Limit Athena, S3 access using Fine-grained access control (Scope Down Policies) or Role-based access (Run as role)

Scope Down Policies (SCP):
Fine-grained access control allows Amazon QuickSight account administrators to control authors’ default access to connected AWS resources. Fine-grained access control enables administrators to use IAM policies to scope down access permissions, limiting specific authors’ access to specific items within the AWS resources.

You can use SCP to limit Author access to specific Athena databases/tables or S3 buckets. This is done by creating an IAM policy with the required permissions and applying the policy to users or groups within QuickSight. The steps are detailed here.

A sample policy with the required IAM permissions is provided below. Note that this is an example only and is not meant to be used directly in production; test all permissions and policies in a dev/sandbox environment first.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "athena:ListEngineVersions",
                "athena:ListDataCatalogs",
                "athena:ListWorkGroups"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "athena:GetTableMetadata",
                "athena:StartQueryExecution",
                "athena:GetQueryResults",
                "athena:GetDatabase",
                "athena:GetDataCatalog",
                "athena:ListQueryExecutions",
                "athena:GetWorkGroup",
                "athena:StopQueryExecution",
                "athena:GetQueryResultsStream",
                "athena:ListDatabases",
                "athena:GetQueryExecution",
                "athena:ListTableMetadata",
                "athena:BatchGetQueryExecution"
            ],
            "Resource": [
                "arn:aws:athena:us-east-1:<AWS_Account_ID>:workgroup/<Athena_workgroup_name>",
                "arn:aws:athena:us-east-1:<AWS_Account_ID>:datacatalog/<Data_Catalog_Name>"
            ]
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": [
                "glue:GetTables",
                "glue:GetDatabases",
                "glue:GetTable"
            ],
            "Resource": [
                "arn:aws:glue:us-east-1:<AWS_Account_ID>:catalog",
                "arn:aws:glue:us-east-1:<AWS_Account_ID>:database/<Database_Name>",
                "arn:aws:glue:us-east-1:<AWS_Account_ID>:table/<Database_Name>/<Table_Name>"
            ]
        },
        {
            "Sid": "VisualEditor3",
            "Effect": "Allow",
            "Action": [
                "s3:CreateBucket",
                "s3:ListBucket",
                "s3:AbortMultipartUpload",
                "s3:ListBucketMultipartUploads",
                "s3:PutBucketPublicAccessBlock",
                "s3:ListMultipartUploadParts",
                "s3:PutObject",
                "s3:GetObject",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::aws-athena-query-results-*"
            ]
        },
        {
            "Sid": "VisualEditor4",
            "Effect": "Allow",
            "Action": [
                "lambda:InvokeFunction"
            ],
            "Resource": [
                "arn:aws:lambda:us-east-1:<AWS_Account_ID>:function:<Function_Name>"
            ]
        },
        {
            "Sid": "VisualEditor5",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:ListBucket",
                "s3:GetObjectVersion"
            ],
            "Resource": [
                "arn:aws:s3:::<S3_Data_Bucket_Name>",
                "arn:aws:s3:::<S3_Data_Bucket_Name>/*"
            ]
        }
    ]
}
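The policy above is easiest to get right when it is generated from the concrete names rather than edited by hand, and it should be checked before it is attached to a user or group. The following example (added here; it is not code from the post, AWS or QuickSight) builds the same policy for given account, region, workgroup, catalog, database, table and data-bucket names, and then runs a small least-privilege check over it: no wildcard actions, `Resource: "*"` only on read/list calls, no unfilled `<...>` placeholders, and the data bucket kept read-only (writes belong in the `aws-athena-query-results-*` bucket only). The account id and resource names in `main()` are constructed placeholders.

```python
import json
import re

# Read-only / enumeration calls are the only ones allowed to carry Resource "*"
READ_ONLY = re.compile(r"^[a-z0-9-]+:(List|Get|Describe|BatchGet)")
RESULTS_BUCKET_PREFIX = "arn:aws:s3:::aws-athena-query-results-"


def scoped_policy(account_id, region, workgroup, catalog, database, table,
                  data_bucket, lambda_function=None):
    """Return the post's scope-down policy filled in with concrete names."""
    athena = f"arn:aws:athena:{region}:{account_id}"
    glue = f"arn:aws:glue:{region}:{account_id}"
    statements = [
        {"Sid": "AthenaEnumerate", "Effect": "Allow",
         "Action": ["athena:ListEngineVersions", "athena:ListDataCatalogs",
                    "athena:ListWorkGroups"],
         "Resource": "*"},
        {"Sid": "AthenaQuery", "Effect": "Allow",
         "Action": ["athena:GetTableMetadata", "athena:StartQueryExecution",
                    "athena:GetQueryResults", "athena:GetDatabase",
                    "athena:GetDataCatalog", "athena:ListQueryExecutions",
                    "athena:GetWorkGroup", "athena:StopQueryExecution",
                    "athena:GetQueryResultsStream", "athena:ListDatabases",
                    "athena:GetQueryExecution", "athena:ListTableMetadata",
                    "athena:BatchGetQueryExecution"],
         # Only the named workgroup and data catalog, never every workgroup
         "Resource": [f"{athena}:workgroup/{workgroup}",
                      f"{athena}:datacatalog/{catalog}"]},
        {"Sid": "GlueMetadata", "Effect": "Allow",
         "Action": ["glue:GetTables", "glue:GetDatabases", "glue:GetTable"],
         "Resource": [f"{glue}:catalog", f"{glue}:database/{database}",
                      f"{glue}:table/{database}/{table}"]},
        {"Sid": "QueryResultsBucket", "Effect": "Allow",
         "Action": ["s3:CreateBucket", "s3:ListBucket", "s3:AbortMultipartUpload",
                    "s3:ListBucketMultipartUploads", "s3:PutBucketPublicAccessBlock",
                    "s3:ListMultipartUploadParts", "s3:PutObject", "s3:GetObject",
                    "s3:GetBucketLocation"],
         "Resource": [RESULTS_BUCKET_PREFIX + "*"]},
        {"Sid": "DataBucketReadOnly", "Effect": "Allow",
         # Authors only read the source data; writes stay in the results bucket
         "Action": ["s3:GetObject", "s3:ListBucket", "s3:GetObjectVersion"],
         "Resource": [f"arn:aws:s3:::{data_bucket}", f"arn:aws:s3:::{data_bucket}/*"]},
    ]
    if lambda_function:  # only needed for federated (Lambda-backed) catalogs
        statements.append({"Sid": "FederatedCatalog", "Effect": "Allow",
                           "Action": ["lambda:InvokeFunction"],
                           "Resource": [f"arn:aws:lambda:{region}:{account_id}:function:{lambda_function}"]})
    return {"Version": "2012-10-17", "Statement": statements}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def least_privilege_findings(policy):
    """Return a list of findings for a policy; an empty list means it passed."""
    findings = []
    for st in policy["Statement"]:
        sid = st.get("Sid", "<no Sid>")
        actions, resources = _as_list(st["Action"]), _as_list(st["Resource"])
        for a in actions:
            if a == "*" or a.endswith(":*"):
                findings.append(f"{sid}: wildcard action {a}")
        if "*" in resources:
            writers = [a for a in actions if not READ_ONLY.match(a)]
            if writers:
                findings.append(f"{sid}: non-read actions on Resource '*': {writers}")
        for r in resources:
            if "<" in r or ">" in r:
                findings.append(f"{sid}: unfilled placeholder in {r}")
        data_buckets = [r for r in resources if r.startswith("arn:aws:s3:::")
                        and not r.startswith(RESULTS_BUCKET_PREFIX)]
        if data_buckets:
            writes = [a for a in actions if a.startswith(("s3:Put", "s3:Delete", "s3:Create"))]
            if writes:
                findings.append(f"{sid}: write actions on data bucket: {writes}")
    return findings


if __name__ == "__main__":
    # Constructed placeholder names; substitute your own before applying the policy
    policy = scoped_policy("123456789012", "us-east-1", "primary", "AwsDataCatalog",
                           "sales", "orders", "example-data-bucket")
    print(json.dumps(policy, indent=4))
    print("findings:", least_privilege_findings(policy) or "none")
```

Running the script prints the filled-in policy document, ready to paste into the QuickSight fine-grained access control screen, followed by any findings. The check is deliberately conservative: it treats any statement that grants `s3:Put*`, `s3:Delete*` or `s3:Create*` on a bucket other than the query-results bucket as a finding, because Authors never need to write to the source data.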

Scope-down policies work on top of the account-level role: you first select which services QuickSight can access, using either the default QuickSight-managed (service) role or an IAM role of your choosing here. That role sets the baseline access for all Authors/Admins in QuickSight, and scope-down policies then restrict it for selected users or for everyone.

If you want to override the QuickSight-managed IAM role or the IAM role selected in the step above and instead associate permissions at the data source level, you can use role-based access control (Run-as role).
With a Run-as IAM role for S3 and Athena, QuickSight account administrators can assign an IAM role to individual S3 or Athena data sources in their QuickSight account, rather than enabling account-wide access from QuickSight to S3 or Athena. More details here.

To use a Run-as IAM role:

  1. Create an IAM role with a trust policy that allows QuickSight to assume the role.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "quicksight.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
  2. Attach an IAM policy to the role with the required permissions (similar to the sample policy provided above).
  3. Create a new Athena/S3 data source using the CLI/API, passing the IAM role ARN as the ‘RoleArn’ parameter value as shown here.

Data sets created from this data source always query Athena/S3 with the permissions granted by the role's IAM policy.
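The three steps above, carried through end to end as an added example (not code from the post, AWS or QuickSight): it builds the trust policy from step 1, verifies that the trust relationship lets only `quicksight.amazonaws.com` call `sts:AssumeRole` (a misplaced `"AWS": "*"` principal would let anyone assume the role), creates the role and attaches the scoped policy with the IAM `create_role`/`put_role_policy` calls, and builds the `CreateDataSource` request for step 3. It assumes the per-data-source role is passed as `DataSourceParameters.AthenaParameters.RoleArn` next to the workgroup. `RecordingClient` is a stand-in for the boto3 `iam` and `quicksight` clients so the script runs offline; the account id, role and data source names are constructed.

```python
import json

QUICKSIGHT_SERVICE = "quicksight.amazonaws.com"


def trust_policy():
    """Trust policy from step 1: only the QuickSight service may assume the role."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Principal": {"Service": QUICKSIGHT_SERVICE},
                           "Action": "sts:AssumeRole"}]}


def trust_policy_is_quicksight_only(policy):
    """True if every Allow statement lets only quicksight.amazonaws.com call sts:AssumeRole."""
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal")
        actions = st.get("Action")
        actions = actions if isinstance(actions, list) else [actions]
        # Any account/user principal, or a second service, widens who can assume the role
        if not isinstance(principal, dict) or set(principal) != {"Service"}:
            return False
        services = principal["Service"]
        services = services if isinstance(services, list) else [services]
        if services != [QUICKSIGHT_SERVICE] or actions != ["sts:AssumeRole"]:
            return False
    return True


def create_data_source_request(account_id, data_source_id, name, role_arn, workgroup):
    """Keyword arguments for QuickSight CreateDataSource (step 3).

    Assumption: the per-data-source role goes in AthenaParameters.RoleArn."""
    return {"AwsAccountId": account_id,
            "DataSourceId": data_source_id,
            "Name": name,
            "Type": "ATHENA",
            "DataSourceParameters": {"AthenaParameters": {"WorkGroup": workgroup,
                                                          "RoleArn": role_arn}}}


def setup_run_as_role(iam, quicksight, account_id, role_name, policy_document,
                      data_source_id, name, workgroup):
    """Steps 1-3 against IAM and QuickSight clients (boto3 or stand-ins); returns the role ARN."""
    doc = trust_policy()
    if not trust_policy_is_quicksight_only(doc):
        raise ValueError("trust policy must allow only quicksight.amazonaws.com")
    role = iam.create_role(RoleName=role_name, AssumeRolePolicyDocument=json.dumps(doc))
    role_arn = role["Role"]["Arn"]
    iam.put_role_policy(RoleName=role_name, PolicyName="QuickSightScopedAccess",
                        PolicyDocument=json.dumps(policy_document))
    quicksight.create_data_source(**create_data_source_request(
        account_id, data_source_id, name, role_arn, workgroup))
    return role_arn


class RecordingClient:
    """Stand-in for a boto3 client (constructed for this example): records calls."""
    def __init__(self, account_id):
        self.calls, self.account_id = [], account_id

    def __getattr__(self, op):
        def call(**kwargs):
            self.calls.append((op, kwargs))
            if op == "create_role":
                return {"Role": {"Arn": f"arn:aws:iam::{self.account_id}:role/{kwargs['RoleName']}"}}
            return {}
        return call


if __name__ == "__main__":
    # Constructed names; replace the stand-ins with boto3.client("iam") / boto3.client("quicksight")
    acct = "123456789012"
    iam, qs = RecordingClient(acct), RecordingClient(acct)
    policy = {"Version": "2012-10-17", "Statement": []}  # attach the scope-down policy from the post here
    arn = setup_run_as_role(iam, qs, acct, "QuickSightAthenaRunAs", policy,
                            "sales-athena", "Sales (Athena)", "primary")
    print(arn)
    # The recorded request body is also valid input for `aws quicksight create-data-source --cli-input-json`
    print(json.dumps(qs.calls[0][1], indent=2))
```

The trust-policy check runs before anything is created, so a role whose trust relationship was widened by hand never gets the scoped policy or a data source pointed at it. With real boto3 clients the same `setup_run_as_role` call creates the role, attaches the policy and registers the data source; the printed request body can be saved and passed to the CLI instead.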
