Vendor compliance profile

Is Amazon Aurora HIPAA compliant?

Amazon Aurora may support HIPAA-regulated database workloads only when used as an AWS HIPAA-eligible service under an accepted AWS BAA and correctly configured by the customer. Aurora eligibility does not make the application, logs, backups, exports, replicas, or connected services automatically HIPAA compliant.

Direct compliance answer

Amazon Aurora HIPAA, BAA, PHI, and SOC 2 snapshot

Last checked: 2026-07-04 | Confidence: High

BAA availability: Customers processing PHI in Amazon Aurora need the AWS Business Associate Addendum accepted for the relevant AWS account or organization and should verify that the selected Aurora engine, region, and surrounding services are in current HIPAA scope.
Can it handle PHI? Conditionally. Aurora workloads can expose PHI through schemas, free-text fields, query logs, snapshots, replicas, backups, exports, support bundles, analytics pipelines, and non-production copies.
SOC 2 caveat: AWS makes compliance artifacts, including SOC reports, available through AWS compliance resources and AWS Artifact. Review report scope for Aurora, AWS account structure, regions, and related services used by the workload.
What to verify: Whether the AWS BAA is accepted for the account or organization that owns the Aurora workload. Whether the selected Aurora engine, region, snapshots, replicas, automated backups, exports, logs, monitoring, and support path remain in HIPAA-eligible scope.

HIPAA status signal

Conditional

BAA public signal

AWS BAA required

SOC 2 evidence signal

AWS public evidence

Search query answers

Is Amazon Aurora HIPAA compliant?

AWS lists Amazon Aurora in its HIPAA Eligible Services Reference, but Aurora is not automatically compliant for every workload. Verify AWS BAA acceptance, current service scope, selected engine, region, encryption, IAM, logs, snapshots, backups, support access, and connected services before storing PHI.

Is Amazon Aurora HIPAA eligible like Amazon RDS?

AWS lists both Amazon Aurora and Amazon RDS in HIPAA-eligible scope. Buyers should still verify the current AWS list, selected Aurora engine and region, account BAA, logging, snapshots, backups, replicas, exports, and surrounding architecture.

Can Amazon Aurora store PHI?

Potentially, but only when the AWS BAA is in place, Aurora remains in current HIPAA-eligible scope, and the customer governs encryption, access, logging, backups, retention, exports, non-production copies, monitoring, and all downstream systems that touch PHI.

Does the AWS BAA make an Aurora database HIPAA compliant?

No. The AWS BAA and Aurora service eligibility are prerequisites, not a complete compliance outcome. The customer remains responsible for application design, PHI minimization, access controls, logging, backup lifecycle, incident response, and vendor review.

HIPAA, BAA, and SOC 2 summary

HIPAA: AWS's HIPAA Eligible Services Reference lists Amazon Aurora as eligible, subject to AWS covered-service scope and the shared responsibility model. This is service eligibility, not a blanket approval for every customer workload.
BAA: Customers processing PHI in Amazon Aurora need the AWS Business Associate Addendum accepted for the relevant AWS account or organization and should verify that the selected Aurora engine, region, and surrounding services are in current HIPAA scope.
SOC 2: AWS makes compliance artifacts, including SOC reports, available through AWS compliance resources and AWS Artifact. Review report scope for Aurora, AWS account structure, regions, and related services used by the workload.
PHI risk: Aurora workloads can expose PHI through schemas, free-text fields, query logs, snapshots, replicas, backups, exports, support bundles, analytics pipelines, and non-production copies.
Category: HIPAA-Compliant Cloud, AWS, and Database Services
Last checked: 2026-07-04
Confidence: High

Public evidence and open questions

What public sources say

  • AWS's HIPAA Eligible Services Reference lists Amazon Aurora among HIPAA-eligible services.
  • AWS states that customers should only process, store, and transmit PHI in HIPAA-eligible services defined in the AWS BAA.
  • AWS's shared responsibility model means customer-side configuration, identity, logging, encryption, backups, and connected services remain part of the review.

What remains unconfirmed

  • Whether the buyer's exact AWS account, organization, region, support plan, Aurora engine, replicas, and connected services are covered.
  • Whether application logs, query logs, snapshots, replicas, exports, backups, BI pipelines, staging databases, and support tickets can contain PHI.
  • Whether customer-side IAM, encryption, key management, monitoring, retention, deletion, incident response, and workforce policies are sufficient.

What it may be used for

  • HIPAA-regulated application databases only after AWS BAA acceptance, current Aurora eligibility, selected engine/region review, and customer-side controls are documented.
  • PHI-minimized production workloads where encryption, IAM, logging, backups, retention, deletion, and incident response are governed.
  • Architecture review for teams comparing Aurora, Amazon RDS, and other managed database options under AWS HIPAA scope.

What not to use it for

  • Storing PHI in Aurora before the AWS BAA, current eligible-service scope, selected engine, region, and support paths are verified.
  • Copying PHI into development, staging, analytics, logs, snapshots, replicas, or support tickets without the same governance as production.
  • Assuming AWS service eligibility covers the customer's application, schema, workforce access, vendors, or downstream SaaS integrations.

What to verify with the vendor

  • Whether the AWS BAA is accepted for the account or organization that owns the Aurora workload.
  • Whether the selected Aurora engine, region, snapshots, replicas, automated backups, exports, logs, monitoring, and support path remain in HIPAA-eligible scope.
  • Whether encryption at rest, TLS, KMS key ownership, IAM, MFA, network isolation, database users, audit logging, retention, deletion, and break-glass access are governed.
  • Whether PHI can appear in query text, slow logs, CloudWatch logs, performance traces, object names, BI exports, staging data, support screenshots, or third-party tools.
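
The configuration items in the list above (encryption at rest, TLS enforcement, KMS key ownership, IAM, network isolation, audit logging, retention, deletion) can all be read back from the RDS API. The script below is an added example written for this profile; it is not code from the original page or from AWS. It takes the dictionaries returned by DescribeDBClusters, DescribeDBInstances and DescribeDBClusterParameters (boto3: describe_db_clusters, describe_db_instances, describe_db_cluster_parameters, with the parameter list flattened to a name/value dict) and reports what a reviewer would raise. The "fail"/"verify" severities are this example's own scheme, the optional kms_key_manager argument is KeyMetadata.KeyManager from kms:DescribeKey, and the two sample payloads at the bottom are constructed, with a fictitious account ID, so the script runs offline.

```python
"""Added example: review an Aurora cluster description against the PHI checklist.
Input shapes follow the RDS DescribeDBClusters / DescribeDBInstances APIs; the
sample payloads at the bottom are constructed and use a fictitious account ID."""
from typing import Dict, List, Optional, Tuple

Finding = Tuple[str, str]  # ("fail" | "verify", message); severity scheme is ours, not AWS's

# Cluster parameter that forces TLS for each Aurora engine family, plus the values meaning "on".
TLS_PARAM = {
    "aurora-postgresql": ("rds.force_ssl", {"1", "on"}),
    "aurora-mysql": ("require_secure_transport", {"on", "1"}),
}
# CloudWatch log export that carries the audit trail for each engine family.
AUDIT_EXPORT = {"aurora-postgresql": "postgresql", "aurora-mysql": "audit"}
# Aurora MySQL exports whose records include statement text, and so possibly PHI.
QUERY_TEXT_EXPORTS = {"general", "slowquery"}


def review_cluster(cluster: dict, instances: List[dict], params: Dict[str, str],
                   kms_key_manager: Optional[str] = None) -> List[Finding]:
    """kms_key_manager is KeyMetadata.KeyManager from kms:DescribeKey on the cluster's
    KmsKeyId ("AWS" or "CUSTOMER"); pass None when it has not been looked up."""
    out: List[Finding] = []
    engine = cluster.get("Engine", "")
    pg = cluster.get("DBClusterParameterGroup", "<unknown>")

    # Encryption at rest, and who controls the key.
    if not cluster.get("StorageEncrypted"):
        out.append(("fail", "storage encryption is off; Aurora cannot enable it in place, "
                            "so migrate by restoring a snapshot into an encrypted cluster"))
    elif kms_key_manager == "AWS":
        out.append(("verify", "encrypted with the AWS-managed key; a customer-managed key "
                              "gives you the key policy and CloudTrail on key use"))
    elif kms_key_manager is None:
        out.append(("verify", f"KmsKeyId {cluster.get('KmsKeyId')}: look up KeyManager "
                              "with kms:DescribeKey to confirm the key is customer-managed"))

    # TLS in transit is enforced by a cluster parameter, not by client choice.
    if engine in TLS_PARAM:
        name, on_values = TLS_PARAM[engine]
        if str(params.get(name) or "").lower() not in on_values:
            out.append(("fail", f"{name} is not set in parameter group {pg}; "
                                "clients can still connect without TLS"))
    else:
        out.append(("verify", f"engine {engine!r} not recognised; TLS parameter not checked"))

    # Identity: IAM auth ties database logins to IAM principals and CloudTrail.
    if not cluster.get("IAMDatabaseAuthenticationEnabled"):
        out.append(("verify", "IAM database authentication is off; password-only database "
                              "users need their own rotation, least-privilege and break-glass rules"))

    # Network isolation: a PHI database should never answer on a public address.
    for inst in instances:
        if inst.get("PubliclyAccessible"):
            out.append(("fail", f"instance {inst.get('DBInstanceIdentifier')} is publicly accessible"))

    # Audit trail, and its flip side: exports that put statement text (possible PHI) in CloudWatch.
    exports = set(cluster.get("EnabledCloudwatchLogsExports", []))
    audit = AUDIT_EXPORT.get(engine)
    if audit and audit not in exports:
        out.append(("fail", f"'{audit}' log export is off; no audit trail leaves the instance"))
    for export in sorted(exports & QUERY_TEXT_EXPORTS):
        out.append(("verify", f"'{export}' export writes statement text to CloudWatch Logs; "
                              "treat that log group as PHI-bearing (access, retention, KMS)"))
    if engine == "aurora-postgresql" and params.get("log_statement", "none") in {"mod", "all"}:
        out.append(("verify", f"log_statement={params['log_statement']} puts statement text "
                              "in the postgresql log; treat that log group as PHI-bearing"))

    # Lifecycle: accidental deletion and backup retention.
    if not cluster.get("DeletionProtection"):
        out.append(("fail", "deletion protection is off"))
    out.append(("verify", f"automated backups kept {cluster.get('BackupRetentionPeriod')} day(s); "
                          "compare with the documented PHI retention and deletion policy"))
    return out


def failures(findings: List[Finding]) -> List[str]:
    """Only the hard failures, for a pass/fail gate in a pipeline."""
    return [msg for sev, msg in findings if sev == "fail"]


# Constructed sample: an Aurora MySQL cluster created with defaults and left that way.
WEAK_CLUSTER = {
    "DBClusterIdentifier": "phi-mysql", "Engine": "aurora-mysql",
    "StorageEncrypted": False, "IAMDatabaseAuthenticationEnabled": False,
    "DeletionProtection": False, "BackupRetentionPeriod": 1,
    "EnabledCloudwatchLogsExports": ["general"],
    "DBClusterParameterGroup": "default.aurora-mysql8.0",
}
WEAK_INSTANCES = [{"DBInstanceIdentifier": "phi-mysql-writer", "PubliclyAccessible": True}]
WEAK_PARAMS: Dict[str, str] = {}

# Constructed sample: an Aurora PostgreSQL cluster configured the way the checklist asks.
HARDENED_CLUSTER = {
    "DBClusterIdentifier": "phi-pg", "Engine": "aurora-postgresql", "StorageEncrypted": True,
    "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555",
    "IAMDatabaseAuthenticationEnabled": True, "DeletionProtection": True,
    "BackupRetentionPeriod": 35, "EnabledCloudwatchLogsExports": ["postgresql"],
    "DBClusterParameterGroup": "phi-pg-params",
}
HARDENED_INSTANCES = [{"DBInstanceIdentifier": "phi-pg-writer", "PubliclyAccessible": False}]
HARDENED_PARAMS = {"rds.force_ssl": "1", "log_statement": "none"}

if __name__ == "__main__":
    for label, args in (("weak", (WEAK_CLUSTER, WEAK_INSTANCES, WEAK_PARAMS)),
                        ("hardened", (HARDENED_CLUSTER, HARDENED_INSTANCES, HARDENED_PARAMS, "CUSTOMER"))):
        print(f"== {label}")
        for sev, msg in review_cluster(*args):
            print(f"  [{sev}] {msg}")
```

Two design points worth noting. Key ownership cannot be read from the cluster description alone: KmsKeyId is an ARN for both AWS-managed and customer-managed keys, so the reviewer has to call kms:DescribeKey and pass KeyManager in, and the script flags that as unresolved rather than passing it silently. Second, turning on the general or slow-query exports satisfies "logging" on a checklist but moves statement text, and any PHI embedded in it, into a CloudWatch log group that then needs the same access, retention and encryption governance as the database.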

Safer alternatives and related profiles

Safer alternatives to consider

  • Amazon RDS only after current AWS HIPAA eligibility, BAA, engine, region, logs, backups, and surrounding architecture are verified.
  • A healthcare-specific hosting or managed database provider when the team cannot operate AWS shared-responsibility controls directly.
  • A HIPAA-focused application platform where database, logs, backups, support, and operational controls are covered together.

FAQ

Will Amazon Aurora sign a BAA?

Amazon Aurora is a service, not a separate signatory: the agreement is the AWS Business Associate Addendum, accepted for the relevant AWS account or organization through AWS Artifact. Customers processing PHI in Aurora need that BAA in place and should then verify that the selected Aurora engine, region, and surrounding services are in current HIPAA scope.

Can Amazon Aurora be used with PHI?

Do not store or process PHI in Amazon Aurora until your organization verifies BAA scope, covered services, configuration, access controls, data retention, and connected integrations.

Does SOC 2 mean Amazon Aurora is HIPAA compliant?

No. SOC 2 evidence can support security diligence, but it does not prove HIPAA compliance, confirm BAA coverage, or approve PHI use. Review HIPAA terms, BAA scope, covered services, configuration, and intended workflow separately.

What should buyers verify before using Amazon Aurora with PHI?

Whether the AWS BAA is accepted for the account or organization that owns the Aurora workload. Whether the selected Aurora engine, region, snapshots, replicas, automated backups, exports, logs, monitoring, and support path remain in HIPAA-eligible scope. Whether encryption at rest, TLS, KMS key ownership, IAM, MFA, network isolation, database users, audit logging, retention, deletion, and break-glass access are governed. Whether PHI can appear in query text, slow logs, CloudWatch logs, performance traces, object names, BI exports, staging data, support screenshots, or third-party tools.

Last checked and source notes

Last checked: 2026-07-04
Confidence: High
Dataset rows: 269 vendors

  • Reviewed AWS HIPAA compliance materials and the HIPAA Eligible Services Reference on 2026-07-04.
  • AWS's HIPAA Eligible Services Reference should be re-checked before implementation because service scope and names can change.
  • ComplySaaS did not verify a private AWS account, AWS Artifact agreement, architecture, or customer-specific BAA status.

Sources

  • AWS HIPAA compliance
  • AWS HIPAA Eligible Services Reference
  • Amazon Aurora security