To manage IAM policies for a QuickSight account, you can use either the root user or IAM credentials. It is recommended to use IAM credentials, rather than the root user, to manage resource access and policies.
The following policy actions are required to sign up for and use Amazon QuickSight −
Standard Edition
- ds:AuthorizeApplication
- ds:CheckAlias
- ds:CreateAlias
- ds:CreateIdentityPoolDirectory
- ds:DeleteDirectory
- ds:DescribeDirectories
- ds:DescribeTrusts
- ds:UnauthorizeApplication
- iam:CreatePolicy
- iam:CreateRole
- iam:ListAccountAliases
- quicksight:CreateUser
- quicksight:CreateAdmin
- quicksight:Subscribe
Enterprise Edition
In addition to the permissions listed above, the following permissions are required in Enterprise Edition −
- quicksight:GetGroupMapping
- quicksight:SearchDirectoryGroups
- quicksight:SetGroupMapping
You can also allow a user to manage permissions for AWS resources in QuickSight. The following IAM policy actions should be assigned in both editions −
- iam:AttachRolePolicy
- iam:CreatePolicy
- iam:CreatePolicyVersion
- iam:CreateRole
- iam:DeletePolicyVersion
- iam:DeleteRole
- iam:DetachRolePolicy
- iam:GetPolicy
- iam:GetPolicyVersion
- iam:GetRole
- iam:ListAttachedRolePolicies
- iam:ListEntitiesForPolicy
- iam:ListPolicyVersions
- iam:ListRoles
- s3:ListAllMyBuckets
To prevent an AWS administrator from unsubscribing from QuickSight, you can deny all users the “quicksight:Unsubscribe” action.
IAM policy for dashboard embedding
To embed an AWS QuickSight dashboard URL in a web page, the following IAM policy must be assigned to the user −
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "quicksight:RegisterUser",
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "quicksight:GetDashboardEmbedUrl",
      "Resource": "arn:aws:quicksight:us-east-1:868211930999:dashboard/f2cb6cf2-477c-45f9-a1b3-639239eb95d8",
      "Effect": "Allow"
    }
  ]
}
```
You can manage and test these QuickSight roles and policies using the IAM policy simulator. Below is the link to access the IAM policy simulator −
https://policysim.aws.amazon.com/home/index.jsp?#
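The effect of the explicit Deny on quicksight:Unsubscribe and the resource scope of the embedding policy can also be checked offline. The following is an added example, not code from the original page or from AWS: a simplified evaluator for identity-based policies only (it ignores conditions, NotAction, SCPs and permission boundaries). ADMIN_POLICY, DENY_UNSUBSCRIBE and the function names are constructed for illustration.

```python
from fnmatch import fnmatchcase

# Embedding policy from the page (account and dashboard IDs as given there).
DASHBOARD_ARN = ("arn:aws:quicksight:us-east-1:868211930999:"
                 "dashboard/f2cb6cf2-477c-45f9-a1b3-639239eb95d8")
EMBED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "quicksight:RegisterUser", "Resource": "*"},
    {"Effect": "Allow", "Action": "quicksight:GetDashboardEmbedUrl",
     "Resource": DASHBOARD_ARN},
]}
# Constructed for this example: a broad admin grant and the Deny guardrail.
ADMIN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}
DENY_UNSUBSCRIBE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "quicksight:Unsubscribe", "Resource": "*"}]}


def _as_list(value):
    """IAM allows a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, ignore_case=False):
    """Wildcard match with * and ?; action names are case-insensitive, ARNs are not."""
    if ignore_case:
        value = value.lower()
        patterns = [p.lower() for p in patterns]
    return any(fnmatchcase(value, p) for p in patterns)


def evaluate(policies, action, resource="*"):
    """Return 'explicitDeny', 'allowed' or 'implicitDeny' for one request."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _matches(_as_list(stmt["Action"]), action, ignore_case=True):
                continue
            if not _matches(_as_list(stmt["Resource"]), resource):
                continue
            if stmt["Effect"] == "Deny":
                return "explicitDeny"  # a matching Deny wins over any Allow
            allowed = True
    return "allowed" if allowed else "implicitDeny"
```

With only ADMIN_POLICY attached, quicksight:Unsubscribe evaluates to allowed; adding DENY_UNSUBSCRIBE turns it into explicitDeny regardless of the order in which the policies are listed.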