AWS Quicksight - Managing IAM Policies


Advertisements

To manage IAM policies for Quicksight account, you can use root user or IAM credentials. It is recommended to use IAM credentials to manage resource access and policies instead of root user.

Following policies are required to signup and use Amazon Quicksight −

Standard Edition

  • ds:AuthorizeApplication
  • ds:CheckAlias
  • ds:CreateAlias
  • ds:CreateIdentityPoolDirectory
  • ds:DeleteDirectory
  • ds:DescribeDirectories
  • ds:DescribeTrusts
  • ds:UnauthorizeApplication
  • iam:CreatePolicy
  • iam:CreateRole
  • iam:ListAccountAliases
  • quicksight:CreateUser
  • quicksight:CreateAdmin
  • quicksight:Subscribe

Enterprise Edition

Apart from the above mentioned policies, below permissions are required in enterprise edition −

  • quicksight:GetGroupMapping
  • quicksight:SearchDirectoryGroups
  • quicksight:SetGroupMapping

You can also allow a user to manage permissions for AWS resources in Quicksight. Following IAM policies should be assigned in both editions −

  • iam:AttachRolePolicy
  • iam:CreatePolicy
  • iam:CreatePolicyVersion
  • iam:CreateRole
  • iam:DeletePolicyVersion
  • iam:DeleteRole
  • iam:DetachRolePolicy
  • iam:GetPolicy
  • iam:GetPolicyVersion
  • iam:GetRole
  • iam:ListAttachedRolePolicies
  • iam:ListEntitiesForPolicy
  • iam:ListPolicyVersions
  • iam:ListRoles
  • s3:ListAllMyBuckets

To prevent an AWS administrator to unsubscribe from Quicksight, you can deny all users “quicksight:Unsubscribe”

IAM policy for dashboard embedding

To embed an AWS Quciksight dashboard URL in web page, you need the following IAM policies to be assigned to the user −

{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Action": "quicksight:RegisterUser",
         "Resource": "*",
         "Effect": "Allow"
      },
      {
         "Action": "quicksight:GetDashboardEmbedUrl", 
         "Resource": "arn:aws:quicksight:us-east-1: 
         868211930999:dashboard/ 
         f2cb6cf2-477c-45f9-a1b3-639239eb95d8 ",
         "Effect": "Allow"
      }
   ]
}

You can manage and test these roles and policies using IAM policy simulator in Quicksight. Below is the link to access IAM Policy simulator −

https://policysim.aws.amazon.com/home/index.jsp?#

IAM Policy Simulator
Advertisements