Embed url security for anonymous users

Question & Answer
,
1

I am using anonymous user embedding with RLS for my web app. I have set up the required IAM role, policy, and trust policy, and I understand that the embed URL is valid for 5 minutes and is single-use (once redeemed, it cannot be reused).

Can you please answer few questions for me?

  1. Is it possible for an unauthorized user to guess or construct a valid QuickSight embed URL. I understand that the embed URL includes a temporary bearer token that is valid for 5 minutes and becomes invalid after it is redeemed. Can you clarify:

  • Is this token cryptographically signed by AWS?

  • Does this mean it cannot be forged or guessed?

  1. If someone has the account_id, dashboard_id, etc, can they generate a valid embed URL using the AWS CLI without assuming the IAM role tied to the embedding setup?

  2. The doc says “Only the domains that are listed in AllowedEmbeddingDomains can access the embedded dashboard”. What does this mean?

My concern is that, since I am not using provisioned users in QuickSight (anonymous embedding), a malicious actor might find a way to access the dashboard.

2

Hi @nazma,

Thank you for posting.

I will answer your questions below

  1. For anyone to be able to create a valid embeded URL , they need required IAM role and permissions even if they know the account ID.

  2. No. Generating a valid embeded URL requires calling the AWS API with the correct permissions. See documentation here

  3. Amazon QuickSight will only allow the embedded dashboard to load in iframes hosted on domains you have explicitly allow-listed. Documentation can be found here

Regards,
Demola

1 Like