Architecture overview - FHIR Works on AWS

Architecture overview

Deploying this solution with the default parameters builds the following environment in the AWS Cloud.

Figure 1: FHIR Works on AWS architecture

The AWS CloudFormation template deploys the serverless infrastructure necessary to serve FHIR HTTP requests. This includes the following:

  • One Amazon Cognito user pool, domain, and client to authenticate the requesting user’s identity and determine which group the user is in.

  • One Amazon API Gateway to route the request to a Lambda function. The API Gateway also has an Amazon Cognito authorizer to confirm the request has a valid ID token created by this stack’s Amazon Cognito user pool.

  • Two AWS Lambda functions. One processes FHIR requests and routes them to the correct persistence layer: Amazon Simple Storage Service (Amazon S3) for unstructured FHIR resources, Amazon DynamoDB for create, read, update, delete (CRUD) operations, or Amazon OpenSearch Service (OpenSearch Service) for all search operations. The other reads updates from the FHIR resource DynamoDB table and streams those changes to OpenSearch Service.

  • One DynamoDB table to store all structured FHIR resources. After a write operation, the table streams the update to the OpenSearch Service domain.

  • One OpenSearch Service domain to support FHIR searching requests.

  • One Amazon S3 bucket to hold FHIR binary resources, such as unstructured data, X-rays, and raw notes.

  • Four AWS Key Management Service (AWS KMS) keys to encrypt DynamoDB, Amazon S3, Amazon CloudWatch Logs, and the OpenSearch Service domain.

Requests to and responses from the APIs are logged in Amazon CloudWatch and can be optionally archived to Amazon S3 in order to optimize cost.
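The controls listed above (a Cognito authorizer on the API Gateway, and KMS encryption for DynamoDB, Amazon S3, CloudWatch Logs, and the OpenSearch Service domain) can be checked statically against a CloudFormation template before deployment. The following is an added example, not code from this solution: the logical IDs, the key reference, and the sample template are constructed, and the exemption for `OPTIONS` methods is an assumption.

```python
def _on(v):
    # CloudFormation accepts booleans and the strings "true"/"false".
    return str(v).lower() == "true"

def _table(p):
    sse = p.get("SSESpecification", {})
    return _on(sse.get("SSEEnabled")) and bool(sse.get("KMSMasterKeyId"))

def _bucket(p):
    rules = p.get("BucketEncryption", {}).get("ServerSideEncryptionConfiguration", [])
    defaults = [r.get("ServerSideEncryptionByDefault", {}) for r in rules]
    return any(d.get("SSEAlgorithm") == "aws:kms" and d.get("KMSMasterKeyID") for d in defaults)

def _domain(p):
    enc = p.get("EncryptionAtRestOptions", {})
    return _on(enc.get("Enabled")) and bool(enc.get("KmsKeyId"))

def _method(p):
    # Assumption: CORS preflight (OPTIONS) methods are exempt from the authorizer.
    return p.get("HttpMethod") == "OPTIONS" or p.get("AuthorizationType") == "COGNITO_USER_POOLS"

# Resource type -> predicate that its Properties must satisfy.
CHECKS = {
    "AWS::DynamoDB::Table": _table,
    "AWS::S3::Bucket": _bucket,
    "AWS::OpenSearchService::Domain": _domain,
    "AWS::Logs::LogGroup": lambda p: bool(p.get("KmsKeyId")),
    "AWS::ApiGateway::Method": _method,
}

def audit(template):
    """Return the sorted logical IDs of resources that fail their check."""
    return sorted(name for name, r in template.get("Resources", {}).items()
                  if r.get("Type") in CHECKS
                  and not CHECKS[r["Type"]](r.get("Properties", {})))

def res(rtype, **props):
    return {"Type": rtype, "Properties": props}
KEY = {"Fn::GetAtt": ["ExampleKey", "Arn"]}  # constructed key reference
SAMPLE = {"Resources": {  # constructed template, not the solution's own
    "ResourceTable": res("AWS::DynamoDB::Table", SSESpecification={
        "SSEEnabled": True, "SSEType": "KMS", "KMSMasterKeyId": KEY}),
    "BinaryBucket": res("AWS::S3::Bucket", BucketEncryption={"ServerSideEncryptionConfiguration": [
        {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}),
    "SearchDomain": res("AWS::OpenSearchService::Domain", EncryptionAtRestOptions={
        "Enabled": "true", "KmsKeyId": KEY}),
    "ApiLogs": res("AWS::Logs::LogGroup", KmsKeyId=KEY),
    "OpenGet": res("AWS::ApiGateway::Method", HttpMethod="GET", AuthorizationType="NONE"),
    "Preflight": res("AWS::ApiGateway::Method", HttpMethod="OPTIONS", AuthorizationType="NONE"),
}}
```

Calling `audit(SAMPLE)` flags the bucket that uses `AES256` instead of a KMS key and the `GET` method that has no Cognito authorizer.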