Allow QuickSight access to buckets with restrictive policies
When a bucket policy restricts access to customer-defined IP ranges or VPCs, QuickSight cannot reach that bucket through the S3 connector. To let QuickSight in, you can exempt only the QuickSight service roles from the IP/VPC check by adding an ArnNotEquals condition to the bucket policy's Deny statement. A sample Deny statement is given below.
Note -
- Make sure you replace all placeholders.
- Ensure that the trust relationship of the QuickSight role(s) is granted only to the QuickSight service. (Depending on your instance, you might see one or both of these roles in IAM.)
- The three actions listed in the statement below are the minimum QuickSight needs. The same bypass principal will work if your policy applies to all S3 actions.
- You still need to allow access to the bucket via the QuickSight management panel.
- If you are using a custom role for QuickSight, use that role's ARN in the policy instead of the standard QuickSight role ARNs.
Sample bucket policy
{
  "Version": "2012-10-17",
  "Id": "Policy1644867078422",
  "Statement": [
    {
      "Sid": "RestrictAccess",
      "Effect": "Deny",
      "Principal": "*",
      "Action": [
        "s3:ListBucket",
        "s3:GetObject",
        "s3:GetObjectVersion"
      ],
      "Resource": [
        "arn:aws:s3:::<Bucket Name>",
        "arn:aws:s3:::<Bucket Name>/*"
      ],
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": [
            "<Allowed IP Range>"
          ]
        },
        "ArnNotEquals": {
          "aws:PrincipalArn": [
            "arn:aws:iam::<Account Number>:role/service-role/aws-quicksight-s3-consumers-role-v0",
            "arn:aws:iam::<Account Number>:role/service-role/aws-quicksight-service-role-v0"
          ]
        }
      }
    }
  ]
}
How does this work?
For the Deny to apply, both condition blocks, NotIpAddress and ArnNotEquals, must evaluate to true (multiple operators in one Condition element are ANDed). When the QuickSight S3 connector accesses the data, aws:PrincipalArn is one of the two role ARNs listed under ArnNotEquals, so that block evaluates to false and the request is not denied, whatever its source IP.
Regards,
Arun Santhosh
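To make the evaluation rule in the "How does this work?" section concrete, here is an added example (not part of the answer above, and not AWS code) that simulates how IAM evaluates this Deny statement against a few request contexts. The bucket name, account number and IP range are constructed placeholders; the condition semantics follow the IAM rules that operator blocks are ANDed, values under one key are ORed, and a negated operator is true when its key is absent (which is why requests arriving via a VPC endpoint, where aws:SourceIp is missing, still get caught by NotIpAddress).

```python
import ipaddress
from fnmatch import fnmatchcase

# Constructed sample: the answer's Deny statement with placeholders filled in.
ACCOUNT = "111122223333"
QUICKSIGHT_ROLES = [
    f"arn:aws:iam::{ACCOUNT}:role/service-role/aws-quicksight-s3-consumers-role-v0",
    f"arn:aws:iam::{ACCOUNT}:role/service-role/aws-quicksight-service-role-v0",
]
DENY_STATEMENT = {
    "Sid": "RestrictAccess",
    "Effect": "Deny",
    "Principal": "*",
    "Action": ["s3:ListBucket", "s3:GetObject", "s3:GetObjectVersion"],
    "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    "Condition": {
        "NotIpAddress": {"aws:SourceIp": ["203.0.113.0/24"]},
        "ArnNotEquals": {"aws:PrincipalArn": QUICKSIGHT_ROLES},
    },
}


def _operator_block_true(operator, key_values, ctx):
    """One operator block (e.g. NotIpAddress) is true only if every key in it is satisfied."""
    for key, policy_values in key_values.items():
        actual = ctx.get(key)
        if actual is None:
            # Negated operators are true when the key is absent from the request
            # context (aws:SourceIp is absent for VPC endpoint traffic, for example).
            continue
        if operator == "NotIpAddress":
            hit = any(ipaddress.ip_address(actual) in ipaddress.ip_network(c) for c in policy_values)
        elif operator == "ArnNotEquals":
            hit = any(fnmatchcase(actual, p) for p in policy_values)  # ARN operators allow * and ?
        else:
            raise NotImplementedError(operator)
        if hit:  # the value matched one of the listed values, so the negated operator is false
            return False
    return True


def deny_applies(action, ctx, statement=DENY_STATEMENT):
    """True when this Deny matches: the action is covered and ALL operator blocks are true."""
    if not any(fnmatchcase(action, a) for a in statement["Action"]):
        return False
    return all(_operator_block_true(op, kv, ctx) for op, kv in statement["Condition"].items())
```

Running deny_applies with the QuickSight role ARN from any address returns False, while an ordinary IAM principal outside the allowed range (or with no aws:SourceIp at all) is denied.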