AWS Business Intelligence Blog

Integrate private Amazon S3 hosted images with Amazon QuickSight dashboards

Amazon QuickSight is a scalable, serverless, embeddable, machine learning (ML)-powered business intelligence (BI) service built for the cloud that supports identity federation in both Standard and Enterprise editions. QuickSight provides a range of BI features, including the ability to embed an image in a dashboard through custom content visuals. Incorporating images into QuickSight dashboards can elevate the storytelling experience and make visualizations more engaging. Companies can use this functionality to reinforce their branding and maintain a cohesive, professional look across all dashboards. Furthermore, strategically placed images can guide the viewer’s attention to the most critical insights or trends, helping make sure that they’re aware of that information.

When it comes to incorporating images into QuickSight dashboards, there are two primary approaches: direct upload and public URL. For static images like company logos, direct file uploads within QuickSight provide a secure and straightforward solution. Although the direct upload approach is straightforward, it has a 1 MB limitation per image and might not be suitable for scenarios requiring dynamic image management or frequent updates.

For dynamic image and content requirements, such as displaying product images in table rows or dynamically swapping logos based on parameters, using publicly-accessible URLs is the right approach. Commonly, customers store the image files in Amazon Simple Storage Service (Amazon S3). However, although Amazon S3 offers flexibility for image storage and more, it necessitates making the bucket public, a critical security risk. Public buckets expose your data to breaches, accidental exposure, and operational disruptions caused by unauthorized modifications or deletions. They can also lead to damage and erode customer trust.

In this post, we present a secure solution for delivering Amazon S3 backed content to QuickSight dashboards using public URLs, eliminating the vulnerabilities inherent in public S3 buckets. Specifically, we demonstrate how to use Amazon CloudFront with your private S3 buckets to deliver content to QuickSight. This approach allows organizations to maintain strict security controls while creating visually compelling dashboards that align with their design guidelines and effectively communicate data-driven insights.

Solution overview

This solution demonstrates how to use CloudFront in conjunction with a private S3 bucket to securely serve images to QuickSight dashboards (as shown in the following figure). By implementing this architecture, you can maintain the privacy of your S3 bucket while still allowing QuickSight to access and display the images, enhancing your dashboards with visual elements without compromising security.

In this post, we walk you through the following steps:

  1. Deploy QuickSight resources using AWS CloudFormation.
  2. Upload a QuickSight image to a private S3 bucket.
  3. Create a CloudFront distribution.
  4. Limit S3 bucket access to CloudFront.
  5. Add private images to QuickSight.

Prerequisites

This solution uses AWS CloudFormation to help automate the deployment and configuration of the foundational QuickSight artifacts so you can focus on creating the CloudFront distribution and embedding the images into the QuickSight analysis using CloudFront.

You will need access to the following AWS services:

  • QuickSight with an active QuickSight subscription – Used to create an analysis and dashboard. Additionally, you need a QuickSight user registered and active in the AWS Region where you’re going to deploy the solution.
  • AWS CloudFormation – Used to deploy sample QuickSight artifacts.
  • Amazon CloudFront – Used to privately share images stored in an S3 bucket with a QuickSight dashboard.
  • S3 bucket – Used to store images that are needed for QuickSight.

Deploy QuickSight resources using AWS CloudFormation

We have created a CloudFormation template that creates the following QuickSight resources:

  • A data source
  • A dataset
  • An analysis
  • A template
  • A dashboard

To deploy the CloudFormation template that creates the preceding items, we provide a sample dataset (global_ecommerce_sales.csv) and a manifest file (manifest.json) that are used by the QuickSight dashboard.

Complete the following steps:

  1. Update the manifest.json file to include an S3 bucket that can serve the QuickSight data.
  2. Sign in to your AWS account for deployment.
  3. Upload the manifest.json and global_ecommerce_sales.csv files to the S3 bucket.
  4. Provide QuickSight access to the S3 bucket:
    • Sign in to the QuickSight console.
    • Choose the user icon and choose Manage QuickSight.
    • Choose Security & Permissions.
    • Under Access granted to services, choose Manage.
    • Select Amazon S3 and then choose Select S3 Buckets.
    • Select the S3 bucket with the files, and then choose Finish and Save.
  5. Choose Launch Stack to open the prepopulated stack template.
  6. Provide the following parameters:
    • For ManifestFileName, enter the name and path of the manifest file in the S3 bucket.
    • For QuickSightUsername, enter your QuickSight user name (default/USERNAME). You can find your QuickSight user name by signing in to QuickSight and then choosing the user icon. The dropdown menu will display your user name.
    • For S3BucketName, enter the name of the S3 bucket containing the data file and manifest.
  7. Choose Next.
  8. Review the configuration options and choose Create stack.

You will see that the stack starts in CREATE_IN_PROGRESS. This step will take approximately 5 minutes. When complete, the stack will show CREATE_COMPLETE.

Upload a QuickSight image to a private S3 bucket

In this section, you create the private S3 bucket and upload the sample image:

  1. On the Amazon S3 console, choose Buckets in the navigation pane.
  2. Choose a bucket that is configured to have all public access blocked or create a new bucket. If creating a new bucket:
    • Choose Create bucket.
    • For Bucket name, enter a name (for example, myfavoritebucket12345).
    • Choose Block all public access and accept the remaining default settings.
    • Choose Create.
  3. After the bucket has been created, choose Upload and add an image to the private S3 bucket.

Create a CloudFront distribution

In this section, you create the CloudFront distribution:

  1. On the CloudFront console, choose Distributions in the navigation pane.
  2. Choose Create distribution.
  3. For Origin domain, enter the domain for the S3 bucket you uploaded the image to.
  4. Under Origin access, select Origin access control settings (recommended).
  5. Under Origin access control, choose Create new OAC.
  6. For OAC name, enter a name. The OAC name needs to be a unique identifier of your choice.
  7. Choose Create.
  8. Back on the Create distribution page, select the desired settings for Default cache behavior, Function associations, Web Application Firewall (WAF), Settings, and Standard Logging.
  9. Choose Create distribution.
  10. On the distribution page, on the banner that reads “The S3 bucket policy needs to be updated,” choose Copy policy, and store the policy where it can be accessed later.
  11. Choose the newly created distribution, and on the General tab, copy the value for Distribution domain name to your notepad or somewhere it can be accessed later.

Limit S3 bucket access to CloudFront

In this section, you update the private S3 bucket’s policy to restrict access exclusively to the associated CloudFront distribution, helping enforce secure and controlled access:

  1. On the Amazon S3 console, navigate to the private bucket you created.
  2. In the navigation pane, choose Permissions.
  3. In the Bucket policy section, choose Edit and enter the S3 bucket policy created by the CloudFront distribution in the previous steps.
  4. Choose Save changes.
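
One way to check the copied policy before saving it, as an added example that is not code from the original post: the function below audits a bucket policy document and reports any Allow statement that is public, is not granted to the CloudFront service principal, or is not pinned to one distribution through `AWS:SourceArn`. The account ID, distribution ID, and sample policies are constructed placeholders; the bucket name is the example name used earlier in this post.

```python
import copy

CLOUDFRONT = "cloudfront.amazonaws.com"

def _as_list(value):
    """Policy fields may hold a single string or a list of strings."""
    return value if isinstance(value, list) else [value]

def audit_bucket_policy(policy, bucket, distribution_arn):
    """Return findings for Allow statements that grant more than
    s3:GetObject on `bucket` to one CloudFront distribution."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict)
                                and "*" in _as_list(principal.get("AWS", []))):
            findings.append(f"{sid}: public principal")
            continue
        if (not isinstance(principal, dict)
                or _as_list(principal.get("Service", [])) != [CLOUDFRONT]):
            findings.append(f"{sid}: principal is not the CloudFront service")
            continue
        # Condition key names are case-insensitive, so normalise them.
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        source = {k.lower(): v for k, v in equals.items()}.get("aws:sourcearn")
        if source is None or _as_list(source) != [distribution_arn]:
            findings.append(f"{sid}: not pinned to {distribution_arn}")
        extra = [a for a in _as_list(stmt.get("Action", []))
                 if a.lower() != "s3:getobject"]
        if extra:
            findings.append(f"{sid}: actions beyond s3:GetObject: {extra}")
        prefix = f"arn:aws:s3:::{bucket}/"
        if not all(r.startswith(prefix) for r in _as_list(stmt.get("Resource", []))):
            findings.append(f"{sid}: resource outside {bucket}")
    return findings

# Constructed samples: placeholder account and distribution IDs.
DIST = "arn:aws:cloudfront::111122223333:distribution/EDFDVBD6EXAMPLE"
GOOD = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowCloudFrontServicePrincipal", "Effect": "Allow",
    "Principal": {"Service": CLOUDFRONT}, "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::myfavoritebucket12345/*",
    "Condition": {"StringEquals": {"AWS:SourceArn": DIST}}}]}
UNPINNED = copy.deepcopy(GOOD)
del UNPINNED["Statement"][0]["Condition"]
PUBLIC = copy.deepcopy(GOOD)
PUBLIC["Statement"][0]["Principal"] = "*"
```

A policy without the `AWS:SourceArn` condition lets the CloudFront service read the bucket on behalf of any distribution, so the audit treats the missing condition as a finding even though the bucket is not public.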

Add private images to QuickSight

In this section, you add images from the private S3 bucket to a QuickSight analysis using the CloudFront distribution for secure access:

  1. On the QuickSight console, choose Analyses in the navigation pane.
  2. Choose Global E-commerce Analysis, which was created by the CloudFormation template.
  3. In the navigation pane, choose Visualize, choose Add, then choose Custom visual content: requires URL.
  4. In the Properties pane, choose Custom Content, and enter the distribution domain name and image name. In the following example, replace distribution-domain-name and image-name with your own information. If your image resides in a folder within the bucket, include the folder.
    http://distribution-domain-name/image-name
    http://distribution-domain-name/folder/image-name
  5. Turn on Show as image and adjust the Image sizing option settings as needed.
  6. In the top navigation bar, choose PUBLISH.
  7. Enter a dashboard name, then choose Publish dashboard.

You have successfully published a dashboard that displays a visualization stored in a private S3 bucket.

Clean up

If you don’t want to keep the resources and want to avoid future charges, complete the following steps:

  1. On the CloudFront console, delete the CloudFront distribution.
  2. On the Amazon S3 console, delete the S3 bucket.
  3. On the AWS CloudFormation console, delete the CloudFormation stack.

Conclusion

In this post, we demonstrated how to securely embed images stored in a private S3 bucket into a QuickSight dashboard using CloudFront. This solution addresses the critical balance between functionality and security, allowing organizations to enhance their dashboards with visual elements while maintaining strict access controls over their assets.

The combination of the content delivery capabilities of CloudFront with secure storage in Amazon S3 provides several key benefits:

  • Provides secure display of content stored in a private S3 bucket within QuickSight dashboards
  • Offers controlled access through a CloudFront distribution

The approach in this post can be generalized by centrally storing images and other content to be used in all QuickSight dashboards across your organization and served through a CloudFront distribution.

As organizations continue to prioritize both data visualization and security, this implementation offers a robust framework that can be adapted for various use cases. Whether you’re embedding brand assets, product images, or other visual elements, this solution ensures your QuickSight dashboards remain secure.

Remember to regularly review and update your security configurations and access policies as your needs evolve. If you have any questions or feedback, leave a comment. For additional discussion and help getting answers to your questions, check out the QuickSight Community.


About the Authors

Seun Akinyosoye is a Senior Technical Account Manager supporting public sector customers at Amazon Web Services. Seun has a background in analytics and data engineering, which he uses to help customers achieve their goals. Outside of work, Seun enjoys spending time with his family, reading, traveling, and supporting his favorite sports teams.

Sean Bjurstrom is a Senior Technical Account Manager in ISV accounts at Amazon Web Services, where he specializes in analytics technologies and draws on his background in consulting to support customers on their analytics and cloud journeys. Sean is passionate about helping businesses harness the power of data to drive innovation and growth. Outside of work, he enjoys running and has participated in several marathons.

Anupa Bhattacharyya is an Enterprise Support Lead in CIENG at Amazon Web Services, where she guides enterprise customers through their cloud journey. With over 15 years of experience in data and analytics, she excels in defining strategic initiatives for enterprise customers. Outside of work, she enjoys painting, traveling, family time, and savoring new cuisines.