Hi,
In my setup I want to deny QuickSight users and groups access to AWS data and resources. The datasets they can use have to be defined and managed by Terraform/CLI and exposed to them in shared folders. The Terraform resources are applied by an AWS IAM role that has the necessary permissions to the underlying data and resources and has the necessary quicksight: permissions.
To do this I thought that setting the “Default resource access” setting to “Deny access to all AWS data and resources to all users and groups” would be sufficient. However, when I do this, I can also no longer manage the datasets using Terraform/CLI, even when the AWS IAM role is not related to QuickSight (running aws sts get-caller-identity in the terminal shows the expected assumed role, and not some QuickSight user). Via the QuickSight IAM policy assignments it is only possible to assign IAM policies to QuickSight users and groups, not to IAM roles. I am therefore no longer able to create datasets through Terraform or the CLI.
The way I was able to get it to work was by setting the “Default resource access” setting to “Allow”, creating a group containing all QuickSight users and assigning an explicit DENY policy on all S3 resources to that group. Then I am still able to manage datasets with the CLI/Terraform, but users are no longer able to create datasets on their own starting from S3.
I am wondering if it is possible to get the first approach working (“Default resource access” set to “Deny” while still allowing Terraform/CLI)? I prefer this because the second approach, with Allow by default, doesn’t seem the cleanest or safest, as I just want to deny everything except that one role used for automation with Terraform.
Kind regards
Nelis
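For reference, the second (working) approach described in the post, expressed as Terraform, as an added example that is not part of the original post: a QuickSight group holding every user, an IAM policy with an explicit deny on all S3 actions, and a QuickSight IAM policy assignment binding that policy to the group, while the automation role keeps its own (unassigned) permissions. The group name, assignment name, variable name and the default namespace are assumptions; the policy content is the explicit S3 deny the post describes.

```hcl
# Added example: QuickSight group that every human user belongs to.
# (Group and assignment names are assumed; adjust to your naming scheme.)
resource "aws_quicksight_group" "all_users" {
  group_name  = "all-users"
  description = "Every QuickSight user; receives the explicit S3 deny assignment"
  namespace   = "default"
}

# Assumed input: the QuickSight user names to place in the group.
variable "quicksight_user_names" {
  type = set(string)
}

resource "aws_quicksight_group_membership" "all_users" {
  for_each    = var.quicksight_user_names
  group_name  = aws_quicksight_group.all_users.group_name
  member_name = each.value
  namespace   = "default"
}

# Explicit deny on all S3 actions. An explicit Deny wins over the account-level
# "Allow" default resource access, so users cannot create datasets from S3 themselves.
data "aws_iam_policy_document" "quicksight_deny_s3" {
  statement {
    sid       = "DenyAllS3ForQuickSightUsers"
    effect    = "Deny"
    actions   = ["s3:*"]
    resources = ["*"]
  }
}

resource "aws_iam_policy" "quicksight_deny_s3" {
  name   = "quicksight-users-deny-s3"
  policy = data.aws_iam_policy_document.quicksight_deny_s3.json
}

# The assignment only targets QuickSight users/groups, never IAM roles, which is
# why the Terraform/CLI role applying this configuration is unaffected by it.
resource "aws_quicksight_iam_policy_assignment" "deny_s3_all_users" {
  assignment_name   = "deny-s3-all-users"
  assignment_status = "ENABLED"
  namespace         = "default"
  policy_arn        = aws_iam_policy.quicksight_deny_s3.arn

  identities {
    group = [aws_quicksight_group.all_users.group_name]
  }
}
```

Because the deny is scoped to the group rather than to the account-wide default, any new user must be added to the group (here via var.quicksight_user_names) to be covered; a user created outside Terraform and never added to the group would fall back to the account-level "Allow" default, which is the gap the post is asking how to close.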