
AWS encryption while data travels in private network: HIPAA compliance with AWS instances

mario00 asked
Last Modified: 2017-01-20
Please see the graphic of our infrastructure. We need to look for a solution that enables us to encrypt the data while it travels through the network.
We have a Java app front end (web services), a business logic server in C/C++, and an Oracle DB at rest.
Data needs to be encrypted while it travels.
Please advise.

Looks like an interesting technical problem, however I just want to point out that HIPAA is mostly concerned with keeping people from outside from snooping on traffic, if you are using SSL secured traffic (https) to move data between AWS instances and things are on their own VLAN, where are you concerned about the data not being encrypted?

  • Use SSL for all web services and SOAP interfaces between the application modules. That includes RPC over HTTPS. Do not use self-signed certificates anywhere, buy cheap wildcard certs instead.
  • If you plan to use other protocols like file transfer between your servers, choose secure protocols like ssh/sftp. There are sftp services for all operating systems, including Windows.
  • Do not use shared folders to transfer data between application components
  • Use SSL or Oracle NNE to secure communications with Oracle RDS.


Under the AWS BAA, you must identify each account that contains PHI as a HIPAA account. You may use any AWS service within that account; however, you may only process, store, or transmit PHI on eligible services. You can use services such as AWS Lambda, AWS OpsWorks, and Amazon EC2 Container Service (Amazon ECS) to orchestrate and schedule EC2 instances as long as the actual PHI is processed on EC2 and stored in S3 (or other eligible services). You must still ensure that EC2 instances processing, storing, or transmitting PHI are launched in dedicated tenancy and that PHI is encrypted at rest and in transit. Any application metadata stored in Lambda functions, Chef scripts, or task metadata must not contain PHI.
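The "Use SSL or Oracle NNE" item in the list above only delivers encryption in transit if the server refuses cleartext sessions; Oracle's default mode, ACCEPTED, does not. The following check is an added example, not code from any poster in this thread: it audits text in sqlnet.ora syntax for the server-side NNE parameters, and the function names and both sample configurations are constructed for illustration.

```python
import re

# Modes that must be REQUIRED for the server to refuse unencrypted sessions.
MODE_KEYS = ("SQLNET.ENCRYPTION_SERVER", "SQLNET.CRYPTO_CHECKSUM_SERVER")
TYPE_KEYS = ("SQLNET.ENCRYPTION_TYPES_SERVER", "SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER")
# Legacy algorithms that should not be offered during negotiation.
LEGACY = {"DES", "DES40", "3DES112", "3DES168",
          "RC4_40", "RC4_56", "RC4_128", "RC4_256", "MD5", "SHA1"}

def parse_sqlnet(text):
    """Return {UPPERCASE_KEY: value} for 'KEY = value' lines, ignoring # comments."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"([A-Za-z0-9_.]+)\s*=\s*(.+)", line)
        if m:
            params[m.group(1).upper()] = m.group(2).strip()
    return params

def audit_nne(text):
    """Return a list of findings; an empty list means NNE is enforced."""
    params = parse_sqlnet(text)
    findings = []
    for key in MODE_KEYS:
        mode = params.get(key, "ACCEPTED").upper()  # unset means ACCEPTED
        if mode != "REQUIRED":
            findings.append(f"{key} is {mode}: cleartext sessions still possible")
    for key in TYPE_KEYS:
        if key not in params:
            findings.append(f"{key} not set: all installed algorithms are offered")
            continue
        algos = {a.strip().upper() for a in params[key].strip("()").split(",")}
        for algo in sorted(algos & LEGACY):
            findings.append(f"{key} allows legacy algorithm {algo}")
    return findings

# Constructed sample: encryption only requested, checksum left at default.
WEAK_SAMPLE = """
SQLNET.ENCRYPTION_SERVER = REQUESTED
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256, RC4_128)
"""
# Constructed sample: encryption and integrity both enforced.
HARDENED_SAMPLE = """
SQLNET.ENCRYPTION_SERVER = REQUIRED
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256)
SQLNET.CRYPTO_CHECKSUM_SERVER = REQUIRED
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA256)
"""

if __name__ == "__main__":
    for finding in audit_nne(WEAK_SAMPLE):
        print(finding)
```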
David Jones, Systems / Servers / Networks / Virtualization / Programmer / Developer

I've done some OTP (One Time Token) and some fun encryption / decryption with AWS Lambda. Return an OTP Token based on key salt:

Time (OTP) based Encryption system (not very secure but fun):
Outputs something like:
Encrypted: "5ea0d540fa0980c1dfb2a43ffd75" Secret: "25327332267627" Token: "166825"

To Decrypt you need the secret and OTP token, or the secret and the exact Millisecond the message is sent/processed to regenerate the token:

Better encryption systems can be built with AWS Lambda though ;-)

BTW, the reason I find this system fun is that it is tied to an OTP token, so every time you try to encrypt your text, it is different as long as 15-30 seconds have passed (new OTP Token). So if someone got the message within 30 seconds they generate an OTP token on their own system and can decrypt the message, but if it's longer than 30 seconds you must have the token or the time the message was created. The longer time ticks away from the time that OTP token was generated, the more the message gets garbled. It's not very secure because if you know the time the message is encrypted plus the OTP seed and you know the secret, you can decrypt the message by regenerating / reconstructing the OTP token, but I find it amusing.
