AWS Security ChangesHomeSearch

AWS healthimaging documentation change

Service: healthimaging · 2026-03-19 · Documentation low

File: healthimaging/latest/devguide/security_iam_id-based-policy-examples.md

Summary

Added comprehensive documentation on granting permissions based on Study Instance UID and Series Instance UID with detailed examples and API support table

Security assessment

This change adds documentation about fine-grained access control features using DICOM metadata attributes (StudyInstanceUID and SeriesInstanceUID) as IAM condition keys. It provides examples of how to implement least-privilege access policies for medical imaging data. While this enhances security documentation, there is no evidence it addresses a specific security vulnerability or incident.

Diff

diff --git a/healthimaging/latest/devguide/security_iam_id-based-policy-examples.md b/healthimaging/latest/devguide/security_iam_id-based-policy-examples.md
index 901bfe870..2368355f2 100644
--- a//healthimaging/latest/devguide/security_iam_id-based-policy-examples.md
+++ b//healthimaging/latest/devguide/security_iam_id-based-policy-examples.md
@@ -5 +5 @@
-Policy best practicesUsing the consoleAllow users to view their own permissions
+Policy best practicesUsing the consoleAllow users to view their own permissionsGranting permissions based on Study Instance UID and Series Instance UID
@@ -22,0 +23,2 @@ For details about actions and resource types defined by Awesome, including the f
+  * Granting permissions based on Study Instance UID and Series Instance UID
+
@@ -90,0 +93,160 @@ This example shows how you might create a policy that allows IAM users to view t
+## Granting permissions based on Study Instance UID and Series Instance UID
+
+HealthImaging DICOMWeb APIs support granting access to image sets based on the Study Instance UID and Series Instance UID. You can define IAM policies that limit access by adding condition statements with the `StudyInstanceUID` and `SeriesInstanceUID` condition context keys.
+
+HealthImaging DICOMWeb APIs that use `StudyInstanceUID` as a required parameter support IAM policies that limit access based on the `StudyInstanceUID` key. Similarly, HealthImaging DICOMWeb APIs that use `SeriesInstanceUID` as a required parameter support policies with the `SeriesInstanceUID` key.
+
+**HealthImaging APIs that support IAM policies using`StudyInstanceUID` and `SeriesInstanceUID` context keys**
+
+Name | Support for `StudyInstanceUID` condition | Support for `SeriesInstanceUID` condition  
+---|---|---  
+`GetDICOMInstance` | Yes | Yes  
+`GetDICOMInstanceFrames` | Yes | Yes  
+`GetDICOMInstanceMetadata` | Yes | Yes  
+`GetDICOMSeriesMetadata` | Yes | Yes  
+`GetDICOMBulkdata` | Yes | Yes  
+`SearchDICOMSeries` | Yes | No  
+`SearchDICOMInstances` | Yes | Yes  
+`StoreDICOMStudy` | Yes | No  
+  
+###### Note
+
+A HealthImaging API that does not support this context key will function as if no context key was specified when invoked with a policy that contains a `StudyInstanceUID` or `SeriesInstanceUID` context key.
+
+### Example 1: Granting access based on a StudyInstanceUID
+
+To grant access only to specific DICOM studies, attach a policy to the role that specifies a condition on the `StudyInstanceUID`.
+    
+    
+    {
+        "Version": "2012-10-17", 		 	 	 
+        "Statement": [
+            {
+                "Sid": "Statement1",
+                "Effect": "Allow",
+                "Action": [
+                    "medical-imaging:SearchDICOMSeries"
+                ],
+                "Resource": [
+                    "arn:aws:medical-imaging:us-west-2:account-id:datastore/your-datastore-id"
+                ],
+                "Condition": {
+                    "StringEquals": {
+                        "medical-imaging:StudyInstanceUID": "your study instance UID"
+                    }
+                }
+            }
+        ]
+    }
+
+When this role is assumed via `sts assume-role`, the caller will only be authorized to access image sets that match the condition specified in the role policy, otherwise the calls will be rejected throwing an `AccessDenied` error. In this case, the caller will be granted access to all image sets having the specified `StudyInstanceUID`.
+
+You can use all IAM string condition operators in your policies, including wildcard matching and multiple matches.
+
+An example policy for wildcard matching:
+    
+    
+    {
+        "Version": "2012-10-17", 		 	 	 
+        "Statement": [
+            {
+                "Sid": "Statement1",
+                "Effect": "Allow",
+                "Action": [
+                    "medical-imaging:SearchDICOMSeries"
+                ],
+                "Resource": [
+                    "arn:aws:medical-imaging:us-west-2:account-id:datastore/your-datastore-id"
+                ],
+                "Condition": {
+                    "StringLike": {
+                        "medical-imaging:StudyInstanceUID": "123.456.789*"
+                    }
+                }
+            }
+        ]
+    }
+
+An example policy for multiple matches:
+    
+    
+    {
+        "Version": "2012-10-17", 		 	 	 
+        "Statement": [
+            {
+                "Sid": "Statement1",
+                "Effect": "Allow",
+                "Action": [
+                    "medical-imaging:SearchDICOMSeries"
+                ],
+                "Resource": [
+                    "arn:aws:medical-imaging:us-west-2:account-id:datastore/your-datastore-id"
+                ],
+                "Condition": {
+                    "StringEquals": {
+                        "medical-imaging:StudyInstanceUID": [
+                            "123.456.789",
+                            "1.2.3.4.5.6"
+                        ]
+                    }
+                }
+            }
+        ]
+    }
+
+### Example 2: Granting access based on a SeriesInstanceUID
+
+To grant access only to specific image sets corresponding to a DICOM Series, attach a policy to the role that specifies a condition on the `SeriesInstanceUID`.
+    
+    
+    {
+        "Version": "2012-10-17", 		 	 	 
+        "Statement": [
+            {
+                "Sid": "Statement1",
+                "Effect": "Allow",
+                "Action": [
+                    "medical-imaging:SearchDICOMInstances"
+                ],
+                "Resource": [
+                    "arn:aws:medical-imaging:us-west-2:account-id:datastore/your-datastore-id"
+                ],
+                "Condition": {
+                    "StringEquals": {
+                        "medical-imaging:SeriesInstanceUID": [
+                            "123.456.789",
+                            "1.2.3.4.5.6"
+                        ]
+                    }
+                }
+            }
+        ]
+    }
+
+### Example 3: Granting access based on StudyInstanceUIDs and SeriesInstanceUIDs
+
+To grant access only to image sets of a particular DICOM Study and Series, attach a policy to the role that specifies conditions on both the `StudyInstanceUID` and `SeriesInstanceUID`.
+    
+    
+    {
+        "Version": "2012-10-17", 		 	 	 
+        "Statement": [
+            {
+                "Sid": "Statement1",
+                "Effect": "Allow",
+                "Action": [
+                    "medical-imaging:SearchDICOMInstances"
+                ],
+                "Resource": [
+                    "arn:aws:medical-imaging:us-west-2:account-id:datastore/your-datastore-id"
+                ],
+                "Condition": {
+                    "StringEquals": {
+                        "medical-imaging:StudyInstanceUID": ["123.456.789"],
+                        "medical-imaging:SeriesInstanceUID": ["1.2.3.4.5.6"]
+                    }
+                }
+            }
+        ]
+    }
+