Is Amazon Web Services (AWS) HIPAA compliant? (2025 update)

As previously mentioned, last week I had a call with a medical imaging startup in Honolulu. During our call, one of their key objectives was to determine what cloud vendors offer HIPAA compliant services.

We know the HIPAA industry is vast so we can empathize with just how many people need to use cloud services in this sector.

In previous posts, we’ve covered email providers like Google Cloud, Gmail, Hotmail, Yahoo, Outlook, and AOL and their capabilities for HIPAA compliance.

The purpose of this post is to determine if Amazon Web Services (AWS) offers HIPAA compliance or not.

SEE ALSO: Is Google Cloud HIPAA Compliant?

About Amazon Web Services (AWS)

AWS is a secure cloud services platform. It offers computing power, database storage, content delivery and other functionality to help businesses scale and grow.

AWS operates from 16 regions across the globe. It includes popular services like Amazon Elastic Compute Cloud, also known as "EC2", and Amazon Simple Storage Service, also known as "S3".

As of today, AWS offers more than 70 services. Amazon markets AWS as a service to provide large computing capacity quicker and cheaper than a client company building an actual physical server farm. 

AWS and the Business Associate Agreement

We’ve previously talked about how a Business Associate Agreement is a written contract between a Covered Entity and a Business Associate. It is required by law for HIPAA compliance.

I thought this would be fairly obvious but I was wrong: People keep asking about HIPAA Compliance and AWS.

Here is the AWS HIPAA Compliance section.

Does AWS Offer HIPAA Compliant Service?

The Business Associate Agreement is a key component to HIPAA compliance between a covered entity and a business associate.

To get a BAA with AWS, you'll need to sign in to AWS Artifact in the AWS Management Console.

Since AWS offers one, we conclude they are in fact a HIPAA compliant cloud vendor.

What's Covered Under a BAA with AWS?

Now that we've determined AWS will sign a BAA, the question is determining what cloud services provided by AWS are actually covered by their BAA.

We found the answer to that on their HIPAA Eligible Services Reference page. 

As of October 2025, the AWS BAA covers:

• Alexa for Business [for healthcare skills only – requires Alexa Skills BAA. See HIPAA whitepaper for details]
• AWS Amplify Console
• Amazon API Gateway
• AWS App Mesh
• AWS AppFabric
• Amazon AppFlow
• AWS Application Migration Service
• Amazon AppStream 2.0
• AWS AppSync
• Amazon Athena
• AWS Audit Manager
• Amazon Augmented AI [excludes Public Workforce and Vendor Workforce for all features]
• Amazon Aurora
• AWS B2B Data Interchange
• AWS Backup
• AWS Batch
• Amazon Bedrock
• AWS Certificate Manager
• Amazon Chime
• Amazon Chime SDK
• AWS Clean Rooms
• AWS Cloud 9
• Amazon Cloud Directory
• AWS Cloud Map
• AWS CloudEndure
• AWS CloudFormation
• Amazon CloudFront [excludes content delivery through Amazon CloudFront Embedded Point of Presences]
• AWS CloudHSM
• AWS CloudShell
• AWS CloudTrail
• Amazon CloudWatch
• Amazon CloudWatch Logs
• Amazon CloudWatch SDK Metrics
• AWS CodeBuild
• AWS CodeCommit
• AWS CodeDeploy
• AWS CodePipeline
• Amazon Cognito
• Amazon Comprehend
• Amazon Comprehend Medical
• AWS Config
• Amazon Connect
• AWS Control Tower
• AWS Data Exchange
• AWS Database Migration Service (DMS)
• AWS DataSync
• Amazon DataZone
• Amazon Detective
• Amazon DevOps Guru
• AWS Direct Connect
• AWS Directory Service [excludes Simple AD]
• Amazon DocumentDB [with MongoDB compatibility]
• Amazon DynamoDB
• Amazon EC2 Auto Scaling
• Amazon ElastiCache
• AWS Elastic Beanstalk
• Amazon Elastic Block Store (Amazon EBS)
• Amazon Elastic Compute Cloud (Amazon EC2)
• Amazon Elastic Container Registry (ECR)
• Amazon Elastic Container Service (ECS)
• AWS Elastic Disaster Recovery
• Amazon Elastic File System (EFS)
• Amazon Elastic Kubernetes Service (EKS)
• Elastic Load Balancing
• Amazon Elastic MapReduce (EMR)
• AWS Elemental MediaConnect
• AWS Elemental MediaConvert
• AWS Elemental MediaLive
• AWS Entity Resolution
• Amazon EventBridge [formerly Amazon Cloudwatch Events]
• AWS Fargate [ECS and EKS engines only]
• AWS Fault Injection Simulator
• AWS Firewall Manager
• Amazon Forecast
• Amazon FreeRTOS
• Amazon FSx
• AWS Global Accelerator
• AWS Glue
• AWS Glue DataBrew
• Amazon GuardDuty
• AWS HealthLake
• AWS HealthOmics
• AWS HealthImaging
• AWS IAM Identity Center
• Amazon Inspector
• AWS IoT Core
• AWS IoT Device Management
• AWS IoT Events
• AWS IoT Greengrass
• AWS IoT SiteWise
• Amazon Kendra
• AWS Key Management Service (KMS)
• Amazon Managed Service for Apache Flink
• Amazon Keyspaces [For Apache Cassandra]
• Amazon Kinesis Data Streams
• Amazon Kinesis Data Firehose
• Amazon Kinesis Video Streams
• AWS Lake Formation
• AWS Lambda
• Amazon Lex
• Amazon Location Service
• Amazon Macie
• AWS Mainframe Modernization
• AWS Managed Services [excluding Operations on Demand Services, except for the RFC Expedite feature]
• Amazon Managed Service for Prometheus
• Amazon Managed Workflow for Apache Airflow
• Amazon Managed Streaming for Apache Kafka
• Amazon MemoryDB
• Amazon MQ
• Amazon Neptune
• AWS Network Firewall
• Amazon OpenSearch Service
• AWS OpsWorks for Chef Automate
• AWS OpsWorks for Puppet Enterprise
• AWS OpsWorks Stacks
• AWS Organizations
• AWS Outposts
• Amazon Personalize
• Amazon Pinpoint and End User Messaging (formerly Amazon Pinpoint) [excluding Voice Message capabilities and WhatsApp Channel]
• Amazon Polly
• AWS Private Certificate Authority
• Amazon Q Business
• Amazon Quantum Ledger Database (QLDB)
• Amazon Quick Suite [formerly Amazon QuickSight]
• Amazon Rekognition
• Amazon Redshift
• Amazon Relational Database Service (Amazon RDS) [SQL Server, MySQL, Oracle, PostgreSQL, Db2 and MariaDB engines only]
• AWS Resilience Hub
• AWS Resource Access Manager (RAM)
• AWS Resource Explorer
• Amazon Route 53
• Amazon S3 Glacier
• Amazon SageMaker AI [formerly Amazon Sagemaker, excludes Studio Lab, Ground Truth Plus, Public Workforce and Vendor Workforce for all features]
• AWS Secrets Manager
• AWS Security Hub CSPM (formerly AWS Security Hub)
• AWS Service Catalog
• AWS Serverless Application Repository
• AWS Shield [Standard and Advanced]
• Amazon Simple Email Service (Amazon SES)
• Amazon Simple Notification Service (SNS)
• Amazon Simple Queue Service (SQS)
• Amazon Simple Storage Service (S3)
• Amazon Simple Workflow Service (SWF)
• AWS Snowball
• AWS Snowball Edge
• AWS Step Functions
• AWS Storage Gateway
• AWS Systems Manager
• Amazon Textract
• Amazon Timestream
• AWS Transcribe [Includes Healthscribe]
• AWS Transfer Family
• Amazon Translate
• AWS Verified Access
• Amazon Verified Permissions
• Amazon Virtual Private Cloud (VPC)
• AWS Web Application Firewall (WAF)
• AWS Wickr
• Amazon WorkDocs [Excluding Adding Controls for Deleting Previous File Version Feature]
• Amazon WorkLink
• Amazon WorkSpaces
• Amazon WorkSpaces Thin Client
• Amazon WorkSpaces Secure Browser
• AWS X-Ray VM Import/Export

Conclusion

Many parts of Amazon Web Services (AWS) are HIPAA Compliant. Don't forget to sign a BAA with them.

SEE ALSO: Is Microsoft Azure HIPAA Compliant?