Introducing HAQM QuickSight fine-grained access control over HAQM S3 and HAQM Athena

Today, AWS is excited to announce the availability of fine-grained access control for AWS Identity and Access Management (IAM)-permissioned resources in HAQM QuickSight. Fine-grained access control allows HAQM QuickSight account administrators to control authors’ default access to connected AWS resources. Fine-grained access control enables administrators to use IAM policies to scope down access permissions, limiting specific authors’ access to specific items within the AWS resources. Administrators can now apply this new level of access control to HAQM S3, HAQM Athena, and HAQM RDS/Redshift database discovery.

Fine-Grained Access Control Setup

Here’s how fine-grained access control works in HAQM QuickSight:

Imagine an AWS customer, Acme. Acme’s account contains three S3 buckets, called b1, b2, and b3. HAQM QuickSight is configured to read data via Athena. Assume that Acme’s administrators have configured HAQM QuickSight service role permissions with access to all three buckets. The new default access setting introduced today enables administrators to limit access to Acme’s data for all users by default. Administrators grant access to specific buckets (b1, b2, b3) to individual users or groups within Acme via IAM policies.

In the following example, the policies assigned to Acme users A and B, and Group X grant them access to buckets 1, 2, and 3. Group Y is not assigned, as shown in the following diagram.

When User A attempts to read data via Athena from bucket 1, AWS evaluates the IAM policy associated with the user. Since the policy assigned to User A grants access to bucket 1, the query succeeds. User A can access data from bucket 1. Similarly, User B and users in group X can access data in buckets 2 and 3, respectively.

However, when a user from group Y tries to access bucket 2, QuickSight doesn’t allow any access to data. Remember, group Y has no user-level assignments. Users from group Y are denied access to bucket 2 because HAQM QuickSight requires explicit permissions to access data, as shown in the following diagram.

In an S3 data lake, HAQM QuickSight enables administrators to restrict each author’s data access using IAM policies. (Other AWS mechanisms, outside of HAQM QuickSight, provide for the modification of the policies themselves.) This fine-grained access control relies on the underlying IAM policy evaluation infrastructure. Currently, there is a ten-policy limit on policies that may be linked together at runtime to evaluate the user’s permissions.

HAQM QuickSight also offers an updated UI for AWS permissions management. Administrators can now access an account’s default resource setting, as shown in the following screenshot:

You can set Default resource access to Allow or Deny, based on the administration model. Choose the appropriate option and press Update. (Or, if you decide not to proceed, press Cancel.)

As before, you can specify AWS resource permissions for the HAQM QuickSight account through the new UI. Select resources from the checkboxes on the right side of the screen, as shown in the following screenshot:

And, as shown in the next screenshot, S3 access can be granted to buckets within the AWS account or other AWS accounts:

To control access for specific users or groups, use the newly introduced fine-grained access control feature, illustrated in this screenshot:

The IAM policy assignments button leads you to a page displaying all assignments in the account and lets you create a new assignment, as shown in the following screenshot.

Creating a new policy assignment involves only two steps:

1. Pick from an IAM policy from those on the AWS account list.
2. Assign to specific users or groups.

If you haven’t yet configured groups in HAQM QuickSight, you can do so using AWS APIs for accounts using SSO or HAQM QuickSight-native credentials. Groups are also natively available in an AD-connected account.

Fine-grained access control in HAQM QuickSight, when combined with data in S3 and Athena, allows you to set up a secure environment for data exploration across the organization. This feature is available in HAQM QuickSight Enterprise Edition in all supported AWS Regions starting today.

About the Author

Jose Kunnackal is a principal product manager for HAQM QuickSight.