Setting up permissions to start using AWS HealthLake
In this chapter, you use the AWS Management Console to set up the required permissions to start using AWS HealthLake and create a data store. To set up permissions to create a data store, you create an IAM user or role that is a data lake administrator and HealthLake administrator. You make this user a data lake administrator in AWS Lake Formation. The data lake administrator grants Lake Formation access to resources needed to use Amazon Athena to query a data store.
After you create a data store in HealthLake, you can set up permissions for importing files into the data store or exporting them. For information about setting up permissions to import files, see Setting up permissions for import jobs. For information about setting up permissions to export files, see Setting up permissions for export jobs.
Topics
Sign up for an AWS account
If you do not have an AWS account, complete the following steps to create one.
To sign up for an AWS account
Open https://portal.aws.amazon.com/billing/signup
. Follow the online instructions.
Part of the sign-up procedure involves receiving a phone call and entering a verification code on the phone keypad.
When you sign up for an AWS account, an AWS account root user is created. The root user has access to all AWS services and resources in the account. As a security best practice, assign administrative access to a user, and use only the root user to perform tasks that require root user access.
AWS sends you a confirmation email after the sign-up process is
complete. At any time, you can view your current account activity and manage your account by
going to https://aws.amazon.com/
Create a user with administrative access
After you sign up for an AWS account, secure your AWS account root user, enable AWS IAM Identity Center, and create an administrative user so that you don't use the root user for everyday tasks.
Secure your AWS account root user
-
Sign in to the AWS Management Console
as the account owner by choosing Root user and entering your AWS account email address. On the next page, enter your password. For help signing in by using root user, see Signing in as the root user in the AWS Sign-In User Guide.
-
Turn on multi-factor authentication (MFA) for your root user.
For instructions, see Enable a virtual MFA device for your AWS account root user (console) in the IAM User Guide.
Create a user with administrative access
-
Enable IAM Identity Center.
For instructions, see Enabling AWS IAM Identity Center in the AWS IAM Identity Center User Guide.
-
In IAM Identity Center, grant administrative access to a user.
For a tutorial about using the IAM Identity Center directory as your identity source, see Configure user access with the default IAM Identity Center directory in the AWS IAM Identity Center User Guide.
Sign in as the user with administrative access
-
To sign in with your IAM Identity Center user, use the sign-in URL that was sent to your email address when you created the IAM Identity Center user.
For help signing in using an IAM Identity Center user, see Signing in to the AWS access portal in the AWS Sign-In User Guide.
Assign access to additional users
-
In IAM Identity Center, create a permission set that follows the best practice of applying least-privilege permissions.
For instructions, see Create a permission set in the AWS IAM Identity Center User Guide.
-
Assign users to a group, and then assign single sign-on access to the group.
For instructions, see Add groups in the AWS IAM Identity Center User Guide.
Configure an IAM user or role to use HealthLake (IAM Administrator)
Persona: IAM Administrator
A user who can create IAM users and roles, and can add data lake administrators.
These steps in this topic must be carried out by an IAM administrator.
To connect your HealthLake data store to Athena, you need create an IAM user or role that is a data lake administrator
and a HealthLake administrator. This new user or role grants access to resources found in a data store via AWS Lake Formation, and has
the AmazonHealthLakeFullAccess
AWS managed policy added to their user or role.
Important
An IAM user or role that is a data lake administrator cannot create new data lake
administrators. To add additional data lake administrator you must use a IAM user or role which has been
granted AdministratorAccess
access.
To create an administrator
-
Add the
AmazonHealthlakeFullAccess
IAM AWS managed policy to a user or role in your organization.If you're unfamiliar with creating an IAM user, see Creating an IAM User and Overview of AWS IAM Policies in the IAM User Guide.
-
Grant the IAM user or role access to AWS Lake Formation.
-
Add the following IAM AWS managed policy to a user or role in your organization:
AWSLakeFormationDataAdmin
Note
The
AWSLakeFormationDataAdmin
policy grants access to all AWS Lake Formation resources. We recommend that you always use the minimum permissions required to accomplish your task. For more information, see IAM Best Practices in the IAM User Guide.
-
-
Add the following inline policy to the user or role. For more information, see Inline policies in the IAM User Guide.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:GetObject", "s3:PutObject" ], "Resource": [ "arn:aws:s3:::
amzn-s3-demo-source-bucket
/*", "arn:aws:s3:::amzn-s3-demo-logging-bucket
/*" ] }, { "Effect": "Allow", "Action": [ "ram:GetResourceShareInvitations", "ram:AcceptResourceShareInvitation", "glue:CreateDatabase", "glue:DeleteDatabase" ], "Resource": "*" } ] }
For more information on the AWSLakeFormationDataAdmin
policy, see Lake Formation Personas and IAM Permissions Reference in the AWS Lake Formation Developer
Guide.
Add a user or role as the Data Lake Administrator in Lake Formation (IAM Administrator)
Next, the IAM administrator needs to add the user or role created in step 1 as a data lake administrator in Lake Formation.
To add an IAM user or role as a data lake administrator
-
Open the AWS Lake Formation console: https://console.aws.amazon.com/lakeformation/
Note
If this is your first time visiting Lake Formation, a Welcome to Lake Formation dialog box appears asking you to define a Lake Formation administrator.
-
Assign the new user or role to be a AWS Lake Formation data lake administrator.
-
Option 1: If you received the Welcome to Lake Formation dialog box.
-
Choose Add other AWS users or roles.
-
Choose the down arrow (▼).
-
Choose the HealthLake administrator you would like to also be Lake Formation administrators.
-
Choose Get started.
-
-
Option 2: Use the Navigation pane (☰).
-
Choose the Navigation pane (☰).
-
Under Permissions, choose Administrative roles and tasks.
-
In the Data lake administrators section, select Choose administrators .
-
In the Manage data lake administrators dialog box, choose the down arrow (▼).
-
Next, select or search for the HealthLake administrators users or roles who you also want to be Lake Formation administrators.
-
Choose Save.
-
-
-
Change the default security settings to be managed by Lake Formation. The HealthLake data store resources need to be managed by Lake Formation not IAM. To update, see Change the default permission model in the AWS Lake Formation Developer Guide.