AWS Standard: OpenEMR 5.0.1(7) -> upgraded to 5.0.2: Cloud Trail Not Encrypted properly

(Ralf Lukner MD PhD) #1

I am starting to look closer at the AWS OpenEMR Standard’s Security by running built-in AWS security checks. I plan to post a few issues to provide information where AWS’s security checks recommend improvements for enhanced security. I realize that this is a very broad and complex topic … one on which I am still learning a lot. Hopefully, I can contribute a few things to improve the security of this system in the process for everyone who uses the AWS OpenEMR hosted versions.

Here is a simple issue to start with:

AWS Subscription Security Issues


Rule details

Checks whether AWS CloudTrail is configured to use the server side encryption (SSE) AWS Key Management Service (AWS KMS) customer master key (CMK) encryption. The rule is compliant if the KmsKeyId is defined.
Config rule ARN

Trigger type
Periodic: 24 hours
Scope of changes

Resource types

Last successful invocation
August 25, 2019 11:17 PM
Last successful evaluation
August 25, 2019 11:17 PM

More Information:
S3 Bucket Name

OpenEMR Version
I’m using OpenEMR version 5.0.2 (install was originally 5.0.1x and then upgraded to patch 7)

Browser: Not relevant to this.

Operating System
I’m using: AWS Ubuntu

Description: Ubuntu 16.04.6 LTS
Release: 16.04
Codename: xenial

Logs: Not relevant to this issue.

(Asher Densmore-Lynn) #2

Huh, I can see that. I think “not encrypted properly” overstates the case, HIPAA doesn’t have anything to say about encrypting these resources, but I do have a managed key for Standard and I guess I’ve got no reason not to allow it.

It won’t be addressed in the next (initial) release of Standard 5.0.2 – that’s already in the pipeline – but by the time Standard gets the first patch this should be rolled in. Can you open a ticket on -devops to remind me?

(Ralf Lukner MD PhD) #3

Hello @jesdynf
That makes sense.
How do I open a ticket on -devops?

(Stephen Waite) #4

pretty sure @jesdynf means Issues · openemr/openemr-devops · GitHub

(Ralf Lukner MD PhD) #5

Thank you @stephenwaite! I created an open issue as requested.