Implementing an effective backup strategy in Amazon Quick Sight

Learn Technical Articles
,
1

Introduction

Defining a backup strategy for AWS resources is important for organisations of all sizes and independent of the sector they operate in (becoming critical when they operate on heavily regulated industries such as FSI, HealthCare, Energy, etc.)

An effective backup strategy is important for multiple reasons:

  • Data loss prevention protects from various scenarios including hardware failures, human errors, accidental deletions and cyberattacks like ransomware
  • Meeting recovery objectives helps organisations to meet their Recovery Point Objectives (RPO) and Recovery Time Objectives (RTO) ensuring minimal data loss during incidents
  • Audit and reporting allowing you to track, audit and report assets during its life cycle (creation, updates and deletion).
  • Increased workload resiliency allowing quick restoration of systems to previous states, reducing downtime and improving system reliability. This is actually a key pillar of the Well-Architected Framework
  • Disaster Recovery (DR) preparedness an effective backup solution serves as foundation to implement a DR process that can anticipate and address technology-related disasters and contribute to your organization’s business continuity plan (BCP).

This article will dive deep into the best practices to implement an effective backup strategy for your Business Intelligence system powered by Quick Sight, providing details on the type of assets to cover under the backup process and the Quick Sight APIs to use.

Backup practices for Business Intelligence

Business Intelligence systems present unique business continuity challenges due to their role in supporting decision-making processes and key business stakeholders, so it is paramount to ensure that they are properly protected against service disruptions by implementing an effective backup plan. Before building this plan, it is important to understand how Quick Sight is architected, and which are the dimensions that we need to consider as part of our DR plan.

QS_high_level_arch
QS_high_level_arch1292×572 29.8 KB

As shown on the diagram below Quick Sight leverages AWS’s global infrastructure with multiple regions to provide high availability for Quick Sight assets (these are data sources, datasets, analyses, dashboards, etc.) Imported data into SPICE is also highly available with redundant copy across multiple availability zones (AZs) within the Quick Sight region. This regional design allows you to have resources in multiple regions and leverage a secondary region in the unlikely case of a regional event in the primary region used for your business intelligence resources.

On the other hand, when it comes to user and identity management, Quick Sight uses one region that is defined during the initial account subscription process. As shown in the diagram above, this region will host the user and group identity information. This means that this region should be available for users to be able to access Quick Sight, so for example, if a user wants to access a dashboard that is defined in eu-west-1 region, but the Quick Sight main region is us-east-1 both regions need to be available to allow complete user flow. As mentioned earlier, Quick Sight is designed with a regional architecture leveraging availability-zones (AZs) for redundancy, but if your business needs to be protected against the unlikely case of a regional event you will need to design your DR strategy accordingly.

If you are unsure of what your Quick Sight main region is, you can gather this information by executing this command:

aws quicksight describe-account-settings --aws-account-id 208442788671 --region us-east-1

NOTE: this cli command specifies us-east-1 as endpoint region, if you get a 200 status it means that your identity region is us-east-1, otherwise you will get an error like the following instructing you to pointing your current identity region (e.g. eu-west-1):

An error occurred (AccessDeniedException) when calling the DescribeAccountSettings operation: Operation is being called from endpoint us-east-1, but your identity region is us-east-1. Please use the eu-west-1 endpoint.

Defining Quick Sight assets to include in the backup plan

With a clearer understanding of Quick Sight architecture, the next step is to select the assets you want to include in your backup plan. There are typically two approaches that you can follow:

Backup specific assets:

This approach is appropriate when defining a backup/DR strategy that pursues ensuring that the critical assets for your business operations are covered and can be conveniently restored in the case of an event or accidental deletion. This would include dashboards (and their depending assets) that are used by either key stakeholders to take business decisions or by operating teams (finance, logistics, procurement, etc.) to ensure continued business operation.

Backup all assets:

This strategy is suitable when you want to define a backup strategy that covers both versioning and potential disaster recovery coverage. By backing up all assets you will be able to perform in-place roll back of any asset to a previous step in case there is a human error causing an unintended modification or deletion. Additionally, as you have a backup of all the assets in your account you can select the assets to restore as part of your DR plan.

With the appropriate strategy selected now you need to select the type of Business Intelligence assets to export. In Quick Sight you have the following type of assets available:

  • Dashboards, read only assets targeted for reader users that are published from an analysis. You can also save a dashboard to an Analysis to perform editions.
  • Analyses and reports, an analysis its an editable version of a dashboard hence, it can be only accessed by the authors you choose.
  • Data sources, a data source implements the connection to your data which could be coming from analytic sources such as databases or data warehouses, AWS services such as S3 or third-party SaaS data providers such as Jira, Service now and more.
  • Datasets, this asset type, uses a data source to access external data and allows you to prepare and structure the data that powers your analyses and dashboards.
  • VPC connections, allows you to integrate with your VPC resources such as databases and data warehouses located in that VPC or that are reachable from it (peered VPCs or networks connected via VPN/Direct Link connection).
  • Themes, themes consist of a collection of styling and appearance settings that you can apply to multiple analyses and dashboards to match an esthetic standard that meets your product or corporate branding needs.

All these assets have dependencies between each other, the analyses and the dashboards being the ones that are at the top of this dependency chain that is illustrated on the diagram below:

assets_dependencies
assets_dependencies462×410 24.2 KB

Introduction to the AssetsAsBundle APIs

AssetsAsBundle APIs (AAaB) are a set of high-level APIs available on Quick Sight designed to enable programmatic export and import of Quick Sight resources. They enable a varied range of use cases such as release management, backup and restore, cross-account migration and CI/CD workflows.

These set of APIs include the following operations:

  • StartAssetBundleExportJob: Creates a package (bundle) that contains the assets that get exported as part of the operation. The package is a zip file with text files (JSON or CloudFormation format) that describe the exported assets. Once the operation (asynchronous) is completed, the bundle is uploaded to a temporary S3 location for download.
  • StartAssetBundleImportJob: Takes a previously exported bundle and restores the assets packed on it. The import operation allows you to define overrides for a wide set of parameters such as asset names, data source connection parameters (host, port, workgroup, etc.) …
  • DescribeAssetBundleImportJob and DescribeAssetBundleExportJob: Both AssetBundle operations are asynchronous, these APIs allows you to describe the operation to poll for its status and take action once it is completed. In the case of StartAssetBundleExportJob it also allows you to retrieve the DownloadUrl for the asset (valid for 5 minutes), you can subsequently call this API to refresh the validity of that URL.

Supported assets and current limitations of AssetsAsBundle APIs

AssetsAsBundle APIs support a varied list of Quick Sight assets (Analyses, Dashboards, Data sources, Datasets, Shared folders, Restricted folders, Refresh schedules, Themes and VPC connections). However, there are some limitations for some asset types:

Unsupported data sources: Adobe Analytics, File, GitHub, JIRA, Salesforce, ServiceNow, S3 (with locally uploaded manifest files) and Twitter

Unsupported data sets: Datasets containing ML columns generated using inference via connected SageMaker ML models.

These assets would need to be excluded from your backup plan to avoid getting an InvalidParameterValueException error when issuing the StartAssetBundleExportJob operation.

As a workaround you can replace the unsupported data sources and/or datasets by following this procedure:

For S3 data sources with local manifest files:

Create a new S3 data source and upload the manifest file to S3, then reference the manifest file from your data source. Once completed, replace the data source in the depending data sets using the UpdateDataSet API.

For other data sources and data sets:

Follow this procedure to transform your incompatible data set into a compatible one:

  • Create an analysis connected to the data source you want to support in your backup
  • Create a table visual visualizing all dataset columns
  • Export its data as csv
  • Create an S3 dataset using a manifest that is uploaded to S3
  • Update your analyses and dashboards with the newly created dataset using the replace dataset functionality.
  • Include the newly created assets in your backup

Technical Implementation

To implement a backup automation we suggest to perform the backup of Quick Sight assets (along with its permissions) and the Quick Sight users and groups, so you can use this information to restore the assets state into your target account.

Users and group backup:

The user and groups backup should use the Quick Sight user and group APIs to read the current state of your account and then store the retrieved user and group base in DynamoDB. We suggest to implements date-based suffixes for DynamoDB table names to preserve historical backup data and prevent overwrites allowing point-in-time recovery and backup history tracking. Additionally, this design reduces complexity of restore tools by avoiding the need to filter by date prefixes when querying data within a specific backup.

Backup_users_groups
Backup_users_groups481×351 11.1 KB

Example for a backup run on 2025-10-19:

  • Users: quicksight-users-backup-2025-10-19
  • Groups: quicksight-groups-backup-2025-10-19
  • User-Group Memberships: quicksight-users-groups-backup-2025-10-19

Users Table Schema:


{

"user_name": "string (partition key)",

"arn": "string",

"email": "string",

"role": "string",

"identity_type": "string",

"active": "boolean",

"principal_id": "string",

"backup_timestamp": "string (ISO 8601)",

"custom_permissions_name": "string"

}

Groups Table Schema:

{

"group_name": "string (partition key)",

"arn": "string",

"description": "string",

"principal_id": "string",

"members": ["list of user names"],

"backup_timestamp": "string (ISO 8601)"

}

Users-Groups Membership Table Schema:

{

"membership_id": "string (partition key, format: username#groupname)",

"user_name": "string",

"group_name": "string",

"user_arn": "string",

"group_arn": "string",

"backup_timestamp": "string (ISO 8601)"

}

NOTE: The user and group backup service within your automation tool should be able to in a region (identity_region) different than the asset backup operations. This will allow you to address scenarios where Quick Sight identity management might be configured in a different region different than asset storage.

Assets backup:

The assets bundle backup service within the tool should handles the coordinated export of assets within a region and uploads the generated bundle to an S3 location for later use. The automation takes a backup of the following assets (data sources, datasets, analyses, dashboards and themes) and include all their dependencies by default (this is a setting that can be disabled if needed).

At high level it should perform the following tasks:

  • List all data sources using ListDataSources API, filtering out S3 manifest-based data sources and data sources with invalid VPC connection names (alphanumeric characters separated by hyphens.
  • List all datasets using ListDataSets API, filtering out FILE datasets by checking ImportMode field
  • List all analyses using ListAnalyses API
  • List all dashboards using ListDashboards API
  • Group assets by type for separate export jobs and allows to parametrize the number of assets to include in each bundle (with a maximum of 100 which corresponds to the limit of the API)
  • Checks the status of the export job using the DescribeAssetBundleExportJob API implementing exponential backoff to avoid throttling.
  • Once completed uploads the asset to S3 to a prefix with the following structure.
my-quicksight-backups/

└── quicksight-backups/ # Custom S3 prefix

├── 2024/01/15/

│ ├── datasources/

│ │ ├── datasources-143022.zip # Single bundle (≤ max_assets_per_bundle)

│ │ └── datasources_bundle_1-143045.zip # Multiple bundles when assets exceed limit

│ ├── datasets/

│ │ ├── datasets_bundle_1-143045.zip # Multiple bundles when assets exceed limit

│ │ └── datasets_bundle_2-143045.zip # Sequential numbering for multiple bundles

│ ├── analyses/

│ │ └── analyses-143108.zip # Single bundle

│ └── dashboards/

│ ├── dashboards_bundle_1-143131.zip # First of multiple dashboard bundles

│ └── dashboards_bundle_2-143131.zip # Second dashboard bundle

└── 2024/01/16/

├── datasources/

│ └── datasources-090015.zip

├── datasets/

│ └── datasets-090030.zip

└── ...

NOTE: bundle number string will be present only if the number of assets to backup exceeds the configured value in max_assets_per_bundle.

Sample End to end tool for backup creation

The quicksight_backup tool aims to provide a simple way to export all your Quick Sight assets (and their dependencies) into durable and inexpensive storage such as S3. The tool is designed to create new prefixes for the generated bundles, so previous backups are not overwritten. To make the backup complete, users and groups are also exported using the same principle, in this case DynamoDB will be used for storage and the table names will be containing the date when the backup was generated. This approach not only allows you to use this backup as a source for your recovery strategy but also allows you to also track history of changes of your Quick Sight assets and users associated with them.

The code is built using the boto3 python SDK is provided with packaging support using setuptools to ensure easy setup and use.

Tooling usage and configuration

To use the tool, make sure you comply with the following pre-requisites:

  • Python 3.8 or higher
  • Quick Sight account with Enterprise version or higher.
  • AWS CLI configured with appropriate credentials
  • Required AWS permissions (see Permissions section in the code)

Clone from source

git clone https://github.com/aws-samples/sample-quicksight-backup-tool
cd sample-quicksight-backup-tool

Create a python venv (recommended)

python3 -m venv ./.venv
source .venv/bin/activate

Install package

pip install -e .

Create a configuration file

Refer to the config.sample.yaml file in the repo to get started or create one from scratch, this configuration file allows you to define key parameters for the tool such as the AWS account to use, region, backup locations (DynamoDB tables and S3 bucket/prefixes) and more.

Using the tool

Once installed, the tool can be executed as follows:

quicksight-backup --config config.yaml --mode full

Only the config parameter is required, while the rest of the parameters can be omitted. The --mode parameter controls the backup type to perform (full, users-only or assets-only) where full is the default mode. Find below a list of the arguments supported by the tool:

Optional Arguments

  • –mode, -m: Backup mode (full, users-only, assets-only) [default: full]
  • –output-dir, -o: Output directory for reports and manifests
  • –verbose, -v: Enable verbose (DEBUG) logging
  • –log-file: Path to log file
  • –dry-run: Validate configuration without executing backup
  • –no-progress: Disable progress indicators
  • –generate-manifest: Generate backup manifest file
  • –generate-report: Generate human-readable backup report
  • –version: Show version information

Refer to the tool README file for more information.