How to Limit Data Export for BI Developers and Readers in Amazon QuickSight

Use Case
Data security is an important concern for businesses. Various roles—business users, Business Intelligence (BI) leads, data security analysts—handle data operations. To avoid unintentional exposure of data, it may be necessary to restrict BI developers from exporting data from Amazon QuickSight, while still allowing them access to analyses and dashboards. More and more ASCENDING customers are expressing the need for fine-grained access control for BI developers. In this article, we will discuss how we utilize Amazon QuickSight to safeguard data.

Please note that an Amazon QuickSight Reader with whom the analysis creator (i.e., the Author) has shared a dashboard may still see the option to export a CSV, even if the analysis creator is restricted from exporting to CSV. To limit access to sensitive data, it’s recommended to exclude sensitive fields from the analysis and dashboard.

How to Solve the Problem
Disable Data Export for Dashboard

Thankfully, Amazon QuickSight makes it easy to restrict BI developers from exporting data as CSV or Excel. You can restrict user downloads when publishing the dashboard:
• Expand ‘Advanced publish menu’
• Uncheck ‘Enable download options’

Disable Data Export for Analysis
A custom permission can be created to restrict users with the Amazon QuickSight Author role from exporting data. Once the custom permission is applied, the Export to CSV option will not appear in the QuickSight UI for those restricted users.

Prerequisites
• This functionality is only applicable in Amazon QuickSight Enterprise Edition.
• You need to be an Amazon QuickSight Admin with permissions to use quicksight:*CustomPermissions

Steps

  1. From the Amazon QuickSight console, go to ‘Manage QuickSight.’
  2. Click ‘Manage users’ then click ‘Manage permissions.’
  3. The first time, you need to create a custom permission profile: click ‘Create.’
  4. Give this permission profile a ‘Name’ and choose the ‘Restrictions’ to deny, which are Exporting to CSV and Exporting to EXCEL in our case. Note the name of the custom permission.
  5. Apply the custom permission to users by running the AWS CLI commands below, providing the custom permission profile name for the --custom-permissions-name parameter.

For a new user:

aws quicksight register-user \
--iam-arn arn:aws:iam::<aws-account>:user/<new-user-name> \
--identity-type IAM \
--user-role AUTHOR \
--custom-permissions-name PC-LimitDataExport \
--email <user-email> \
--aws-account-id <aws-account> \
--namespace default

For an existing user:

aws quicksight update-user \
--user-name <existing-user-name> \
--role AUTHOR \
--custom-permissions-name PC-LimitDataExport \
--email <user-email> \
--aws-account-id <aws-account> \
--namespace default

  6. (Optional) You can use the command below to remove the permission profile from a user.
aws quicksight update-user \
--user-name <existing-user-name> \
--role AUTHOR \
--unapply-custom-permissions \
--email <user-email> \
--aws-account-id <aws-account> \
--namespace default
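
To confirm the profile actually reached every Author, the saved output of `aws quicksight list-users` can be checked for Authors that have no custom permission or a different one. This is an added example, not part of the original article; the function name, the file name users.json and the sample users are assumptions made for illustration.

```python
import json
import sys

# Constructed sample in the shape returned by:
#   aws quicksight list-users --aws-account-id <aws-account> --namespace default
SAMPLE = json.dumps({"UserList": [
    {"UserName": "alice", "Role": "AUTHOR",
     "CustomPermissionsName": "PC-LimitDataExport"},
    {"UserName": "bob", "Role": "AUTHOR"},
    {"UserName": "carol", "Role": "AUTHOR",
     "CustomPermissionsName": "PC-Other"},
    {"UserName": "dave", "Role": "READER"},
    {"UserName": "erin", "Role": "ADMIN"},
]})


def audit_export_restriction(list_users_json, profile_name, roles=("AUTHOR",)):
    """Return {user_name: finding} for users in `roles` lacking `profile_name`."""
    response = json.loads(list_users_json)
    findings = {}
    for user in response.get("UserList", []):
        if user.get("Role") not in roles:
            continue  # Readers and Admins are outside this check
        applied = user.get("CustomPermissionsName")
        if applied is None:
            findings[user["UserName"]] = "no custom permission applied"
        elif applied != profile_name:
            findings[user["UserName"]] = f"different profile applied: {applied}"
    return findings


if __name__ == "__main__":
    # Usage: python audit.py users.json   (falls back to the constructed sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as handle:
            data = handle.read()
    else:
        data = SAMPLE
    result = audit_export_restriction(data, "PC-LimitDataExport")
    for name, finding in sorted(result.items()):
        print(f"{name}: {finding}")
    sys.exit(1 if result else 0)  # non-zero exit lets a scheduled job alert
```

Readers are skipped on purpose: for them, the export option is controlled by the dashboard publish setting described earlier, not by this profile.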

Conclusion
By utilizing custom permissions, we can restrict an Amazon QuickSight Author from performing more fine-grained operations, as listed below.


(Reference Link: Customizing access to the Amazon QuickSight console - Amazon QuickSight)

Author & Company Bio

Authors: @Celeste.S, @mycardson, @ryo.hang from AWS Advanced Tier Services Partner, Data and Analytics Competency Partner, and DevOps Competency Partner, ASCENDING Inc.
