Hi,
I restricted a group of users via an IAM policy so that they can’t create datasets (which generally works), but it doesn’t stop the creation of a dataset via the dataset → “use in a new dataset” item. Is this intended and, if so, are there any permissions to restrict that?
Thank you for bringing up this interesting scenario. The behavior you’re experiencing is likely not intended, and it sounds like you’ve discovered a potential inconsistency in how permissions are applied across different dataset creation methods in QuickSight.
Typically, the ability to create datasets is controlled by the “quicksight:CreateDataSet” action in IAM policies. However, the “use in a new dataset” feature might be using a different set of permissions or might be overlooked in the permission checks.
To address this issue, you could try the following approaches:

1. Restrict Additional Permissions:
   In addition to denying "quicksight:CreateDataSet", you might want to deny these related actions:
   - quicksight:UpdateDataSet
   - quicksight:PassDataSet
   - quicksight:UpdateDataSetPermissions

2. Use Resource-Level Permissions:
   If possible, use resource-level permissions to restrict access to specific datasets or data sources.

3. Contact AWS Support:
   Since this appears to be an inconsistency in how permissions are applied, it would be worthwhile to contact AWS Support. They can confirm if this is expected behavior or a bug that needs to be addressed.

4. Use QuickSight SPICE Capacity Limits:
   As a workaround, you could set SPICE capacity limits for the users or groups to prevent them from creating new datasets that would exceed their allocated SPICE capacity.

5. Implement Governance Checks:
   Set up regular audits or use AWS Config rules to detect and remediate any datasets created outside of your intended permissions.
Here’s an example IAM policy that denies these actions:
Remember to test any changes thoroughly in a non-production environment first.
It’s also a good idea to report this behavior to AWS Support, as it could be considered a security issue that they might want to address in future updates.
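The following is an added example, not code from the answer above or from AWS: it builds the explicit-Deny policy covering the four QuickSight dataset actions listed in the answer, checks which actions that policy denies, and then runs the governance check the answer recommends over a few constructed CloudTrail records, flagging any CreateDataSet event issued by a principal who is supposed to be blocked. The account id, user ARNs, dataset ids and log records are constructed, and the check assumes that dataset creation through the "use in a new dataset" path is logged as a quicksight.amazonaws.com CreateDataSet event like the API call is.

```python
"""Added example (not part of the original thread): an explicit-Deny policy for
the QuickSight dataset actions named in the answer, plus a small CloudTrail
audit that flags dataset creations by members of a restricted group.
All account ids, ARNs, user names and log records below are constructed."""
import json

# Actions the answer suggests denying alongside quicksight:CreateDataSet.
RESTRICTED_DATASET_ACTIONS = [
    "quicksight:CreateDataSet",
    "quicksight:UpdateDataSet",
    "quicksight:PassDataSet",
    "quicksight:UpdateDataSetPermissions",
]


def build_deny_policy(actions=RESTRICTED_DATASET_ACTIONS):
    """Return an IAM policy document with an explicit Deny on the given actions.
    An explicit Deny overrides any Allow attached elsewhere to the principal."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyQuickSightDataSetCreation",
                "Effect": "Deny",
                "Action": list(actions),
                "Resource": "*",
            }
        ],
    }


def policy_denies(policy, action):
    """True if the policy carries an explicit Deny matching `action`.
    Handles a single string or a list of actions and the '*' / 'service:*'
    wildcard forms; it does not model conditions or resource constraints."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        patterns = stmt["Action"]
        if isinstance(patterns, str):
            patterns = [patterns]
        for pattern in patterns:
            if pattern == "*" or pattern == action:
                return True
            if pattern.endswith("*") and action.startswith(pattern[:-1]):
                return True
    return False


# Constructed CloudTrail records; only the fields the audit needs are present.
SAMPLE_CLOUDTRAIL_RECORDS = [
    {"eventSource": "quicksight.amazonaws.com", "eventName": "CreateDataSet",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/analyst-a"},
     "requestParameters": {"dataSetId": "ds-0001"}},
    {"eventSource": "quicksight.amazonaws.com", "eventName": "CreateDataSet",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/admin-b"},
     "requestParameters": {"dataSetId": "ds-0002"}},
    {"eventSource": "quicksight.amazonaws.com", "eventName": "DescribeDataSet",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/analyst-a"},
     "requestParameters": {"dataSetId": "ds-0001"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/analyst-a"}},
]

# Principals the IAM policy is meant to block from creating datasets (constructed).
RESTRICTED_PRINCIPALS = {"arn:aws:iam::111122223333:user/analyst-a"}


def find_unexpected_dataset_creations(records, restricted_principals):
    """Return (principal ARN, dataSetId) for every QuickSight CreateDataSet
    event issued by a restricted principal. A non-empty result means the IAM
    restriction did not hold for some creation path and should be alerted on."""
    hits = []
    for rec in records:
        if rec.get("eventSource") != "quicksight.amazonaws.com":
            continue
        if rec.get("eventName") != "CreateDataSet":
            continue
        principal = rec.get("userIdentity", {}).get("arn")
        if principal in restricted_principals:
            dataset_id = rec.get("requestParameters", {}).get("dataSetId")
            hits.append((principal, dataset_id))
    return hits


if __name__ == "__main__":
    policy = build_deny_policy()
    print(json.dumps(policy, indent=2))
    for action in ("quicksight:CreateDataSet", "quicksight:DescribeDataSet"):
        print(f"{action}: {'denied' if policy_denies(policy, action) else 'not denied'}")
    for principal, dataset_id in find_unexpected_dataset_creations(
            SAMPLE_CLOUDTRAIL_RECORDS, RESTRICTED_PRINCIPALS):
        print(f"ALERT: restricted principal {principal} created dataset {dataset_id}")
```

Running the block prints the policy document and one alert for analyst-a; in practice the record list would come from CloudTrail Lake, Athena over the CloudTrail bucket, or an EventBridge rule on the same event, and the alert would feed the remediation step the answer describes rather than stdout.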
Thank you very much for your detailed thoughts on this. I have tried the additional policy statement out, unfortunately, it didn’t fix the problem. It’s not a massive issue for us and a simple “don’t do it” instruction will probably solve it, but I am going to raise it with AWS Support to get their views.
Hi @Steffen_Paessler,
It’s been a while since we last heard from you. Checking in to see if you were able to create a support ticket and, if so, whether they were able to provide help in your scenario?
If there are no further questions, I’ll go ahead and close out this topic if we do not hear back within the next 3 business days.