findings across multiple regions (us-east-1 & us-east-2) via AWS Security Hub, aggregating alerts from GuardDuty, Inspector, Macie, and WAF.
• Automated Compliance & Remediation: Continuous monitoring of configuration drift against HIPAA, PCI DSS, and NIST standards. Auto-remediation actions triggers via SSM for critical issues (e.g., blocking public S3 buckets, enforcing encryption).
• Web Application Defense: Layer-7 protection using AWS WAF to block OWASP Top 10 threats, SQL injection, XSS, and malicious bot traffic before they reach application endpoints.
• Vulnerability Management: Automated vulnerability scanning for EC2 instances using Inspector v2, linked to a “Golden AMI” pipeline for regular patching and rebuilding.
• Sensitive Data Discovery: Automated classification of S3 data to detect PII and PHI, ensuring strict governance over sensitive healthcare records.
• Secure Remote Access: A secure, full-tunnel OpenVPN solution allowing developers to access private resources (RDS, Redshift, etc.) without exposing ports to the public internet.
• Identity Hardening: Enforcement of Multi-Factor Authentication (MFA), removal of root access keys, and automated rotation/lifecycle management for IAM user keys.
• Real-time Incident Alerting: Integration of critical security alerts into communication channels (Teams/Slack) via EventBridge and SNS for immediate triage.

Technologies

The project utilizes a cloud-native AWS stack focused on security, networking, and automation.

• Core Security Services:

1. 1. AWS Security Hub: Delegated administrator for centralized findings.
   2. Amazon GuardDuty: Threat detection (Malware protection, S3 logs, DNS logs).
   3. Amazon Inspector (v2): EC2 vulnerability scanning and software inventory.
   4. Amazon Macie: Sensitive data discovery (PII/PHI) in S3.
   5. AWS WAF: Web Application Firewall with Managed and Custom Rules.

• Governance & Compliance:

1. 1. AWS Config: Conformance Packs (HIPAA, PCI DSS), Config Recorders, and Aggregators.
   2. AWS Systems Manager (SSM): Automation documents for auto-remediation and Patch Manager.
   3. AWS CloudTrail: API auditing and governance logging.

• Compute & Networking:

1. 1. Amazon EC2: Hardened instances for VPN and application workloads.
   2. OpenVPN: Open-source VPN software deployed on EC2.
   3. VPC: VPC Peering, Public/Private Subnets, Security Groups, NACLs.
   4. Elastic Load Balancing (ALB): Protected by WAF.

• Automation & Integration:

1. 1. Amazon EventBridge: Event routing for security findings.
   2. Amazon SNS: Notification delivery (Email/SMS).
   3. AWS Lambda: Custom automation logic for IAM key rotation.
   4. SIEM Integration: Centralized logging for forensic analysis.

Security Model

The architecture follows a Defense-in-Depth and Least Privilege strategy tailored for healthcare compliance.

• Zero Trust Network Access: Direct access to private databases and compute resources is blocked. Access is only permitted via an authenticated OpenVPN tunnel with strict security group referencing.
• Perimeter Protection: AWS WAF sits at the edge to filter malicious traffic and DDoS attempts before they touch the infrastructure.
• Encryption Everywhere:

1. 1. At Rest: Enforced via KMS for S3, EBS, and RDS.
   2. In Transit: TLS enforcement for data in motion; full-tunnel routing for VPN users.

• Identity-Centric Security: Shift from long-term IAM users to IAM Roles/Assume-Role patterns. Strict password policies and MFA enforcement prevent credential compromise.
• Reactive & Proactive Posture:

1. 1. Proactive:Auto-remediation (Config/SSM) fixes misconfigurations instantly.
   2. Reactive:GuardDuty and Macie alert on active threats or data leakage.

Data Types & Standards

The system is designed to handle highly sensitive data subject to strict regulatory frameworks.

• Compliance Standards:

1. 1. HIPAA (Health Insurance Portability and Accountability Act): For handling PHI.
   2. PCI DSS (Payment Card Industry Data Security Standard): For handling payment data.
   3. SOC 2: For service organization controls.
   4. NIST SP 800-53: For comprehensive security control mapping.
   5. CIS AWS Foundations Benchmark: For baseline infrastructure hardening.

• Data Types Handled:

1. 1. PHI (Protected Health Information): Medical records, patient identifiers.
   2. PII (Personally Identifiable Information): Names, addresses, contact details.
   3. Telemetry & Audit Data: CloudTrail logs, VPC Flow Logs, WAF logs, VPN connection logs.

Infrastructure

The infrastructure is designed for high availability and strict network segmentation.

• Multi-Region Strategy:

1. 1. Primary regions: us-east-1 and us-east-2.
   2. interconnected via VPC Peering to allow secure cross-region communication.

• Network Topology:

1. 1. Public Subnets:Only for Load Balancers (ALB), NAT Gateways, and Bastion/VPN endpoints.
   2. Private Subnets:Host all critical data stores (RDS, Redshift, OpenSearch, ElastiCache) and application logic.

• Logging Architecture:

1. 1. Centralized logging bucket/destination collecting logs from CloudTrail, VPC Flow Logs, ALB/ELB, S3 Access Logs, and WAF Logs.

• Golden Image Pipeline:

1. 1. An automated build process that creates hardened EC2 AMIs (Amazon Machine Images) pre-patched based on Inspector findings.

Outcomes

• Continuous compliance posture tracking across regions/accounts
• Reduced manual remediation through targeted automation
• Stronger detective and preventive controls aligned to HIPAA, PCI DSS, and SOC controls
• Secure, auditable developer access to private data services
• Application-layer protection reducing web-application attack surface and lowering false-positive incident volume

Skills

• AWS Security Hub, AWS Config (Conformance Packs, Auto-Remediation)
• Amazon GuardDuty, Amazon Inspector (v2), Amazon Macie
• AWS WAF (Managed Rules, Custom Rules, Logging)
• IAM Hardening, MFA, Least Privilege, Access Key Lifecycle Automation
• CloudTrail, CloudWatch, EventBridge, SNS, Lambda, SES
• VPC Peering, OpenVPN, Private Networking to Managed Data Services
• Compliance: HIPAA, PCI DSS, SOC 2, NIST SP 800-53, AWS Foundation Best Practices
• Secure SDLC/DevSecOps, Golden AMI Patching, Audit Readiness