Most health tech engineering teams I audit have the same problem with their PHI buckets. They don't know it's a problem until the SOC 2 auditor flags it, or until they're trying to reconstruct what happened during an incident.

The pattern is one of three things.

Scenario A. S3 server access logging is disabled entirely on the bucket holding PHI. The team's argument is usually that CloudTrail covers it. By default it doesn't. A trail records management events: bucket-level calls such as PutBucketPolicy or DeleteBucket. The object-level calls that actually touch PHI, GetObject and PutObject, are not recorded unless you turn on S3 data events for that bucket, and almost nobody has. Server access logs record every request against the bucket: which principal fetched which key, when, from which IP, whether the request was signed with an authorization header or a presigned URL, and whether it succeeded. For HIPAA you want both. The technical safeguards in §164.312(b) require audit controls that record and examine activity in systems containing ePHI. Object-level access is that activity. A default trail alone won't show it, and won't pass scrutiny.
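The "examine" half of §164.312(b) is where most teams stop, so here is what examining a server access log actually looks like. This is an added example, not something from the post or from AWS: it parses lines in the documented server access log field order and applies a few review rules (anonymous requests, 403s, object reads by principals outside an allowlist, SDK reads from outside the VPC, bulk reads per principal) while separately counting presigned-URL reads by their QueryString authentication type. The log lines, role ARNs, bucket name and CIDR range are constructed for the example.

```python
"""Parse S3 server access log lines and flag object-level reads that need
review. Added example, not from the post; the log lines are constructed to
match the documented field order, and the role ARNs and CIDRs are assumed."""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Field order of the S3 server access log format.
FIELDS = [
    "bucket_owner", "bucket", "time", "remote_ip", "requester", "request_id",
    "operation", "key", "request_uri", "http_status", "error_code",
    "bytes_sent", "object_size", "total_time", "turnaround_time", "referer",
    "user_agent", "version_id", "host_id", "signature_version", "cipher_suite",
    "auth_type", "host_header", "tls_version", "access_point_arn", "acl_required",
]
# A token is a [bracketed time], a "quoted string", or a run of non-space.
TOKEN = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')


def parse_line(line):
    toks = [t.strip('[]"') for t in TOKEN.findall(line)]
    toks += ["-"] * (len(FIELDS) - len(toks))      # older lines have fewer fields
    rec = dict(zip(FIELDS, toks))
    rec["http_status"] = int(rec["http_status"]) if rec["http_status"].isdigit() else 0
    return rec


@dataclass(frozen=True)
class Finding:
    rule: str
    requester: str
    remote_ip: str
    key: str


def _inside(ip, nets):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:                                # "-" or garbage
        return False
    return any(addr in n for n in nets)


def review(lines, allowed_readers, allowed_cidrs, bulk_threshold=1000):
    """Return (findings, summary) for a batch of log lines."""
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    findings, reads, presigned = [], Counter(), 0
    for line in lines:
        r = parse_line(line)

        def flag(rule):
            findings.append(Finding(rule, r["requester"], r["remote_ip"], r["key"]))

        if r["requester"] == "-":
            flag("unauthenticated_request")         # anonymous hit on a PHI bucket
        if r["http_status"] == 403:
            flag("access_denied")                   # probing, or a broken client
        if r["operation"].startswith("REST.GET.OBJECT") and r["http_status"] == 200:
            reads[r["requester"]] += 1
            if r["auth_type"] == "QueryString":
                presigned += 1                      # a presigned URL was exercised
            elif not _inside(r["remote_ip"], nets):
                flag("direct_read_from_outside_network")   # SDK call from off-VPC
            if r["requester"] not in allowed_readers:
                flag("unexpected_principal")        # e.g. a developer reading PHI
    for who, n in reads.items():
        if n > bulk_threshold:
            findings.append(Finding("bulk_download", who, "-", f"{n} objects"))
    return findings, {"reads_by_requester": dict(reads), "presigned_reads": presigned}


# ---- constructed sample input (not real logs) ----
OWNER = "c0ffee" * 10 + "c0ff"                       # made-up 64-hex canonical user ID
EHR = "arn:aws:sts::123456789012:assumed-role/ehr-api-role/i-0abc1234"   # hypothetical
DEV = "arn:aws:sts::123456789012:assumed-role/developer/alice"           # hypothetical
ALLOWED_READERS = {EHR}
ALLOWED_CIDRS = ["10.0.0.0/8"]                       # assumed VPC range of the EHR service


def _sample_line(ip, requester, op, key, status, err, auth):
    return (f'{OWNER} acme-phi-records [06/Feb/2024:14:02:11 +0000] {ip} {requester} '
            f'7F3E57427EXAMPLE {op} {key} "GET /{key} HTTP/1.1" {status} {err} 2048 2048 '
            f'12 8 "-" "aws-sdk-python/1.34" - HOSTIDEXAMPLE= SigV4 TLS_AES_128_GCM_SHA256 '
            f'{auth} acme-phi-records.s3.us-east-1.amazonaws.com TLSv1.3 - -')


SAMPLE_LINES = [
    _sample_line("10.0.1.5", EHR, "REST.GET.OBJECT", "patients/1001/labs.pdf", 200, "-", "AuthHeader"),
    _sample_line("203.0.113.7", DEV, "REST.GET.OBJECT", "patients/1002/notes.pdf", 200, "-", "AuthHeader"),
    _sample_line("198.51.100.9", "-", "REST.GET.OBJECT", "patients/1003/mri.dcm", 403, "AccessDenied", "-"),
    _sample_line("203.0.113.40", EHR, "REST.GET.OBJECT", "patients/1004/discharge.pdf", 200, "-", "QueryString"),
] + [_sample_line("10.0.1.5", EHR, "REST.GET.OBJECT", f"patients/{n}/labs.pdf", 200, "-", "AuthHeader")
     for n in range(2000, 2004)]


def review_sample(bulk_threshold=5):
    return review(SAMPLE_LINES, ALLOWED_READERS, ALLOWED_CIDRS, bulk_threshold)


if __name__ == "__main__":
    findings, summary = review_sample()
    for f in findings:
        print(f"{f.rule:36} {f.requester:60} {f.remote_ip:15} {f.key}")
    print(summary)
```

Point it at a day's worth of real lines (one log object per line, after decompressing) and tune the allowlists to your own roles and VPC ranges. Presigned reads are counted rather than flagged because patient-facing downloads legitimately come from the public internet; what you want there is the trend, not an alert per read.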

Scenario B. Logging is enabled, but it writes its logs into the bucket it's logging. This one makes me wince. Every log delivery is itself a request to the bucket, which gets logged, so the bucket generates log entries about its own logging indefinitely; AWS's own docs warn against this. That inflates your storage costs (I've seen this add $400 to $800 a month on a single bucket). More importantly, the logs live in the same blast radius as the data they're auditing. If someone compromises the bucket, they compromise the audit trail, and a delete on the right prefix erases the evidence.

Scenario C. Logging is enabled, writing to a separate bucket, but the logging bucket has no lifecycle policy and no access controls of its own. So you have four years of access logs sitting in Standard storage, and the dev team has read access to the audit trail of their own activity. Both are findings.

The fix takes about 30 minutes.

First, create a dedicated logging bucket in the same account and region as the PHI buckets (S3 requires both for server access log delivery). Naming convention: {company}-audit-logs-{region}. Block public access and enable default encryption with SSE-S3 (AES-256); a destination bucket for server access logs can't use SSE-KMS default encryption, so keep the separate KMS key for the CloudTrail bucket. The writer is the S3 log delivery service principal, logging.s3.amazonaws.com, which you grant s3:PutObject in the bucket policy with aws:SourceArn pinned to your PHI buckets and aws:SourceAccount pinned to your account. Reads go to a security or audit role only. Nobody on the dev team should be able to read their own trail, and nobody should hold s3:DeleteObject on it.

Second, enable S3 server access logging on every bucket containing ePHI, pointing to that logging bucket with a distinct prefix per source bucket (for example phi-records/) so the logs stay separable. AWS Console, bucket, Properties, Server access logging, Enable; or put-bucket-logging from the CLI. Delivery is best effort and can lag by a few hours, which is part of why the CloudTrail step below still matters.

Third, add a lifecycle policy on the logging bucket that covers every prefix. Transition to Glacier Instant Retrieval after 90 days, expire after six years. HIPAA's documentation retention rule (§164.316(b)(2)) is six years from the date of creation or the date the document was last in effect, whichever is later; treat the audit logs the same way and round up rather than down.

Fourth, add CloudTrail data events for S3 on the PHI buckets. Server access logs are delivered best effort and can lag by hours; data events land in the trail within minutes, with the calling principal, session, source IP and user agent as structured JSON, and you can route them to CloudWatch or EventBridge for alerting. They also record how each request was authenticated (an AuthenticationMethod of AuthHeader versus QueryString), which is how you spot presigned URLs being exercised. Note that generating a presigned URL is a local signing operation, not an API call, so nothing logs the generation; you see the URL only when someone uses it. Yes, this costs money. Usually $30 to $80 a month for a typical health tech workload. It's non-negotiable for a clean SOC 2.
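The three scenarios and the four steps, as one script. This is an added example, not the post's tooling or anything shipped by AWS: the pure functions take the response dicts boto3 returns for get_bucket_logging and get_bucket_lifecycle_configuration and classify a bucket as scenario A, B, C or OK, then build the exact request bodies for the fix (the log bucket policy for the logging.s3.amazonaws.com service principal, the logging status with a per-bucket prefix, the Glacier Instant Retrieval and six-year expiry rule, and the S3 data event selector). Only audit_live() talks to AWS. The company name, account ID and bucket names are placeholders.

```python
"""Classify a PHI bucket's logging posture (scenarios A/B/C above) and build
the remediation request bodies. Added example, not from the post. The pure
functions take boto3 response dicts so they run offline; audit_live() needs
boto3 and credentials."""
import json
import sys

SIX_YEARS_DAYS = 6 * 366            # rounded up so leap years never shorten retention
GLACIER_IR_AFTER_DAYS = 90


def has_retention_rule(lifecycle):
    """True if some enabled rule expires objects no sooner than six years."""
    if not lifecycle:
        return False
    for rule in lifecycle.get("Rules", []):
        days = rule.get("Expiration", {}).get("Days", 0)
        if rule.get("Status") == "Enabled" and days >= 6 * 365:
            return True
    return False


def classify(bucket, logging_resp, target_lifecycle):
    """logging_resp: s3.get_bucket_logging(Bucket=bucket) response.
    target_lifecycle: get_bucket_lifecycle_configuration() response for the
    target bucket, or None if that call raised NoSuchLifecycleConfiguration.
    Bucket-policy review for the target (the other half of scenario C) is
    left to a separate check."""
    enabled = logging_resp.get("LoggingEnabled")
    if not enabled:
        return "A"                                    # no object-level access log at all
    if enabled.get("TargetBucket") == bucket:
        return "B"                                    # bucket logs into itself
    if not has_retention_rule(target_lifecycle):
        return "C"                                    # logs pile up in Standard forever
    return "OK"


def log_bucket_name(company, region):
    return f"{company}-audit-logs-{region}"


def log_bucket_policy(log_bucket, phi_buckets, account_id):
    """Grants the S3 log delivery service principal write access, scoped to
    our own PHI buckets and account so nobody else can spray logs in."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "S3ServerAccessLogsPolicy", "Effect": "Allow",
        "Principal": {"Service": "logging.s3.amazonaws.com"},
        "Action": "s3:PutObject",
        "Resource": f"arn:aws:s3:::{log_bucket}/*",
        "Condition": {
            "ArnLike": {"aws:SourceArn": [f"arn:aws:s3:::{b}" for b in phi_buckets]},
            "StringEquals": {"aws:SourceAccount": account_id}}}]}


def logging_status(phi_bucket, log_bucket):
    # One prefix per source bucket keeps a shared logging bucket separable.
    return {"LoggingEnabled": {"TargetBucket": log_bucket, "TargetPrefix": f"{phi_bucket}/"}}


def retention_lifecycle():
    return {"Rules": [{"ID": "audit-log-retention", "Status": "Enabled",
                       "Filter": {"Prefix": ""},        # whole bucket, every prefix
                       "Transitions": [{"Days": GLACIER_IR_AFTER_DAYS, "StorageClass": "GLACIER_IR"}],
                       "Expiration": {"Days": SIX_YEARS_DAYS}}]}


def data_event_selectors(phi_buckets):
    """Event selector for cloudtrail.put_event_selectors: all object-level
    reads and writes on the PHI buckets, management events kept on."""
    return [{"ReadWriteType": "All", "IncludeManagementEvents": True,
             "DataResources": [{"Type": "AWS::S3::Object",
                                "Values": [f"arn:aws:s3:::{b}/" for b in phi_buckets]}]}]


def audit_live(buckets):
    """classify() over real buckets; returns {bucket: scenario}."""
    import boto3
    from botocore.exceptions import ClientError
    s3 = boto3.client("s3")
    result = {}
    for b in buckets:
        logging_resp = s3.get_bucket_logging(Bucket=b)
        target = logging_resp.get("LoggingEnabled", {}).get("TargetBucket")
        lifecycle = None
        if target and target != b:
            try:
                lifecycle = s3.get_bucket_lifecycle_configuration(Bucket=target)
            except ClientError as e:
                if e.response["Error"]["Code"] != "NoSuchLifecycleConfiguration":
                    raise
        result[b] = classify(b, logging_resp, lifecycle)
    return result


if __name__ == "__main__":
    # usage: python audit.py phi-bucket-1 phi-bucket-2 ...
    print(json.dumps(audit_live(sys.argv[1:]), indent=2))
```

To apply the fix, feed the builders straight into boto3: put_bucket_policy(Bucket=log_bucket, Policy=json.dumps(log_bucket_policy(...))), put_bucket_logging(Bucket=phi, BucketLoggingStatus=logging_status(phi, log_bucket)), put_bucket_lifecycle_configuration(Bucket=log_bucket, LifecycleConfiguration=retention_lifecycle()), and cloudtrail.put_event_selectors(TrailName=trail, EventSelectors=data_event_selectors(phi_buckets)). Run the audit again afterwards; every PHI bucket should come back OK.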

The combined cost of doing this right is typically $40 to $120 a month depending on access volume. The cost of not doing it is harder to price. A single audit finding can delay a SOC 2 report by six to eight weeks, and during procurement that delay can kill enterprise deals.

If you want a full pass on your S3, IAM, and CloudTrail configuration for HIPAA and SOC 2 readiness, the 2-week Transivone audit covers exactly this. Every bucket, every IAM role, every gap, with a remediation plan you can ship. 20% AWS savings guaranteed or it's free. Reply to this email if you want to talk.

— Manan
