Chapter 8: Understanding AWS Cloud Fundamentals
Amazon Web Services (AWS)
8.1 What Is the Cloud?
Basic Concept of the Cloud
Cloud computing is a service model in which IT resources such as servers, storage, and databases are used on-demand over the internet.
Comparison with On-Premises
| Aspect | On-Premises | Cloud (AWS) |
|---|---|---|
| Physical server location | Within the organization (e.g., hospital server room) | AWS data centers |
| Initial cost | High (hardware purchase required) | Low (pay-as-you-go) |
| Scaling | Time-consuming hardware expansion | Scalable in minutes |
| Operations | Self-managed maintenance (power, cooling, hardware failures) | AWS manages physical infrastructure |
| Security | Full responsibility borne by the organization | Shared Responsibility Model |
Shared Responsibility Model
AWS security is based on the "Shared Responsibility Model."
8.2 VPC Architecture
What Is a VPC?
A VPC (Virtual Private Cloud) is a virtual private network created within AWS. Similar to a physical network, it allows you to configure IP address ranges, create subnets, set up routing, and implement security controls.
Basic VPC Configuration
The Cloud Side of Smart Assist Is Also Built Within a VPC
Smart Assist servers are deployed within an AWS VPC, where subnet isolation and access controls are applied in the same manner as the hospital's internal network.
8.3 Subnets
Public Subnets and Private Subnets
| Type | Characteristics | What to Deploy |
|---|---|---|
| Public Subnet | Can communicate externally via an Internet Gateway | Load balancers, bastion hosts |
| Private Subnet | No direct internet access | Application servers, databases |
Subnet Configuration in Smart Assist (Typical Example)
Because application servers and databases are placed in private subnets, they cannot be accessed directly from the internet.
8.4 Security Group
What Is a Security Group?
A Security Group is a firewall applied to AWS instances (servers). It controls inbound and outbound traffic on a per-instance basis.
Characteristics
| Characteristic | Description |
|---|---|
| Stateful | Responses to allowed traffic are automatically permitted |
| Whitelist-based | Only explicitly allowed traffic passes through (default deny) |
| Per-instance | Individual rule sets can be applied to each server |
Example Security Group Configuration for Smart Assist Servers
Inbound Rules
| Type | Port | Source | Description |
|---|---|---|---|
| HTTPS | 443 | ALB Security Group | Accept traffic only from the ALB |
Outbound Rules
| Type | Port | Destination | Description |
|---|---|---|---|
| HTTPS | 443 | Required destinations | External APIs, etc. |
| MySQL | 3306 | DB Security Group | Database connection |
The Smart Assist application server is designed to accept only 443/tcp traffic from the ALB (Load Balancer); direct access from the internet is not permitted.
8.5 NACL
What Is a NACL?
A NACL (Network Access Control List) is a firewall applied at the subnet level. While Security Groups are applied per instance, NACLs are applied to the entire subnet.
Differences Between Security Groups and NACLs
| Item | Security Group | NACL |
|---|---|---|
| Applied to | Instance | Subnet |
| Stateful/Stateless | Stateful | Stateless |
| Default behavior | Deny all | Allow all (default NACL) |
| Rule evaluation | All rules are evaluated | Evaluated in order by rule number (first match decides) |
Defense in Depth
Using both Security Groups and NACLs together achieves defense in depth: traffic must pass the subnet-level NACL first and then the instance-level Security Group, so a misconfiguration in one layer is still caught by the other.
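As an added illustration (not code from the chapter or from the Smart Assist project), the following Python model evaluates the Security Group rules from the tables above together with a constructed NACL for the private application subnet. It shows the any-match/default-deny behaviour of a Security Group, the ordered first-match behaviour of a NACL, and why the stateless NACL needs an explicit outbound rule for replies while the stateful Security Group does not. The sg-* ids and the 10.0.x.0/24 subnet CIDRs are assumptions.

```python
import ipaddress
from dataclasses import dataclass
@dataclass(frozen=True)
class Packet:
    src_ip: str
    port: int            # destination port
    proto: str = "tcp"
    src_sg: str = ""     # security group of the sending instance, if the sender is an AWS instance
# Security groups: per instance, default deny, every rule evaluated (any match allows).
# Rules follow the Smart Assist tables above; the ids sg-alb/sg-app/sg-db are hypothetical.
SG_INBOUND = {
    "sg-app": [("tcp", 443, "sg-alb")],   # app server: HTTPS only from the ALB's security group
    "sg-db": [("tcp", 3306, "sg-app")],   # database: MySQL only from the app tier
}

def sg_allows(pkt: Packet, dst_sg: str) -> bool:
    """True if any inbound rule of dst_sg matches; no match means the default deny applies."""
    for proto, port, source in SG_INBOUND.get(dst_sg, []):
        src_ok = (pkt.src_sg == source if source.startswith("sg-")
                  else ipaddress.ip_address(pkt.src_ip) in ipaddress.ip_network(source))
        if proto == pkt.proto and port == pkt.port and src_ok:
            return True
    return False

# NACL: subnet level, stateless, evaluated in ascending rule number, first match decides.
# Constructed CIDRs (assumed, not from the chapter): public/ALB 10.0.0.0/24, DB 10.0.2.0/24.
PRIVATE_NACL_IN = [
    (100, "allow", "tcp", (443, 443), "10.0.0.0/24"),     # HTTPS from the public subnet
    (200, "allow", "tcp", (1024, 65535), "10.0.2.0/24"),  # DB replies arrive on ephemeral ports
]
PRIVATE_NACL_OUT = [
    (100, "allow", "tcp", (1024, 65535), "10.0.0.0/24"),  # replies to the ALB on its ephemeral ports
    (200, "allow", "tcp", (3306, 3306), "10.0.2.0/24"),   # MySQL to the DB subnet
]

def nacl_allows(rules, proto: str, port: int, peer_ip: str) -> bool:
    """First matching rule decides; peer_ip is the remote side (source inbound, destination outbound)."""
    for _num, action, rule_proto, (lo, hi), cidr in sorted(rules):
        if rule_proto == proto and lo <= port <= hi and \
                ipaddress.ip_address(peer_ip) in ipaddress.ip_network(cidr):
            return action == "allow"
    return False  # implicit final rule (*): deny everything unmatched

def request_allowed(pkt: Packet, dst_sg: str) -> bool:
    """Defense in depth: a request must pass the subnet NACL and then the instance's security group."""
    return nacl_allows(PRIVATE_NACL_IN, pkt.proto, pkt.port, pkt.src_ip) and sg_allows(pkt, dst_sg)

def reply_allowed(req: Packet, client_port: int) -> bool:
    """The stateful SG passes the reply on its own; the stateless NACL still needs an outbound rule."""
    return nacl_allows(PRIVATE_NACL_OUT, req.proto, client_port, req.src_ip)
```

A host in the public subnet that is not the ALB passes the NACL but is rejected by the Security Group, which is the layering the section describes.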
8.6 Load Balancer
What Is an ALB?
An ALB (Application Load Balancer) is a load balancing service provided by AWS. It distributes traffic across multiple servers, improving availability and scalability.
Role of the Load Balancer in Smart Assist
| Role | Description |
|---|---|
| Traffic distribution | Distributes load across multiple servers |
| SSL termination | TLS encryption processing is handled by the ALB |
| Health checks | Monitors server health and stops routing to unhealthy servers |
| High availability | Deployed across multiple Availability Zones (AZs) |
Connection Destination as Seen from Hospital PCs
From the perspective of hospital PCs, the connection target is the ALB's FQDN (e.g., smartassist.example.com); there is no need to be aware of the individual servers behind it.
8.7 Availability Design
What Is Availability?
Availability refers to the ability of a system to remain operational. Because Smart Assist is a system that supports medical operations, high availability is required.
Elements of Availability Design in AWS
| Element | Description |
|---|---|
| Multi-AZ deployment | Servers distributed across multiple data centers (AZs) |
| Auto Scaling | Automatic adjustment of server count based on load |
| Load Balancer | Automatically stops routing traffic to failed servers |
| Database redundancy | Automatic failover via RDS Multi-AZ deployment |
| Backup | Regular snapshot acquisition |
Multi-AZ Deployment
Region Selection and Data Residency
The deployment region for Smart Assist is selected based on each country's regulatory requirements.
| Region | Recommended AWS Region | Data Residency Requirements |
|---|---|---|
| Japan | ap-northeast-1 (Tokyo) | The "Three-Ministry Two-Guideline" framework (Japanese government guidelines for medical information systems) recommends storing data within Japan |
| United States | us-east-1 (N. Virginia) / us-west-2 (Oregon) | HIPAA does not mandate domestic data storage, but a BAA (Business Associate Agreement) is required. GovCloud may be necessary in some cases |
| EU | eu-central-1 (Frankfurt) / eu-west-1 (Ireland) | GDPR requires data to be stored within the EEA in principle. Cross-border transfers require legal basis such as SCCs (Standard Contractual Clauses) |
Impact When Smart Assist Goes Down
| Type of Outage | Impact | Laboratory Testing Operations |
|---|---|---|
| Partial (one AZ) outage | ALB automatically fails over; no impact on users | Operations continue |
| Full (entire Smart Assist) outage | Determination of unconfirmed data temporarily unavailable | Confirmed results continue to be sent to LIS |
Even if the entire Smart Assist system goes down, results that have been confirmed by AUTION EYE's automatic classification continue to be sent to LIS as usual. Only remote determination of unconfirmed data is affected.
8.8 How to Read the Reference Material: SOC 2 Type II Report
What Is SOC 2?
SOC 2 (System and Organization Controls 2) is a framework developed by the American Institute of Certified Public Accountants (AICPA) for evaluating internal controls of service organizations. An independent audit firm verifies whether the target organization's systems meet certain security standards and issues the findings as a report.
Corresponding file:
System+and+Organization+Controls+(SOC)+2+Report
The SOC 2 Type II report for AWS used by Smart Assist (covering the period from October 2024 to September 2025)
Difference Between Type I and Type II
| Type | What Is Evaluated | Evaluation Timing |
|---|---|---|
| SOC 2 Type I | Whether controls are designed appropriately | A specific point in time (snapshot) |
| SOC 2 Type II | Whether controls are designed and operating effectively | Over a defined period (typically 6-12 months) |
Smart Assist holds a Type II report, which is a more reliable report demonstrating that AWS controls were actually operating effectively throughout the evaluation period.
Trust Services Criteria
SOC 2 reports are evaluated based on the following five criteria. The AWS report covers Security, Availability, Confidentiality, and Privacy.
| Criterion | Content | Relevance to Smart Assist |
|---|---|---|
| Security | Protection against unauthorized access | Prevention of unauthorized intrusion into cloud infrastructure |
| Availability | System availability | Uptime guarantee for the Smart Assist service |
| Confidentiality | Protection of confidential information | Confidentiality protection for data including PHI |
| Privacy | Handling of personal information | Privacy protection for PHI |
| Processing Integrity | Completeness of data processing | (Not covered by the AWS report) |
Report Structure
| Section | Content | Key Points for IT Staff |
|---|---|---|
| Section I | AWS Management's Assertion | AWS's own declaration that "controls were operated as designed during the evaluation period" |
| Section II | Independent Auditor's Assurance Report | Verification results by a third-party audit firm. The conclusion that controls are "appropriately designed and operating" |
| Section III | Description of the AWS System | List of covered services, security policies, and control details. Includes Cognito, Lambda, S3, Aurora, and other services used by Smart Assist |
| Section IV | Control Testing Results | Testing methods and results for each control item. Pass/fail status for all items |
| Section V | Additional Information | Supplementary information regarding changes and additions to controls |
Relationship Between the Shared Responsibility Model and SOC 2
The SOC 2 report only provides assurance for the scope managed by AWS (infrastructure layer).
| Layer | Responsible Party | Covered by SOC 2? |
|---|---|---|
| Physical data center and network | AWS | Yes |
| OS, middleware, and patch management | AWS (for managed services) | Yes |
| Application (Smart Assist) | ARKRAY / UHW | No |
| Data (PHI) | ARKRAY / UHW / Hospital | No |
Application-layer security is covered by ISO 27001 certification (see Chapter 9), and PHI protection is covered by the HIPAA Risk Assessment (see Chapter 9).
How to Explain to Hospital IT Staff
Example explanations when asked about the SOC 2 report:
| Question | Suggested Response |
|---|---|
| "What is SOC 2?" | It is a report in which an independent audit firm evaluates AWS's security controls. The safety of the infrastructure on which Smart Assist runs has been verified by a third party |
| "Can we view the report?" | The report can be viewed after signing an NDA (Non-Disclosure Agreement). Distribution of reports obtained from AWS Artifact is subject to restrictions under the AWS Terms of Service |
| "Did all items pass?" | You can review the test results in Section IV; no significant nonconformities have been reported |
In the next chapter, we will look at the regulatory requirements for medical data handled by Smart Assist.