
Setting up permissions to start using AWS HealthLake

In this chapter, you use the AWS Management Console to set up the required permissions to start using AWS HealthLake and create a data store. To set up permissions to create a data store, you create an IAM user or role that is a data lake administrator and HealthLake administrator. You make this user a data lake administrator in AWS Lake Formation. The data lake administrator grants Lake Formation access to resources needed to use Amazon Athena to query a data store.

After you create a data store in HealthLake, you can set up permissions for importing files into the data store or exporting them. For information about setting up permissions to import files, see Setting up permissions for import jobs. For information about setting up permissions to export files, see Setting up permissions for export jobs.

Sign up for an AWS account

If you do not have an AWS account, complete the following steps to create one.

To sign up for an AWS account
  1. Open https://portal.aws.amazon.com/billing/signup.

  2. Follow the online instructions.

    Part of the sign-up procedure involves receiving a phone call and entering a verification code on the phone keypad.

    When you sign up for an AWS account, an AWS account root user is created. The root user has access to all AWS services and resources in the account. As a security best practice, assign administrative access to a user, and use only the root user to perform tasks that require root user access.

AWS sends you a confirmation email after the sign-up process is complete. At any time, you can view your current account activity and manage your account by going to https://aws.amazon.com/ and choosing My Account.

Create a user with administrative access

After you sign up for an AWS account, secure your AWS account root user, enable AWS IAM Identity Center, and create an administrative user so that you don't use the root user for everyday tasks.

Secure your AWS account root user
  1. Sign in to the AWS Management Console as the account owner by choosing Root user and entering your AWS account email address. On the next page, enter your password.

    For help signing in by using root user, see Signing in as the root user in the AWS Sign-In User Guide.

  2. Turn on multi-factor authentication (MFA) for your root user.

    For instructions, see Enable a virtual MFA device for your AWS account root user (console) in the IAM User Guide.

Create a user with administrative access
  1. Enable IAM Identity Center.

    For instructions, see Enabling AWS IAM Identity Center in the AWS IAM Identity Center User Guide.

  2. In IAM Identity Center, grant administrative access to a user.

    For a tutorial about using the IAM Identity Center directory as your identity source, see Configure user access with the default IAM Identity Center directory in the AWS IAM Identity Center User Guide.

Sign in as the user with administrative access
  • To sign in with your IAM Identity Center user, use the sign-in URL that was sent to your email address when you created the IAM Identity Center user.

    For help signing in using an IAM Identity Center user, see Signing in to the AWS access portal in the AWS Sign-In User Guide.

Assign access to additional users
  1. In IAM Identity Center, create a permission set that follows the best practice of applying least-privilege permissions.

    For instructions, see Create a permission set in the AWS IAM Identity Center User Guide.

  2. Assign users to a group, and then assign single sign-on access to the group.

    For instructions, see Add groups in the AWS IAM Identity Center User Guide.

Configure an IAM user or role to use HealthLake (IAM Administrator)

Persona: IAM Administrator

A user who can create IAM users and roles, and can add data lake administrators.

The steps in this topic must be carried out by an IAM administrator.

To connect your HealthLake data store to Athena, you need to create an IAM user or role that is both a data lake administrator and a HealthLake administrator. This new user or role is granted access to the resources in a data store through AWS Lake Formation, and has the AmazonHealthLakeFullAccess AWS managed policy attached.

Important

An IAM user or role that is a data lake administrator cannot create new data lake administrators. To add additional data lake administrators, you must use an IAM user or role that has been granted AdministratorAccess.

To create an administrator
  1. Add the AmazonHealthLakeFullAccess AWS managed policy to a user or role in your organization.

    If you're unfamiliar with creating an IAM user, see Creating an IAM User and Overview of AWS IAM Policies in the IAM User Guide.

  2. Grant the IAM user or role access to AWS Lake Formation.

    • Add the following IAM AWS managed policy to a user or role in your organization: AWSLakeFormationDataAdmin

      Note

      The AWSLakeFormationDataAdmin policy grants access to all AWS Lake Formation resources. We recommend that you always use the minimum permissions required to accomplish your task. For more information, see IAM Best Practices in the IAM User Guide.

  3. Add the following inline policy to the user or role. To learn more about adding inline policies, see Adding and removing IAM identity permissions.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "s3:PutObject",
                    "s3:GetObject"
                ],
                "Resource": "arn:aws:s3:::my-bucket/*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "ram:GetResourceShareInvitations",
                    "ram:AcceptResourceShareInvitation",
                    "glue:CreateDatabase",
                    "glue:DeleteDatabase"
                ],
                "Resource": "*"
            }
        ]
    }

For more information on the AWSLakeFormationDataAdmin policy, see Lake Formation Personas and IAM Permissions Reference in the AWS Lake Formation Developer Guide.

Add a user or role as the Data Lake Administrator in Lake Formation (IAM Administrator)

Next, the IAM administrator needs to add the user or role created in step 1 as a data lake administrator in Lake Formation.

To add an IAM user or role as a data lake administrator
  1. Open the AWS Lake Formation console: https://console.aws.amazon.com/lakeformation/

    Note

    If this is your first time visiting Lake Formation, a Welcome to Lake Formation dialog box appears asking you to define a Lake Formation administrator.

  2. Assign the new user or role to be an AWS Lake Formation data lake administrator.

    • Option 1: If you received the Welcome to Lake Formation dialog box.

      1. Choose Add other AWS users or roles.

      2. Choose the down arrow (▼).

      3. Choose the HealthLake administrators that you also want to be Lake Formation administrators.

      4. Choose Get started.

    • Option 2: Use the Navigation pane (☰).

      1. Choose the Navigation pane (☰).

      2. Under Permissions, choose Administrative roles and tasks.

      3. In the Data lake administrators section, select Choose administrators.

      4. In the Manage data lake administrators dialog box, choose the down arrow (▼).

      5. Select or search for the HealthLake administrator users or roles that you also want to be Lake Formation administrators.

      6. Choose Save.

  3. Change the default security settings so that they are managed by Lake Formation. The HealthLake data store resources need to be managed by Lake Formation, not by IAM. To update the settings, see Change the default permission model in the AWS Lake Formation Developer Guide.
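The following script is an added example (not part of the AWS documentation or any AWS tooling) that audits whether a principal has the setup this page describes: both managed policies from the "To create an administrator" procedure, the inline policy's actions with S3 access scoped to a bucket rather than "*", registration as a Lake Formation data lake administrator, and the default permission model no longer granting IAM_ALLOWED_PRINCIPALS. The check functions take the dict shapes boto3 returns so they run on constructed input; audit_role() is an assumed convenience wrapper that needs boto3 and AWS credentials.

```python
REQUIRED_MANAGED = {"AmazonHealthLakeFullAccess", "AWSLakeFormationDataAdmin"}
REQUIRED_INLINE = {"s3:PutObject", "s3:GetObject", "ram:GetResourceShareInvitations",
                   "ram:AcceptResourceShareInvitation", "glue:CreateDatabase", "glue:DeleteDatabase"}

def _as_list(value) -> list:
    # IAM policy grammar allows a bare string or a list for Statement/Action/Resource.
    return value if isinstance(value, list) else [value]

def missing_managed_policies(attached: list) -> set:
    """attached: the AttachedPolicies list from list_attached_user_policies/list_attached_role_policies."""
    return REQUIRED_MANAGED - {p["PolicyName"] for p in attached}

def inline_policy_findings(documents: list) -> list:
    """documents: decoded PolicyDocument dicts from get_user_policy/get_role_policy."""
    allowed, findings = set(), []
    for doc in documents:
        for st in _as_list(doc.get("Statement", [])):
            if st.get("Effect") != "Allow":
                continue
            actions = _as_list(st.get("Action", []))
            allowed.update(actions)
            # The page scopes S3 access to one bucket ARN; S3 actions on "*" are broader than needed.
            if any(a.startswith("s3:") for a in actions) and "*" in _as_list(st.get("Resource", [])):
                findings.append("S3 actions granted on Resource '*'; scope them to the bucket ARN")
    findings += [f"missing inline action {a}" for a in sorted(REQUIRED_INLINE - allowed)]
    return findings

def lake_formation_findings(settings: dict, principal_arn: str) -> list:
    """settings: the DataLakeSettings dict from lakeformation.get_data_lake_settings()."""
    admins = {a["DataLakePrincipalIdentifier"] for a in settings.get("DataLakeAdmins", [])}
    findings = [] if principal_arn in admins else [f"{principal_arn} is not a Lake Formation data lake administrator"]
    # While the default permission model is IAM-only, new databases and tables grant IAM_ALLOWED_PRINCIPALS.
    for key in ("CreateDatabaseDefaultPermissions", "CreateTableDefaultPermissions"):
        for entry in settings.get(key, []):
            if entry["Principal"]["DataLakePrincipalIdentifier"] == "IAM_ALLOWED_PRINCIPALS":
                findings.append(f"{key} still grants IAM_ALLOWED_PRINCIPALS; change the default permission model")
    return findings

def audit_role(role_name: str, role_arn: str) -> list:
    """Assumed live wrapper: gathers the inputs above with boto3 and returns every finding."""
    import boto3  # imported lazily so the pure checks above stay runnable offline
    iam, lf = boto3.client("iam"), boto3.client("lakeformation")
    attached = iam.list_attached_role_policies(RoleName=role_name)["AttachedPolicies"]
    docs = [iam.get_role_policy(RoleName=role_name, PolicyName=n)["PolicyDocument"]
            for n in iam.list_role_policies(RoleName=role_name)["PolicyNames"]]
    settings = lf.get_data_lake_settings()["DataLakeSettings"]
    return ([f"missing managed policy {p}" for p in sorted(missing_managed_policies(attached))]
            + inline_policy_findings(docs) + lake_formation_findings(settings, role_arn))
```

An empty list from audit_role() means the principal matches every step on this page; for an IAM user rather than a role, swap in the list_attached_user_policies, list_user_policies and get_user_policy calls.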