

# Identity and access management in Amazon Comprehend Medical

Access to Comprehend Medical requires credentials that AWS can use to authenticate your requests. Those credentials must have permissions to access Comprehend Medical actions. [AWS Identity and Access Management (IAM)](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html) can help secure your resources by controlling who can access them. The following sections provide details on how you can use IAM with Comprehend Medical. 
+  [Authentication](#auth-med) 
+  [Access Control](#access-control-med) 

## Authentication


You must give users permissions to interact with Amazon Comprehend Medical. For users who need full access, use `ComprehendMedicalFullAccess`.

To provide access, add permissions to your users, groups, or roles:
+ Users and groups in AWS IAM Identity Center:

  Create a permission set. Follow the instructions in [Create a permission set](https://docs.aws.amazon.com//singlesignon/latest/userguide/howtocreatepermissionset.html) in the *AWS IAM Identity Center User Guide*.
+ Users managed in IAM through an identity provider:

  Create a role for identity federation. Follow the instructions in [Create a role for a third-party identity provider (federation)](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_roles_create_for-idp.html) in the *IAM User Guide*.
+ IAM users:
  + Create a role that your user can assume. Follow the instructions in [Create a role for an IAM user](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_roles_create_for-user.html) in the *IAM User Guide*.
  + (Not recommended) Attach a policy directly to a user or add a user to a user group. Follow the instructions in [Adding permissions to a user (console)](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_users_change-permissions.html#users_change_permissions-add-console) in the *IAM User Guide*.

To use Amazon Comprehend Medical's asynchronous operations, you also need a service role.

A service role is an [IAM role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html) that a service assumes to perform actions on your behalf. An IAM administrator can create, modify, and delete a service role from within IAM. For more information, see [Create a role to delegate permissions to an AWS service](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html) in the *IAM User Guide*.

To learn more about specifying Amazon Comprehend Medical as the service principal, see [Role-based Permissions required for batch operations](security-iam-permissions.md#auth-role-permissions-med).

## Access Control


You must have valid credentials to authenticate your requests. The credentials must have permissions to call an Amazon Comprehend Medical action.

The following sections describe how to manage permissions for Amazon Comprehend Medical. We recommend that you read the overview first.
+ [Overview of managing access permissions to Amazon Comprehend Medical resources](security-iam-accesscontrol.md)
+ [Using Identity-Based policies (IAM policies) for Amazon Comprehend Medical](security-iam-permissions.md)

**Topics**
+ [Authentication](#auth-med)
+ [Access Control](#access-control-med)
+ [Overview of managing access permissions to Amazon Comprehend Medical resources](security-iam-accesscontrol.md)
+ [Using Identity-Based policies (IAM policies) for Amazon Comprehend Medical](security-iam-permissions.md)
+ [Amazon Comprehend Medical API Permissions: actions, resources, and conditions reference](security-iam-resources.md)
+ [AWS managed policies for Amazon Comprehend Medical](security-iam-awsmanpol.md)

# Overview of managing access permissions to Amazon Comprehend Medical resources

Permissions policies govern the access to an action. An account administrator attaches permissions policies to IAM identities to manage access to actions. IAM identities include users, groups, and roles.

**Note**  
An *account administrator* (or administrator user) is a user with administrator privileges. For more information, see [IAM Best Practices](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html) in the *IAM User Guide*.

When you grant permissions, you decide both who and what actions get the permissions.

**Topics**
+ [Managing access to actions](#access-control-manage-access-intro-med)
+ [Specifying policy elements: actions, effects, and principals](#access-control-specify-comprehend-actions-med)
+ [Specifying conditions in a policy](#specifying-conditions-med)

## Managing access to actions

A *permissions policy* describes who has access to what. The following section explains the options for permissions policies.

**Note**  
This section explains IAM in the context of Amazon Comprehend Medical. It doesn't provide detailed information about the IAM service. For more about IAM, see [What Is IAM?](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html) in the *IAM User Guide*. For information about IAM policy syntax and descriptions, see [AWS IAM Policy Reference](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html) in the *IAM User Guide*.

Policies attached to an IAM identity are *identity-based* policies. Policies attached to a resource are *resource-based* policies. Amazon Comprehend Medical supports only identity-based policies. 

### Identity-based policies (IAM policies)


You can attach policies to IAM identities. Here are two examples.
+ **Attach a permissions policy to a user or a group in your account**. To allow a user or a group of users to call an Amazon Comprehend Medical action, attach a permissions policy to the user, or to a group that contains the user.
+ **Attach a permissions policy to a role to grant cross-account permissions**. To grant cross-account permissions, attach an identity-based policy to an IAM role. For example, the administrator in Account A can create a role to grant cross-account permissions to another account. In this example, call it Account B, which could also be an AWS service.

  1. Account A administrator creates an IAM role and attaches a policy to the role that grants permissions to resources in Account A.

  1. Account A administrator attaches a trust policy to the role. The policy identifies Account B as the principal who can assume the role. 

  1. Account B administrator can then delegate permissions to assume the role to any users in Account B. This allows users in Account B to create or access resources in Account A. If you want to grant an AWS service the permissions to assume the role, the principal in the trust policy can also be an AWS service principal.

  For more information about using IAM to delegate permissions, see [Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/access.html) in the *IAM User Guide*.

For more information about using identity-based policies with Amazon Comprehend Medical, see [Using Identity-Based policies (IAM policies) for Amazon Comprehend Medical](security-iam-permissions.md). For more information about users, groups, roles, and permissions, see [Identities (Users, Groups, and Roles)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id.html) in the *IAM User Guide*. 

### Resource-based policies


Other services, such as AWS Lambda, support resource-based permissions policies. For example, you can attach a policy to an S3 bucket to manage access permissions to that bucket. Amazon Comprehend Medical doesn't support resource-based policies. 

## Specifying policy elements: actions, effects, and principals


Amazon Comprehend Medical defines a set of API operations. To grant permissions for these API operations, Amazon Comprehend Medical defines a set of actions that you can specify in a policy. 

The four items here are the most basic policy elements.
+ **Resource** – In a policy, use an Amazon Resource Name (ARN) to identify the resource to which the policy applies. For Amazon Comprehend Medical, the resource is always `"*"`.
+ **Action** – Use action keywords to identify operations that you want to allow or deny. For example, depending on the specified effect, `comprehendmedical:DetectEntities` either allows or denies the user permission to perform the Amazon Comprehend Medical `DetectEntities` operation.
+ **Effect** – Specify whether the statement allows or denies the action when the user requests it. If you don't explicitly grant access to (allow) a resource, access is implicitly denied. You can also explicitly deny access to a resource. You might do this to make sure that a user cannot access the resource, even if a different policy grants access.
+ **Principal** – In identity-based policies, the user that the policy is attached to is the implicit principal. 

To learn more about IAM policy syntax and descriptions, see [AWS IAM Policy Reference](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html) in the *IAM User Guide*.

For a table showing all of the Amazon Comprehend Medical API actions, see [Amazon Comprehend Medical API Permissions: actions, resources, and conditions reference](security-iam-resources.md).

## Specifying conditions in a policy


When you grant permissions, you use the IAM policy language to specify the conditions under which a policy should take effect. For example, you might want a policy to be applied only after a specific date. For more information about specifying conditions in a policy language, see [Condition](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html#Condition) in the *IAM User Guide*. 

AWS provides a set of predefined condition keys for all AWS services that support IAM for access control. For example, you can use the `aws:userid` condition key to require a specific AWS ID when requesting an action. For more information and a complete list of AWS keys, see [Available Keys for Conditions](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html#AvailableKeys) in the *IAM User Guide*. 

Amazon Comprehend Medical does not provide any additional condition keys.

# Using Identity-Based policies (IAM policies) for Amazon Comprehend Medical


This topic shows example identity-based policies. The examples show how an account administrator can attach permissions policies to IAM identities. This enables users, groups, and roles to perform Amazon Comprehend Medical actions. 

**Important**  
To understand permissions, we recommend [Overview of managing access permissions to Amazon Comprehend Medical resources](security-iam-accesscontrol.md). 

This example policy is required to use the Amazon Comprehend Medical document analysis actions.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowDetectActions",
            "Effect": "Allow",
            "Action": [
                "comprehendmedical:DetectEntitiesV2",
                "comprehendmedical:DetectPHI",
                "comprehendmedical:StartEntitiesDetectionV2Job",
                "comprehendmedical:ListEntitiesDetectionV2Jobs",
                "comprehendmedical:DescribeEntitiesDetectionV2Job",
                "comprehendmedical:StopEntitiesDetectionV2Job",
                "comprehendmedical:StartPHIDetectionJob",
                "comprehendmedical:ListPHIDetectionJobs",
                "comprehendmedical:DescribePHIDetectionJob",
                "comprehendmedical:StopPHIDetectionJob",
                "comprehendmedical:StartRxNormInferenceJob",
                "comprehendmedical:ListRxNormInferenceJobs",
                "comprehendmedical:DescribeRxNormInferenceJob",
                "comprehendmedical:StopRxNormInferenceJob",
                "comprehendmedical:StartICD10CMInferenceJob",
                "comprehendmedical:ListICD10CMInferenceJobs",
                "comprehendmedical:DescribeICD10CMInferenceJob",
                "comprehendmedical:StopICD10CMInferenceJob",
                "comprehendmedical:StartSNOMEDCTInferenceJob",
                "comprehendmedical:ListSNOMEDCTInferenceJobs",
                "comprehendmedical:DescribeSNOMEDCTInferenceJob",
                "comprehendmedical:StopSNOMEDCTInferenceJob",
                "comprehendmedical:InferRxNorm",
                "comprehendmedical:InferICD10CM",
                "comprehendmedical:InferSNOMEDCT"
            ],
            "Resource": "*"
        }
    ]
}
```

The policy has one statement that grants permission to use the synchronous detection and inference actions (`DetectEntitiesV2`, `DetectPHI`, `InferRxNorm`, `InferICD10CM`, and `InferSNOMEDCT`) and the `Start`, `List`, `Describe`, and `Stop` actions for the corresponding asynchronous jobs.

The policy doesn't specify the `Principal` element because you don't specify the principal who gets the permission in an identity-based policy. When you attach a policy to a user, the user is the implicit principal. When you attach a policy to an IAM role, the principal identified in the role's trust policy gets the permission. 

To see all the Amazon Comprehend Medical API actions and the resources that they apply to, see [Amazon Comprehend Medical API Permissions: actions, resources, and conditions reference](security-iam-resources.md).

## Permissions required to use the Amazon Comprehend Medical console


The permissions reference table lists the Amazon Comprehend Medical API operations and shows the required permissions for each operation. For more information about Amazon Comprehend Medical API permissions, see [Amazon Comprehend Medical API Permissions: actions, resources, and conditions reference](security-iam-resources.md).

To use the Amazon Comprehend Medical console, grant permissions for the actions shown in the following policy. 

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iam:CreateRole",
                "iam:CreatePolicy",
                "iam:AttachRolePolicy"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": "comprehendmedical.amazonaws.com"
                }
            }
        }
    ]
}
```

The Amazon Comprehend Medical console needs these permissions for the following reasons:
+ `iam` permissions to list the available IAM roles for your account.
+ `s3` permissions to access the Amazon S3 buckets and objects that contain the data.

When you create an asynchronous batch job using the console, you can also create an IAM role for your job. To create an IAM role using the console, users must be granted the additional permissions shown here to create IAM roles and policies, and to attach policies to roles.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "iam:CreateRole",
                "iam:CreatePolicy",
                "iam:AttachRolePolicy"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
```

The Amazon Comprehend Medical console needs these permissions to create roles and policies and to attach policies to roles. The `iam:PassRole` action lets the console pass the role to Amazon Comprehend Medical.

## AWS managed (predefined) policies for Amazon Comprehend Medical


AWS addresses many common use cases by providing standalone IAM policies that are created and administered by AWS. These AWS managed policies grant necessary permissions for common use cases so that you can avoid having to investigate what permissions are needed. For more information, see [AWS Managed Policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) in the *IAM User Guide*. 

The following AWS managed policy, which you can attach to users in your account, is specific to Amazon Comprehend Medical.
+ **ComprehendMedicalFullAccess** – Grants full access to Amazon Comprehend Medical resources. Includes permission to list and get IAM roles.

You must apply the following additional policy to any user using Amazon Comprehend Medical:

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": "comprehendmedical.amazonaws.com"
                }
            }
        }
    ]
}
```

You can review the managed permissions policies by signing in to the IAM console and searching for specific policies there.

These policies work when you are using AWS SDKs or the AWS CLI.

You can also create your own IAM policies to allow permissions for Amazon Comprehend Medical actions and resources. You can attach these custom policies to the IAM users or groups that require them. 

## Role-based Permissions required for batch operations


To use the Amazon Comprehend Medical asynchronous operations, grant Amazon Comprehend Medical access to the Amazon S3 bucket that contains your document collection. Do this by creating a data access role in your account to trust the Amazon Comprehend Medical service principal. For more information about creating a role, see [Creating a Role to Delegate Permissions to an AWS Service](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html) in the *AWS Identity and Access Management User Guide*. 

The following is the role's trust policy.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "comprehendmedical.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
```

After you have created the role, create an access policy for it. The policy should grant the Amazon S3 `GetObject` and `ListBucket` permissions on the Amazon S3 bucket that contains your input data, and the Amazon S3 `PutObject` permission on your Amazon S3 output data bucket.

The following example access policy contains those permissions. Replace the input bucket and output bucket placeholders with the names of your own buckets.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::input-bucket/*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::input-bucket"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::output-bucket/*"
            ],
            "Effect": "Allow"
        }
    ]
}
```
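The trust policy and the access policy above are easy to get subtly wrong (a bucket ARN where an object ARN is needed, a placeholder left in place, or a wildcard that covers every bucket). The following added example, which is not AWS code or part of this guide, builds both policies for a given pair of bucket names and audits an access policy for those mistakes; the bucket names and key prefixes used are constructed for the example.

```python
"""Build and audit the data access role policies for Comprehend Medical batch jobs.

Added example, not AWS code. build_* produce the trust policy and S3 access
policy shown on this page with real bucket names in place of the placeholders;
audit_access_policy flags the scoping mistakes that leave such a role
over-privileged or non-functional.
"""

COMPREHEND_MEDICAL_PRINCIPAL = "comprehendmedical.amazonaws.com"
S3_ARN_PREFIX = "arn:aws:s3:::"


def build_trust_policy():
    """Trust policy: only the Comprehend Medical service principal may assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": COMPREHEND_MEDICAL_PRINCIPAL},
            "Action": "sts:AssumeRole",
        }],
    }


def build_access_policy(input_bucket, output_bucket, input_prefix="", output_prefix=""):
    """S3 access policy scoped to one input and one output location.

    ListBucket is a bucket-level action, so its resource is the bucket ARN with
    no '/*'; GetObject and PutObject are object-level and take an object ARN
    pattern, optionally narrowed to a key prefix.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:GetObject"],
             "Resource": [f"{S3_ARN_PREFIX}{input_bucket}/{input_prefix}*"]},
            {"Effect": "Allow", "Action": ["s3:ListBucket"],
             "Resource": [f"{S3_ARN_PREFIX}{input_bucket}"]},
            {"Effect": "Allow", "Action": ["s3:PutObject"],
             "Resource": [f"{S3_ARN_PREFIX}{output_bucket}/{output_prefix}*"]},
        ],
    }


def _as_list(value):
    """Action and Resource may be a single string or a list."""
    return value if isinstance(value, list) else [value]


def audit_access_policy(policy):
    """Return human-readable findings; an empty list means the policy is scoped as intended."""
    findings = []
    for stmt in policy["Statement"]:
        actions = _as_list(stmt["Action"])
        for act in actions:
            if act.endswith("*"):
                findings.append(f"action {act!r} is broader than the three actions the job needs")
        for res in _as_list(stmt["Resource"]):
            if res == "*" or res.startswith(S3_ARN_PREFIX + "*"):
                findings.append(f"{actions}: resource {res!r} covers every bucket")
            if " " in res:
                findings.append(f"{actions}: placeholder {res!r} has not been replaced")
            bucket_and_key = res[len(S3_ARN_PREFIX):]
            if "s3:ListBucket" in actions and "/" in bucket_and_key:
                findings.append(f"s3:ListBucket needs the bucket ARN, not {res!r}")
            if set(actions) <= {"s3:GetObject", "s3:PutObject"} and "/" not in bucket_and_key:
                findings.append(f"{actions}: object-level actions need an object ARN, not {res!r}")
    return findings


def trusts_only_comprehend_medical(trust_policy):
    """True when every Allow statement names exactly the Comprehend Medical service principal."""
    return all(
        stmt.get("Principal") == {"Service": COMPREHEND_MEDICAL_PRINCIPAL}
        for stmt in trust_policy["Statement"] if stmt["Effect"] == "Allow"
    )
```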

## Customer managed policy examples


In this section, you can find example user policies that grant permissions for various Amazon Comprehend Medical actions. These policies work when you are using AWS SDKs or the AWS CLI. When you are using the console, you must grant permissions to all the Amazon Comprehend Medical APIs. This is discussed in [Permissions required to use the Amazon Comprehend Medical console](#auth-console-permissions-med).

**Note**  
All examples use the us-east-2 Region and contain fictitious account IDs.

**Examples**  


### Example 1: Allow all Amazon Comprehend Medical actions


After you sign up for AWS, you create an administrator to manage your account, including creating users and managing their permissions. 

You can choose to create a user who has permissions for all Amazon Comprehend Medical actions. Think of this user as a service-specific administrator for working with Amazon Comprehend Medical. You can attach the following permissions policy to this user.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowAllComprehendMedicalActions",
            "Effect": "Allow",
            "Action": [
                "comprehendmedical:*"
            ],
            "Resource": "*"
        }
    ]
}
```

### Example 2: Allow only DetectEntities actions


The following permissions policy grants a user permission to detect entities in Amazon Comprehend Medical, but not to perform the PHI detection operations.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowDetectEntityActions",
            "Effect": "Allow",
            "Action": [
                "comprehendmedical:DetectEntitiesV2"
            ],
            "Resource": "*"
        }
    ]
}
```
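The policy elements described in the overview (action, resource, effect, condition, and the rule that an explicit deny beats any allow while anything not allowed is implicitly denied) can be checked offline before a policy is attached. The following added example, which is not AWS code or part of this guide, is a deliberately simplified evaluator that applies those rules to Example 2 and to the `iam:PassRole` policy from this page; the `FULL_ACCESS_EXCEPT_PHI` policy is constructed for the example, and only the `StringEquals` condition operator is modelled.

```python
"""Simplified IAM policy evaluation for the Comprehend Medical policies on this page.

Added example, not AWS code. Models: explicit Deny overrides Allow, a request no
statement allows is implicitly denied, actions match wildcards case-insensitively,
and a statement applies only when its Condition holds (StringEquals only).
"""
import fnmatch


def _as_list(value):
    """Action, Resource and condition values may be a single string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, fold_case):
    """Wildcard match; IAM action names are case-insensitive, resource ARNs are not."""
    if fold_case:
        return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    """Every StringEquals key in the Condition must equal one of its listed values."""
    for operator, pairs in (condition or {}).items():
        if operator != "StringEquals":
            raise NotImplementedError(f"operator {operator} is not modelled here")
        for key, expected in pairs.items():
            if context.get(key) not in _as_list(expected):
                return False
    return True


def evaluate(policy, action, resource="*", context=None):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request."""
    context = context or {}
    decision = "ImplicitDeny"
    for stmt in _as_list(policy["Statement"]):
        if not _matches(stmt.get("Action"), action, fold_case=True):
            continue
        if not _matches(stmt.get("Resource"), resource, fold_case=False):
            continue
        if not _condition_holds(stmt.get("Condition"), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny wins regardless of statement order
        decision = "Allow"
    return decision


def allowed_actions(policy, candidates, context=None):
    """Filter a list of action names down to those the policy allows."""
    return [a for a in candidates if evaluate(policy, a, context=context) == "Allow"]


# Example 2 from this page: DetectEntitiesV2 only, so DetectPHI is implicitly denied.
DETECT_ENTITIES_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AllowDetectEntityActions", "Effect": "Allow",
                   "Action": ["comprehendmedical:DetectEntitiesV2"], "Resource": "*"}],
}

# The page's iam:PassRole policy: the role may be passed only to Comprehend Medical.
PASS_ROLE_TO_SERVICE = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*",
                   "Condition": {"StringEquals":
                                 {"iam:PassedToService": "comprehendmedical.amazonaws.com"}}}],
}

# Constructed for this example: the full-access wildcard plus an explicit Deny on
# the PHI actions, which shows the Deny overriding the wildcard Allow.
FULL_ACCESS_EXCEPT_PHI = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["comprehendmedical:*"], "Resource": "*"},
        {"Effect": "Deny", "Resource": "*",
         "Action": ["comprehendmedical:DetectPHI", "comprehendmedical:*PHIDetectionJob*"]},
    ],
}
```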

# Amazon Comprehend Medical API Permissions: actions, resources, and conditions reference

Use the following table as a reference when setting up [Access Control](security-iam.md#access-control-med) and writing a permissions policy that you can attach to a user. The table lists each Amazon Comprehend Medical API operation, the corresponding action for which you can grant permission to perform the operation, and the AWS resource for which you can grant the permission. You specify the actions in the policy's `Action` field, and you specify the resource value in the policy's `Resource` field.

To express conditions, you can use AWS condition keys in your Amazon Comprehend Medical policies. For a complete list of keys, see [Available Keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html#AvailableKeys) in the *IAM User Guide*. 

**Note**  
To specify an action, use the `comprehendmedical:` prefix followed by the API operation name, for example, `comprehendmedical:DetectEntities`.



**Amazon Comprehend Medical API and Required Permissions for Actions**

| Amazon Comprehend Medical API Operations | Required Permissions (API Actions) | Resources |
| --- | --- | --- |
| DescribeEntitiesDetectionV2Job | comprehendmedical:DescribeEntitiesDetectionV2Job | `*` |
| DescribePHIDetectionJob | comprehendmedical:DescribePHIDetectionJob | `*` |
| DetectEntities | comprehendmedical:DetectEntities | `*` |
| DetectEntitiesV2 | comprehendmedical:DetectEntitiesV2 | `*` |
| DetectPHI | comprehendmedical:DetectPHI | `*` |
| ListEntitiesDetectionV2Jobs | comprehendmedical:ListEntitiesDetectionV2Jobs | `*` |
| ListPHIDetectionJobs | comprehendmedical:ListPHIDetectionJobs | `*` |
| StartEntitiesDetectionV2Job | comprehendmedical:StartEntitiesDetectionV2Job | `*` |
| StartPHIDetectionJob | comprehendmedical:StartPHIDetectionJob | `*` |
| StopEntitiesDetectionV2Job | comprehendmedical:StopEntitiesDetectionV2Job | `*` |
| StopPHIDetectionJob | comprehendmedical:StopPHIDetectionJob | `*` |
| InferICD10CM | comprehendmedical:InferICD10CM | `*` |
| InferRxNorm | comprehendmedical:InferRxNorm | `*` |
| InferSNOMEDCT | comprehendmedical:InferSNOMEDCT | `*` |
| StartICD10CMInferenceJob | comprehendmedical:StartICD10CMInferenceJob | `*` |
| StartRxNormInferenceJob | comprehendmedical:StartRxNormInferenceJob | `*` |
| StartSNOMEDCTInferenceJob | comprehendmedical:StartSNOMEDCTInferenceJob | `*` |
| ListICD10CMInferenceJobs | comprehendmedical:ListICD10CMInferenceJobs | `*` |
| ListRxNormInferenceJobs | comprehendmedical:ListRxNormInferenceJobs | `*` |
| ListSNOMEDCTInferenceJobs | comprehendmedical:ListSNOMEDCTInferenceJobs | `*` |
| StopICD10CMInferenceJob | comprehendmedical:StopICD10CMInferenceJob | `*` |
| StopRxNormInferenceJob | comprehendmedical:StopRxNormInferenceJob | `*` |
| StopSNOMEDCTInferenceJob | comprehendmedical:StopSNOMEDCTInferenceJob | `*` |
| DescribeICD10CMInferenceJob | comprehendmedical:DescribeICD10CMInferenceJob | `*` |
| DescribeRxNormInferenceJob | comprehendmedical:DescribeRxNormInferenceJob | `*` |
| DescribeSNOMEDCTInferenceJob | comprehendmedical:DescribeSNOMEDCTInferenceJob | `*` |

# AWS managed policies for Amazon Comprehend Medical

An AWS managed policy is a standalone policy that is created and administered by AWS. AWS managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles.

Keep in mind that AWS managed policies might not grant least-privilege permissions for your specific use cases because they're available for all AWS customers to use. We recommend that you reduce permissions further by defining [ customer managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#customer-managed-policies) that are specific to your use cases.

You cannot change the permissions defined in AWS managed policies. If AWS updates the permissions defined in an AWS managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to. AWS is most likely to update an AWS managed policy when a new AWS service is launched or new API operations become available for existing services.

For more information, see [AWS managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) in the *IAM User Guide*.

**Topics**
+ [AWS managed policy: ComprehendMedicalFullAccess](#security-iam-awsmanpol-ComprehendMedicalFullAccess)
+ [Amazon Comprehend Medical updates to AWS managed policies](#security-iam-awsmanpol-updates)

## AWS managed policy: ComprehendMedicalFullAccess

You can attach the `ComprehendMedicalFullAccess` policy to your IAM identities.

This policy grants administrative permission to all Amazon Comprehend Medical actions.



```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "comprehendmedical:*"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
```

## Amazon Comprehend Medical updates to AWS managed policies

View details about updates to AWS managed policies for Amazon Comprehend Medical since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the [Document history](comprehendmedical-releases.md) page.

| Change | Description | Date | 
| --- | --- | --- | 
|  Amazon Comprehend Medical started tracking changes  |  Amazon Comprehend Medical started tracking changes for its AWS managed policies.  | November 27, 2018 | 