AWS Health Tech Audit Checklist
For a 10–80 person health tech team on AWS, it’s common to save $2k–$15k/month from a focused pass on: cost optimization, security hardening, and HIPAA and SOC 2 readiness.
Manan Qayas
Fractional CTO · Transivone

This 14-point checklist is a quick, practical review you (or your engineering team) can run to spot high‑impact fixes, reduce risk, and confirm your cloud setup is audit‑friendly—without getting lost in long reports.
Cost Optimization
01 - RDS Right-Sizing
WHY IT MATTERS
Over-provisioned RDS instances are the top hidden cost leak in health tech — idle CPU and unused memory burn budget that could fund growth.
HOW TO VERIFY
Console → RDS → Databases → select instance → Monitoring tab; review CPU & FreeableMemory (14-day window). Cross-check via Cost Explorer → Service: RDS.
02 - NAT Gateway Audit
WHY IT MATTERS
NAT Gateways charge per GB processed; routing S3 traffic through NAT instead of VPC endpoints inflates bills by hundreds of dollars monthly.
HOW TO VERIFY
Console → VPC → NAT Gateways → check BytesOutToDestination; then Cost Explorer → filter Service: EC2-VPCEndpoints to compare NAT vs endpoint spend.
03 - EBS Volume Cleanup
WHY IT MATTERS
Orphaned EBS volumes (unattached after instance termination) accumulate gp2/gp3 costs indefinitely - a common post-sprint cleanup miss.
HOW TO VERIFY
Console → EC2 → Elastic Block Store → Volumes → filter State = available; snapshot or delete unneeded volumes.
04 - EC2 Right-Sizing
WHY IT MATTERS
Default instance types rarely match steady-state workloads; Compute Optimizer typically surfaces 20-40% savings in health tech environments.
HOW TO VERIFY
Console → Compute Optimizer → EC2 Instances → filter Finding = Over-provisioned; review recommendations.
05 - S3 Lifecycle Policies
WHY IT MATTERS
Health tech generates large volumes of logs and media; without lifecycle rules, Standard storage costs compound as data ages unaccessed.
HOW TO VERIFY
Console → S3 → bucket → Management tab → Lifecycle rules; verify transitions to IA / Glacier after 30 / 90 days.
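The console path above checks one bucket by hand; the following is an added example (not the checklist author's code) that evaluates a bucket's lifecycle configuration offline against the same 30 / 90 day thresholds, using the JSON shape returned by `aws s3api get-bucket-lifecycle-configuration`. The two sample configurations are constructed for illustration.

```python
# Added example (not the checklist author's code): evaluate an S3 lifecycle
# configuration offline, in the JSON shape that
# `aws s3api get-bucket-lifecycle-configuration` returns.
from typing import Any, Dict, List, Optional

IA_CLASSES = {"STANDARD_IA", "ONEZONE_IA", "INTELLIGENT_TIERING"}
ARCHIVE_CLASSES = {"GLACIER", "GLACIER_IR", "DEEP_ARCHIVE"}


def check_lifecycle(config: Dict[str, Any], ia_days: int = 30, archive_days: int = 90) -> List[str]:
    """Return findings against the checklist thresholds; an empty list passes."""
    enabled = [r for r in config.get("Rules", []) if r.get("Status") == "Enabled"]
    if not enabled:
        return ["no enabled lifecycle rules: objects stay in Standard forever"]
    whole_bucket = False
    earliest_ia: Optional[int] = None
    earliest_archive: Optional[int] = None
    for rule in enabled:
        flt = rule.get("Filter", {})
        # An empty Filter, an empty Prefix, or the legacy top-level Prefix "" matches every object.
        if flt == {} or flt.get("Prefix") == "" or rule.get("Prefix") == "":
            whole_bucket = True
        for t in rule.get("Transitions", []):
            days, cls = t.get("Days"), t.get("StorageClass")
            if days is None:
                continue  # Date-based transitions need a calendar; skipped here
            if cls in IA_CLASSES and (earliest_ia is None or days < earliest_ia):
                earliest_ia = days
            if cls in ARCHIVE_CLASSES and (earliest_archive is None or days < earliest_archive):
                earliest_archive = days
    findings = []
    if not whole_bucket:
        findings.append("no enabled rule covers the whole bucket (all are prefix/tag scoped)")
    if earliest_ia is None or earliest_ia > ia_days:
        findings.append(f"no transition to IA within {ia_days} days (earliest: {earliest_ia})")
    if earliest_archive is None or earliest_archive > archive_days:
        findings.append(f"no transition to Glacier within {archive_days} days (earliest: {earliest_archive})")
    return findings


# Constructed samples: a weak configuration and the corrected one.
WEAK_CONFIG = {"Rules": [{"ID": "logs-only", "Status": "Enabled", "Filter": {"Prefix": "logs/"},
                          "Transitions": [{"Days": 60, "StorageClass": "STANDARD_IA"}]}]}
FIXED_CONFIG = {"Rules": [{"ID": "tier-all", "Status": "Enabled", "Filter": {},
                           "Transitions": [{"Days": 30, "StorageClass": "STANDARD_IA"},
                                           {"Days": 90, "StorageClass": "GLACIER"}]}]}

if __name__ == "__main__":
    print("weak:", check_lifecycle(WEAK_CONFIG))
    print("fixed:", check_lifecycle(FIXED_CONFIG))
```

Prefix-scoped rules are legitimate when PHI buckets keep some prefixes hot; the "whole bucket" finding is a prompt to confirm that choice rather than an automatic failure.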
Security & HIPAA
06 - S3 Public Access Block
WHY IT MATTERS
A single misconfigured bucket can expose PHI publicly - one of the most common HIPAA breach vectors and a mandatory Security Rule control.
HOW TO VERIFY
Console → S3 → Block Public Access (account settings) → confirm all 4 toggles ON; audit per-bucket via S3 → bucket → Permissions tab.
07 - IAM Wildcard Permissions
WHY IT MATTERS
Policies with Action: '*' violate least-privilege, creating wide blast radius on credential compromises - a critical HIPAA access-control gap.
HOW TO VERIFY
Console → IAM → Policies → Type = Customer managed → review JSON for '*' in Action or Resource; use IAM Access Analyzer for automated flagging.
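Reviewing policy JSON by eye misses the string-vs-list and NotAction cases; the following added example (not the checklist author's code) flags wildcard grants in a policy document offline, so it can be run over the output of `aws iam get-policy-version` (the `PolicyVersion.Document` field) or any inline policy. The sample policy is constructed for illustration.

```python
# Added example (not the checklist author's code): flag wildcard grants in an
# IAM policy document offline. Feed it the JSON from
# `aws iam get-policy-version` (PolicyVersion.Document) or any inline policy.
import json
from typing import Any, Dict, List


def _as_list(value: Any) -> List[Any]:
    """IAM allows a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_wildcards(policy: Dict[str, Any]) -> List[Dict[str, str]]:
    """Return one finding per risky Allow statement (empty list = no wildcards)."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # a Deny with "*" narrows access, so it is not a finding
        sid = stmt.get("Sid", f"Statement[{i}]")
        actions = _as_list(stmt.get("Action"))
        any_resource = "*" in _as_list(stmt.get("Resource"))
        issues = []
        if "NotAction" in stmt:
            issues.append("NotAction Allow grants every action except those listed")
        if "*" in actions:
            issues.append("Action '*'")
        issues += [f"service-wide action '{a}'" for a in actions if a != "*" and a.endswith(":*")]
        if any_resource and issues:
            issues.append("combined with Resource '*'")
        if not issues:
            continue  # Resource '*' alone is normal for Describe/List-only statements
        full_grant = "*" in actions or "NotAction" in stmt
        severity = "critical" if full_grant and any_resource else "high"
        if stmt.get("Condition"):
            severity = "medium"  # a Condition block narrows the grant; still review it
        findings.append({"sid": sid, "severity": severity, "issues": "; ".join(issues)})
    return findings


# Constructed sample: an over-broad "developer" policy a team might have shipped.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AdminEverything", "Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "S3Wide", "Effect": "Allow", "Action": ["s3:*"], "Resource": "arn:aws:s3:::phi-bucket/*"},
    {"Sid": "ReadOnly", "Effect": "Allow", "Action": ["ec2:DescribeInstances"], "Resource": "*"},
    {"Sid": "DenyNoMfa", "Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}}}
  ]
}""")

if __name__ == "__main__":
    for f in find_wildcards(SAMPLE_POLICY):
        print(f"[{f['severity']}] {f['sid']}: {f['issues']}")
```

Customer-managed policies are the first pass; the same function applies to inline user, group and role policies, which the console's policy list does not show.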
08 - MFA on Root Account
WHY IT MATTERS
The root account has unrestricted access to all AWS resources; without MFA, a leaked password grants full account takeover with no audit trail.
HOW TO VERIFY
Console → account menu (top-right) → Security credentials → Multi-factor authentication (MFA) → confirm device is assigned and active.
09 - Encryption at Rest (RDS / EBS / S3)
WHY IT MATTERS
HIPAA requires PHI encryption at rest; unencrypted resources are a direct compliance gap and liability in any breach investigation.
HOW TO VERIFY
RDS: Console → RDS → Databases → Configuration (Encryption: Enabled).
EBS: EC2 → Volumes → Encrypted column.
S3: bucket → Properties → Default encryption.
10 - VPC Flow Logs Enabled
WHY IT MATTERS
VPC Flow Logs provide the network-level audit trail required for HIPAA breach detection - without them, lateral movement goes undetected.
HOW TO VERIFY
Console → VPC → Your VPCs → select VPC → Flow logs tab; confirm an active flow log is delivering to CloudWatch Logs or S3.
Compliance and SOC 2
11 - CloudTrail Multi-Region Logging
WHY IT MATTERS
SOC 2 CC7 and HIPAA require a complete, tamper-evident API audit trail; single-region trails miss activity in other regions.
HOW TO VERIFY
Console → CloudTrail → Trails → select trail → confirm 'Apply to all regions' ON and log file validation enabled.
12 - GuardDuty Enabled
WHY IT MATTERS
GuardDuty provides continuous threat detection (credential theft, crypto mining, C2 beaconing) required under SOC 2 CC6/CC7 and HIPAA threat management.
HOW TO VERIFY
Console → GuardDuty → Summary dashboard; confirm status = Enabled and review active findings regularly.
13 - AWS Config Rules Active
WHY IT MATTERS
AWS Config provides continuous compliance monitoring - the evidence auditors request to prove SOC 2 change management and HIPAA safeguard controls.
HOW TO VERIFY
Console → AWS Config → Rules; confirm managed rules exist (e.g. s3-bucket-public-read-prohibited, encrypted-volumes) and compliance is green.
14 - IAM Access Analyzer
WHY IT MATTERS
Access Analyzer identifies resources shared externally or with unintended principals - a SOC 2 CC6 control that catches misconfigs before auditors do.
HOW TO VERIFY
Console → IAM → Access Analyzer; confirm analyzer exists for account/org and review active findings for unintended external access.