Continuing our HIPAA recommendations, another step required to secure data on our cloud infrastructure is encryption of data at rest.
If you use AWS S3 buckets to store PHI, follow the instructions below to have that data encrypted.
Enabling default encryption doesn’t change the encryption of objects that are already in the bucket. After you enable default encryption, the encryption that you set applies only to future uploads. For example, if you enable server-side encryption with AWS KMS (SSE-KMS) on the bucket, then any unencrypted objects already in the bucket remain unencrypted. Additionally, any objects already encrypted using Amazon S3-managed keys (SSE-S3) remain encrypted with SSE-S3.
To change the encryption of an existing object to SSE-KMS, you must re-upload the object. Or, you can copy the object over itself.
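Using the AWS CLI, the command to encrypt all existing objects would be something like this:
aws s3 cp s3://bucket-name/ s3://bucket-name/ --recursive --sse
With no value, `--sse` applies SSE-S3 (AES256); pass `aws:kms` as its value to use SSE-KMS.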
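The following script is an added example, not part of the original post: it checks each object's current encryption and copies over itself only those not already encrypted with SSE-KMS under the intended key. The function names and the bucket and KMS key ARN arguments are assumptions for illustration.

```shell
#!/bin/sh
# Added example: re-encrypt only objects that are not yet SSE-KMS under the wanted key.
# Function names and arguments are illustrative, not from the original post.
TAB=$(printf '\t')

# Decide from one head-object result whether the object must be copied over itself.
# $1 = ServerSideEncryption ("None", "AES256", "aws:kms")
# $2 = SSEKMSKeyId as reported by S3 (a key ARN, or "None"); $3 = wanted KMS key ARN
needs_reencrypt() {
  [ "$1" != "aws:kms" ] && return 0   # unencrypted or SSE-S3
  [ "$2" != "$3" ] && return 0        # SSE-KMS, but under a different key
  return 1
}

# stdin: "key<TAB>sse<TAB>kms-key" lines; $1 = wanted KMS key ARN.
# Prints, one per line, the keys that still need re-encryption.
filter_stale() {
  while IFS="$TAB" read -r key sse kid; do
    if needs_reencrypt "$sse" "$kid" "$1"; then printf '%s\n' "$key"; fi
  done
}

# $1 = bucket name, $2 = KMS key ARN. List, inspect, then copy stale objects in place.
reencrypt_bucket() {
  bucket=$1; key_arn=$2
  aws s3api list-objects-v2 --bucket "$bucket" \
      --query 'Contents[].[Key]' --output text </dev/null |
  while IFS= read -r key; do
    # An empty bucket yields the literal text "None"; skip it.
    [ -n "$key" ] && [ "$key" != "None" ] || continue
    printf '%s\t' "$key"
    aws s3api head-object --bucket "$bucket" --key "$key" \
      --query '[ServerSideEncryption, SSEKMSKeyId]' --output text </dev/null
  done | filter_stale "$key_arn" |
  while IFS= read -r key; do
    aws s3 cp "s3://$bucket/$key" "s3://$bucket/$key" \
      --sse aws:kms --sse-kms-key-id "$key_arn" --only-show-errors </dev/null
  done
}

# Usage: reencrypt_bucket bucket-name <kms-key-arn>
```

On a versioned bucket the copy creates a new current version, and earlier versions keep their original encryption.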