Different editions of Amazon QuickSight - Amazon QuickSight

Different editions of Amazon QuickSight

Amazon QuickSight offers Standard and Enterprise editions. To learn more about the differences in availability, user management, permissions, and security between the two versions, see the following topic.

Both editions offer a full set of features for creating and sharing data visualizations. Enterprise edition additionally offers encryption at rest and Microsoft Active Directory integration. In Enterprise edition, you select a Microsoft Active Directory directory in AWS Directory Service. You use that active directory to identify and manage your Amazon QuickSight users and administrators.

For more information about the different features offered by the Amazon QuickSight editions and about pricing, see Amazon QuickSight pricing.

Availability of editions

All editions are available in any AWS Region that is currently supported by Amazon QuickSight.

The capacity region in which you start your Amazon QuickSight subscription is where your account's default SPICE capacity is allocated. However, you can purchase additional SPICE capacity and access your AWS resources in any other supported AWS Region.

You can start a new Amazon QuickSight subscription using Standard edition, choosing any default capacity region. You can then upgrade it to Enterprise edition at any time.

To manage Enterprise account settings, you must temporarily change your region for your session to US East (N. Virginia) Region. You can change it back when you have finished editing your account settings. These settings include changing your subscription's notification email, enabling IAM access requests, editing access to AWS resources, and unsubscribing from Amazon QuickSight.

User management between editions

User management is different between the Amazon QuickSight Standard and Enterprise editions. However, both editions support identity federation, or Federated Single Sign-On (IAM Identity Center), through Security Assertion Markup Language 2.0 (SAML 2.0).

User management for standard edition

In Standard edition, you can invite an AWS Identity and Access Management user and allow that user to use their credentials to access Amazon QuickSight. Alternatively, you can invite any person with an email address to create an Amazon QuickSight–only account. When you create a QuickSight user account, Amazon QuickSight sends email to that user inviting them to activate their account.

When you create a QuickSight user account, you also choose to assign it either an administrative or a user role. This role assignment determines the user's permissions in Amazon QuickSight. You perform all management of users by adding, changing, and deleting accounts in Amazon QuickSight.

User management for enterprise edition

In Enterprise edition, you can select one or more IAM Identity Center or Microsoft Active Directory groups for administrative access. All users in these groups are authorized to sign in to Amazon QuickSight as administrators. You can also select one or more IAM Identity Center or Microsoft Active Directory groups in AWS Directory Service for user access. All users in these groups are authorized to sign in to Amazon QuickSight as users.

Important

With IAM Identity Center, share the AWS sign in portal with end users to access QuickSight. For more information, see Sign in to the AWS access portal.

With Active Directory, Amazon QuickSight Administrators and users aren't automatically notified of their access to Amazon QuickSight. You must email users with the sign-in URL, the account name, and their credentials.

You can only add or remove Enterprise edition accounts by adding or removing a person from the IAM Identity Center or Microsoft Active Directory group that you associated with Amazon QuickSight. When you add a QuickSight user account, its permissions depend on whether the IAM Identity Center or Microsoft Active Directory group is an administrative group or a user group in Amazon QuickSight.

To remove a user's access to QuickSight, remove the user from an IAM Identity Center or Microsoft Active Directory group or remove their IAM Identity Center or Microsoft Active Directory group from an associated role in Amazon QuickSight.

Permissions for the different editions

In the Standard edition, all Amazon QuickSight administrators can manage subscriptions and SPICE capacity. They can also add, modify, and delete accounts.

Additional IAM permissions are required to manage Amazon QuickSight permissions to AWS resources and to unsubscribe from Amazon QuickSight. These tasks can only be performed by an IAM user who also has administrative permissions in Amazon QuickSight, or by the IAM user or AWS account that created the Amazon QuickSight account.

To manage access to AWS resources from Amazon QuickSight, you must be logged in as one of the following:

  • Any IAM user who is an Amazon QuickSight administrator

  • The IAM user or AWS root account that created the Amazon QuickSight account

All IAM Identity Center or Microsoft Active Directory users that are Amazon QuickSight administrators can manage subscriptions and SPICE capacity.

Additional IAM permissions are required to manage access to AWS resources or to unsubscribe from Amazon QuickSight. Administrators need to sign in with IAM permissions to perform these tasks.

The following table summarizes the admin actions that you can perform in QuickSight based on the access type that you choose.

Admin action IAM permissions QuickSight administrator (non-IAM)

Manage assets

Yes

Security & permissions

Yes

Manage VPC connections

Yes

KMS keys

Yes

Account settings

Yes

Account customization

Yes

Manage users

Yes

Your subscriptions

Yes

Mobile settings

Yes

Domains and embedding

Yes

SPICE capacity

Yes