Full infrastructure assessment, Terraform rebuild, and runbook delivery for a healthcare IT team ahead of a compliance audit.
The Problem
A healthcare IT team had accumulated an AWS environment over several years that had never been audited for HIPAA compliance. PHI was stored in unencrypted S3 buckets. CloudTrail was disabled in three of four regions. IAM roles carried AdministratorAccess assigned to application workloads. RDS instances were unencrypted and running in the default VPC. There were no runbooks for the on-call team. An upcoming compliance audit had created urgency, but the team did not know the full scope of remediation required.
The Result
Passed the HIPAA compliance audit conducted three months after handover. Client IT team operates the infrastructure independently using the Terraform state and documentation delivered at project close.
Approach
The project began with a three-week assessment phase that produced a complete inventory of every compliance gap with remediation priority and owner. Thirty-one distinct findings were documented, ranging from critical (PHI in unencrypted S3) to informational (missing resource tagging). The rebuild was executed in a parallel environment — a new VPC and account structure was built in Terraform while the production environment remained operational. Workloads were migrated service by service, with each migration including a brief maintenance window for RDS cutover. The most complex phase was IAM remediation: 40+ roles were inventoried, mapped to their consuming workloads, and replaced with least-privilege service roles. The final environment is defined entirely in Terraform, with state stored in S3 with DynamoDB locking and a dedicated IAM role for pipeline execution.
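To make the shape of the rebuild concrete, the following Terraform is an added illustration, not the client's actual configuration or any code delivered on this project. It shows the remote-state backend with DynamoDB locking and a dedicated pipeline role, and the corrected form of the four critical findings above: a PHI bucket encrypted with a customer-managed KMS key and blocked from public access, a single trail covering every region, and an encrypted RDS instance placed in a dedicated subnet group instead of the default VPC. All bucket names, account IDs, the role ARN and the `private_subnet_ids` variable are placeholders; the pipeline role and the private subnets are assumed to already exist.

```hcl
terraform {
  required_version = ">= 1.5"
  backend "s3" {
    bucket         = "example-org-tfstate"          # placeholder
    key            = "prod/phi-platform.tfstate"
    region         = "us-east-1"
    encrypt        = true
    dynamodb_table = "example-org-tfstate-lock"     # placeholder; table keyed on "LockID"
    role_arn       = "arn:aws:iam::111111111111:role/example-terraform-pipeline" # placeholder
  }
}

provider "aws" {
  region = "us-east-1"
}

variable "private_subnet_ids" { type = list(string) } # assumed: private subnets of the rebuilt VPC

# Customer-managed key shared by the PHI bucket and the database; rotation on.
resource "aws_kms_key" "phi" {
  description         = "CMK for PHI at rest (S3, RDS)"
  enable_key_rotation = true
}

# --- S3: PHI bucket, SSE-KMS by default, versioned, all public access blocked ---
resource "aws_s3_bucket" "phi" {
  bucket = "example-org-phi-data" # placeholder
}

resource "aws_s3_bucket_versioning" "phi" {
  bucket = aws_s3_bucket.phi.id
  versioning_configuration { status = "Enabled" }
}

resource "aws_s3_bucket_server_side_encryption_configuration" "phi" {
  bucket = aws_s3_bucket.phi.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.phi.arn
    }
  }
}

resource "aws_s3_bucket_public_access_block" "phi" {
  bucket                  = aws_s3_bucket.phi.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# --- CloudTrail: one multi-region trail, so no region is left unlogged ---
resource "aws_s3_bucket" "trail" {
  bucket = "example-org-cloudtrail-logs" # placeholder
}

# CloudTrail refuses to deliver logs unless the bucket policy grants it these two actions.
resource "aws_s3_bucket_policy" "trail" {
  bucket = aws_s3_bucket.trail.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = "AWSCloudTrailAclCheck"
        Effect    = "Allow"
        Principal = { Service = "cloudtrail.amazonaws.com" }
        Action    = "s3:GetBucketAcl"
        Resource  = aws_s3_bucket.trail.arn
      },
      {
        Sid       = "AWSCloudTrailWrite"
        Effect    = "Allow"
        Principal = { Service = "cloudtrail.amazonaws.com" }
        Action    = "s3:PutObject"
        Resource  = "${aws_s3_bucket.trail.arn}/*"
        Condition = { StringEquals = { "s3:x-amz-acl" = "bucket-owner-full-control" } }
      }
    ]
  })
}

resource "aws_cloudtrail" "all_regions" {
  name                          = "all-regions"
  s3_bucket_name                = aws_s3_bucket.trail.id
  is_multi_region_trail         = true
  include_global_service_events = true
  enable_log_file_validation    = true # digest files let an auditor verify logs were not altered
  depends_on                    = [aws_s3_bucket_policy.trail]
}

# --- RDS: encrypted storage in a dedicated subnet group; omitting the group
# would silently place the instance in the default VPC ---
resource "aws_db_subnet_group" "phi" {
  name       = "phi-db"
  subnet_ids = var.private_subnet_ids
}

resource "aws_db_instance" "phi" {
  identifier                  = "phi-postgres"
  engine                      = "postgres"
  instance_class              = "db.t3.medium"
  allocated_storage           = 100
  username                    = "phiadmin"
  manage_master_user_password = true # RDS stores the credential in Secrets Manager; nothing in state
  storage_encrypted           = true
  kms_key_id                  = aws_kms_key.phi.arn
  db_subnet_group_name        = aws_db_subnet_group.phi.name
  publicly_accessible         = false
  deletion_protection         = true
  skip_final_snapshot         = false
  final_snapshot_identifier   = "phi-postgres-final"
}
```

Two properties of this layout are worth checking during a migration like the one described: `storage_encrypted` cannot be toggled on an existing unencrypted RDS instance, so the cutover has to go through an encrypted snapshot copy and a new instance, which is why each service migration needed a maintenance window; and the backend `role_arn` is what lets the pipeline hold only the permissions needed to read and write state and apply the plan, rather than the AdministratorAccess the application roles previously carried.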
Full technical report
The full write-up includes architecture diagrams, technology selection rationale, implementation phases, and lessons learned. Available for qualified enquiries.