Automated Deployment - AI-Powered Health Data Masking

Automated Deployment

Before you launch the automated deployment, please review the architecture, configuration, prerequisites, post-deployment instructions, and other considerations discussed in this guide. Follow the step-by-step instructions in this section to configure and deploy the AI-Powered Health Data Masking solution into your account.

Time to deploy: Approximately two minutes

Prerequisites

Before deploying this solution, verify that you have requested any necessary limit increases for your account. This solution uses Amazon API Gateway, AWS Lambda, Amazon Comprehend Medical, and Amazon Rekognition. For more information about limit increases, see the Service Limits page for each service.

What We'll Cover

The procedure for deploying this architecture on AWS consists of the following steps. For detailed instructions, follow the links for each step.

Step 1. Launch the Stack

  • Launch the AWS CloudFormation template into your AWS account.

  • Enter a value for the required parameter: Stack Name

Step 2. Create an IAM Policy to Access the API

  • Create or update the IAM policy to access the solution-created API

Step 1. Launch the Stack

This automated AWS CloudFormation template deploys AI-Powered Health Data Masking on the AWS Cloud. Verify that you’ve increased any service limits as needed before launching the stack.

Note

You are responsible for the cost of the AWS services used while running this solution. See the Cost section for more details. For full details, see the pricing webpage for each AWS service you will be using in this solution.

  1. Sign in to the AWS Management Console and click the button below to launch the ai-powered-health-data-masking AWS CloudFormation template.

    
    [AI Powered Health Data Masking launch button]

    You can also download the template as a starting point for your own implementation.

  2. The template is launched in the US East (N. Virginia) Region by default. To launch this solution in a different AWS Region, use the region selector in the console navigation bar.

    Note

    This solution uses Amazon Comprehend Medical and Amazon Rekognition services, which are currently available in specific AWS Regions only. Therefore, you must launch this solution in an AWS Region where these services are available. For the most current service availability by region, see the AWS service offerings by region.

  3. On the Create stack page, verify that the correct template URL shows in the Amazon S3 URL text box and choose Next.

  4. On the Specify stack details page, assign a name to your solution stack.

  5. Choose Next.

  6. On the Configure stack options page, choose Next.

  7. On the Review page, review and confirm the settings. Be sure to check the box acknowledging that the template will create AWS Identity and Access Management (IAM) resources.

  8. Choose Create stack to deploy the stack.

    You can view the status of the stack in the AWS CloudFormation console in the Status column. You should see a status of CREATE_COMPLETE in approximately two minutes.

Step 2. Create an IAM Policy to Access the API

This solution does not automatically create an AWS Identity and Access Management (IAM) policy to invoke the created API. Follow at least one of the two procedures below to implement an IAM policy for access to the API.

Grant access to the entire API

Use the following procedure to modify the JSON document below so that it grants access to the entire API to mask images and text. Note that using this procedure will allow a user to mask health data and view all information.

  1. In the following JSON document, replace us-east-1 with the AWS Region you are deploying in.

  2. Replace 123456789012 with your account ID.

  3. Replace ab12cd3efg with your API Gateway ID. You can find your ID in the Outputs tab of the AWS CloudFormation stack deployment.

  4. Replace prod with the name of your staging environment. Note that if you did not change this in the mappings section of the AWS CloudFormation template when deploying, you can leave it as is.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "execute-api:Invoke",
            "apigateway:PUT",
            "apigateway:POST",
            "apigateway:GET"
          ],
          "Resource": [
            "arn:aws:execute-api:<us-east-1>:<123456789012>:<ab12cd3efg>/<prod>/*",
            "arn:aws:apigateway:<us-east-1>::/restapis/<ab12cd3efg>/resources/*"
          ]
        }
      ]
    }

Grant access to masking functions

To grant access to only the functions that mask images and text, use the following procedure to modify the JSON document below. Note that using this procedure will allow a user to mask health data without viewing specific information.

  1. Replace us-east-1 with the applicable AWS Region.

  2. Replace 123456789012 with your account ID.

  3. Replace ab12cd3efg with your API Gateway ID. You can find your ID in the Outputs tab of the AWS CloudFormation stack deployment.

  4. Replace prod with the name of your staging environment. Note that if you did not change this in the mappings section of the AWS CloudFormation template when deploying, you can leave it as is.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "execute-api:Invoke",
            "apigateway:PUT",
            "apigateway:POST",
            "apigateway:GET"
          ],
          "Resource": [
            "arn:aws:execute-api:<us-east-1>:<123456789012>:<ab12cd3efg>/<prod>/POST/image/mask",
            "arn:aws:execute-api:<us-east-1>:<123456789012>:<ab12cd3efg>/<prod>/POST/text/mask",
            "arn:aws:apigateway:<us-east-1>::/restapis/<ab12cd3efg>/resources/*"
          ]
        }
      ]
    }
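
The two replacement procedures above, as an added example (not part of the original guide or the solution's own code): a Python helper that fills in the placeholders for either policy and flags leftover angle brackets or an invoke ARN that covers every route. The function names and the input-format checks are assumptions made for this example.

```python
import json
import re

# Routes named in the masking-only policy of this guide.
MASK_ROUTES = ("POST/image/mask", "POST/text/mask")
ACTIONS = ["execute-api:Invoke", "apigateway:PUT", "apigateway:POST", "apigateway:GET"]

def build_policy(region, account_id, api_id, stage="prod", mask_only=True):
    """Return one of the guide's two policies with the placeholders filled in."""
    # Loose shape checks (assumptions for this example, not AWS-published rules);
    # they mainly stop the <...> placeholder brackets from being copied through.
    checks = {
        "region": (region, r"[a-z]{2}(-[a-z]+)+-\d"),
        "account_id": (account_id, r"\d{12}"),
        "api_id": (api_id, r"[a-z0-9]+"),
        "stage": (stage, r"[A-Za-z0-9_-]+"),
    }
    for name, (value, pattern) in checks.items():
        if not re.fullmatch(pattern, value):
            raise ValueError(f"{name} has an unexpected format: {value!r}")
    invoke = f"arn:aws:execute-api:{region}:{account_id}:{api_id}/{stage}"
    routes = MASK_ROUTES if mask_only else ("*",)
    resources = [f"{invoke}/{route}" for route in routes]
    resources.append(f"arn:aws:apigateway:{region}::/restapis/{api_id}/resources/*")
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": ACTIONS, "Resource": resources}],
    }

def review_policy(policy):
    """List issues to resolve before pasting the JSON into the IAM console."""
    findings = []
    for statement in policy["Statement"]:
        for arn in statement["Resource"]:
            if "<" in arn or ">" in arn:
                findings.append(f"placeholder brackets left in {arn}")
            if arn.startswith("arn:aws:execute-api:") and arn.endswith("/*"):
                findings.append(f"invoke access covers every route: {arn}")
    return findings

if __name__ == "__main__":
    # Constructed sample values: the placeholder values used in this guide.
    policy = build_policy("us-east-1", "123456789012", "ab12cd3efg")
    print(json.dumps(policy, indent=2))
    print(review_policy(policy) or "no findings")
```

Pass `mask_only=False` to produce the entire-API policy; `review_policy` then reports the wildcard invoke ARN so the broader grant is a deliberate choice.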

Create the IAM policy

Use the following procedure to create the access policies above.

  1. Navigate to the AWS Identity and Access Management console.

  2. In the navigation pane, select Policies. Then, select the Create policy button.

  3. Navigate to the JSON tab.

  4. Copy and paste the JSON document you modified in the previous section for the access policy you want to create.

See Appendix B for details on how to test the API.