
SP-018-002 AWS console-managed resources procedure

Procedure flowchart

Purpose

This procedure defines the process for creating, configuring, updating and decommissioning AWS resources that are managed through the AWS Management Console, CLI or SDK.

Scope

This procedure applies to all AWS console-managed resources, including but not limited to:

  • Lambda functions
  • ECR repositories
  • ECS services and task definitions
  • S3 buckets
  • RDS databases
  • API Gateway endpoints
  • CloudWatch alarms and dashboards

Responsibilities

JD-001 and JD-003

  • To approve the creation or decommissioning of AWS resources.

JD-005

  • To ensure that resource changes follow the methodology established in this procedure.
  • To review IAM permissions assigned to each resource.

JD-007

  • To perform the technical operations described in this procedure and record the corresponding evidence.

Inputs

  • Requirements or justification for the new, updated or decommissioned resource.

Outputs

  • The created, updated or decommissioned AWS resource.
  • Updated T-018-001 Infrastructure list and control plan.
  • Updated T-013-002 Risk Management Record (if applicable).

Development

Creating a new resource

  1. The team member requesting the resource communicates the need and justification to JD-005.

  2. JD-005 evaluates the request and obtains approval from JD-001 or JD-003.

  3. JD-007 creates the resource in the AWS Console (or via CLI/SDK) following these principles:

    • Naming convention: Resources must be named using lowercase letters, numbers and hyphens (e.g. legit-health-api-production).

    • Region: All resources must be created in the agreed-upon AWS region unless there is a justified technical reason to use a different one.

    • Tagging: Every resource must include at least the following tags:

      | Tag key     | Example value     |
      | ----------- | ----------------- |
      | Environment | production        |
      | Owner       | gerardo-fernandez |
      | Project     | legit-health      |

  4. JD-007 configures the appropriate IAM permissions, ensuring the minimum access policy is applied. Only the IAM groups ("Administrators" or "Developers") that need access to the resource shall be granted permissions.

  5. JD-007 registers the resource in T-018-001 Infrastructure list and control plan.

  6. JD-005 updates the T-013-002 Risk Management Record if the new resource introduces or modifies any risk.
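
A check for the step 3 naming, region and tagging rules, as an added example (not part of the original procedure or Legit.Health's own tooling). It runs over a constructed inventory shaped like the Resource Groups Tagging API's `ResourceTagMappingList`; the region `eu-west-1`, the account id, the `audit` and `tags_of` helpers and all resource names except the page's own example are assumptions, since the page does not name the agreed region.

```python
import re

# Step 3 rules: names use lowercase letters, numbers and hyphens; three tags are mandatory.
NAME_RE = re.compile(r"[a-z0-9-]+")
REQUIRED_TAGS = ("Environment", "Owner", "Project")

def audit(resources, agreed_region):
    """Return {arn: [findings]} for entries that break the step 3 rules.

    `resources` follows the ResourceTagMappingList shape returned by the
    Resource Groups Tagging API: [{"ResourceARN": str, "Tags": [{"Key", "Value"}]}].
    """
    report = {}
    for res in resources:
        arn = res["ResourceARN"]
        # ARN layout: arn:partition:service:region:account-id:resource
        _, _, _, region, _, resource = arn.split(":", 5)
        # Assumption: the name is the last "/" or ":" separated segment.
        name = re.split(r"[/:]", resource)[-1]
        tags = {t["Key"]: t["Value"] for t in res.get("Tags", [])}
        findings = []
        if not NAME_RE.fullmatch(name):
            findings.append(f"name {name!r} breaks the naming convention")
        # S3 bucket ARNs carry no region, so that rule needs a separate lookup.
        if region and region != agreed_region:
            findings.append(f"region {region!r} is not {agreed_region!r}")
        findings += [f"tag {k!r} missing or empty"
                     for k in REQUIRED_TAGS if not tags.get(k, "").strip()]
        if findings:
            report[arn] = findings
    return report

def tags_of(**kv):
    return [{"Key": k, "Value": v} for k, v in kv.items()]

# Constructed sample inventory; account id, region and all but the first name are made up.
ACCT = "111122223333"
FULL = dict(Environment="production", Owner="gerardo-fernandez", Project="legit-health")
SAMPLE = [
    {"ResourceARN": f"arn:aws:lambda:eu-west-1:{ACCT}:function:legit-health-api-production", "Tags": tags_of(**FULL)},
    {"ResourceARN": f"arn:aws:lambda:eu-west-1:{ACCT}:function:LegitHealth_Export", "Tags": tags_of(Environment="production", Project="legit-health")},
    {"ResourceARN": f"arn:aws:ecr:us-east-1:{ACCT}:repository/legit-health-worker", "Tags": tags_of(**{**FULL, "Owner": ""})},
    {"ResourceARN": "arn:aws:s3:::legit-health-reports", "Tags": tags_of(**FULL)},
]

if __name__ == "__main__":
    for arn, findings in audit(SAMPLE, agreed_region="eu-west-1").items():
        print(arn, *findings, sep="\n  - ")
```

The findings per ARN can be attached as evidence when JD-007 registers the resource in T-018-001.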

Updating an existing resource

  1. The team member proposing the change communicates it to JD-005.
  2. For changes that affect availability, security or data integrity, JD-005 must obtain approval from JD-001 or JD-003 before proceeding. Minor configuration changes (e.g. adjusting a CloudWatch alarm threshold) do not require prior approval.
  3. JD-007 applies the change and updates T-018-001 Infrastructure list and control plan accordingly.

Decommissioning a resource

  1. JD-005 identifies the resource to be decommissioned and obtains approval from JD-001 or JD-003.
  2. JD-007 verifies that no other active resources or services depend on the resource to be removed.
  3. JD-007 removes the resource and updates T-018-001 Infrastructure list and control plan.
  4. JD-005 updates the T-013-002 Risk Management Record to reflect the removal.

Document signature meaning

  • Author: JD-007 Gerardo Fernández
  • Review: JD-005 Mr. Alfonso Medela
  • Approval: JD-001 Ms. Andy Aguilar

Signature meaning

The signatures for the approval process of this document can be found in the verified commits of the QMS repository. For reference, the team members expected to participate in this document and their roles in the approval process, as defined in Annex I (Responsibility Matrix) of GP-001, are:

  • Author: Team members involved
  • Reviewer: JD-003 Design & Development Manager, JD-004 Quality Manager & PRRC
  • Approver: JD-001 General Manager
All the information contained in this QMS is confidential. The recipient agrees not to transmit or reproduce the information, neither by himself nor by third parties, through whichever means, without obtaining the prior written permission of Legit.Health (AI Labs Group S.L.)