Building security into the deployment
This Quick Start gives customers the ability to launch Tableau Server in either a new Amazon Virtual Private Cloud (VPC) or an existing VPC.
Several security measures within this Quick Start help Tableau customers deploy single-node Tableau Server in their AWS environment and align with their responsibilities to the AWS Business Associates Addendum (BAA) and HIPAA in general.
Server-side encryption at rest
Tableau Server is deployed on Amazon EC2 instances backed by Amazon Elastic Block Store (EBS) volumes. Each EBS volume is encrypted at rest using envelope encryption with AWS Key Management Service (KMS).
Each Tableau Server deployment, which can be either Linux- or Windows-based, is built from a base Amazon Machine Image (AMI). These AMIs have unencrypted root volumes, which means we need to create base AMIs with encrypted EBS. For more on the series of steps detailing how to do this, read the AWS version of this announcement.
Encryption in transit
Covered entities under HIPAA are required to have a Business Associates Addendum with AWS for the analysis of Protected Health Information, or PHI. The AWS BAA mandates that all PHI on AWS be encrypted not only at rest but also in transit. To remain consistent with the AWS BAA, PHI is first encrypted from the internet to the Application Load Balancer with an SSL certificate stored in AWS Certificate Manager, and then from the Load Balancer to Tableau Server using a self-signed certificate generated by OpenSSL.
To learn more about encryption in transit with Tableau, please see the documentation for Windows and Linux.
Logging and configuration management
AWS Config is often a key component of how healthcare organizations visualize their AWS environment. You can take your policies, translate them into technical controls, and then build AWS Config rules that map to those policies. In this Quick Start, we create several Config rules to demonstrate how you can monitor your Tableau Server environment. These rules are scoped to a specified tag so you can monitor your Tableau resources separately from your other resources.
The following screenshot shows what it looks like after the Quick Start deployment has finished. All Config rules should show as compliant. For example, the second rule below confirms that your Tableau Server deployment has Amazon EBS volumes encrypted at rest. The fourth confirms that your load balancer only allows HTTPS communication. For more on the HIPAA rules this Quick Start addresses, read the Security Controls Reference.
While outside the scope of this Quick Start, you could build additional Config rules, such as checking configuration files on Tableau Server (e.g. the SSL certificate location) using a combination of AWS Lambda and AWS Systems Manager. You can also use additional tagging policies to group additional resources if you wish to broaden the scope of your checks with AWS Config.
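As an added illustration, not taken from the Quick Start's own templates, here is how the two checks described above (tagged EBS volumes must be encrypted, tagged load balancer listeners must be HTTPS) can be expressed as one tag-scoped custom AWS Config rule backed by Lambda. It assumes a hypothetical tag `Application=TableauServer` as the scope, and the `encrypted` and `protocol` fields of the EBS volume and ALB listener configuration items; `lambda_handler` is the entry point a deployed rule would use, while `build_evaluation` runs offline.

```python
import json

# Constructed rule parameters: only resources carrying this tag are evaluated
# (hypothetical tag key/value standing in for the Quick Start's own tag).
RULE_PARAMETERS = {"TagKey": "Application", "TagValue": "TableauServer"}

def evaluate_item(item, params):
    """Verdict for one configuration item: untagged resources are NOT_APPLICABLE,
    a tagged EBS volume must be encrypted, a tagged ALB listener must use HTTPS."""
    tags = item.get("tags") or {}
    if tags.get(params["TagKey"]) != params["TagValue"]:
        return "NOT_APPLICABLE", "Resource is outside the Tableau tag scope"
    conf = item.get("configuration") or {}
    rtype = item["resourceType"]
    if rtype == "AWS::EC2::Volume":
        if conf.get("encrypted") is True:
            return "COMPLIANT", "EBS volume is encrypted at rest"
        return "NON_COMPLIANT", "EBS volume is not encrypted at rest"
    if rtype == "AWS::ElasticLoadBalancingV2::Listener":
        if conf.get("protocol") == "HTTPS":
            return "COMPLIANT", "Listener accepts HTTPS only"
        return "NON_COMPLIANT", "Listener protocol %s is not HTTPS" % conf.get("protocol")
    return "NOT_APPLICABLE", "Rule does not cover " + rtype

def build_evaluation(event):
    """Turn a Config rule invocation event into one PutEvaluations entry."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    params = json.loads(event.get("ruleParameters") or "{}") or RULE_PARAMETERS
    compliance, note = evaluate_item(item, params)
    return {"ComplianceResourceType": item["resourceType"],
            "ComplianceResourceId": item["resourceId"],
            "ComplianceType": compliance, "Annotation": note,
            "OrderingTimestamp": item["configurationItemCaptureTime"]}

def lambda_handler(event, context):
    """Entry point when deployed as a custom rule; boto3 exists only there."""
    import boto3
    evaluation = build_evaluation(event)
    boto3.client("config").put_evaluations(
        Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation

# Constructed sample invocation: a tagged but unencrypted EBS volume.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({"configurationItem": {
        "resourceType": "AWS::EC2::Volume", "resourceId": "vol-0constructed",
        "configurationItemCaptureTime": "2020-01-01T00:00:00.000Z",
        "configuration": {"encrypted": False}, "tags": {"Application": "TableauServer"}}}),
    "ruleParameters": json.dumps(RULE_PARAMETERS),
    "resultToken": "constructed-token"}
```

Running `build_evaluation(SAMPLE_EVENT)` yields a NON_COMPLIANT evaluation for the unencrypted volume, which is the finding the second Config rule in the screenshot would surface.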