Sharing Overrides IAM Policy Permissions - Is that intentional?

I attach IAM policies to users/groups which specify things like athena & s3 access. To me this is a way to control user access to data in s3. However, I noticed a scenario that surprised me.
Example:

Person A1 has access to data in Bucket B1 (according to their attached IAM policy)
Person A2 has access to data in a different bucket B2 (according to their attached IAM policy)

But if person A2 creates a dashboard with data from bucket B2, then shares it with person A1, then person A1 can now see that data from bucket B2 in the dashboard, even though their IAM policy does not allow access to that data. I was thinking the IAM policy should apply in this case and prevent person A1 from seeing that data, but it seems that sharing overrides the IAM policy.

Is my understanding correct? If so, I am curious why it is set up that way?

Visibility of data via Dashboards sharing is not controlled by IAM policies. IAM policies are meant to control what users can do in QuickSight, not what they can see in a Dashboard. If A2 does not want A1 to see certain data, it can be done via RLS and/or CLS.

Thank you for the reply @agmayan. I agree that is one approach for administration, but I don’t think it is the only valid approach - let me explain.

If you use the default of allowing all users access to all connected resources then I agree you have to use the native RLS and CLS within Quicksight.

But it also allows you to not allow access by default, and then provision access through IAM policies.
Here is an example of what this looks like under “Security & permissions” in the management console:

You can see it states “Resource access is controlled by assigning IAM policies”, & other similar statements. I’ve also tested this out and verified that the IAM policies (such as S3 & KMS) do in fact control access to data. If I try to access a visualization for which I don’t have the necessary S3 or KMS permissions I will receive an error.

Given the Quicksight documentation and testing I’ve done, I think this is supposed to be a valid approach for controlling data access. However, sharing overrides the IAM policies. So if someone with the necessary S3 & KMS permissions (via a policy assignment) shared that visualization with me, I would be able to see it. This seems unusual to me.

Maybe splitting this up into two parts will help:

  1. Is controlling access to data via IAM policies like I have described above a valid approach? (Everything I’ve seen in the docs & from testing makes me think it is).

  2. If so, why does sharing override the IAM policy assignments?

Any help with my follow-up above?

Hi,

Sorry for the delayed response. I would like to mention that not all users in QuickSight are IAM users, e.g. AD users. Also, in the case of embedding there is no way to enforce an IAM policy on end customer readers such as anonymous readers. In such cases RLS/CLS is the way to control data access.

I do see what you are saying though, that in the case of IAM policies, sharing overrides them. I will do some experiments at our end and figure out if there is a need to address this. There is a chance that I might be overlooking some considerations. Will get back to you soon on this thread.

Ok, sounds great, agmayan

Hi @agmayan - just wanted to check if you had an update on this?

Hi @agmayan or anyone else on the QS team - just wanted to check if you have looked into this?

Hi @bergqdou, @agmayan was going to look into the issue in this post but he has not responded for quite some time. Do you know if there is somebody else who could take a look?

Hi jochapjo

Sincere apologies for not being active on this thread.
Correct me if I am wrong, but what you are asking for is basically pass-through authentication/authorization using IAM policies.
If yes, that is not possible today and I will take it as a feature request.

Basically I am asking for the sharing functionality to not override what I’ve specified (as an admin) in users’ IAM policies.

Here’s another example -

As an admin, I give author A access to certain data using IAM policies (S3, KMS, Glue, Athena permissions, etc).
As an admin, I give author B access to different data (no overlap with the data author A has access to).

Scenario: Author A creates an Athena connection to access the data they have permissions for.
Then Author A shares that connection with Author B.

The current functionality is that Author B can now use that Athena connection to query data that I did not give permissions for in their IAM policy.
The behavior I would prefer is if either Author A couldn’t share the connection (because B does not have the necessary permissions), or when B tried to use it, it errored out.
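An added audit sketch for the gap described in both the dashboard example and the Athena-connection example above (this is example code, not from this thread or from AWS): given a snapshot of who each QuickSight asset is shared with and each principal's IAM Allow statements, it lists the shares where the grantee's own policy would not reach the asset's underlying bucket. Policy evaluation is deliberately simplified (Allow statements only, glob matching on action and resource), and the principal names, buckets and asset records are constructed.

```python
"""Flag QuickSight shares whose grantee lacks IAM access to the source bucket."""
from fnmatch import fnmatchcase

# Constructed IAM policies: author_a may read bucket b1, author_b bucket b2.
IAM_POLICIES = {
    "author_a": [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
                  "Resource": ["arn:aws:s3:::b1", "arn:aws:s3:::b1/*"]}],
    "author_b": [{"Effect": "Allow", "Action": "s3:*",
                  "Resource": "arn:aws:s3:::b2/*"}],
}

# Constructed asset snapshot: the bucket each asset reads from and the
# principals it is shared with (owner listed first).
ASSETS = [
    {"type": "dashboard", "name": "sales-b2", "bucket": "b2",
     "shared_with": ["author_b", "author_a"]},
    {"type": "data_source", "name": "athena-b1", "bucket": "b1",
     "shared_with": ["author_a", "author_b"]},
    {"type": "dashboard", "name": "own-b1", "bucket": "b1",
     "shared_with": ["author_a"]},
]


def _as_list(value):
    # IAM lets Action/Resource be a single string or a list; normalise to a list.
    return value if isinstance(value, list) else [value]


def iam_allows_bucket(principal, bucket):
    """True if some Allow statement grants s3:GetObject on the bucket's objects.
    Simplified: ignores Deny statements, conditions and resource policies."""
    want_action, want_resource = "s3:GetObject", f"arn:aws:s3:::{bucket}/*"
    for stmt in IAM_POLICIES.get(principal, []):
        if stmt.get("Effect") != "Allow":
            continue
        action_ok = any(fnmatchcase(want_action, a) for a in _as_list(stmt.get("Action", [])))
        resource_ok = any(fnmatchcase(want_resource, r) for r in _as_list(stmt.get("Resource", [])))
        if action_ok and resource_ok:
            return True
    return False


def find_policy_bypasses(assets=ASSETS):
    """Return (asset type, asset name, principal) for every share that exposes
    data the grantee's own IAM policy would not let them read directly."""
    return [(a["type"], a["name"], p) for a in assets
            for p in a["shared_with"] if not iam_allows_bucket(p, a["bucket"])]


if __name__ == "__main__":
    for kind, name, who in find_policy_bypasses():
        print(f"{kind} {name}: shared with {who}, whose IAM policy does not cover its bucket")
```

In a real account the two snapshots would be pulled from the QuickSight permissions and IAM policy APIs rather than hard-coded, and the report would be reviewed alongside RLS/CLS settings.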

Thanks jochapjo. Your ask makes sense. I will keep this scenario/use case in the list as we work on the future initiatives in the governance area. Really appreciate your patience.

Sounds great, thanks agmayan!