Actions, resources, and condition keys for AWS HealthLake
AWS HealthLake (service prefix: healthlake) provides the following
service-specific operations, resources, actions, and condition keys for use in IAM permission
policies.
References:
-
Learn how to configure this service.
-
View a list of the API operations available for this service.
-
Learn how to secure this service and its resources by using IAM permission policies.
-
View the programmatic service authorization reference
for this service.
Topics
API operations defined by AWS HealthLake
The following table maps API operations to the IAM actions they authorize. Only condition keys that have static values for the given API and action are listed; for the full set of condition keys supported by each action, see the Actions table.
| Operation | IAM action | Condition key | Possible value(s) | Access level |
|---|---|---|---|---|
|
CreateFHIRDatastore |
Write |
|||
Tagging, Write |
||||
|
DeleteFHIRDatastore |
Write |
|||
|
DescribeFHIRDatastore |
Read |
|||
|
DescribeFHIRExportJob |
Read |
|||
|
DescribeFHIRImportJob |
Read |
|||
|
ListFHIRDatastores |
List |
|||
|
ListFHIRExportJobs |
List |
|||
|
ListFHIRImportJobs |
List |
|||
|
ListTagsForResource |
List |
|||
|
StartFHIRExportJob |
Write |
|||
iam:PassedToService |
healthlake.amazonaws.com |
Write |
||
|
StartFHIRImportJob |
Write |
|||
iam:PassedToService |
healthlake.amazonaws.com |
Write |
||
|
TagResource |
Tagging, Write |
|||
|
UntagResource |
Tagging, Write |
|||
|
UpdateFHIRDatastore |
Write |
Actions defined by AWS HealthLake
You can specify the following actions in the Action element of an IAM
policy statement. Use policies to grant permissions to perform an operation in AWS. When
you use an action in a policy, you usually allow or deny access to the API operation or CLI
command with the same name. However, in some cases, a single action controls access to more
than one operation. Alternatively, some operations require several different actions.
| Actions | Description | Resource types (*required) | Condition keys | Access level |
|---|---|---|---|---|
Grants permission to cancel an on going FHIR Export job with Delete |
Write |
|||
Grants permission to allow customers to indicate to a Producer that the Consumer does not have any more changes to be made to the Attribution List |
Write |
|||
Grants permission to create a datastore that can ingest and export FHIR data |
Write |
|||
Grants permission to create resource |
Write |
|||
Grants permission to delete a datastore |
Write |
|||
Grants permission to delete resource |
Write |
|||
Grants permission to describe a FHIR Bulk Delete Job |
Read |
|||
Grants permission to describe a FHIR Bulk Member Match Job |
Read |
|||
Grants permission to get the properties associated with the FHIR datastore, including the datastore ID, datastore ARN, datastore name, datastore status, created at, datastore type version, and datastore endpoint |
Read |
|||
Grants permission to display the properties of a FHIR export job, including the ID, ARN, name, and the status of the datastore |
Read |
|||
Grants permission to display the properties of a FHIR export job, including the ID, ARN, name, and the status of the datastore with Get |
Read |
|||
Grants permission to display the properties of a FHIR import job, including the ID, ARN, name, and the status of the datastore |
Read |
|||
Grants permission to search and expand ValueSet resource |
Read |
|||
Grants permission to search and expand ValueSet resource |
Read |
|||
Grants permission to generate a clinical document resource |
Write |
|||
Grants permission to generate a clinical document resource |
Write |
|||
Grants permission to get the capabilities of a FHIR datastore |
Read |
|||
Grants permission to access exported files from a FHIR Export job initiated with Get |
Read |
|||
Grants permission to read resource history |
Read |
|||
Grants permission to inquire about the status of a prior authorization Claim |
Read |
|||
Grants permission to list all FHIR datastores that are in the user's account, regardless of datastore status |
List |
|||
Grants permission to get a list of export jobs for the specified datastore |
List |
|||
Grants permission to get a list of import jobs for the specified datastore |
List |
|||
Grants permission to get a list of tags for the specified datastore |
List |
|||
Grants permission to retrieve Codes for a CodeSystem resource |
Read |
|||
Grants permission to retrieve Codes for a CodeSystem resource |
Read |
|||
Grants permission to attribute a member with a specific provider group |
Write |
|||
Grants permission to enable cross-system patient matching |
Write |
|||
Grants permission to remove a member from a group |
Write |
|||
Grants permission to patch a resource |
Write |
|||
Grants permission to bundle multiple resource operations |
Write |
|||
Grants permission to retrieve Questionnaire packages with dependency Library and ValueSet resources |
Read |
|||
Grants permission to read resource |
Read |
|||
Grants permission to retrieve member attribution status |
Write |
|||
Grants permission to search all resources related to a patient |
Read |
|||
Grants permission to search resources with GET method |
Read |
|||
Grants permission to search resources with POST method |
Read |
|||
Grants permission to begin a FHIR Bulk Delete Job |
Write |
|||
Grants permission to begin a FHIR Bulk Member Match Job |
Write |
|||
Grants permission to begin a FHIR Export job |
Write |
|||
Grants permission to begin a FHIR Export job with Get |
Write |
|||
Grants permission to begin a FHIR Export job with Post |
Write |
|||
Grants permission to begin a FHIR Import job |
Write |
|||
Grants permission to submit a prior authorization Claim request |
Write |
|||
Grants permission to add tags to a datastore |
Tagging, Write |
|||
Grants permission to remove tags associated with a datastore |
Tagging, Write |
|||
Grants permission to update the configuration of a datastore |
Write |
|||
Grants permission to update resource |
Write |
|||
Grants permission to validate a resource |
Read |
|||
Grants permission to read version of a resource |
Read |
Resource types defined by AWS HealthLake
The following resource types are defined by this service and can be used in the
Resource element of IAM permission policy statements.
| Resource types | ARN | Condition keys |
|---|---|---|
arn:${Partition}:healthlake:${Region}:${Account}:datastore/fhir/${DatastoreId} |
Condition keys for AWS HealthLake
AWS HealthLake defines the following condition keys that can be used in the
Condition element of an IAM policy.
| Condition keys | Description | Type |
|---|---|---|
Filters access by the presence of tag key-value pairs in the request |
String |
|
Filters access by the presence of tag key-value pairs attached to the resource |
String |
|
Filters access by the presence of tag keys in the request |
ArrayOfString |