AWS healthlake documentation change
Summary
Added two JSON policy examples: 1) Secrets Manager access policy 2) HealthLake service role trust policy with source conditions
Security assessment
Adds security documentation for IAM policies related to secret retrieval and service role trust. No evidence of fixing a specific vulnerability, but demonstrates security best practices for least privilege access.
Diff
diff --git a/healthlake/latest/devguide/reference-smart-on-fhir-token-validation.md b/healthlake/latest/devguide/reference-smart-on-fhir-token-validation.md index 6e079b012..0050e1f80 100644 --- a//healthlake/latest/devguide/reference-smart-on-fhir-token-validation.md +++ b//healthlake/latest/devguide/reference-smart-on-fhir-token-validation.md @@ -206,0 +207,19 @@ Adding the IAM action `GetSecretValue` to execution role grants the necessary pe +JSON + + +**** + + + + { + "Version":"2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "secretsmanager:GetSecretValue", + "Resource": "arn:aws:secretsmanager:us-east-1:123456789012:secret:secret-name-DKodTA" + } + ] + } + + @@ -272,0 +292,28 @@ Use this procedure to create a service role. When you create a service you will +JSON + + +**** + + + { + "Version":"2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "sts:AssumeRole", + "Principal": { + "Service": "healthlake.amazonaws.com" + }, + "Condition": { + "StringEquals": { + "aws:SourceAccount": "123456789012" + }, + "ArnEquals": { + "aws:SourceArn": "arn:aws:healthlake:us-east-1:123456789012:datastore/fhir/your-datastore-id" + } + } + } + ] + } + +