EXAMPLE: HIPAA and Lambda — Logging and Ephemeral Storage


Example post — This is placeholder content to preview how a post in this space would look. Not a real article.

If you’re building something that touches PHI and runs on Lambda, you already know you need a BAA, encryption in transit and at rest, and strict access controls. The easy stuff. The stuff that bites people is logging and ephemeral storage.

Logging

Lambda writes logs to CloudWatch by default. Log groups and log streams are often readable by anyone in the same account who holds logs:GetLogEvents. If your code ever logs a request body, an identifier, or an error message that includes PHI, you’ve just put it in a log that may be kept far longer than you intend and be visible to more people than you think.

Practical steps:

  • Never log PHI. Sanitize or redact before console.log or your logger.
  • Use structured logging and a small allow-list of non-PHI fields (e.g. request ID, duration, status).
  • Restrict CloudWatch log group access with IAM so only the roles that need them can read.
  • Set retention on log groups so they’re not kept forever.

Ephemeral storage (/tmp)

Lambda’s /tmp is local to the execution environment and can be reused across invocations. If you write PHI to disk (e.g. parsing a file, generating a report), that data can sit there until the execution environment is recycled. That’s a risk if you’re not treating /tmp as sensitive.

Practical steps:

  • Prefer streaming or in-memory processing when you can.
  • If you must write to /tmp, clear or overwrite the file as soon as you’re done (e.g. truncate and unlink, or write zeros).
  • Consider Lambda’s ephemeral storage size and lifetime in your threat model; document the controls in your security docs.

Why it matters

HIPAA isn’t just “encrypt the database.” It’s about where PHI can land and who can see it. Lambda and CloudWatch are part of that surface. Locking down logging and ephemeral storage is the kind of thing auditors and security reviewers actually look at.

When you’re ready to go live, replace this example with a real post or remove it.