0 unencrypted data stores · HIPAA-ready on deadline
A healthtech startup had S3 buckets unencrypted, RDS encryption disabled, and no visibility into where PHI lived in their infrastructure — with 4 weeks to a HIPAA audit and no dedicated security team. Adimen ran four parallel tracks and passed the audit with zero findings on data protection.
Challenge
Built fast, audited slow. S3 buckets containing PHI were unencrypted. RDS encryption was disabled. There was no mechanism to discover where PHI existed in the infrastructure, no key management policy, and 4 weeks to a HIPAA compliance audit — with no dedicated security team to run the remediation.
Approach
Four parallel tracks over three weeks: a full encryption audit across all data stores, encryption at rest and in transit enforced for every service, AWS KMS configured with automated key rotation, and Amazon Macie + GuardDuty deployed for ongoing PHI discovery and anomaly detection. Terraform-managed throughout for reproducible compliance evidence.
Outcome
Zero unencrypted data stores. All PHI-bearing services encrypted at rest with KMS-managed keys on automated rotation. Amazon Macie providing continuous PHI discovery. HIPAA audit completed with zero findings on data protection. The entire compliance posture is now codified in Terraform and auditable from a single evidence package.
The background
The startup had built their platform at speed — the product had shipped, customers were onboarding, and PHI was flowing through the system. What hadn't kept pace was the security posture. The infrastructure had been provisioned by engineers focused on shipping features, not compliance. Encryption was assumed to be "on by default" in several places where it wasn't. There was no formal inventory of which services handled PHI and no tooling to discover PHI automatically. The encryption state of data stores was unknown rather than audited.
The trigger was a HIPAA Business Associate Agreement requirement from a hospital system customer — the largest deal the startup had pursued to date. The hospital's security team required HIPAA attestation before the BAA could be signed. The startup had four weeks. They had no dedicated security team and no security engineer on staff. The CEO engaged Adimen to run the remediation and produce the audit evidence in time for the review.
What was done
Track 1: Encryption audit
A systematic scan of every AWS service in the account — S3 buckets, RDS instances, EBS volumes, DynamoDB tables, Redshift clusters, and Elasticsearch domains — for encryption state. The audit found 7 S3 buckets unencrypted (2 containing confirmed PHI), RDS encryption disabled on the primary database, and 3 EBS volumes attached to application servers without encryption. This produced the remediation list for tracks 2 and 3.
Track 2: Encryption at rest and in transit
SSE-KMS enabled on all 7 S3 buckets, with bucket policies updated to deny unencrypted PutObject requests. RDS encryption enabled (this required a snapshot restore to a new encrypted instance, coordinated during a maintenance window with zero data loss). EBS volumes re-created as encrypted. TLS enforced for all inter-service communication. S3 bucket policies and RDS parameter groups managed as Terraform to prevent configuration drift.
Track 3: Key management (AWS KMS)
Customer-managed KMS keys created for each data store category (S3, RDS, EBS) with least-privilege key policies tied to specific IAM roles. Automated annual key rotation enabled on all CMKs. Key usage logging to CloudTrail enabled and verified. A key policy review process added to the quarterly security checklist. The KMS configuration — keys, policies, aliases, grants — is fully managed in Terraform and version-controlled.
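Added example, not Adimen's or the startup's code: a minimal Terraform fragment showing how tracks 2 and 3 fit together for a single PHI bucket. The bucket name, resource names and key description are placeholders.

```hcl
# Customer-managed key with automated annual rotation (placeholder description)
resource "aws_kms_key" "s3_phi" {
  description         = "CMK for PHI S3 buckets (placeholder)"
  enable_key_rotation = true
}

resource "aws_s3_bucket" "phi" {
  bucket = "example-phi-bucket" # placeholder name
}

# Default encryption: every new object is SSE-KMS under the CMK above
resource "aws_s3_bucket_server_side_encryption_configuration" "phi" {
  bucket = aws_s3_bucket.phi.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.s3_phi.arn
    }
  }
}

# Bucket policy: reject any PutObject that does not request SSE-KMS.
# Note: StringNotEquals also matches when the header is absent, so
# clients must send x-amz-server-side-encryption: aws:kms explicitly.
data "aws_iam_policy_document" "deny_unencrypted" {
  statement {
    sid       = "DenyUnencryptedPutObject"
    effect    = "Deny"
    actions   = ["s3:PutObject"]
    resources = ["${aws_s3_bucket.phi.arn}/*"]
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    condition {
      test     = "StringNotEquals"
      variable = "s3:x-amz-server-side-encryption"
      values   = ["aws:kms"]
    }
  }
}

resource "aws_s3_bucket_policy" "phi" {
  bucket = aws_s3_bucket.phi.id
  policy = data.aws_iam_policy_document.deny_unencrypted.json
}
```

The default-encryption rule and the deny policy are complementary: the first guarantees the at-rest state the auditor checks, the second keeps a misconfigured client from silently depending on it, and both land in the Terraform state that doubles as compliance evidence.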
Track 4: PHI discovery and anomaly detection (Macie + GuardDuty)
Amazon Macie enabled across all S3 buckets with a custom job configuration that ran the initial discovery scan within 48 hours of deployment. Macie findings confirmed the 2 PHI-bearing buckets and surfaced 1 additional bucket with potential PII that had been missed in the manual audit. GuardDuty enabled for ongoing anomaly detection — unusual data access patterns, API calls from unexpected locations. All Macie and GuardDuty findings routed to CloudWatch for alerting and to CloudTrail for audit evidence.