Healthtech

AWS configuration evidence for healthtech teams.

Kulshan is a read-only CLI you run with your own AWS credentials. It surfaces AWS configuration signals (encryption posture, audit-log coverage, MFA enforcement, public-exposure gaps, IAM hygiene) that healthtech teams typically need to inspect when preparing for a security review.

It does not certify, validate, or attest to anything. It points at things you can verify yourself.

What it helps surface.

Each line below maps to a category of AWS configuration the security pack inspects. Kulshan reads the configuration; you read the report; your reviewer decides what matters.

at rest
Helps inspect encryption settings on S3 buckets, RDS instances, EBS volumes, DynamoDB tables, Lambda environment variables, and EFS file systems. Flags resources where bucket-level or storage-level encryption is off or weakly configured.
in transit
Helps surface ELB / ALB / NLB plaintext listeners, CloudFront distributions allowing HTTP, API Gateway stages without HTTPS-only enforcement, and RDS instances accepting non-SSL connections.
mfa
Points to IAM users without MFA, the root account's MFA status, and IAM policies that do not require MFA for sensitive actions.
audit log
Helps inspect whether CloudTrail is enabled across all regions, whether trail logs are encrypted, whether log-file integrity validation is on, and where S3 bucket access logging has gaps.
iam hygiene
Surfaces inactive users, unused access keys, broad privilege grants, and role trust relationships open to other accounts or to the public.
public exposure
Points to S3 buckets allowing public read or write, RDS instances reachable from the public internet, security groups open to the internet (0.0.0.0/0) on sensitive ports.

The published IAM policy includes read-only coverage for cost and several AWS configuration areas. Treat non-cost diagnostics as evidence-gathering signals, not a complete security review. The full read-only IAM policy is at /policy.

What this is not.

Read this before you forward the page to anyone.

Kulshan is not a compliance certification, legal opinion, or substitute for a security/compliance officer. It checks AWS configuration signals from a read-only account scan.

Specifically, Kulshan does not:

  • Validate your HIPAA program, certify your environment, or produce an attestation.
  • Constitute legal advice or a legal opinion on any framework.
  • Replace your security officer, compliance officer, or external auditor.
  • Assess controls outside AWS (workforce training, BAAs, written policies, physical safeguards).
  • Handle PHI. Do not send PHI. Kulshan does not need PHI to inspect AWS configuration.

How teams use it.

Four steps. No vendor in the loop, no data leaving the account.

  1. Attach the read-only IAM policy. The full policy with SHA256 and per-pack files is at /policy. Every action is Get, List, or Describe.
  2. Run locally. Kulshan talks to AWS APIs from your machine and produces local evidence for review. Nothing transits a third party.
  3. Hand the report to your reviewer. A security or compliance officer reads the configuration findings, asks follow-up questions, and decides what matters in the context of your program.
  4. Remediate on your own terms. Each finding includes the AWS resource it points to and a remediation hint. You decide what to fix and when.

If you want a founder-led pass

If your team is preparing for a security review and would benefit from a founder-led pass over the AWS posture, send a two-sentence description of the workload shape and the timeline you are working against.

Email [email protected] with subject "Healthtech review."