

# Security in Amazon Comprehend Medical
<a name="security"></a>

Cloud security at AWS is the highest priority. As an AWS customer, you benefit from a data center and network architecture that is built to meet the requirements of the most security-sensitive organizations.

Security is a shared responsibility between AWS and you. The [shared responsibility model](https://aws.amazon.com/compliance/shared-responsibility-model/) describes this as security *of* the cloud and security *in* the cloud:
+ **Security of the cloud** – AWS is responsible for protecting the infrastructure that runs AWS services in the AWS Cloud. AWS also provides you with services that you can use securely. Third-party auditors regularly test and verify the effectiveness of our security as part of the [AWS Compliance Programs](https://aws.amazon.com/compliance/programs/). To learn about the compliance programs that apply to Amazon Comprehend Medical, see [AWS Services in Scope by Compliance Program](https://aws.amazon.com/compliance/services-in-scope/).
+ **Security in the cloud** – Your responsibility is determined by the AWS service that you use. You are also responsible for other factors including the sensitivity of your data, your company’s requirements, and applicable laws and regulations. 

This documentation helps you understand how to apply the shared responsibility model when using Amazon Comprehend Medical. The following topics show you how to configure Amazon Comprehend Medical to meet your security and compliance objectives. You also learn how to use other AWS services that help you to monitor and secure your Amazon Comprehend Medical resources. 

**Topics**
+ [Data protection in Amazon Comprehend Medical](data-protection.md)
+ [Identity and access management in Amazon Comprehend Medical](security-iam.md)
+ [Logging Amazon Comprehend Medical API calls using AWS CloudTrail](logging-using-cloudtrail.md)
+ [Compliance validation for Amazon Comprehend Medical](compliance-validation.md)
+ [Resilience in Amazon Comprehend Medical](resilience.md)
+ [Infrastructure security in Amazon Comprehend Medical](infrastructure-security.md)

# Data protection in Amazon Comprehend Medical
<a name="data-protection"></a>

The AWS [shared responsibility model](https://aws.amazon.com/compliance/shared-responsibility-model/) applies to data protection in Amazon Comprehend Medical. As described in this model, AWS is responsible for protecting the global infrastructure that runs all of the AWS Cloud. You are responsible for maintaining control over your content that is hosted on this infrastructure. You are also responsible for the security configuration and management tasks for the AWS services that you use. For more information about data privacy, see the [Data Privacy FAQ](https://aws.amazon.com/compliance/data-privacy-faq/). For information about data protection in Europe, see the [AWS Shared Responsibility Model and GDPR](https://aws.amazon.com/blogs/security/the-aws-shared-responsibility-model-and-gdpr/) blog post on the *AWS Security Blog*.

For data protection purposes, we recommend that you protect AWS account credentials and set up individual users with AWS IAM Identity Center or AWS Identity and Access Management (IAM). That way, each user is given only the permissions necessary to fulfill their job duties. We also recommend that you secure your data in the following ways:
+ Use multi-factor authentication (MFA) with each account.
+ Use SSL/TLS to communicate with AWS resources. We require TLS 1.2 and recommend TLS 1.3.
+ Set up API and user activity logging with AWS CloudTrail. For information about using CloudTrail trails to capture AWS activities, see [Working with CloudTrail trails](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-trails.html) in the *AWS CloudTrail User Guide*.
+ Use AWS encryption solutions, along with all default security controls within AWS services.
+ Use advanced managed security services such as Amazon Macie, which assists in discovering and securing sensitive data that is stored in Amazon S3.
+ If you require FIPS 140-3 validated cryptographic modules when accessing AWS through a command line interface or an API, use a FIPS endpoint. For more information about the available FIPS endpoints, see [Federal Information Processing Standard (FIPS) 140-3](https://aws.amazon.com/compliance/fips/).

We strongly recommend that you never put confidential or sensitive information, such as your customers' email addresses, into tags or free-form text fields such as a **Name** field. This includes when you work with Comprehend Medical or other AWS services using the console, API, AWS CLI, or AWS SDKs. Any data that you enter into tags or free-form text fields used for names may be used for billing or diagnostic logs. If you provide a URL to an external server, we strongly recommend that you do not include credentials information in the URL to validate your request to that server.

# Identity and access management in Amazon Comprehend Medical
<a name="security-iam"></a>

Access to Comprehend Medical requires credentials that AWS can use to authenticate your requests. Those credentials must have permissions to access Comprehend Medical actions. [AWS Identity and Access Management (IAM)](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html) can help secure your resources by controlling who can access them. The following sections provide details on how you can use IAM with Comprehend Medical. 
+  [Authentication](#auth-med) 
+  [Access Control](#access-control-med) 

## Authentication
<a name="auth-med"></a>

You must give users permissions to interact with Amazon Comprehend Medical. For users who need full access, use `ComprehendMedicalFullAccess`.

To provide access, add permissions to your users, groups, or roles:
+ Users and groups in AWS IAM Identity Center:

  Create a permission set. Follow the instructions in [Create a permission set](https://docs.aws.amazon.com//singlesignon/latest/userguide/howtocreatepermissionset.html) in the *AWS IAM Identity Center User Guide*.
+ Users managed in IAM through an identity provider:

  Create a role for identity federation. Follow the instructions in [Create a role for a third-party identity provider (federation)](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_roles_create_for-idp.html) in the *IAM User Guide*.
+ IAM users:
  + Create a role that your user can assume. Follow the instructions in [Create a role for an IAM user](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_roles_create_for-user.html) in the *IAM User Guide*.
  + (Not recommended) Attach a policy directly to a user or add a user to a user group. Follow the instructions in [Adding permissions to a user (console)](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_users_change-permissions.html#users_change_permissions-add-console) in the *IAM User Guide*.

To use Amazon Comprehend Medical's asynchronous operations you also need a service role.

 A service role is an [IAM role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html) that a service assumes to perform actions on your behalf. An IAM administrator can create, modify, and delete a service role from within IAM. For more information, see [Create a role to delegate permissions to an AWS service](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html) in the *IAM User Guide*. 

To learn more about specifying Amazon Comprehend Medical as the service principal, see [Role-based Permissions required for batch operations](security-iam-permissions.md#auth-role-permissions-med).

## Access Control
<a name="access-control-med"></a>

 You must have valid credentials to authenticate your requests. The credentials must have permissions to call an Amazon Comprehend Medical action. 

 The following sections describe how to manage permissions for Amazon Comprehend Medical. We recommend that you read the overview first. 
+ [Overview of managing access permissions to Amazon Comprehend Medical resources](security-iam-accesscontrol.md)
+ [Using Identity-Based policies (IAM policies) for Amazon Comprehend Medical](security-iam-permissions.md)

**Topics**
+ [Authentication](#auth-med)
+ [Access Control](#access-control-med)
+ [Overview of managing access permissions to Amazon Comprehend Medical resources](security-iam-accesscontrol.md)
+ [Using Identity-Based policies (IAM policies) for Amazon Comprehend Medical](security-iam-permissions.md)
+ [Amazon Comprehend Medical API Permissions: actions, resources, and conditions reference](security-iam-resources.md)
+ [AWS managed policies for Amazon Comprehend Medical](security-iam-awsmanpol.md)

# Overview of managing access permissions to Amazon Comprehend Medical resources
<a name="security-iam-accesscontrol"></a>

Permissions policies govern the access to an action. An account administrator attaches permissions policies to IAM identities to manage access to actions. IAM identities include users, groups, and roles.

**Note**  
An *account administrator* (or administrator user) is a user with administrator privileges. For more information, see [IAM Best Practices](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html) in the *IAM User Guide*.

When you grant permissions, you decide both who and what actions get the permissions.

**Topics**
+ [Managing access to actions](#access-control-manage-access-intro-med)
+ [Specifying policy elements: actions, effects, and principals](#access-control-specify-comprehend-actions-med)
+ [Specifying conditions in a policy](#specifying-conditions-med)

## Managing access to actions
<a name="access-control-manage-access-intro-med"></a>

A *permissions policy* describes who has access to what. The following section explains the options for permissions policies.

**Note**  
This section explains IAM in the context of Amazon Comprehend Medical. It doesn't provide detailed information about the IAM service. For more about IAM, see [What Is IAM?](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html) in the *IAM User Guide*. For information about IAM policy syntax and descriptions, see [AWS IAM Policy Reference](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html) in the *IAM User Guide*.

Policies attached to an IAM identity are *identity-based* policies. Policies attached to a resource are *resource-based* policies. Amazon Comprehend Medical supports only identity-based policies. 

### Identity-based policies (IAM policies)
<a name="access-control-manage-access-intro-iam-policies-med"></a>

You can attach policies to IAM identities. Here are two examples.
+ **Attach a permissions policy to a user or a group in your account**. To allow a user or a group of users to call an Amazon Comprehend Medical action, attach a permissions policy to the user, or to a group that contains the user.
+ **Attach a permissions policy to a role to grant cross-account permissions**. To grant cross-account permissions, attach an identity-based policy to an IAM role. For example, the administrator in Account A can create a role to grant cross-account permissions to another account (call it Account B), which could also be an AWS service.

  1. Account A administrator creates an IAM role and attaches a policy to the role that grants permissions to resources in Account A.

  1. Account A administrator attaches a trust policy to the role. The policy identifies Account B as the principal who can assume the role. 

  1. Account B administrator can then delegate permissions to assume the role to any users in Account B. This allows users in Account B to create or access resources in Account A. If you want to grant an AWS service the permissions to assume the role, the principal in the trust policy can also be an AWS service principal.

  For more information about using IAM to delegate permissions, see [Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/access.html) in the *IAM User Guide*.

For more information about using identity-based policies with Amazon Comprehend Medical, see [Using Identity-Based policies (IAM policies) for Amazon Comprehend Medical](security-iam-permissions.md). For more information about users, groups, roles, and permissions, see [Identities (Users, Groups, and Roles)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id.html) in the *IAM User Guide*. 

### Resource-based policies
<a name="access-control-manage-access-intro-resource-policies-med"></a>

Other services, such as AWS Lambda, support resource-based permissions policies. For example, you can attach a policy to an S3 bucket to manage access permissions to that bucket. Amazon Comprehend Medical doesn't support resource-based policies. 

## Specifying policy elements: actions, effects, and principals
<a name="access-control-specify-comprehend-actions-med"></a>

Amazon Comprehend Medical defines a set of API operations. To grant permissions for these API operations, Amazon Comprehend Medical defines a set of actions that you can specify in a policy. 

The four items here are the most basic policy elements.
+ **Resource** – In a policy, use an Amazon Resource Name (ARN) to identify the resource to which the policy applies. For Amazon Comprehend Medical, the resource is always `"*"`.
+ **Action** – Use action keywords to identify operations that you want to allow or deny. For example, depending on the specified effect, `comprehendmedical:DetectEntities` either allows or denies the user permission to perform the Amazon Comprehend Medical `DetectEntities` operation.
+ **Effect** – Specify the effect of the action that occurs when the user requests the specific action—either allow or deny. If you don't explicitly grant access to (allow) a resource, access is implicitly denied. You can also explicitly deny access to a resource. You might do this to make sure that a user cannot access the resource, even if a different policy grants access.
+ **Principal** – In identity-based policies, the user that the policy is attached to is the implicit principal. 

To learn more about IAM policy syntax and descriptions, see [AWS IAM Policy Reference](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html) in the *IAM User Guide*.

For a table showing all of the Amazon Comprehend Medical API actions, see [Amazon Comprehend Medical API Permissions: actions, resources, and conditions reference](security-iam-resources.md).

## Specifying conditions in a policy
<a name="specifying-conditions-med"></a>

When you grant permissions, you use the IAM policy language to specify the conditions under which a policy should take effect. For example, you might want a policy to be applied only after a specific date. For more information about specifying conditions in a policy language, see [Condition](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html#Condition) in the *IAM User Guide*. 

AWS provides a set of predefined condition keys for all AWS services that support IAM for access control. For example, you can use the `aws:userid` condition key to require a specific principal ID when requesting an action. For more information and a complete list of AWS keys, see [Available Keys for Conditions](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html#AvailableKeys) in the *IAM User Guide*. 

Amazon Comprehend Medical does not provide any additional condition keys.
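The policy elements and conditions described above can be exercised offline with a small evaluator. The following Python is an added example, not AWS code or part of this guide; it models only the subset of IAM evaluation discussed on this page (Effect, Action and Resource wildcards, the `StringEquals` condition operator) and uses constructed policy documents modelled on the ones shown later in this guide, including the `iam:PassedToService` condition and a deny that carves PHI-related actions out of `comprehendmedical:*`. Real IAM evaluation has many more rules (NotAction, resource-based policies, SCPs, permissions boundaries, session policies), so treat this as a teaching aid, not a policy simulator.

```python
"""Minimal evaluator for the identity-based policy logic this guide describes.

Added example; it is not AWS code. It models only Effect (Allow/Deny),
Action and Resource glob matching, and the StringEquals condition operator.
"""
import fnmatch

# Constructed policy documents modelled on the ones shown in this guide.
DETECT_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowDetectEntityActions",
        "Effect": "Allow",
        "Action": ["comprehendmedical:DetectEntitiesV2"],
        "Resource": "*",
    }],
}

PASSROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "iam:PassRole",
        "Resource": "*",
        "Condition": {
            "StringEquals": {"iam:PassedToService": "comprehendmedical.amazonaws.com"}
        },
    }],
}

# Full access plus an explicit deny that removes every PHI-related action.
FULL_ACCESS_NO_PHI_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "comprehendmedical:*", "Resource": "*"},
        {"Effect": "Deny",
         "Action": ["comprehendmedical:DetectPHI", "comprehendmedical:*PHIDetectionJob*"],
         "Resource": "*"},
    ],
}


def _as_list(value):
    """Policy elements may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """Case-insensitive glob match, the way IAM matches Action and Resource."""
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))


def _condition_holds(condition, context):
    """Only StringEquals is modelled; every listed key must match exactly."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"condition operator {operator!r} is not modelled")
        for key, expected in pairs.items():
            # A key absent from the request context never satisfies StringEquals.
            if context.get(key) not in _as_list(expected):
                return False
    return True


def evaluate(policies, action, resource="*", context=None):
    """Return "Allow", "Deny" (explicit) or "ImplicitDeny" for one request.

    Precedence follows IAM: an explicit Deny in any matching statement wins,
    otherwise a matching Allow grants access, otherwise access is implicitly denied.
    """
    context = context or {}
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _matches(stmt["Action"], action):
                continue
            if not _matches(stmt["Resource"], resource):
                continue
            if "Condition" in stmt and not _condition_holds(stmt["Condition"], context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


if __name__ == "__main__":
    checks = [
        ([DETECT_ONLY_POLICY], "comprehendmedical:DetectEntitiesV2", {}),
        ([DETECT_ONLY_POLICY], "comprehendmedical:DetectPHI", {}),
        ([PASSROLE_POLICY], "iam:PassRole", {"iam:PassedToService": "comprehendmedical.amazonaws.com"}),
        ([PASSROLE_POLICY], "iam:PassRole", {"iam:PassedToService": "lambda.amazonaws.com"}),
        ([FULL_ACCESS_NO_PHI_POLICY], "comprehendmedical:InferICD10CM", {}),
        ([FULL_ACCESS_NO_PHI_POLICY], "comprehendmedical:StartPHIDetectionJob", {}),
    ]
    for policies, action, ctx in checks:
        label = str(ctx) if ctx else ""
        print(f"{action:45} {label:60} -> {evaluate(policies, action, context=ctx)}")
```

The third policy shows why an explicit `Deny` is worth adding even when a narrower `Allow` would do: when several policies apply to one identity (for example a managed full-access policy plus a custom one), only the `Deny` guarantees the PHI actions stay unreachable.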

# Using Identity-Based policies (IAM policies) for Amazon Comprehend Medical
<a name="security-iam-permissions"></a>

This topic shows example identity-based policies. The examples show how an account administrator can attach permissions policies to IAM identities. This enables users, groups, and roles to perform Amazon Comprehend Medical actions. 

**Important**  
To understand permissions, we recommend [Overview of managing access permissions to Amazon Comprehend Medical resources](security-iam-accesscontrol.md). 

This example policy is required to use the Amazon Comprehend Medical document analysis actions.

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowDetectActions",
            "Effect": "Allow",
            "Action": [
                "comprehendmedical:DetectEntitiesV2",
                "comprehendmedical:DetectPHI",
                "comprehendmedical:StartEntitiesDetectionV2Job",
                "comprehendmedical:ListEntitiesDetectionV2Jobs",
                "comprehendmedical:DescribeEntitiesDetectionV2Job",
                "comprehendmedical:StopEntitiesDetectionV2Job",
                "comprehendmedical:StartPHIDetectionJob",
                "comprehendmedical:ListPHIDetectionJobs",
                "comprehendmedical:DescribePHIDetectionJob",
                "comprehendmedical:StopPHIDetectionJob",
                "comprehendmedical:StartRxNormInferenceJob",
                "comprehendmedical:ListRxNormInferenceJobs",
                "comprehendmedical:DescribeRxNormInferenceJob",
                "comprehendmedical:StopRxNormInferenceJob",
                "comprehendmedical:StartICD10CMInferenceJob",
                "comprehendmedical:ListICD10CMInferenceJobs",
                "comprehendmedical:DescribeICD10CMInferenceJob",
                "comprehendmedical:StopICD10CMInferenceJob",
                "comprehendmedical:StartSNOMEDCTInferenceJob",
                "comprehendmedical:ListSNOMEDCTInferenceJobs",
                "comprehendmedical:DescribeSNOMEDCTInferenceJob",
                "comprehendmedical:StopSNOMEDCTInferenceJob",
                "comprehendmedical:InferRxNorm",
                "comprehendmedical:InferICD10CM",
                "comprehendmedical:InferSNOMEDCT"
            ],
            "Resource": "*"
        }
    ]
}
```

------

The policy has one statement that grants permission to use the `DetectEntitiesV2` and `DetectPHI` actions, along with the inference actions and the asynchronous job actions listed in the statement. 

The policy doesn't specify the `Principal` element because you don't specify the principal who gets the permission in an identity-based policy. When you attach a policy to a user, the user is the implicit principal. When you attach a policy to an IAM role, the principal identified in the role's trust policy gets the permission. 

To see all the Amazon Comprehend Medical API actions and the resources that they apply to, see [Amazon Comprehend Medical API Permissions: actions, resources, and conditions reference](security-iam-resources.md).

## Permissions required to use the Amazon Comprehend Medical console
<a name="auth-console-permissions-med"></a>

The permissions reference table lists the Amazon Comprehend Medical API operations and shows the required permissions for each operation. For more information about Amazon Comprehend Medical API permissions, see [Amazon Comprehend Medical API Permissions: actions, resources, and conditions reference](security-iam-resources.md).

To use the Amazon Comprehend Medical console, grant permissions for the actions shown in the following policy. 

------
#### [ JSON ]

```
{
  "Version": "2012-10-17",
  "Statement": [
      {
         "Effect": "Allow",
         "Action": [
            "iam:CreateRole",
            "iam:CreatePolicy",
            "iam:AttachRolePolicy"
         ],
         "Resource": "*"
      },
      {
         "Effect": "Allow",
         "Action": "iam:PassRole",
         "Resource": "*",
         "Condition": {
                "StringEquals": {
                    "iam:PassedToService": "comprehendmedical.amazonaws.com"
                }
         }
      }
   ]
}
```

------

The Amazon Comprehend Medical console needs these permissions for the following reasons:
+ `iam` permissions to list the available IAM roles for your account.
+ `s3` permissions to access the Amazon S3 buckets and objects that contain the data.

When you create an asynchronous batch job using the console, you can also create an IAM role for your job. To create an IAM role using the console, users must be granted the additional permissions shown here to create IAM roles and policies, and to attach policies to roles.

------
#### [ JSON ]

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "iam:CreateRole",
        "iam:CreatePolicy",
        "iam:AttachRolePolicy"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
```

------

The Amazon Comprehend Medical console needs these permissions to create roles and policies and to attach policies to roles. The `iam:PassRole` action enables the console to pass the role to Amazon Comprehend Medical.

## AWS managed (predefined) policies for Amazon Comprehend Medical
<a name="access-policy-aws-managed-policies-med"></a>

AWS addresses many common use cases by providing standalone IAM policies that are created and administered by AWS. These AWS managed policies grant necessary permissions for common use cases so that you can avoid having to investigate what permissions are needed. For more information, see [AWS Managed Policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) in the *IAM User Guide*. 

The following AWS managed policy, which you can attach to users in your account, is specific to Amazon Comprehend Medical.
+ **ComprehendMedicalFullAccess** – Grants full access to Amazon Comprehend Medical resources. Includes permission to list and get IAM roles.

You must apply the following additional policy to any user using Amazon Comprehend Medical:

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": "comprehendmedical.amazonaws.com"
                }
            }
        }
    ]
}
```

------

You can review the managed permissions policies by signing in to the IAM console and searching for specific policies there.

These policies work when you are using AWS SDKs or the AWS CLI.

You can also create your own IAM policies to allow permissions for Amazon Comprehend Medical actions and resources. You can attach these custom policies to the IAM users or groups that require them. 

## Role-based Permissions required for batch operations
<a name="auth-role-permissions-med"></a>

To use the Amazon Comprehend Medical asynchronous operations, grant Amazon Comprehend Medical access to the Amazon S3 bucket that contains your document collection. Do this by creating a data access role in your account to trust the Amazon Comprehend Medical service principal. For more information about creating a role, see [Creating a Role to Delegate Permissions to an AWS Service](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html) in the *AWS Identity and Access Management User Guide*. 

The following is the role's trust policy.

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "comprehendmedical.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
```

------

After you have created the role, create an access policy for it. The policy should grant the Amazon S3 `GetObject` and `ListBucket` permissions on the Amazon S3 bucket that contains your input data, and the Amazon S3 `PutObject` permission on your Amazon S3 output data bucket. 

The following example access policy contains those permissions. Replace `input-bucket` and `output-bucket` with the names of your buckets.

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::input-bucket/*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::input-bucket"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::output-bucket/*"
            ],
            "Effect": "Allow"
        }
    ]
}
```
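Because the data access role is assumed by the service and reads patient documents, its two policy documents are worth checking mechanically before they are deployed. The following Python is an added example, not AWS tooling: it checks a trust policy and an access policy against the shape this section describes (only the `comprehendmedical.amazonaws.com` service principal may call `sts:AssumeRole`; S3 grants are limited to `GetObject`/`ListBucket` on the input bucket and `PutObject` on the output bucket, with no wildcard resources). The bucket names and policy documents in the block are constructed placeholders.

```python
"""Static least-privilege checks for the Comprehend Medical data access role.

Added example, not AWS tooling. Bucket names and documents are constructed.
"""

SERVICE_PRINCIPAL = "comprehendmedical.amazonaws.com"

# Constructed documents matching the trust and access policies in this section.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": SERVICE_PRINCIPAL},
        "Action": "sts:AssumeRole",
    }],
}

ACCESS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Action": ["s3:GetObject"], "Resource": ["arn:aws:s3:::input-bucket/*"], "Effect": "Allow"},
        {"Action": ["s3:ListBucket"], "Resource": ["arn:aws:s3:::input-bucket"], "Effect": "Allow"},
        {"Action": ["s3:PutObject"], "Resource": ["arn:aws:s3:::output-bucket/*"], "Effect": "Allow"},
    ],
}

# A common over-broad variant that the checker should reject.
OVERBROAD_ACCESS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_trust_policy(doc):
    """Return a list of findings; an empty list means the trust policy is as expected."""
    findings = []
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append("trust policy lets any principal assume the role")
            continue
        if "AWS" in principal:
            findings.append("trust policy names an account or user principal; "
                            "only the service should assume this role")
        for service in _as_list(principal.get("Service", [])):
            if service != SERVICE_PRINCIPAL:
                findings.append(f"unexpected service principal {service}")
        for action in _as_list(stmt.get("Action", [])):
            if action.lower() != "sts:assumerole":
                findings.append(f"unexpected action in trust policy: {action}")
    return findings


def check_access_policy(doc, input_bucket, output_bucket):
    """Compare the S3 permissions granted with the minimum the batch job needs."""
    expected = {
        "s3:GetObject": f"arn:aws:s3:::{input_bucket}/*",
        "s3:ListBucket": f"arn:aws:s3:::{input_bucket}",
        "s3:PutObject": f"arn:aws:s3:::{output_bucket}/*",
    }
    granted = {}
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt["Action"]):
            granted.setdefault(action, set()).update(_as_list(stmt["Resource"]))

    findings = []
    for action, resource in expected.items():
        if resource not in granted.get(action, set()):
            findings.append(f"missing {action} on {resource}")
    for action, resources in granted.items():
        if action not in expected:
            findings.append(f"{action} is not needed by the batch job")
        for resource in resources:
            # A trailing "/*" (all objects in one bucket) is expected; any other "*" is not.
            if "*" in resource.replace("/*", ""):
                findings.append(f"{action} granted on wildcard resource {resource}")
            elif resource not in expected.values():
                findings.append(f"{action} granted on unexpected resource {resource}")
    return findings


if __name__ == "__main__":
    print("trust policy:", check_trust_policy(TRUST_POLICY) or "ok")
    print("access policy:", check_access_policy(ACCESS_POLICY, "input-bucket", "output-bucket") or "ok")
    print("over-broad policy:", check_access_policy(OVERBROAD_ACCESS_POLICY, "input-bucket", "output-bucket"))
```

The same checks can be run against live documents by fetching them with `iam:GetRole` and `iam:GetPolicyVersion` and passing the parsed JSON to the two functions; nothing in the block itself calls AWS.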

------

## Customer managed policy examples
<a name="access-policy-customer-managed-examples-med"></a>

In this section, you can find example user policies that grant permissions for various Amazon Comprehend Medical actions. These policies work when you are using AWS SDKs or the AWS CLI. When you are using the console, you must grant permissions to all the Amazon Comprehend Medical APIs. This is discussed in [Permissions required to use the Amazon Comprehend Medical console](#auth-console-permissions-med).

**Note**  
All examples use the us-east-2 Region and contain fictitious account IDs.

**Examples**  


### Example 1: Allow all Amazon Comprehend Medical actions
<a name="custom-policy-1-med"></a>

After you sign up for AWS, you create an administrator to manage your account, including creating users and managing their permissions. 

You can choose to create a user who has permissions for all Amazon Comprehend Medical actions. Think of this user as a service-specific administrator for working with Amazon Comprehend Medical. You can attach the following permissions policy to this user.

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowAllComprehendMedicalActions",
            "Effect": "Allow",
            "Action": [
                "comprehendmedical:*"
            ],
            "Resource": "*"
        }
    ]
}
```

------

### Example 2: Allow only DetectEntities actions
<a name="custom-policy-2-med"></a>

The following permissions policy grants a user permission to detect entities in Amazon Comprehend Medical, but not to call the PHI detection operations.

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowDetectEntityActions",
            "Effect": "Allow",
            "Action": [
                "comprehendmedical:DetectEntitiesV2"
            ],
            "Resource": "*"
        }
    ]
}
```

------

# Amazon Comprehend Medical API Permissions: actions, resources, and conditions reference
<a name="security-iam-resources"></a>

Use the following table as a reference when setting up [Access Control](security-iam.md#access-control-med) and writing a permissions policy that you can attach to a user. The table lists each Amazon Comprehend Medical API operation, the corresponding action for which you can grant permission, and the AWS resource for which you can grant it. You specify the actions in the policy's `Action` field, and you specify the resource value in the policy's `Resource` field. 

To express conditions, you can use AWS condition keys in your Amazon Comprehend Medical policies. For a complete list of keys, see [Available Keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html#AvailableKeys) in the *IAM User Guide*. 

**Note**  
To specify an action, use the `comprehendmedical:` prefix followed by the API operation name, for example, `comprehendmedical:DetectEntities`.



**Amazon Comprehend Medical API and Required Permissions for Actions**  

| Amazon Comprehend Medical API Operations | Required Permissions (API Actions) | Resources | 
| --- | --- | --- | 
| DescribeEntitiesDetectionV2Job | comprehendmedical:DescribeEntitiesDetectionV2Job | `*` | 
| DescribePHIDetectionJob | comprehendmedical:DescribePHIDetectionJob | `*` | 
| DetectEntities | comprehendmedical:DetectEntities | `*` | 
| DetectEntitiesV2 | comprehendmedical:DetectEntitiesV2 | `*` | 
| DetectPHI | comprehendmedical:DetectPHI | `*` | 
| ListEntitiesDetectionV2Jobs | comprehendmedical:ListEntitiesDetectionV2Jobs | `*` | 
| ListPHIDetectionJobs | comprehendmedical:ListPHIDetectionJobs | `*` | 
| StartEntitiesDetectionV2Job | comprehendmedical:StartEntitiesDetectionV2Job | `*` | 
| StartPHIDetectionJob | comprehendmedical:StartPHIDetectionJob | `*` | 
| StopEntitiesDetectionV2Job | comprehendmedical:StopEntitiesDetectionV2Job | `*` | 
| StopPHIDetectionJob | comprehendmedical:StopPHIDetectionJob | `*` | 
| InferICD10CM | comprehendmedical:InferICD10CM | `*` | 
| InferRxNorm | comprehendmedical:InferRxNorm | `*` | 
| InferSNOMEDCT | comprehendmedical:InferSNOMEDCT | `*` | 
| StartICD10CMInferenceJob | comprehendmedical:StartICD10CMInferenceJob | `*` | 
| StartRxNormInferenceJob | comprehendmedical:StartRxNormInferenceJob | `*` | 
| StartSNOMEDCTInferenceJob | comprehendmedical:StartSNOMEDCTInferenceJob | `*` | 
| ListICD10CMInferenceJobs | comprehendmedical:ListICD10CMInferenceJobs | `*` | 
| ListRxNormInferenceJobs | comprehendmedical:ListRxNormInferenceJobs | `*` | 
| ListSNOMEDCTInferenceJobs | comprehendmedical:ListSNOMEDCTInferenceJobs | `*` | 
| StopICD10CMInferenceJob | comprehendmedical:StopICD10CMInferenceJob | `*` | 
| StopRxNormInferenceJob | comprehendmedical:StopRxNormInferenceJob | `*` | 
| StopSNOMEDCTInferenceJob | comprehendmedical:StopSNOMEDCTInferenceJob | `*` | 
| DescribeICD10CMInferenceJob | comprehendmedical:DescribeICD10CMInferenceJob | `*` | 
| DescribeRxNormInferenceJob | comprehendmedical:DescribeRxNormInferenceJob | `*` | 
| DescribeSNOMEDCTInferenceJob | comprehendmedical:DescribeSNOMEDCTInferenceJob | `*` | 

# AWS managed policies for Amazon Comprehend Medical
<a name="security-iam-awsmanpol"></a>

An AWS managed policy is a standalone policy that is created and administered by AWS. AWS managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles.

Keep in mind that AWS managed policies might not grant least-privilege permissions for your specific use cases because they're available for all AWS customers to use. We recommend that you reduce permissions further by defining [customer managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#customer-managed-policies) that are specific to your use cases.

You cannot change the permissions defined in AWS managed policies. If AWS updates the permissions defined in an AWS managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to. AWS is most likely to update an AWS managed policy when a new AWS service is launched or new API operations become available for existing services.

For more information, see [AWS managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) in the *IAM User Guide*.

**Topics**
+ [AWS managed policy: ComprehendMedicalFullAccess](#security-iam-awsmanpol-ComprehendMedicalFullAccess)
+ [Amazon Comprehend Medical updates to AWS managed policies](#security-iam-awsmanpol-updates)

## AWS managed policy: ComprehendMedicalFullAccess
<a name="security-iam-awsmanpol-ComprehendMedicalFullAccess"></a>

You can attach the `ComprehendMedicalFullAccess` policy to your IAM identities.

This policy grants administrative permission to all Amazon Comprehend Medical actions.

------
#### [ JSON ]

```
{
  "Version": "2012-10-17",
  "Statement" : [
    {
      "Action" : [
        "comprehendmedical:*"
      ],
      "Effect" : "Allow",
      "Resource" : "*"
    }
  ]
}
```

------

## Amazon Comprehend Medical updates to AWS managed policies
<a name="security-iam-awsmanpol-updates"></a>

View details about updates to AWS managed policies for Amazon Comprehend Medical since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the [Document history](comprehendmedical-releases.md) page.

| Change | Description | Date | 
| --- | --- | --- | 
|  Amazon Comprehend Medical started tracking changes  |  Amazon Comprehend Medical started tracking changes for its AWS managed policies.  | November 27, 2018 | 

# Logging Amazon Comprehend Medical API calls using AWS CloudTrail
<a name="logging-using-cloudtrail"></a>

Amazon Comprehend Medical is integrated with AWS CloudTrail. CloudTrail is a service that provides a record of actions taken by a user, role, or an AWS service from within Amazon Comprehend Medical. CloudTrail captures all API calls for Amazon Comprehend Medical as events. The calls captured include calls from the Amazon Comprehend Medical console and code calls to the Amazon Comprehend Medical API operations. If you create a trail, you can enable continuous delivery of CloudTrail events to an Amazon S3 bucket, including events for Amazon Comprehend Medical. If you don't configure a trail, you can still view the most recent events in the CloudTrail console in **Event history**. Using the information collected by CloudTrail, you can determine several things such as:
+ The request that was made to Amazon Comprehend Medical
+ The IP address from which the request was made
+ Who made the request
+ When the request was made
+ Other details

To learn more about CloudTrail, see the [AWS CloudTrail User Guide](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/).

## Amazon Comprehend Medical information in CloudTrail
<a name="service-name-info-in-cloudtrail2"></a>

CloudTrail is enabled on your AWS account when you create the account. When activity occurs in Amazon Comprehend Medical, that activity is recorded in a CloudTrail event along with other AWS service events in **Event history**. You can view, search, and download recent events in your AWS account. For more information, see [Viewing Events with CloudTrail Event History](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/view-cloudtrail-events.html). 

For an ongoing record of events in your AWS account, including events for Amazon Comprehend Medical, create a trail. A *trail* enables CloudTrail to deliver log files to an Amazon S3 bucket. By default, when you create a trail in the console, the trail applies to all AWS Regions. The trail logs events from all Regions in the AWS partition and delivers the log files to the Amazon S3 bucket that you specify. Additionally, you can configure other AWS services to further analyze and act upon the event data collected in CloudTrail logs. For more information, see the following: 
+ [Overview for Creating a Trail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-and-update-a-trail.html)
+ [CloudTrail Supported Services and Integrations](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-aws-service-specific-topics.html#cloudtrail-aws-service-specific-topics-integrations)
+ [Configuring Amazon SNS Notifications for CloudTrail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/getting_notifications_top_level.html)
+ [Receiving CloudTrail Log Files from Multiple Regions](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html) and [Receiving CloudTrail Log Files from Multiple Accounts](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-receive-logs-from-multiple-accounts.html)

All Amazon Comprehend Medical actions are logged by CloudTrail and are documented in the [Amazon Comprehend Medical API Reference](https://docs.aws.amazon.com/comprehend/latest/dg/API_Operations_AWS_Comprehend_Medical.html). For example, calls to the `DetectEntitiesV2`, `DetectPHI` and `ListEntitiesDetectionV2Jobs` actions generate entries in the CloudTrail log files. 

Every event or log entry contains information about who generated the request. The identity information helps you determine the following: 
+ Whether the request was made with root or AWS Identity and Access Management (IAM) user credentials.
+ Whether the request was made with temporary security credentials for a role or federated user.
+ Whether the request was made by another AWS service.

For more information, see the [CloudTrail userIdentity Element](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html).

## Understanding Amazon Comprehend Medical log file entries
<a name="understanding-service-name-entries2"></a>

A trail is a configuration that enables delivery of events as log files to an Amazon S3 bucket that you specify. CloudTrail log files contain one or more log entries. An event represents a single request from any source. The event includes information about the requested action, such as the date and time or request parameters. CloudTrail log files aren't an ordered stack trace of the public API calls, so they don't appear in any specific order. 

The following example shows a CloudTrail log entry that demonstrates the `DetectEntitiesV2` action.

```json
{
    "eventVersion": "1.05",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "AIDACKCEVSQ6C2EXAMPLE",
        "arn": "arn:aws:iam::123456789012:user/Mateo_Jackson",
        "accountId": "123456789012",
        "accessKeyId": "ASIAXHKUFODNN8EXAMPLE",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "AIDACKCEVSQ6C2EXAMPLE",
                "arn": "arn:aws:iam::123456789012:user/Mateo_Jackson",
                "accountId": "123456789012",
                "userName": "Mateo_Jackson"
            },
            "webIdFederationData": {},
            "attributes": {
                "mfaAuthenticated": "false",
                "creationDate": "2019-09-27T20:07:27Z"
            }
        }
    },
    "eventTime": "2019-09-27T20:10:26Z",
    "eventSource": "comprehendmedical.amazonaws.com",
    "eventName": "DetectEntitiesV2",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "702.21.198.166",
    "userAgent": "aws-internal/3 aws-sdk-java/1.11.590 Linux/4.9.184-0.1.ac.235.83.329.metal1.x86_64 OpenJDK_64-Bit_Server_VM/25.212-b03 java/1.8.0_212 vendor/Oracle_Corporation",
    "requestParameters": null,
    "responseElements": null,
    "requestID": "8d85f2ec-EXAMPLE",
    "eventID": "ae9be9b1-EXAMPLE",
    "eventType": "AwsApiCall",
    "recipientAccountId": "123456789012"
}
```
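
The fields above (`eventSource`, `eventName`, `userIdentity.type`, `sessionContext.attributes.mfaAuthenticated`) are what a detection rule over delivered log files keys on. The following added example (not part of the original documentation) runs such a rule over a constructed CloudTrail log file modelled on the entry above: it flags Comprehend Medical calls made with root credentials and PHI-bearing calls (`DetectEntitiesV2`, `DetectPHI`) made without MFA, and ignores events from other services. Account id, ARNs and addresses are constructed placeholders.

```python
import json

# Constructed CloudTrail log file (not real output), modelled on the DetectEntitiesV2
# entry shown above; account id, ARNs and addresses are documentation placeholders.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2019-09-27T20:10:26Z", "eventSource": "comprehendmedical.amazonaws.com",
     "eventName": "DetectEntitiesV2", "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/Mateo_Jackson",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}}},
    {"eventTime": "2019-09-27T20:12:00Z", "eventSource": "comprehendmedical.amazonaws.com",
     "eventName": "DetectPHI", "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.10",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"}},
    {"eventTime": "2019-09-27T20:13:00Z", "eventSource": "comprehendmedical.amazonaws.com",
     "eventName": "DetectEntitiesV2", "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.11",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/ingest-app/worker-1",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}},
    {"eventTime": "2019-09-27T20:14:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.11",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/ingest-app/worker-1"}},
]})

# Synchronous operations whose request carries clinical text (see the API list above).
PHI_ACTIONS = {"DetectEntitiesV2", "DetectPHI"}


def triage(log_text: str) -> list:
    """Flag Comprehend Medical events made with root credentials or PHI calls without MFA."""
    findings = []
    for rec in json.loads(log_text)["Records"]:
        if rec.get("eventSource") != "comprehendmedical.amazonaws.com":
            continue                      # other services' events are out of scope here
        ident = rec.get("userIdentity", {})
        mfa = ident.get("sessionContext", {}).get("attributes", {}).get("mfaAuthenticated")
        reasons = []
        if ident.get("type") == "Root":
            reasons.append("root credentials")
        if rec.get("eventName") in PHI_ACTIONS and mfa != "true":
            reasons.append("PHI call without MFA")
        if reasons:
            findings.append({"time": rec["eventTime"], "eventName": rec["eventName"],
                             "arn": ident.get("arn"), "sourceIPAddress": rec.get("sourceIPAddress"),
                             "reasons": reasons})
    return findings
```

Note that `requestParameters` is `null` in the entry above, so the clinical text itself never appears in the trail; what you get is who called which operation, from where, and when. Tune the MFA rule to your identities in production, since instance and service roles never carry an MFA attribute.
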

# Compliance validation for Amazon Comprehend Medical
<a name="compliance-validation"></a>

Third-party auditors assess the security and compliance of Amazon Comprehend Medical as part of multiple AWS compliance programs. These include PCI, FedRAMP, HIPAA, and others. You can download third-party audit reports using AWS Artifact. For more information, see [Downloading Reports in AWS Artifact](https://docs.aws.amazon.com/artifact/latest/ug/downloading-documents.html).

Your compliance responsibility when using Amazon Comprehend Medical is determined by the sensitivity of your data, your company's compliance objectives, and applicable laws and regulations. AWS provides the following resources to help with compliance:
+ [Security and Compliance Quick Start Guides](https://aws.amazon.com/quickstart/?awsf.quickstart-homepage-filter=categories%23security-identity-compliance) – These deployment guides discuss architectural considerations and provide steps for deploying security- and compliance-focused baseline environments on AWS.
+ [Architecting for HIPAA Security and Compliance Whitepaper](https://docs.aws.amazon.com/whitepapers/latest/architecting-hipaa-security-and-compliance-on-aws/architecting-hipaa-security-and-compliance-on-aws.html) – This whitepaper describes how companies can use AWS to create HIPAA-compliant applications.
+ [AWS Compliance Resources](https://aws.amazon.com/compliance/resources/) – This collection of workbooks and guides might apply to your industry and location.
+ [AWS Config](https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config.html) – This AWS service assesses how well your resource configurations comply with internal practices, industry guidelines, and regulations.
+ [AWS Security Hub CSPM](https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html) – This AWS service provides a comprehensive view of your security state within AWS that helps you check your compliance with security industry standards and best practices.

For a list of AWS services in scope of specific compliance programs, see [AWS Services in Scope by Compliance Program](https://aws.amazon.com/compliance/services-in-scope/). For general information, see [AWS Compliance Programs](https://aws.amazon.com/compliance/programs/).

# Resilience in Amazon Comprehend Medical
<a name="resilience"></a>

The AWS global infrastructure is built around AWS Regions and Availability Zones. AWS Regions provide multiple physically separated and isolated Availability Zones, which are connected with low-latency, high-throughput, and highly redundant networking. With Availability Zones, you can design and operate applications and databases that automatically fail over between Availability Zones without interruption. Availability Zones are more highly available, fault tolerant, and scalable than traditional single or multiple data center infrastructures. 

For more information about AWS Regions and Availability Zones, see [AWS Global Infrastructure](https://aws.amazon.com/about-aws/global-infrastructure/).

# Infrastructure security in Amazon Comprehend Medical
<a name="infrastructure-security"></a>

As a managed service, Amazon Comprehend Medical is protected by the AWS global network security procedures that are described in the [Amazon Web Services: Overview of Security Processes](https://d0.awsstatic.com/whitepapers/Security/AWS_Security_Whitepaper.pdf) whitepaper.

To access Amazon Comprehend Medical through the network, you use AWS published API calls. Clients must support Transport Layer Security (TLS) 1.0 or later. We recommend TLS 1.2 or later. Clients must also support cipher suites with perfect forward secrecy (PFS), such as Ephemeral Diffie-Hellman (DHE) or Elliptic Curve Ephemeral Diffie-Hellman (ECDHE). Most modern systems, such as Java 7 and later, support these modes.

Additionally, requests must be signed by using an access key ID and a secret access key that is associated with an AWS Identity and Access Management (IAM) principal. Or you can use the [AWS Security Token Service](https://docs.aws.amazon.com/STS/latest/APIReference/Welcome.html) (AWS STS) to generate temporary security credentials to sign requests.
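
To show what "requests must be signed" involves, here is an added example (not AWS SDK code; the SDKs and CLI sign for you) that computes the AWS Signature Version 4 `Authorization` header for one constructed Comprehend Medical request. The credentials are the AWS documentation placeholders, and the endpoint host name and request body are assumptions; TLS is handled by the transport and is not shown.

```python
import hashlib
import hmac
from urllib.parse import quote

# Added example, not AWS SDK code: AWS Signature Version 4 (SigV4) for a single
# request. Credentials, endpoint host name and body below are constructed placeholders.


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def sigv4_authorization(access_key: str, secret_key: str, region: str, service: str,
                        host: str, body: str, amz_date: str,
                        method: str = "POST", path: str = "/") -> str:
    """Return the Authorization header value; amz_date is YYYYMMDDTHHMMSSZ (UTC)."""
    date_stamp = amz_date[:8]
    headers = {"host": host, "x-amz-date": amz_date}      # headers covered by the signature
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k]}\n" for k in sorted(headers))
    payload_hash = hashlib.sha256(body.encode("utf-8")).hexdigest()
    canonical_request = "\n".join([method, quote(path, safe="/"), "",   # "" = empty query string
                                   canonical_headers, signed_headers, payload_hash])
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()])
    # Derive the per-day, per-region, per-service signing key from the secret access key;
    # the secret itself never goes on the wire, only this HMAC chain's final output.
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    k_signing = _hmac_sha256(k_service, "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    return (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
            f"SignedHeaders={signed_headers}, Signature={signature}")


if __name__ == "__main__":
    # Constructed placeholders (AWS documentation example keys); never embed real credentials.
    print(sigv4_authorization("AKIAIOSFODNN7EXAMPLE", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
                              "us-east-1", "comprehendmedical",
                              "comprehendmedical.us-east-1.amazonaws.com",
                              '{"Text": "constructed clinical note"}', "20190927T201026Z"))
```

Because the payload hash is part of the canonical request, any change to the body after signing invalidates the signature, and because `x-amz-date` is signed, a captured request cannot be replayed outside the service's clock-skew window. Temporary credentials from AWS STS are used the same way, with the session token sent in an additional signed header.
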