Setting up AWS HealthImaging

You must set up your AWS environment before using AWS HealthImaging. The following topics are prerequisites for the tutorial located in the next section.

Sign up for an AWS account

If you do not have an AWS account, complete the following steps to create one.

To sign up for an AWS account

1. Open https://portal.aws.amazon.com/billing/signup.

2. Follow the online instructions.

   Part of the sign-up procedure involves receiving a phone call and entering a verification code on the phone keypad.

   When you sign up for an AWS account, an AWS account root user is created. The root user has access to all AWS services and resources in the account. As a security best practice, assign administrative access to a user, and use only the root user to perform tasks that require root user access.

AWS sends you a confirmation email after the sign-up process is complete. At any time, you can view your current account activity and manage your account by going to https://aws.amazon.com/ and choosing My Account.

Create a user with administrative access

After you sign up for an AWS account, secure your AWS account root user, enable AWS IAM Identity Center, and create an administrative user so that you don't use the root user for everyday tasks.

Secure your AWS account root user

1. Sign in to the AWS Management Console as the account owner by choosing Root user and entering your AWS account email address. On the next page, enter your password.

   For help signing in by using root user, see Signing in as the root user in the AWS Sign-In User Guide.

2. Turn on multi-factor authentication (MFA) for your root user.

   For instructions, see Enable a virtual MFA device for your AWS account root user (console) in the IAM User Guide.

Create a user with administrative access

1. Enable IAM Identity Center.

   For instructions, see Enabling AWS IAM Identity Center in the AWS IAM Identity Center User Guide.

2. In IAM Identity Center, grant administrative access to a user.

   For a tutorial about using the IAM Identity Center directory as your identity source, see Configure user access with the default IAM Identity Center directory in the AWS IAM Identity Center User Guide.

Sign in as the user with administrative access

• To sign in with your IAM Identity Center user, use the sign-in URL that was sent to your email address when you created the IAM Identity Center user.

  For help signing in using an IAM Identity Center user, see Signing in to the AWS access portal in the AWS Sign-In User Guide.

Assign access to additional users

1. In IAM Identity Center, create a permission set that follows the best practice of applying least-privilege permissions.

   For instructions, see Create a permission set in the AWS IAM Identity Center User Guide.

2. Assign users to a group, and then assign single sign-on access to the group.

   For instructions, see Add groups in the AWS IAM Identity Center User Guide.

Create S3 buckets

To import DICOM P10 data into AWS HealthImaging, two Amazon S3 buckets are recommended. The Amazon S3 input bucket stores the DICOM P10 data to be imported and HealthImaging reads from this bucket. The Amazon S3 output bucket stores the processing results of the import job and HealthImaging writes to this bucket. For a visual representation of this, see the diagram at Understanding import jobs.

Note

Due to AWS Identity and Access Management (IAM) policy, your Amazon S3 bucket names must be unique. For more information, see Bucket naming rules in the Amazon Simple Storage Service User Guide.

For the purpose of this guide, we specify the following Amazon S3 input and output buckets in the IAM role for import.

• Input bucket: arn:aws:s3:::medical-imaging-dicom-input

• Output bucket: arn:aws:s3:::medical-imaging-output

For additional information, see Creating a bucket in the Amazon S3 User Guide.

Create a data store

When you import your medical imaging data, the AWS HealthImaging data store holds the results of your transformed DICOM P10 files, which are called image sets. For a visual representation of this, see the diagram at Understanding import jobs.

Tip

A datastoreID is generated when you create a data store. You must use the datastoreID when completing the trust relationship for import later in this section.

To create a data store, see Creating a data store.

Create an IAM user with HealthImaging full access permission

Best practice

We suggest you create separate IAM users for different needs such as importing, data access, and data management. This aligns with Grant least privilege access in the AWS Well-Architected Framework.

For the purposes of the Tutorial in the next section, you will be using a single IAM user.

To create an IAM user

1. Follow the instructions for Creating an IAM user in your AWS account in the IAM User Guide. Consider naming the user ahiadmin (or similar) for clarification purposes.

2. Assign the AWSHealthImagingFullAccess managed policy to the IAM user. For more information, see AWS managed policy: AWSHealthImagingFullAccess.

   Note

   IAM permissions can be narrowed. For more information, see AWS managed policies for AWS HealthImaging.

Create an IAM role for import

Note

The following instructions refer to an AWS Identity and Access Management (IAM) role that grants read and write access to Amazon S3 buckets for importing your DICOM data. Although the role is required for the tutorial in the next section, we recommend you add IAM permissions to users, groups, and roles using AWS managed policies for AWS HealthImaging, because they are easier to use than writing policies yourself.

An IAM role is an IAM identity that you can create in your account that has specific permissions. To start an import job, the IAM role that calls the StartDICOMImportJob action must be attached to a user policy that grants access to the Amazon S3 buckets used for reading your DICOM P10 data and storing the import job processing results. It must also be assigned a trust relationship (policy) that enables AWS HealthImaging to assume the role.

To create an IAM role for import purposes

1. Using the IAM Console, create a role named ImportJobDataAccessRole. You use this role for the tutorial in the next section. For more information, see Creating IAM roles in the IAM User Guide.

   Tip

   For the purposes of this guide, the code examples in Starting an import job reference the ImportJobDataAccessRole IAM role.

2. Attach an IAM permission policy to the IAM role. This permission policy grants access to the Amazon S3 input and output buckets. Attach the following permission policy to the IAM role ImportJobDataAccessRole.

   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Action": [
                   "s3:ListBucket"
               ],
               "Resource": [
                   "arn:aws:s3:::medical-imaging-dicom-input",
                   "arn:aws:s3:::medical-imaging-output"
               ],
               "Effect": "Allow"
           },
           {
               "Action": [
                   "s3:GetObject"
               ],
               "Resource": [
                   "arn:aws:s3:::medical-imaging-dicom-input/*"
               ],
               "Effect": "Allow"
           },
           {
               "Action": [
                   "s3:PutObject"
               ],
               "Resource": [
                   "arn:aws:s3:::medical-imaging-output/*"
               ],
               "Effect": "Allow"
           }
       ]
   }
   

3. Attach the following trust relationship (policy) to the ImportJobDataAccessRole IAM role. The trust policy requires the datastoreId that was generated when you completed the section Create a data store. The tutorial following this topic assumes you are using one AWS HealthImaging data store, but with data store-specific Amazon S3 buckets, IAM roles, and trust policies.

   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Effect": "Allow",
               "Principal": {
                   "Service": "medical-imaging.amazonaws.com"
               },
               "Action": "sts:AssumeRole",
               "Condition": {
                   "ForAllValues:StringEquals": {
                       "aws:SourceAccount": "accountId"
                   },
                   "ForAllValues:ArnEquals": {
                       "aws:SourceArn": "arn:aws:medical-imaging:region:accountId:datastore/datastoreId"
                   }
               }            
           }
       ]
   }
   

To learn more about creating and using IAM policies with AWS HealthImaging, see Identity and Access Management for AWS HealthImaging.

To learn more about IAM roles in general, see IAM roles in the IAM User Guide. To learn more about IAM policies and permissions in general, see IAM Policies and Permissions in the IAM User Guide.

Install the AWS CLI (optional)

The following procedure is required if you are using the AWS Command Line Interface. If you're using the AWS Management Console or AWS SDKs, you can skip the following procedure.

To set up the AWS CLI

1. Download and configure the AWS CLI. For instructions, see the following topics in the AWS Command Line Interface User Guide.

   • Installing or updating the latest version of the AWS CLI

   • Getting started with the AWS CLI

2. In the AWS CLI config file, add a named profile for the administrator. You use this profile when running the AWS CLI commands. Under the security principle of least privilege, we recommend you create a separate IAM role with privileges specific to the tasks being performed. For more information about named profiles, see Configuration and credential file settings in the AWS Command Line Interface User Guide.

   [default]
   aws_access_key_id = default access key ID
   aws_secret_access_key = default secret access key
   region = region
   

3. Verify the setup using the following help command.

   aws medical-imaging help

   If the AWS CLI is configured correctly, you see a brief description of AWS HealthImaging and a list of available commands.