View a markdown version of this page

Actions, resources, and condition keys for AWS HealthLake - Service Authorization Reference

Actions, resources, and condition keys for AWS HealthLake

AWS HealthLake (service prefix: healthlake) provides the following service-specific operations, resources, actions, and condition keys for use in IAM permission policies.

References:

API operations defined by AWS HealthLake

The following table maps API operations to the IAM actions they authorize. Only condition keys that have static values for the given API and action are listed; for the full set of condition keys supported by each action, see the Actions table.

Operation IAM action Condition key Possible value(s) Access level

CreateFHIRDatastore

healthlake:CreateFHIRDatastore

Write

healthlake:TagResource

Tagging, Write

DeleteFHIRDatastore

healthlake:DeleteFHIRDatastore

Write

DescribeFHIRDatastore

healthlake:DescribeFHIRDatastore

Read

DescribeFHIRExportJob

healthlake:DescribeFHIRExportJob

Read

DescribeFHIRImportJob

healthlake:DescribeFHIRImportJob

Read

ListFHIRDatastores

healthlake:ListFHIRDatastores

List

ListFHIRExportJobs

healthlake:ListFHIRExportJobs

List

ListFHIRImportJobs

healthlake:ListFHIRImportJobs

List

ListTagsForResource

healthlake:ListTagsForResource

List

StartFHIRExportJob

healthlake:StartFHIRExportJob

Write

iam:PassRole

iam:PassedToService

healthlake.amazonaws.com

Write

StartFHIRImportJob

healthlake:StartFHIRImportJob

Write

iam:PassRole

iam:PassedToService

healthlake.amazonaws.com

Write

TagResource

healthlake:TagResource

Tagging, Write

UntagResource

healthlake:UntagResource

Tagging, Write

UpdateFHIRDatastore

healthlake:UpdateFHIRDatastore

Write

Actions defined by AWS HealthLake

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

Actions Description Resource types (*required) Condition keys Access level

CancelFHIRExportJobWithDelete

Grants permission to cancel an on going FHIR Export job with Delete

datastore*

aws:ResourceTag/${TagKey}

Write

ConfirmAttributionList

Grants permission to allow customers to indicate to a Producer that the Consumer does not have any more changes to be made to the Attribution List

datastore*

aws:ResourceTag/${TagKey}

Write

CreateFHIRDatastore

Grants permission to create a datastore that can ingest and export FHIR data

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Write

CreateResource

Grants permission to create resource

datastore*

aws:ResourceTag/${TagKey}

Write

DeleteFHIRDatastore

Grants permission to delete a datastore

datastore*

aws:ResourceTag/${TagKey}

Write

DeleteResource

Grants permission to delete resource

datastore*

aws:ResourceTag/${TagKey}

Write

DescribeFHIRBulkDeleteJob

Grants permission to describe a FHIR Bulk Delete Job

datastore*

aws:ResourceTag/${TagKey}

Read

DescribeFHIRBulkMemberMatchJob

Grants permission to describe a FHIR Bulk Member Match Job

datastore*

aws:ResourceTag/${TagKey}

Read

DescribeFHIRDatastore

Grants permission to get the properties associated with the FHIR datastore, including the datastore ID, datastore ARN, datastore name, datastore status, created at, datastore type version, and datastore endpoint

datastore*

aws:ResourceTag/${TagKey}

Read

DescribeFHIRExportJob

Grants permission to display the properties of a FHIR export job, including the ID, ARN, name, and the status of the datastore

datastore*

aws:ResourceTag/${TagKey}

Read

DescribeFHIRExportJobWithGet

Grants permission to display the properties of a FHIR export job, including the ID, ARN, name, and the status of the datastore with Get

datastore*

aws:ResourceTag/${TagKey}

Read

DescribeFHIRImportJob

Grants permission to display the properties of a FHIR import job, including the ID, ARN, name, and the status of the datastore

datastore*

aws:ResourceTag/${TagKey}

Read

ExpandValueSetWithGet

Grants permission to search and expand ValueSet resource

datastore*

aws:ResourceTag/${TagKey}

Read

ExpandValueSetWithPost

Grants permission to search and expand ValueSet resource

datastore*

aws:ResourceTag/${TagKey}

Read

GenerateDocumentWithGet

Grants permission to generate a clinical document resource

datastore*

aws:ResourceTag/${TagKey}

Write

GenerateDocumentWithPost

Grants permission to generate a clinical document resource

datastore*

aws:ResourceTag/${TagKey}

Write

GetCapabilities

Grants permission to get the capabilities of a FHIR datastore

datastore*

aws:ResourceTag/${TagKey}

Read

GetExportedFile

Grants permission to access exported files from a FHIR Export job initiated with Get

datastore*

aws:ResourceTag/${TagKey}

Read

GetHistoryByResourceId

Grants permission to read resource history

datastore*

aws:ResourceTag/${TagKey}

Read

InquirePreAuthClaim

Grants permission to inquire about the status of a prior authorization Claim

datastore*

aws:ResourceTag/${TagKey}

Read

ListFHIRDatastores

Grants permission to list all FHIR datastores that are in the user's account, regardless of datastore status

List

ListFHIRExportJobs

Grants permission to get a list of export jobs for the specified datastore

datastore*

aws:ResourceTag/${TagKey}

List

ListFHIRImportJobs

Grants permission to get a list of import jobs for the specified datastore

datastore*

aws:ResourceTag/${TagKey}

List

ListTagsForResource

Grants permission to get a list of tags for the specified datastore

datastore

aws:ResourceTag/${TagKey}

List

LookupCodeSystemWithGet

Grants permission to retrieve Codes for a CodeSystem resource

datastore*

aws:ResourceTag/${TagKey}

Read

LookupCodeSystemWithPost

Grants permission to retrieve Codes for a CodeSystem resource

datastore*

aws:ResourceTag/${TagKey}

Read

MemberAdd

Grants permission to attribute a member with a specific provider group

datastore*

aws:ResourceTag/${TagKey}

Write

MemberMatch

Grants permission to enable cross-system patient matching

datastore*

aws:ResourceTag/${TagKey}

Write

MemberRemove

Grants permission to remove a member from a group

datastore*

aws:ResourceTag/${TagKey}

Write

PatchResource

Grants permission to patch a resource

datastore*

aws:ResourceTag/${TagKey}

Write

ProcessBundle

Grants permission to bundle multiple resource operations

datastore*

aws:ResourceTag/${TagKey}

Write

QuestionnairePackage

Grants permission to retrieve Questionnaire packages with dependency Library and ValueSet resources

datastore*

aws:ResourceTag/${TagKey}

Read

ReadResource

Grants permission to read resource

datastore*

aws:ResourceTag/${TagKey}

Read

RetrieveAttributionStatus

Grants permission to retrieve member attribution status

datastore*

aws:ResourceTag/${TagKey}

Write

SearchEverything

Grants permission to search all resources related to a patient

datastore*

aws:ResourceTag/${TagKey}

Read

SearchWithGet

Grants permission to search resources with GET method

datastore*

aws:ResourceTag/${TagKey}

Read

SearchWithPost

Grants permission to search resources with POST method

datastore*

aws:ResourceTag/${TagKey}

Read

StartFHIRBulkDeleteJob

Grants permission to begin a FHIR Bulk Delete Job

datastore*

aws:ResourceTag/${TagKey}

Write

StartFHIRBulkMemberMatchJob

Grants permission to begin a FHIR Bulk Member Match Job

datastore*

aws:ResourceTag/${TagKey}

Write

StartFHIRExportJob

Grants permission to begin a FHIR Export job

datastore*

aws:ResourceTag/${TagKey}

Write

StartFHIRExportJobWithGet

Grants permission to begin a FHIR Export job with Get

datastore*

aws:ResourceTag/${TagKey}

Write

StartFHIRExportJobWithPost

Grants permission to begin a FHIR Export job with Post

datastore*

aws:ResourceTag/${TagKey}

Write

StartFHIRImportJob

Grants permission to begin a FHIR Import job

datastore*

aws:ResourceTag/${TagKey}

Write

SubmitPreAuthClaim

Grants permission to submit a prior authorization Claim request

datastore*

aws:ResourceTag/${TagKey}

Write

TagResource

Grants permission to add tags to a datastore

datastore

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Tagging, Write

UntagResource

Grants permission to remove tags associated with a datastore

datastore

aws:ResourceTag/${TagKey}

aws:TagKeys

Tagging, Write

UpdateFHIRDatastore

Grants permission to update the configuration of a datastore

datastore*

aws:ResourceTag/${TagKey}

Write

UpdateResource

Grants permission to update resource

datastore*

aws:ResourceTag/${TagKey}

Write

ValidateResource

Grants permission to validate a resource

datastore*

aws:ResourceTag/${TagKey}

Read

VersionReadResource

Grants permission to read version of a resource

datastore*

aws:ResourceTag/${TagKey}

Read

Resource types defined by AWS HealthLake

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements.

Resource types ARN Condition keys

datastore

arn:${Partition}:healthlake:${Region}:${Account}:datastore/fhir/${DatastoreId}

aws:ResourceTag/${TagKey}

Condition keys for AWS HealthLake

AWS HealthLake defines the following condition keys that can be used in the Condition element of an IAM policy.

Condition keys Description Type

aws:RequestTag/${TagKey}

Filters access by the presence of tag key-value pairs in the request

String

aws:ResourceTag/${TagKey}

Filters access by the presence of tag key-value pairs attached to the resource

String

aws:TagKeys

Filters access by the presence of tag keys in the request

ArrayOfString