Best Practices for Security in Amazon QuickSight - Amazon QuickSight

Best Practices for Security in Amazon QuickSight

Amazon QuickSight provides a number of security features to consider as you develop and implement your own security policies. The following best practices are general guidelines and don’t represent a complete security solution. Because these best practices might not be appropriate or sufficient for your environment, treat them as helpful considerations rather than prescriptions.

Firewall – To allow users to access Amazon QuickSight, allow access to HTTPS and WebSockets Secure (wss://) protocol. To allow Amazon QuickSight to reach a database that is on a non-AWS server, change that server's firewall configuration to accept traffic from the appropriate Amazon QuickSight IP address range.

SSL – Use SSL to connect to your databases, especially if you are using public networks. Using SSL with Amazon QuickSight requires the use of certificates signed by a publicly-recognized certificate authority (CA).

Enhanced security – Use Amazon QuickSightEnterprise edition to make use of its enhanced security capabilities, including the following.

  • Store data in SPICE with encryption at rest

  • Integrate Active Directory and SSO authentication

  • Securely access data in private VPCs and on-premises

  • Limit access to data with row level security

VPC – (Enterprise Edition) Use a virtual private cloud (VPC), for data in AWS data sources and for data in on-premises servers without public connectivity. For AWS sources, VPC access for Amazon QuickSight uses an elastic network interface for secure, private communication with data sources in a VPC. For your local data, VPC allows you to use AWS Direct Connect to create a secure, private link with your on-premises resources.