Amazon QuickSight
User Guide

IAM Policy Examples for Amazon QuickSight

This section provides examples of IAM policies that you can use with Amazon QuickSight.

IAM Identity-Based Policies for Amazon QuickSight

This section shows examples of identity-based policies to use with Amazon QuickSight.

IAM Identity-Based Policies for Amazon QuickSight: Dashboards

The following example shows an IAM policy that enables dashboard sharing and embedding for specific dashboards.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": "quicksight:RegisterUser",
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": "quicksight:GetDashboardEmbedUrl",
                "Resource": "arn:aws:quicksight:us-west-2:111122223333:dashboard/1a1ac2b2-3fc3-4b44-5e5d-c6db6778df89",
                "Effect": "Allow"
            }
        ]
    }

IAM Identity-Based Policies for Amazon QuickSight: Creating Users

The following example shows a policy that enables creating Amazon QuickSight users only. For quicksight:CreateReader, quicksight:CreateUser, and quicksight:CreateAdmin, you can limit the permissions to "Resource": "arn:aws:quicksight::<YOUR_AWS_ACCOUNTID>:user/${aws:userid}". For all other permissions described in this guide, use "Resource": "*". The resource you specify limits the scope of the permissions to the specified resource.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": [
                    "quicksight:CreateUser"
                ],
                "Effect": "Allow",
                "Resource": "arn:aws:quicksight::<YOUR_AWS_ACCOUNTID>:user/${aws:userid}"
            }
        ]
    }

IAM Identity-Based Policies for Amazon QuickSight: All Access for Standard Edition

The following example for Amazon QuickSight Standard edition shows a policy that enables subscribing and creating authors and readers. This example explicitly denies permission to unsubscribe from Amazon QuickSight.

This example is provided

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ds:AuthorizeApplication",
                    "ds:UnauthorizeApplication",
                    "ds:CheckAlias",
                    "ds:CreateAlias",
                    "ds:DescribeDirectories",
                    "ds:DescribeTrusts",
                    "ds:DeleteDirectory",
                    "ds:CreateIdentityPoolDirectory",
                    "iam:ListAccountAliases",
                    "quicksight:CreateUser",
                    "quicksight:Subscribe"
                ],
                "Resource": "*"
            },
            {
                "Effect": "Deny",
                "Action": "quicksight:Unsubscribe",
                "Resource": "*"
            }
        ]
    }

IAM Identity-Based Policies for Amazon QuickSight: All Access for Enterprise Edition

The following example for Amazon QuickSight Enterprise edition shows a policy that enables subscribing, creating users, and managing Active Directory. This example explicitly denies permission to unsubscribe from Amazon QuickSight.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ds:AuthorizeApplication",
                    "ds:UnauthorizeApplication",
                    "ds:CheckAlias",
                    "ds:CreateAlias",
                    "ds:DescribeDirectories",
                    "ds:DescribeTrusts",
                    "ds:DeleteDirectory",
                    "ds:CreateIdentityPoolDirectory",
                    "iam:ListAccountAliases",
                    "quicksight:CreateAdmin",
                    "quicksight:Subscribe",
                    "quicksight:GetGroupMapping",
                    "quicksight:SearchDirectoryGroups",
                    "quicksight:SetGroupMapping"
                ],
                "Resource": "*"
            },
            {
                "Effect": "Deny",
                "Action": "quicksight:Unsubscribe",
                "Resource": "*"
            }
        ]
    }

IAM Identity-Based Policies for Amazon QuickSight: Active Directory Groups

The following example shows an IAM policy that enables Active Directory group management for an Amazon QuickSight Enterprise edition account.

    {
        "Statement": [
            {
                "Action": [
                    "ds:DescribeTrusts",
                    "quicksight:GetGroupMapping",
                    "quicksight:SearchDirectoryGroups",
                    "quicksight:SetGroupMapping"
                ],
                "Effect": "Allow",
                "Resource": "*"
            }
        ],
        "Version": "2012-10-17"
    }

IAM Identity-Based Policies for Amazon QuickSight: Accessing AWS Resources

The following example for Amazon QuickSight Enterprise and Standard editions shows a policy that you can use to enable a user to manage access to AWS resources. This is an optional step during setup, and the user only needs this access while they are configuring access.

This example also shows an optional condition that you can add to limit this policy to users in a specific AWS account, and to a specific date and time range. To learn more about best practices for securing IAM policies, see IAM Best Practices.

    {
        "Version": "2012-10-17",
        "Id": "PolicyForAccessingAWSResourcesFromQuickSight",
        "Statement": [
            {
                "Sid": "AttachWhileSettingUpAccessToAWSResources",
                "Effect": "Allow",
                "Action": [
                    "iam:AttachRolePolicy",
                    "iam:DetachRolePolicy",
                    "iam:ListAttachedRolePolicies",
                    "iam:GetPolicy",
                    "iam:CreatePolicyVersion",
                    "iam:DeletePolicyVersion",
                    "iam:GetPolicyVersion",
                    "iam:ListPolicyVersions",
                    "iam:DeleteRole",
                    "iam:GetRole",
                    "iam:ListRoles",
                    "iam:ListEntitiesForPolicy",
                    "s3:ListAllMyBuckets"
                ],
                "Resource": "*",
                "Condition": {
                    "StringEquals": {"AWS:SourceAccount": "444455556666"},
                    "DateGreaterThan": {"aws:CurrentTime": "2019-07-01T00:00:00Z"},
                    "DateLessThan": {"aws:CurrentTime": "2019-07-31T23:59:59Z"}
                }
            }
        ]
    }
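Because this setup access is only needed temporarily, it is worth checking that any statement granting the role- and policy-changing actions above carries a date window and that the window has not been left open. The following is an added example, not part of the AWS guide: the function name, the SENSITIVE list and the trimmed sample policy are constructed for illustration, and date values are assumed to use the ISO 8601 form shown on this page.

```python
from datetime import datetime, timezone
from fnmatch import fnmatchcase

# Role- and policy-changing actions granted by the setup policy above.
SENSITIVE = ("iam:AttachRolePolicy", "iam:DetachRolePolicy", "iam:CreatePolicyVersion",
             "iam:DeletePolicyVersion", "iam:DeleteRole")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _time_bound(condition, operator):
    """Return the aws:CurrentTime value under `operator` (names are case-insensitive)."""
    for op, keys in condition.items():
        for key, value in keys.items():
            if op.lower() == operator and key.lower() == "aws:currenttime":
                return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return None

def audit_setup_policy(policy, now):
    """Classify each Allow statement that grants a SENSITIVE action by its time window."""
    findings = []
    for index, stmt in enumerate(_as_list(policy["Statement"])):
        # Action patterns may contain wildcards such as "iam:*".
        patterns = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if stmt.get("Effect") != "Allow" or not any(
                fnmatchcase(s.lower(), p) for s in SENSITIVE for p in patterns):
            continue
        condition = stmt.get("Condition", {})
        start = _time_bound(condition, "dategreaterthan")
        end = _time_bound(condition, "datelessthan")
        if end is None:
            state = "no-expiry"          # setup access never lapses on its own
        elif now >= end:
            state = "window-expired"     # grants nothing now; detach the policy
        elif start is not None and now <= start:
            state = "window-not-open"
        else:
            state = "window-active"
        findings.append((index, state))
    return findings

# Constructed sample: the statement from this page, trimmed to two actions.
SAMPLE = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["iam:AttachRolePolicy", "s3:ListAllMyBuckets"],
    "Resource": "*",
    "Condition": {"DateGreaterThan": {"aws:CurrentTime": "2019-07-01T00:00:00Z"},
                  "DateLessThan": {"aws:CurrentTime": "2019-07-31T23:59:59Z"}}}]}

if __name__ == "__main__":
    print(audit_setup_policy(SAMPLE, datetime.now(timezone.utc)))
```

A "no-expiry" or "window-active" finding on a policy that is still attached after setup is the case to follow up on.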

IAM Identity-Based Policies for Amazon QuickSight: Scoping Policies in Enterprise Edition

The following example for Amazon QuickSight Enterprise edition shows a policy that enables setting default access to AWS resources and scoping policies for permissions to AWS resources.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": [
                    "quicksight:ScopeDownPolicy",
                    "quicksight:AccountConfigurations"
                ],
                "Effect": "Allow",
                "Resource": "*"
            }
        ]
    }
