AWS Security ChangesHomeSearch

AWS healthlake documentation change

Service: healthlake · 2026-06-13 · Documentation low

File: healthlake/latest/devguide/reference-smart-on-fhir-oauth-scopes.md

Summary

Updated procedure for enabling SMART on FHIR V2.2: Changed from requiring support tickets to self-service via UpdateFHIRDatastore API. Clarified requirements including need to maintain permission-v2 and full configuration replacement.

Security assessment

This change improves documentation of OAuth scopes and identity provider configuration for SMART on FHIR, which is an authentication/authorization framework. However, there's no evidence it addresses a specific security vulnerability.

Diff

diff --git a/healthlake/latest/devguide/reference-smart-on-fhir-oauth-scopes.md b/healthlake/latest/devguide/reference-smart-on-fhir-oauth-scopes.md
index e05120f98..fca74cfdb 100644
--- a//healthlake/latest/devguide/reference-smart-on-fhir-oauth-scopes.md
+++ b//healthlake/latest/devguide/reference-smart-on-fhir-oauth-scopes.md
@@ -135,3 +135 @@ When creating a new data store, add `permission-v2.2` to the `capabilities` arra
-For existing data stores, submit a support ticket requesting the addition of `permission-v2.2` to your data store configuration. This follows the same process used when upgrading from SMART on FHIR V1 to SMART on FHIR V2.
-
-Self-service updates for V2.2 on existing data stores are not yet available. The HealthLake team will apply the change on your behalf upon ticket submission.
+To enable SMART on FHIR V2.2 on an existing data store, add `permission-v2.2` to the `capabilities` array in the `Metadata` field of your [`IdentityProviderConfiguration`](https://docs.aws.amazon.com/healthlake/latest/APIReference/API_IdentityProviderConfiguration.html) and submit the change with `UpdateFHIRDatastore`. For more information, see [Updating a HealthLake data store](./managing-data-stores-update.html).
@@ -141 +139 @@ Requirements:
-  * `permission-v2` must remain in the array. V2.2 cannot be used without V2.
+  * `permission-v2` must remain in the array. V2.2 extends V2 and can't be used on its own.
@@ -145 +143 @@ Requirements:
-  * No downtime required. The change takes effect immediately.
+  * Updating the identity provider configuration replaces it in full, so include all existing fields and capabilities along with `permission-v2.2`.
@@ -150 +148 @@ Requirements:
-To verify, confirm via the [Discovery Document](./reference-smart-on-fhir-discovery-document.html) (requires SigV4):
+The change takes effect immediately, with no downtime. To verify, fetch the [Discovery Document](./reference-smart-on-fhir-discovery-document.html) (requires SigV4):