Amazon S3 Usage

If you have been granted access to an Amazon S3 bucket for storing data, here's how to interact with the contents:


Your server is associated with a custom profile that grants it full permission to your Amazon S3 bucket. Thus, any command issued through the AWS command line interface or through one of the AWS SDKs will work automatically, without the need to add a key pair to your environment.

If you require access to your bucket outside of the Healthcare Blocks environment, please create a support ticket, and we'll allocate a key pair you can use externally.

Application-Level Authentication

Files containing PHI should have their S3 object permissions set to "private" via the AWS SDK. If you need end users to be able to retrieve content directly from S3 (even if your application obfuscates the S3 object URL and does an internal redirect), your application should create a pre-signed URL that automatically expires within 5 minutes. Because the URL stops working once it expires, users cannot distribute a lasting valid object URL externally. The AWS SDK for each programming language contains pre-signed S3 URL functionality; please refer to the respective documentation.

Encryption at Rest

Healthcare Blocks enables encryption-at-rest for newly created S3 buckets.

Don't Embed PHI in Object Names

S3 does not encrypt or obfuscate object names, so it is important that you do not embed patient names, SSNs, or other PHI identifiers in the file names of the objects saved to S3.
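
The two rules above (private objects served through 5-minute pre-signed URLs, and no PHI in object names) combined in one place, as an added example that is not part of the original Healthcare Blocks page. It uses boto3; the function names, the `documents/` prefix and the sample bytes are assumptions made for illustration.

```python
import uuid

MAX_TTL_SECONDS = 300  # the 5-minute ceiling this page asks for


def opaque_key(extension: str = "") -> str:
    """Random object name: no patient name, SSN or other identifier in it."""
    return f"documents/{uuid.uuid4().hex}{extension}"


def store_private(s3, bucket: str, body: bytes, extension: str = "") -> str:
    """Upload under an opaque key with a private ACL and SSE requested."""
    key = opaque_key(extension)
    s3.put_object(
        Bucket=bucket,
        Key=key,
        Body=body,
        ACL="private",
        ServerSideEncryption="AES256",
    )
    # Keep the key-to-patient mapping in your own database, not in S3.
    return key


def short_lived_url(s3, bucket: str, key: str,
                    ttl: int = MAX_TTL_SECONDS) -> str:
    """Pre-signed GET URL; refuses any lifetime above five minutes."""
    if not 0 < ttl <= MAX_TTL_SECONDS:
        raise ValueError(f"ttl must be between 1 and {MAX_TTL_SECONDS} seconds")
    return s3.generate_presigned_url(
        "get_object",
        Params={"Bucket": bucket, "Key": key},
        ExpiresIn=ttl,
    )


if __name__ == "__main__":
    import boto3  # on the server, credentials come from its profile

    s3 = boto3.client("s3")
    bucket = "healthcareblocks-storage-12345"  # example bucket from this page
    key = store_private(s3, bucket, b"constructed sample bytes", ".pdf")
    # Generate the URL per request, after your application has
    # authenticated and authorized the user, then redirect to it.
    print(short_lived_url(s3, bucket, key))
```
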

Listing Bucket Contents

Assuming your bucket is called healthcareblocks-storage-12345:

aws s3 ls s3://healthcareblocks-storage-12345

Uploading a local file

aws s3 cp myfile.txt s3://healthcareblocks-storage-12345

Also, note that you don't need to be in the same directory as the file, since the aws command works from any directory, e.g.

aws s3 cp /data/postgresql/dropbox/somefile.tar.bz2 s3://healthcareblocks-storage-12345 --sse

Downloading a file

aws s3 cp s3://healthcareblocks-storage-12345/stuff.txt myfile.txt

Additional Reference

Amazon CLI S3 reference

Desktop Clients