Turning on Internet Protocol (IP) restrictions in Amazon QuickSight
You can limit access to your organization's Amazon QuickSight account to a predefined list of Internet Protocol (IP) ranges. For example, you can create an IP rule that allows users to access your Amazon QuickSight account only from IP addresses associated with your company’s office or remote virtual private network (VPN).
Only admins with AWS Identity and Access Management (IAM) credentials who have access to the Amazon QuickSight console pages can access the IP restrictions table.
Adding an IP rule
An IP rule is created when you add a CIDR address with a public IP version 4 address to the IP restrictions table. You can add up to 100 IP rules to the IP restrictions table. You can only add rules from the AWS Region where your account is.
A CIDR address is composed of two parts: the prefix and the suffix. The prefix is the CIDR's network address and is written like a normal IP address. The suffix shows how many leading bits of the address make up the network portion. An example of a complete CIDR address is 10.24.34.0/23.
IP rules apply only to Amazon QuickSight web, embedded, and mobile access and don't restrict access to the public API. Your users can still call all API operations from restricted IP ranges. For information on restricting calls to the public API from specific IP addresses, see AWS: Denies access to AWS based on the source IP in the IAM User Guide.
Before you save any IP rule changes or turn on other IP rules, make sure that you have an IP rule that includes your IP address. If there isn’t an IP rule that includes your IP address, you can't save your changes.
When you add, change, or delete an IP rule, a yellow box appears at the top of the table. This box tracks unsaved changes.
To apply changes to the IP restrictions table, choose Save changes in the box. The changes don't apply to the rules table until you save them. After you choose Save changes, it can take up to 10 minutes for a change to take effect.
To add an IP rule to the IP restrictions table
- On the Amazon QuickSight start page, choose Manage QuickSight, and then choose Security and Permissions.
- Choose IP Restrictions.
- For IP address, enter the CIDR address that defines the IP range that you want to add to an allow list for QuickSight access.
- (Optional) For Description, enter a description of the CIDR address. Doing this can help you differentiate your IP rules.
- Choose Add.
- Choose Save changes in the box that appears to apply the rule.
It can take up to 10 minutes for a rule to be fully implemented.
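A pre-flight check for a planned rule set, as an added example that is not part of the original AWS documentation: it verifies the constraints described above (IPv4 CIDR syntax, at most 100 rules, and a rule that includes your own address) before you enter the rules in the console. The function name, the rule dictionary shape, the sample ranges, and the short list of non-public blocks are assumptions made for illustration.

```python
import ipaddress

MAX_RULES = 100  # rule limit stated on this page

# Common non-public IPv4 blocks (RFC 1918, CGNAT, loopback, link-local).
# Assumption: this narrow list stands in for "not a public address".
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample rules (documentation ranges, not real offices).
SAMPLE_RULES = {
    "203.0.113.0/24": "head office (constructed)",
    "198.51.100.16/28": "VPN egress (constructed)",
}


def check_ip_rules(rules, admin_ip):
    """Return a list of problems; an empty list means the set is safe to save.

    rules: dict mapping CIDR string -> description (hypothetical shape).
    admin_ip: the address the admin is currently connecting from.
    """
    problems = []
    if len(rules) > MAX_RULES:
        problems.append(f"{len(rules)} rules exceeds the limit of {MAX_RULES}")

    admin = ipaddress.ip_address(admin_ip)
    covered = False
    for cidr in rules:
        try:
            net = ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            problems.append(f"{cidr}: not a valid CIDR address")
            continue
        if net.version != 4:
            problems.append(f"{cidr}: not an IPv4 range")
            continue
        if any(net.overlaps(block) for block in NON_PUBLIC):
            problems.append(f"{cidr}: overlaps a non-public range")
            continue
        if admin in net:
            covered = True  # at least one usable rule includes the admin

    if not covered:
        problems.append(f"no rule includes your address {admin_ip}")
    return problems
```
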
You can also change existing IP rules. You can update IP rules only from the AWS Region where your account is.
To change an existing IP rule
- On the Amazon QuickSight start page, choose Manage QuickSight, and then choose Security and Permissions.
- Choose IP restrictions.
- Choose the edit icon to the right of the rule that you want to change.
- Make your changes and choose Update.
- Choose Save changes in the box that appears to apply the rule.
It can take up to 10 minutes for an updated rule to be fully implemented.
To delete an IP rule
- On the Amazon QuickSight start page, choose Manage QuickSight, and then choose Security and Permissions.
- Choose IP restrictions.
- Make your changes and choose Update. A rule marked for deletion appears with a strike through it.
- Choose Save changes in the box that appears to apply the rule.
Turning on your IP rules
You can turn on or turn off your account's IP restrictions by using the Rules option at the top of the IP restrictions page. When IP rules are turned on, users from restricted IP addresses can't access Amazon QuickSight mobile, embedded, and website pages. IP rules are global and apply to all AWS Regions.
When your IP rules are turned off, traffic is allowed from all IP addresses. If a user is accessing the Amazon QuickSight account from a restricted IP address when you turn on IP restrictions, they lose access to the account.
Account holders can audit users who make changes to the IP restrictions table by using AWS CloudTrail. For more information, see the AWS CloudTrail User Guide.