

# Creating a FHIR Subscription with AWS HealthLake
<a name="managing-fhir-subscriptions-create"></a>

The following guide shows you how to create a FHIR Subscription using AWS HealthLake. 

**To create a FHIR Subscription**

1. Create a `SubscriptionTopic`.

   Example Subscription Topic resource:

   ```
   {
     "resourceType": "SubscriptionTopic",
     "url": "http://example.org/FHIR/SubscriptionTopic/encounter-create",
     "version": "1.0.0-fhir.r4b",
     "title": "encounter-create",
     "status": "unknown",
     "description": "Example topic for new encounters",
     "resourceTrigger": [
       {
         "description": "Encounter Create",
         "resource": "Encounter",
         "supportedInteraction": ["create", "update"]
       }
     ]
   }
   ```

1. Prepare your notification endpoint (custom channel). The following steps are required to ensure that the endpoint receives notifications.

   **When using REST Hook**
   + If you use a CM\_CMK datastore, trust `events.amazonaws.com` in your KMS key policy.
   + If you use a CM\_CMK datastore, you must add the `EventBridgeApiDestinations` tag to your KMS key with the value `true`.
   + HealthLake uses OAuth to authenticate your REST Hook endpoint. Therefore, when creating a REST Hook subscription, you must pass a `client-id`, `client-secret`, and `oAuth-endpoint-url` in `channel._type.extension[*]`.

   Example KMS key policy if using CM\_CMK datastore:

   ```
   {
     "Sid": "AllowEventBridgeToUseKMSKey",
     "Effect": "Allow",
     "Principal": {
       "Service": ["events.amazonaws.com", "healthlake.amazonaws.com"]
     },
     "Action": ["kms:GenerateDataKey*", "kms:Decrypt", "kms:DescribeKey"],
     "Resource": "*"
   }
   ```

   **When using EventBridge**
   + If you use a CM\_CMK datastore, trust `events.amazonaws.com` in your KMS key policy.
   + Verify that your EventBridge resource policy trusts `healthlake.amazonaws.com` as a service principal.
   + When using CM\_CMK with EventBridge as the endpoint, verify that your EventBridge bus is encrypted with the **same** KMS key as the **datastore** KMS key.
   + Verify that your EventBridge bus has at least one rule that matches events generated by HealthLake.

   Example resource policy for EventBridge channel bus:

   ```
   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Sid": "allowHealthlakeToPutEvents",
         "Effect": "Allow",
         "Principal": {
           "Service": "healthlake.amazonaws.com"
         },
         "Action": "events:PutEvents",
         "Resource": "arn:aws:events:us-east-1:{{111122223333}}:event-bus/FhirSubscriptions-bus"
       }
     ]
   }
   ```

   Example EventBridge rule event-pattern to receive events from HealthLake:

   ```
   {
       "detail-type": ["FHIR Subscription Notification"],
       "source": ["healthlake"]
   }
   ```

   **Note**  
   HealthLake supports 2 sources:  
   `"healthlake"`: Only for Subscriptions.  
   `"aws.healthlake"`: To receive HealthLake service events.  
   Use `"healthlake"` as the source when creating a rule for FHIR Subscriptions event buses.

1. Create your `Subscription`.

   Submit a Subscription resource with:
   + Status: `"requested"`
   + Reference to your chosen `SubscriptionTopic` id 
   + Filter criteria. For more information, see Filtering Notifications for supported filters.
   + Channel configuration
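
An offline preflight for the endpoint prerequisites in step 2, added here as an example and not AWS code: it takes key policy statements, key tags, bus policy statements and rule patterns that you have already exported as JSON and reports which of the listed conditions are unmet. The `cfg` keys, function names and placeholder ARNs are assumptions, and the check ignores `Condition` blocks and `Deny` statements.

```python
def _listify(v):
    return v if isinstance(v, list) else [v]

def allows(statements, service, action):
    """True if an Allow statement names `service` as principal and covers `action`."""
    for st in statements:
        principal = st.get("Principal")
        services = _listify(principal.get("Service", [])) if isinstance(principal, dict) else []
        covered = any(a == action or (a.endswith("*") and action.startswith(a[:-1]))
                      for a in _listify(st.get("Action", [])))
        if st.get("Effect") == "Allow" and service in services and covered:
            return True
    return False

def rule_matches(pattern):
    """An absent pattern field matches anything; a present one must list the value."""
    src, dt = pattern.get("source"), pattern.get("detail-type")
    return ((src is None or "healthlake" in src)
            and (dt is None or "FHIR Subscription Notification" in dt))

# Assumption: the three actions in the page's example key policy are the required set.
KMS_ACTIONS = ("kms:GenerateDataKey", "kms:Decrypt", "kms:DescribeKey")
def preflight(cfg):
    """Return unmet prerequisites; cfg['channel'] is 'rest-hook' or 'eventbridge'."""
    problems = []
    cmk, key_stmts = cfg.get("cmk", False), cfg.get("key_statements", [])
    if cmk and not all(allows(key_stmts, "events.amazonaws.com", a) for a in KMS_ACTIONS):
        problems.append("key policy does not trust events.amazonaws.com")
    if cfg["channel"] == "rest-hook":
        if cmk and cfg.get("key_tags", {}).get("EventBridgeApiDestinations") != "true":
            problems.append("key lacks tag EventBridgeApiDestinations=true")
    else:
        if not allows(cfg.get("bus_statements", []), "healthlake.amazonaws.com", "events:PutEvents"):
            problems.append("bus policy does not trust healthlake.amazonaws.com")
        if cmk and cfg.get("bus_key_arn") != cfg.get("datastore_key_arn"):
            problems.append("bus and datastore use different KMS keys")
        if not any(rule_matches(p) for p in cfg.get("rule_patterns", [])):
            problems.append('no rule matches source "healthlake"')
    return problems

# Constructed sample modelled on the page's examples; the rule uses the wrong source.
KEY_STMT = {"Effect": "Allow", "Resource": "*",
            "Principal": {"Service": ["events.amazonaws.com", "healthlake.amazonaws.com"]},
            "Action": ["kms:GenerateDataKey*", "kms:Decrypt", "kms:DescribeKey"]}
BUS_STMT = {"Effect": "Allow", "Principal": {"Service": "healthlake.amazonaws.com"},
            "Action": "events:PutEvents", "Resource": "BUS-ARN-PLACEHOLDER"}
SAMPLE = {"channel": "eventbridge", "cmk": True, "key_statements": [KEY_STMT],
          "bus_statements": [BUS_STMT], "bus_key_arn": "KEY-ARN-PLACEHOLDER",
          "datastore_key_arn": "KEY-ARN-PLACEHOLDER", "rule_patterns": [
              {"detail-type": ["FHIR Subscription Notification"], "source": ["aws.healthlake"]}]}
```

Calling `preflight(SAMPLE)` flags the rule, because `"aws.healthlake"` is the service-event source and does not match Subscription notifications.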