Images from S3

Hi,
I would like to add images from S3 and have some questions.
I have followed https://repost.aws/knowledge-center/quicksight-deny-policy-allow-bucket
but can’t make it work as I would like to. @Max I see that you replied in the linked post. Would you be able to help?
My bucket is public.
I added the bucket policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::examplebucketname",
        "arn:aws:s3:::examplebucketname/*"
      ],
      "Condition": {
        "StringNotLike": {
          "aws:userid": [
            "AROAEXAMPLEID:*",
            "AIDAEXAMPLEUSERID"
          ]
        }
      }
    }
  ]
}

QS doesn’t display images.

If I change the object’s ACL and enable read to everyone then the image displays ok.

How do you make objects only available to your QS without them being public?

Thanks,
Art

Hi @ArtSal -
Using an Amazon CloudFront distribution on a private S3 bucket is one approach I have used. See documentation details here.

Best Regards,
Kellie

Hi @Kellie_Burton, I appreciate your advice; however, I am not looking into using CloudFront, therefore I don’t accept your answer as a solution.
Best,
Art

Hi @Thomas, you mentioned in Embed link and download pdf that you can do it without having the document public. How could I achieve it if my file sits in S3? Any advice would be highly appreciated.

Hi @ArtSal,
Yes, if your use case is to only display those images within dashboards that are opened on a user’s device, like a browser on a laptop, you can integrate non-public images as described on the post you referred to (server-side content generation, like PDF generation, does not support non-public images as of now). The key is to provide access to that non-public image on that device.

Note that the implementation of that aspect is completely unrelated to QuickSight. Kellie outlined one approach, but you could also implement an API that integrates with existing authentication mechanisms used by your end users. Alternatively, depending on your use case and security requirements, you could also restrict access to certain networks in which your end users are located.

Again, the implementation of that sits outside of QuickSight and strongly depends on the details of your requirements and setup.

Hope this helps to understand when and how non-public images can be used within QuickSight.

1 Like
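
A simplified model of how the bucket policy in the question, and a network-restricted variant of the kind mentioned in the last reply, treat a signed role session versus an unsigned image fetch from a viewer's browser. This is an added example, not code from any poster or from AWS; it models only the two condition operators used, and the CIDR, session name, source IPs and the `anonymous` user ID value are assumptions.

```python
import fnmatch
import ipaddress
BUCKET = "arn:aws:s3:::examplebucketname"
# Deny statement from the question, placeholder IDs kept as posted.
DENY_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny", "Principal": "*", "Action": "s3:*",
    "Resource": [BUCKET, BUCKET + "/*"],
    "Condition": {"StringNotLike": {"aws:userid": [
        "AROAEXAMPLEID:*", "AIDAEXAMPLEUSERID"]}}}]}
# Network-restricted read; the CIDR is a constructed documentation range.
NETWORK_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": BUCKET + "/*",
    "Condition": {"IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]}}}]}

def condition_matches(condition, ctx):
    """True when every operator/key pair in the Condition block matches."""
    for op, keys in condition.items():
        for key, patterns in keys.items():
            value = ctx.get(key)
            if op == "StringNotLike":
                # Negated operator: matches if the key is absent or no pattern fits.
                ok = value is None or not any(
                    fnmatch.fnmatchcase(value, p) for p in patterns)
            elif op == "IpAddress":
                ok = value is not None and any(
                    ipaddress.ip_address(value) in ipaddress.ip_network(p)
                    for p in patterns)
            else:
                raise ValueError(f"operator not modelled: {op}")
            if not ok:
                return False
    return True

def decide(policy, ctx):
    """Bucket-policy outcome for an s3:GetObject on an object in the bucket."""
    effects = {s["Effect"] for s in policy["Statement"]
               if condition_matches(s.get("Condition", {}), ctx)}
    if "Deny" in effects:
        return "Deny"  # an explicit deny always wins
    return "Allow" if "Allow" in effects else "NoMatch"

# Constructed requests: the role session named in the policy, and unsigned
# browser fetches ("anonymous" is the assumed aws:userid for those).
ROLE = {"aws:userid": "AROAEXAMPLEID:session", "aws:SourceIp": "198.51.100.7"}
BROWSER_IN = {"aws:userid": "anonymous", "aws:SourceIp": "203.0.113.25"}
BROWSER_OUT = {"aws:userid": "anonymous", "aws:SourceIp": "198.51.100.7"}

for name, ctx in (("role", ROLE), ("in-net", BROWSER_IN), ("out-net", BROWSER_OUT)):
    print(name, decide(DENY_POLICY, ctx), decide(NETWORK_POLICY, ctx))
```

`NoMatch` means the bucket policy neither allows nor denies the request, so other policies decide: the role's own IAM permissions for the role session, and an implicit deny for an unsigned request.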