Security - AI-Powered Health Data Masking


When you build systems on AWS infrastructure, security responsibilities are shared between you and AWS. This shared model can reduce your operational burden as AWS operates, manages, and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the services operate. For more information about security on AWS, visit the AWS Security Center.


AI-Powered for Health Data Masking uses Amazon CloudWatch to capture Amazon API Gateway actions in your environment and AWS CloudTrail to log information from the AWS Lambda functions and Amazon API Gateway. All AWS CloudTrail logs are archived to the solution-created Amazon S3 log bucket.

Authorization and Authentication

In concordance with the principles of least privilege and separation of concerns, each AWS Lambda function operates with a separate AWS Identity and Access Management (IAM) role and policy. For example, only Lambda functions that use Amazon Rekognition for detecting text in an image are authorized to make the DetectText API call to Amazon Rekognition.

Amazon API Gateway uses IAM to control access for invoking the deployed API. This guide provides an example IAM policy that you can create after you have deployed the solution. For more information about creating an IAM policy, see Step 2.


All internal and external communications for AI-Powered Health Data Masking are over HTTPS. For example, Amazon API Gateway only accepts communication over HTTPS and not HTTP, and all AWS API calls made by AWS Lambda are over HTTPS. Additionally, the solution-created Amazon S3 buckets have default server-side encryption enabled, and automatically encrypt any object uploaded into an S3 bucket.