I am using anonymous user embedding with RLS for my web app. I have set up the required IAM role, policy, and trust policy, and I understand that the embed URL is valid for 5 minutes and is single-use (once redeemed, it cannot be reused).
Can you please answer a few questions for me?
- Is it possible for an unauthorized user to guess or construct a valid QuickSight embed URL? I understand that the embed URL includes a temporary bearer token that is valid for 5 minutes and becomes invalid after it is redeemed. Can you clarify:
  - Is this token cryptographically signed by AWS?
  - Does this mean it cannot be forged or guessed?
  - If someone has the account_id, dashboard_id, etc., can they generate a valid embed URL using the AWS CLI without assuming the IAM role tied to the embedding setup?
  - The doc says “Only the domains that are listed in AllowedEmbeddingDomains can access the embedded dashboard”. What does this mean?
My concern is that, since I am not using provisioned users in QuickSight (anonymous embedding), a malicious actor might find a way to access the dashboard.