How do I work around the fact that AWS SQS is not HIPAA compliant?



I have a use case where data from S3 is queued into AWS SQS, which is in turn connected to CloudWatch, whose metrics will be triggering AWS Lambda.

However, I want the architecture to be HIPAA compliant. So, I have come up with this idea:

  1. Once my S3 bucket gets a file,
  2. Fire up a Lambda function, which does hashing/name scrambling of the files, and copies to another S3 bucket (via aws cp)
  3. Connect the bucket with the hashed/scrambled names to the SQS queue

Is this a good and secure practice? Or is there a better workaround? (I would be more than happy if I could send encrypted S3 keys to SQS, but I am not sure whether that is possible.)


Posted 2017-03-01T01:44:24.227




According to Amazon AWS:

Customers may use any AWS service in an account designated as a HIPAA account, but they should only process, store and transmit PHI in the HIPAA-eligible services defined in the BAA. There are ten HIPAA-eligible services today, including AWS Snowball, Amazon DynamoDB, Amazon EBS, Amazon EC2, Amazon Elastic MapReduce (EMR), Amazon Elastic Load Balancing (ELB), Amazon Glacier, Amazon Relational Database Service (RDS) [MySQL, Oracle, and PostgreSQL engines only], Amazon Aurora [MySQL-compatible edition only], Amazon Redshift, and Amazon S3.


This means that as long as you are not storing or transmitting PHI in SQS, just the information about where this PHI is being stored, you can probably pass an audit regarding HIPAA compliance.

In the architecture you describe, the SQS queue does not need to include any PHI content. This would make it comply with the above statement.

More information about HIPAA compliance on AWS is available in this whitepaper from January 2017 -

Specifically SQS is mentioned and explained in the HIPAA FAQ -

Update: As of May 1st 2017, SQS is now HIPAA compliant.


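The flow the question sketches (S3 event, Lambda scrambles the name and copies the object to a second bucket, the queue sees only the scrambled name) and the answer's point that the SQS message never needs to contain PHI, as one added example that is not code from the original question, the answer or AWS. It injects the AWS clients so it runs offline against small in-memory fakes that mimic boto3's `copy_object` and `send_message` keyword arguments; the bucket name, queue URL and HMAC key are hypothetical placeholders. One design choice beyond the post: the scrambled name is a keyed HMAC rather than a plain hash, so that a name like `jane doe-mri.dcm` cannot be confirmed by hashing a guess.

```python
"""Added example (not code from the original question or answer): a Lambda-style
handler that copies an S3 object under an opaque name and queues only a pointer
to the copy, so the SQS message itself carries no PHI.

Assumptions: the AWS clients are injected so the logic runs offline against the
in-memory fakes below (they mimic boto3's copy_object/send_message keyword
arguments); bucket, queue URL and HMAC key are hypothetical placeholders.
"""
import hashlib
import hmac
import json
from urllib.parse import unquote_plus

# Hypothetical configuration; a real deployment reads these from environment
# variables or a secrets manager, never from source.
SCRAMBLED_BUCKET = "example-phi-scrambled"
QUEUE_URL = "https://sqs.us-east-1.amazonaws.com/123456789012/example-queue"
NAME_KEY = b"placeholder-secret-load-from-secrets-manager"


def opaque_name(original_key: str, secret: bytes = NAME_KEY) -> str:
    """Derive a scrambled object name with a keyed HMAC rather than a plain hash,
    so someone who sees the scrambled name cannot confirm a guessed patient
    identifier just by hashing their guess. The extension is kept so consumers
    still know the file type."""
    digest = hmac.new(secret, original_key.encode("utf-8"), hashlib.sha256).hexdigest()
    filename = original_key.rsplit("/", 1)[-1]
    ext = filename.rsplit(".", 1)[1] if "." in filename else ""
    return f"{digest}.{ext}" if ext else digest


def pointer_message(bucket: str, key: str) -> str:
    """SQS body: only where the scrambled copy lives, never the original name."""
    return json.dumps({"bucket": bucket, "key": key})


def handler(event, context=None, *, s3, sqs):
    """Shaped like an AWS Lambda S3-event handler; returns the queued keys."""
    queued = []
    for record in event["Records"]:
        src_bucket = record["s3"]["bucket"]["name"]
        # S3 event notifications URL-encode the key (spaces arrive as '+').
        src_key = unquote_plus(record["s3"]["object"]["key"])
        dst_key = opaque_name(src_key)
        s3.copy_object(
            Bucket=SCRAMBLED_BUCKET,
            Key=dst_key,
            CopySource={"Bucket": src_bucket, "Key": src_key},
            ServerSideEncryption="AES256",
        )
        body = pointer_message(SCRAMBLED_BUCKET, dst_key)
        if src_key in body:  # guard: the original name must never reach the queue
            raise ValueError("refusing to queue a message containing the original key")
        sqs.send_message(QueueUrl=QUEUE_URL, MessageBody=body)
        queued.append(dst_key)
    return queued


class FakeS3:
    """In-memory stand-in for the boto3 S3 client (constructed for this example)."""
    def __init__(self):
        self.objects = {}  # (bucket, key) -> bytes

    def copy_object(self, *, Bucket, Key, CopySource, **kwargs):
        self.objects[(Bucket, Key)] = self.objects[(CopySource["Bucket"], CopySource["Key"])]


class FakeSQS:
    """In-memory stand-in for the boto3 SQS client (constructed for this example)."""
    def __init__(self):
        self.messages = []

    def send_message(self, *, QueueUrl, MessageBody):
        self.messages.append(MessageBody)


def demo():
    """Run the handler on a constructed event whose object name contains PHI."""
    s3, sqs = FakeS3(), FakeSQS()
    s3.objects[("example-phi-inbox", "intake/jane doe-mri.dcm")] = b"constructed sample bytes"
    event = {"Records": [{"s3": {"bucket": {"name": "example-phi-inbox"},
                                 "object": {"key": "intake/jane+doe-mri.dcm"}}}]}
    keys = handler(event, s3=s3, sqs=sqs)
    return {
        "keys": keys,
        "messages": sqs.messages,
        "pointers": [json.loads(m) for m in sqs.messages],
        "stored": sorted(s3.objects),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The queue consumer receives only the scrambled bucket and key and fetches the object from S3 itself, so the PHI stays within S3 and Lambda; the guard in `handler` turns an accidental leak of the original name into a hard failure instead of a quiet one.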