AWS healthlake documentation change
Summary
Updated procedure for enabling SMART on FHIR V2.2: Changed from requiring support tickets to self-service via UpdateFHIRDatastore API. Clarified requirements including need to maintain permission-v2 and full configuration replacement.
Security assessment
This change improves documentation of OAuth scopes and identity provider configuration for SMART on FHIR, which is an authentication/authorization framework. However, there's no evidence it addresses a specific security vulnerability.
Diff
diff --git a/healthlake/latest/devguide/reference-smart-on-fhir-oauth-scopes.md b/healthlake/latest/devguide/reference-smart-on-fhir-oauth-scopes.md index e05120f98..fca74cfdb 100644 --- a//healthlake/latest/devguide/reference-smart-on-fhir-oauth-scopes.md +++ b//healthlake/latest/devguide/reference-smart-on-fhir-oauth-scopes.md @@ -135,3 +135 @@ When creating a new data store, add `permission-v2.2` to the `capabilities` arra -For existing data stores, submit a support ticket requesting the addition of `permission-v2.2` to your data store configuration. This follows the same process used when upgrading from SMART on FHIR V1 to SMART on FHIR V2. - -Self-service updates for V2.2 on existing data stores are not yet available. The HealthLake team will apply the change on your behalf upon ticket submission. +To enable SMART on FHIR V2.2 on an existing data store, add `permission-v2.2` to the `capabilities` array in the `Metadata` field of your [`IdentityProviderConfiguration`](https://docs.aws.amazon.com/healthlake/latest/APIReference/API_IdentityProviderConfiguration.html) and submit the change with `UpdateFHIRDatastore`. For more information, see [Updating a HealthLake data store](./managing-data-stores-update.html). @@ -141 +139 @@ Requirements: - * `permission-v2` must remain in the array. V2.2 cannot be used without V2. + * `permission-v2` must remain in the array. V2.2 extends V2 and can't be used on its own. @@ -145 +143 @@ Requirements: - * No downtime required. The change takes effect immediately. + * Updating the identity provider configuration replaces it in full, so include all existing fields and capabilities along with `permission-v2.2`. @@ -150 +148 @@ Requirements: -To verify, confirm via the [Discovery Document](./reference-smart-on-fhir-discovery-document.html) (requires SigV4): +The change takes effect immediately, with no downtime. To verify, fetch the [Discovery Document](./reference-smart-on-fhir-discovery-document.html) (requires SigV4):