Why VPN is not in the HIPAA compliant services while Transit Gateway is?

Question

A customer is going through the HIPAA compliance audit is asking why VPN is not listed under HIPAA eligible services where as TGW is:

https://aws.amazon.com/transit-gateway/faqs/

Q: With which compliance programs does AWS Transit Gateway conform?

A: AWS Transit Gateway inherits compliance from Amazon Virtual Private Cloud (Amazon VPC) and meets the standards for PCI DSS Level 1, ISO 9001, ISO 27001, ISO 27017, ISO 27018, SOC 1, SOC 2, SOC 3, FedRAMP Moderate, FedRAMP High and HIPAA eligibility.

Accepted Answer

S2S VPN or Client VPN? S2S VPN also inherits from VPC.

ETA:
https://docs.aws.amazon.com/vpn/latest/s2svpn/security.html

> Security of the cloud – AWS is responsible for protecting the infrastructure that runs AWS services in the AWS Cloud. AWS also provides you with services that you can use securely. Third-party auditors regularly test and verify the effectiveness of our security as part of the AWS Compliance Programs. To learn about the compliance programs that apply to Site-to-Site VPN, see AWS Services in Scope by Compliance Program.

>Site-to-Site VPN is part of the Amazon VPC service. For more information about security in Amazon VPC, see Security in the Amazon VPC User Guide. "

Why VPN is not in the HIPAA compliant services while Transit Gateway is?

相關內容