How to Achieve HIPAA Compliance in Amazon Redshift

Galaxy Glossary

How do I make my Amazon Redshift cluster HIPAA compliant?

Steps and SQL settings required to store Protected Health Information (PHI) securely in Amazon Redshift.

Description

What makes a Redshift cluster HIPAA-eligible?

HIPAA eligibility requires encryption at rest and in transit, audit logging, least-privilege IAM, and execution within an AWS HIPAA Account with a signed BAA.

How do I encrypt data at rest?

Enable KMS encryption when you create the cluster, or rotate the cluster's encryption key later. All tables and snapshots inherit the cluster's encryption.

Example

# Redshift has no CREATE CLUSTER statement; clusters are created through
# the AWS API. AWS CLI equivalent (password is a placeholder):
aws redshift create-cluster \
  --cluster-identifier my-hipaa-cluster \
  --node-type dc2.large --number-of-nodes 2 \
  --master-username admin --master-user-password 'StrongP@ssw0rd' \
  --encrypted --kms-key-id 'arn:aws:kms:us-east-1:123:key/abcd'

How do I enforce SSL in transit?

Set require_ssl=true in the cluster's parameter group. Client connections must include sslmode=require.

How do I mask PHI in query results?

Create views that exclude or hash PHI columns. Grant users access to the views, not the base tables.

Example

-- Expose only non-PHI columns; SHA2 is Redshift's SHA-2 family function
CREATE VIEW v_customers_public AS
SELECT id,
       SHA2(email, 256) AS email_hash,
       created_at
FROM customers;

How do I audit every query?

Turn on audit logging with export to S3 and set the enable_user_activity_logging parameter so every statement lands in the useractivitylog file. Configure S3 lifecycle rules to retain the logs for six years.

Example

aws redshift modify-cluster-parameter-group --parameter-group-name hipaa-params --parameters ParameterName=enable_user_activity_logging,ParameterValue=true   # parameter-group setting, not SQL
aws redshift enable-logging --cluster-identifier my-hipaa-cluster --bucket-name hipaa-audit-logs   # export logs to S3

How do I configure least-privilege access?

Assign users to groups with only required permissions. Remove default CREATE and ALTER rights.

Example

CREATE GROUP analysts;
REVOKE ALL ON SCHEMA public FROM GROUP analysts;
GRANT USAGE ON SCHEMA public TO GROUP analysts;   -- needed to reach objects in the schema
GRANT SELECT ON v_customers_public TO GROUP analysts;
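The masking view and the group grants above, carried through end to end as an added example (not from the original page): it assumes a constructed customers table and a hypothetical analyst_user account, uses Redshift's SHA2 function, and closes with a privilege check that a reviewer can run to confirm the analyst cannot reach the base table.

```sql
-- Added example: base table holding PHI (constructed schema, not from the page)
CREATE TABLE customers (
    id         BIGINT IDENTITY(1,1),
    name       VARCHAR(200),
    email      VARCHAR(320),
    dob        DATE,
    created_at TIMESTAMP
);

-- Masked view: name and dob are omitted entirely; email is reduced to a
-- SHA-256 digest that can still be used as a join key. A plain digest of an
-- email is recoverable by trying candidate addresses, so treat email_hash as
-- a pseudonym rather than de-identified data and keep it out of exports.
CREATE VIEW v_customers_public AS
SELECT id,
       SHA2(email, 256) AS email_hash,
       created_at
FROM customers;

-- Least privilege: drop the default CREATE right on the public schema, then
-- give the analysts group schema usage and the view only.
CREATE GROUP analysts;
REVOKE CREATE ON SCHEMA public FROM PUBLIC;
REVOKE ALL ON SCHEMA public FROM GROUP analysts;
GRANT USAGE ON SCHEMA public TO GROUP analysts;
GRANT SELECT ON v_customers_public TO GROUP analysts;

-- Hypothetical analyst account placed in the group (placeholder password)
CREATE USER analyst_user PASSWORD 'Placeholder-Pa55word' IN GROUP analysts;

-- Verification: base_ok must be false and view_ok true. Reading the view
-- works for the analyst because Redshift checks base-table access against
-- the view owner, who also owns customers.
SELECT HAS_TABLE_PRIVILEGE('analyst_user', 'customers', 'select')          AS base_ok,
       HAS_TABLE_PRIVILEGE('analyst_user', 'v_customers_public', 'select') AS view_ok;
```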

Best practices summary

Encrypt everywhere, log everything, restrict access, rotate keys, test disaster recovery, and document compliance controls.

How to Achieve HIPAA Compliance in Amazon Redshift Example Usage


-- Import PHI data from S3 into a table on the encrypted cluster.
-- Objects encrypted server-side with SSE-KMS are decrypted transparently as
-- long as the IAM role may use the key; COPY has no KMS_KEY_ID option (that
-- belongs to UNLOAD) and its ENCRYPTED keyword refers to client-side encryption.
COPY customers(id, name, email, created_at)
FROM 's3://hipaa-bucket/customers/'
IAM_ROLE 'arn:aws:iam::123:role/RedshiftCopy'
FORMAT AS CSV
TIMEFORMAT 'auto';

How to Achieve HIPAA Compliance in Amazon Redshift Syntax


# Redshift has no CREATE CLUSTER or ALTER SYSTEM statements; clusters and
# their parameter groups are managed through the AWS API. CLI equivalents:

# Parameter group that will carry the SSL and logging settings
aws redshift create-cluster-parameter-group \
  --parameter-group-name hipaa-params \
  --parameter-group-family redshift-1.0 \
  --description 'HIPAA parameter group'

# Create encrypted HIPAA-eligible cluster (password is a placeholder)
aws redshift create-cluster \
  --cluster-identifier my-hipaa-cluster \
  --node-type dc2.large \
  --number-of-nodes 2 \
  --db-name prod \
  --master-username admin \
  --master-user-password 'StrongP@ssw0rd' \
  --port 5439 \
  --encrypted \
  --kms-key-id 'arn:aws:kms:us-east-1:123:key/abcd' \
  --cluster-parameter-group-name hipaa-params

# Force SSL for all sessions and record every statement
# (both are static parameters: the cluster must be rebooted to apply them)
aws redshift modify-cluster-parameter-group \
  --parameter-group-name hipaa-params \
  --parameters ParameterName=require_ssl,ParameterValue=true \
               ParameterName=enable_user_activity_logging,ParameterValue=true

# Enable audit logging to S3
# (Console: Cluster → Properties → Audit logging; API: enable-logging)
aws redshift enable-logging \
  --cluster-identifier my-hipaa-cluster \
  --bucket-name hipaa-audit-logs \
  --s3-key-prefix redshift/

-- Mask PHI using views (run inside the database)
CREATE VIEW v_customers_public AS
SELECT id,
       SHA2(email, 256) AS email_hash,
       created_at
FROM   customers;

-- Grant least-privilege access
CREATE GROUP analyst_ro;
GRANT USAGE ON SCHEMA public TO GROUP analyst_ro;
GRANT SELECT ON v_customers_public TO GROUP analyst_ro;

Frequently Asked Questions (FAQs)

Does enabling encryption automatically make the cluster HIPAA compliant?

No. You must also enable audit logging, restrict access, and operate under an AWS BAA.

Can I convert an existing cluster to HIPAA?

Yes. Take an encrypted snapshot, restore it to a new HIPAA account with a signed BAA, and enable the required parameters.

How much does HIPAA logging cost?

Costs depend on S3 storage and CloudWatch ingestion. Compress logs and set lifecycle rules to control spend.
