AWS HIPAA Eligible Services: Complete List and What's Not Covered
Which AWS services are covered under Amazon's HIPAA BAA, what's not on the list, and the minimum Terraform configuration for a HIPAA-compliant RDS database on AWS.
Does AWS Sign a HIPAA BAA?
Yes. Amazon Web Services signs a Business Associate Agreement at no cost, available through the AWS Artifact console. The BAA covers a defined list of HIPAA-eligible services — not all AWS services. Enabling a non-eligible service to touch PHI, even via logging, puts you in violation.
See the HIPAA BAA guide for the full vendor chain implications.
Core Eligible Services (2026)
Compute: EC2, Lambda, ECS, EKS, Fargate
Storage: S3, EBS, EFS, S3 Glacier
Database: RDS (all engines), DynamoDB, ElastiCache, Redshift, Aurora
Networking: VPC, Route 53, CloudFront, API Gateway, ALB/NLB
Security & Identity: IAM, KMS, Secrets Manager, CloudHSM, Cognito, Certificate Manager
Monitoring & Logging: CloudWatch (Logs, Metrics, Alarms), CloudTrail, Config, Security Hub, GuardDuty
Healthcare: AWS HealthLake (FHIR-native storage and querying)
What's Not Covered and Why It Trips Teams Up
- Many AI/ML services: Bedrock, Rekognition, and some SageMaker features have specific BAA requirements; verify eligibility before processing PHI
- Some email-sending services: SES is eligible but requires configuration to prevent unencrypted PHI in email bodies
- Third-party tools you install into your AWS environment (Datadog agents, logging sinks) are their own Business Associates; see the vendor chain audit process in the BAA guide
The Minimum HIPAA RDS Configuration
```hcl
resource "aws_db_instance" "phi_database" {
  # Required arguments the original snippet omitted (placeholder values)
  identifier        = "phi-database"
  allocated_storage = 100
  engine            = "postgres"
  instance_class    = "db.t3.medium"
  # Master password generated by RDS and kept in Secrets Manager, not in code or state
  username                    = "phi_admin"
  manage_master_user_password = true
  # Encryption at rest with a customer-managed KMS key (aws_kms_key.phi defined elsewhere)
  storage_encrypted = true
  kms_key_id        = aws_kms_key.phi.arn
  # Availability, backups and accidental-deletion protection
  multi_az                = true
  backup_retention_period = 7
  deletion_protection     = true
  # Engine and upgrade logs shipped to CloudWatch Logs
  enabled_cloudwatch_logs_exports = ["postgresql", "upgrade"]
  # No public access: private subnet group and security group defined elsewhere
  publicly_accessible    = false
  db_subnet_group_name   = aws_db_subnet_group.private.name
  vpc_security_group_ids = [aws_security_group.db_sg.id]
}
```
KMS encryption, private subnets, no public access, and CloudWatch logging enabled — these four configurations are the minimum for any PHI datastore. The full HIPAA engineering checklist covers the complete architecture across compute, storage, networking, and monitoring layers.
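To confirm existing instances actually match the baseline above, the following added example (not from the original page) audits the dict shape returned by boto3's `rds.describe_db_instances()` against the settings in the Terraform block; the instance records below are constructed so the check runs offline, and the identifiers are placeholders.

```python
"""Audit RDS instances against the baseline PHI datastore settings."""

# Each entry: (finding name, predicate that is True when the instance passes).
# Field names are those of the DescribeDBInstances API response.
BASELINE_CHECKS = [
    ("storage_not_encrypted", lambda db: db.get("StorageEncrypted") is True),
    ("publicly_accessible", lambda db: db.get("PubliclyAccessible") is False),
    ("not_multi_az", lambda db: db.get("MultiAZ") is True),
    ("deletion_protection_off", lambda db: db.get("DeletionProtection") is True),
    ("backup_retention_under_7d", lambda db: db.get("BackupRetentionPeriod", 0) >= 7),
    ("no_cloudwatch_log_exports",
     lambda db: len(db.get("EnabledCloudwatchLogsExports", [])) > 0),
]


def audit_instances(instances):
    """Return {DBInstanceIdentifier: [failed finding names]} for non-compliant instances.

    `instances` is the "DBInstances" list from describe_db_instances();
    compliant instances are omitted from the result.
    """
    findings = {}
    for db in instances:
        failed = [name for name, passes in BASELINE_CHECKS if not passes(db)]
        if failed:
            findings[db["DBInstanceIdentifier"]] = failed
    return findings


# Constructed sample records: one matching the baseline, one drifted from it.
SAMPLE_INSTANCES = [
    {"DBInstanceIdentifier": "phi-database", "StorageEncrypted": True,
     "PubliclyAccessible": False, "MultiAZ": True, "DeletionProtection": True,
     "BackupRetentionPeriod": 7,
     "EnabledCloudwatchLogsExports": ["postgresql", "upgrade"]},
    {"DBInstanceIdentifier": "phi-legacy-db", "StorageEncrypted": False,
     "PubliclyAccessible": True, "MultiAZ": True, "DeletionProtection": True,
     "BackupRetentionPeriod": 1, "EnabledCloudwatchLogsExports": []},
]

if __name__ == "__main__":
    # Against a live account, replace SAMPLE_INSTANCES with
    # boto3.client("rds").describe_db_instances()["DBInstances"].
    for ident, failed in audit_instances(SAMPLE_INSTANCES).items():
        print(f"{ident}: {', '.join(failed)}")
```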
The HIPAA & SOC 2 Cloud Architecture service handles complete AWS HIPAA infrastructure — from BAA setup to Terraform modules for every layer.
Written by Sheharyar Amin
Founder & Lead Engineer, Opexia