Hi,
In my setup I want to deny QuickSight users and groups access to AWS data and resources. The datasets they can use have to be defined and managed by Terraform/CLI and exposed to them in shared folders. The Terraform resources are applied by an AWS IAM role that has the necessary permissions to the underlying data and resources and has the necessary QuickSight permissions.
To do this I thought that setting the “Default resource access” setting to “Deny access to all AWS data and resources to all users and groups” would be sufficient. However, when I do this, I can also no longer manage the datasets using Terraform/CLI, even when the AWS IAM role is not related to QuickSight (running aws sts get-caller-identity in the terminal shows the expected assumed role, and not some QuickSight user). Via the QuickSight IAM policy assignments it is only possible to assign IAM policies to QuickSight users and groups, not to IAM roles. I am therefore not able to create datasets through Terraform or the CLI anymore.
The way I was able to get it to work was by setting the “Default resource access” setting to “Allow”, creating a group with all QuickSight users and assigning an explicit DENY policy for all S3 resources to that group. Then I am still able to manage datasets with the CLI/Terraform, but users are no longer able to create datasets on their own starting from S3.
I am wondering if it is possible to get the first approach working (“Default resource access” set to “Deny” while still allowing Terraform/CLI)? I prefer this because the second approach, with Allow by default, doesn’t seem the cleanest or safest, as I just want to deny all except the one role used for automation with Terraform.
Kind regards,
Nelis
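The workaround described in the post (“Default resource access” left on Allow, every QuickSight user placed in one group, and an explicit S3 Deny attached to that group through a QuickSight IAM policy assignment), written out as an added Terraform example that is not the poster's own configuration. The group, policy and assignment names, the "default" namespace and the quicksight_user_names variable are assumptions.

```hcl
# Assumption (not from the original post): QuickSight users live in the
# "default" namespace and their names are supplied through this variable.
variable "quicksight_user_names" {
  type = list(string)
}

# Group that will contain every QuickSight user.
resource "aws_quicksight_group" "all_users" {
  group_name  = "all-quicksight-users"
  namespace   = "default"
  description = "Every QuickSight user; denied direct S3 access"
}

# One membership per user so nobody falls outside the Deny.
resource "aws_quicksight_group_membership" "all_users" {
  for_each    = toset(var.quicksight_user_names)
  group_name  = aws_quicksight_group.all_users.group_name
  member_name = each.value
}

# Explicit Deny on all S3 actions. An explicit Deny wins over the
# account-wide Allow chosen under "Default resource access".
resource "aws_iam_policy" "quicksight_deny_s3" {
  name = "quicksight-deny-s3"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid      = "DenyAllS3"
      Effect   = "Deny"
      Action   = "s3:*"
      Resource = "*"
    }]
  })
}

# Attach the Deny to the group via a QuickSight IAM policy assignment.
# Assignments target only QuickSight users and groups, so the IAM role
# that applies this Terraform is unaffected and can still manage datasets.
resource "aws_quicksight_iam_policy_assignment" "deny_s3" {
  assignment_name   = "deny-s3-all-users"
  assignment_status = "ENABLED"
  namespace         = "default"
  policy_arn        = aws_iam_policy.quicksight_deny_s3.arn
  identities {
    group = [aws_quicksight_group.all_users.group_name]
  }
}
```

New users must be added to the group (via the variable here) or they fall back to the account-wide Allow, which is the main operational risk of this approach.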