IAM policy examples for Amazon QuickSight
This section provides examples of IAM policies that you can use with Amazon QuickSight.
IAM identity-based policies for Amazon QuickSight
This section shows examples of identity-based policies to use with Amazon QuickSight.
Topics
- IAM identity-based policies for QuickSight IAM console administration
- IAM identity-based policies for Amazon QuickSight: dashboards
- IAM identity-based policies for Amazon QuickSight: namespaces
- IAM identity-based policies for Amazon QuickSight: custom permissions
- IAM identity-based policies for Amazon QuickSight: customizing email report templates
- IAM identity-based policies for Amazon QuickSight: creating users
- IAM identity-based policies for Amazon QuickSight: creating and managing groups
- IAM identity-based policies for Amazon QuickSight: All access for Standard edition
- IAM identity-based policies for Amazon QuickSight: All access for Enterprise edition with IAM Identity Center
- IAM identity-based policies for Amazon QuickSight: all access for Enterprise edition with Active Directory
- IAM identity-based policies for Amazon QuickSight: active directory groups
- IAM identity-based policies for Amazon QuickSight: using the admin asset management console
- IAM identity-based policies for Amazon QuickSight: using the admin key management console
- AWS resources Amazon QuickSight: scoping policies in Enterprise edition
IAM identity-based policies for QuickSight IAM console administration
The following example shows the IAM permissions needed for QuickSight IAM console administration actions.
{
  "Statement": [
    {
      "Sid": "Statement1",
      "Effect": "Allow",
      "Action": [
        "quicksight:*",
        "iam:AttachRolePolicy",
        "iam:DetachRolePolicy",
        "iam:ListAttachedRolePolicies",
        "iam:GetPolicy",
        "iam:CreatePolicyVersion",
        "iam:DeletePolicyVersion",
        "iam:GetPolicyVersion",
        "iam:ListPolicyVersions",
        "iam:DeleteRole",
        "iam:CreateRole",
        "iam:GetRole",
        "iam:ListRoles",
        "iam:CreatePolicy",
        "iam:ListEntitiesForPolicy",
        "iam:listPolicies",
        "s3:ListAllMyBuckets",
        "athena:ListDataCatalogs",
        "athena:GetDataCatalog"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
IAM identity-based policies for Amazon QuickSight: dashboards
The following example shows an IAM policy that allows dashboard sharing and embedding for specific dashboards.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "quicksight:RegisterUser",
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "quicksight:GetDashboardEmbedUrl",
      "Resource": "arn:aws:quicksight:us-west-2:111122223333:dashboard/1a1ac2b2-3fc3-4b44-5e5d-c6db6778df89",
      "Effect": "Allow"
    }
  ]
}
IAM identity-based policies for Amazon QuickSight: namespaces
The following examples show IAM policies that allow a QuickSight administrator to create or delete namespaces.
Creating namespaces
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ds:AuthorizeApplication",
        "ds:UnauthorizeApplication",
        "ds:DeleteDirectory",
        "ds:CreateIdentityPoolDirectory",
        "ds:DescribeDirectories",
        "quicksight:CreateNamespace"
      ],
      "Resource": "*"
    }
  ]
}
Deleting namespaces
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ds:UnauthorizeApplication",
        "ds:DeleteDirectory",
        "ds:DescribeDirectories",
        "quicksight:DeleteNamespace"
      ],
      "Resource": "*"
    }
  ]
}
IAM identity-based policies for Amazon QuickSight: custom permissions
The following example shows an IAM policy that allows a QuickSight administrator or a developer to manage custom permissions.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "quicksight:*CustomPermissions"
      ],
      "Resource": "*"
    }
  ]
}
The following example shows another way to grant the same permissions as shown in the previous example.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "quicksight:CreateCustomPermissions",
        "quicksight:DescribeCustomPermissions",
        "quicksight:ListCustomPermissions",
        "quicksight:UpdateCustomPermissions",
        "quicksight:DeleteCustomPermissions"
      ],
      "Resource": "*"
    }
  ]
}
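The two forms above match the same actions today, but the wildcard form also matches any action added later whose name ends in CustomPermissions. The following added example (not AWS code) expands both forms against a constructed catalogue of action names taken from this page, plus one hypothetical action, and reports the difference.

```python
import re

# Constructed catalogue: QuickSight actions named on this page, plus one
# hypothetical action standing in for a future API addition.
CATALOGUE = [
    "quicksight:CreateCustomPermissions",
    "quicksight:DescribeCustomPermissions",
    "quicksight:ListCustomPermissions",
    "quicksight:UpdateCustomPermissions",
    "quicksight:DeleteCustomPermissions",
    "quicksight:CreateUser",
    "quicksight:ListGroups",
    "quicksight:ExportCustomPermissions",  # hypothetical, not a real action
]

# The explicit list from the second policy above.
EXPLICIT = [
    "quicksight:CreateCustomPermissions",
    "quicksight:DescribeCustomPermissions",
    "quicksight:ListCustomPermissions",
    "quicksight:UpdateCustomPermissions",
    "quicksight:DeleteCustomPermissions",
]

def iam_match(pattern, value):
    """IAM action matching: '*' = any run, '?' = one character, case-insensitive."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, re.IGNORECASE) is not None

def expand(patterns, catalogue):
    """Catalogue actions granted by a list of Action patterns."""
    return {a for a in catalogue if any(iam_match(p, a) for p in patterns)}

def drift(wildcards, explicit, catalogue):
    """Return (granted only by the wildcard form, granted only by the list)."""
    w, e = expand(wildcards, catalogue), expand(explicit, catalogue)
    return sorted(w - e), sorted(e - w)

if __name__ == "__main__":
    extra, missing = drift(["quicksight:*CustomPermissions"], EXPLICIT, CATALOGUE)
    print("only via wildcard:", extra)
    print("only via explicit list:", missing)
```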
IAM identity-based policies for Amazon QuickSight: customizing email report templates
The following example shows a policy that allows viewing, updating, and creating email report templates in QuickSight, as well as obtaining verification attributes for an Amazon Simple Email Service identity. This policy allows a QuickSight administrator to create and update custom email report templates, and to confirm that any custom email address they want to send email reports from is a verified identity in SES.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "quicksight:DescribeAccountCustomization",
        "quicksight:CreateAccountCustomization",
        "quicksight:UpdateAccountCustomization",
        "quicksight:DescribeEmailCustomizationTemplate",
        "quicksight:CreateEmailCustomizationTemplate",
        "quicksight:UpdateEmailCustomizationTemplate",
        "ses:GetIdentityVerificationAttributes"
      ],
      "Resource": "*"
    }
  ]
}
IAM identity-based policies for Amazon QuickSight: creating users
The following example shows a policy that allows creating Amazon QuickSight users only. For quicksight:CreateReader, quicksight:CreateUser, and quicksight:CreateAdmin, you can limit the permissions to "Resource": "arn:aws:quicksight::<YOUR_AWS_ACCOUNTID>:user/${aws:userid}". For all other permissions described in this guide, use "Resource": "*". The resource you specify limits the scope of the permissions to the specified resource.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "quicksight:CreateUser"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:quicksight::<YOUR_AWS_ACCOUNTID>:user/${aws:userid}"
    }
  ]
}
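The Resource in this policy relies on the ${aws:userid} policy variable, which IAM only substitutes when the policy declares "Version": "2012-10-17". The following added example (not AWS code) shows how the pattern resolves for one caller and what happens when the Version element is dropped. The account ID and user IDs are constructed placeholders, and treating an unresolved variable as a non-match is an assumption of this sketch.

```python
import re

VARIABLE = re.compile(r"\$\{([^}]+)\}")

def iam_match(pattern, value):
    """IAM resource matching: '*' = any run, '?' = one character, case-sensitive."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value) is not None

def resolve(resource, version, context):
    """Substitute ${key} from the request context (Version 2012-10-17 only).

    With an older or missing Version the text stays a literal string. Returns
    None if a variable has no value; this sketch treats that as "no match".
    """
    if version != "2012-10-17":
        return resource
    try:
        return VARIABLE.sub(lambda m: context[m.group(1).lower()], resource)
    except KeyError:
        return None

def as_list(value):
    return value if isinstance(value, list) else [value]

def resource_matches(policy, arn, context):
    """True if an Allow statement's Resource covers `arn` for this caller."""
    for stmt in as_list(policy["Statement"]):
        if stmt["Effect"] != "Allow":
            continue
        for res in as_list(stmt["Resource"]):
            pattern = resolve(res, policy.get("Version"), context)
            if pattern is not None and iam_match(pattern, arn):
                return True
    return False

# Constructed inputs: the account ID and user IDs are placeholders.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Action": ["quicksight:CreateUser"],
        "Effect": "Allow",
        "Resource": "arn:aws:quicksight::111122223333:user/${aws:userid}",
    }],
}
NO_VERSION = {"Statement": POLICY["Statement"]}
CALLER = {"aws:userid": "AIDACONSTRUCTED0001"}
OWN_ARN = "arn:aws:quicksight::111122223333:user/AIDACONSTRUCTED0001"
OTHER_ARN = "arn:aws:quicksight::111122223333:user/AIDACONSTRUCTED0002"
```

With the Version element present, resource_matches(POLICY, OWN_ARN, CALLER) is true and the same call with OTHER_ARN is false; with NO_VERSION neither ARN matches, because the variable is compared as literal text.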
IAM identity-based policies for Amazon QuickSight: creating and managing groups
The following example shows a policy that allows QuickSight administrators and developers to create and manage groups.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "quicksight:ListGroups",
        "quicksight:CreateGroup",
        "quicksight:SearchGroups",
        "quicksight:ListGroupMemberships",
        "quicksight:CreateGroupMembership",
        "quicksight:DeleteGroupMembership",
        "quicksight:DescribeGroupMembership",
        "quicksight:ListUsers"
      ],
      "Resource": "*"
    }
  ]
}
IAM identity-based policies for Amazon QuickSight: All access for Standard edition
The following example for Amazon QuickSight Standard edition shows a policy that allows subscribing and creating authors and readers. This example explicitly denies permission to unsubscribe from Amazon QuickSight.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ds:AuthorizeApplication",
        "ds:UnauthorizeApplication",
        "ds:CheckAlias",
        "ds:CreateAlias",
        "ds:DescribeDirectories",
        "ds:DescribeTrusts",
        "ds:DeleteDirectory",
        "ds:CreateIdentityPoolDirectory",
        "iam:ListAccountAliases",
        "quicksight:CreateUser",
        "quicksight:Subscribe"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": "quicksight:Unsubscribe",
      "Resource": "*"
    }
  ]
}
IAM identity-based policies for Amazon QuickSight: All access for Enterprise edition with IAM Identity Center
The following example for Amazon QuickSight Enterprise edition shows a policy that allows subscribing, creating users, and managing Active Directory in a QuickSight account that is integrated with IAM Identity Center. This example explicitly denies permission to unsubscribe from Amazon QuickSight.
{
  "Statement": [
    {
      "Sid": "Statement1",
      "Effect": "Allow",
      "Action": [
        "quicksight:*",
        "iam:AttachRolePolicy",
        "iam:DetachRolePolicy",
        "iam:ListAttachedRolePolicies",
        "iam:GetPolicy",
        "iam:CreatePolicyVersion",
        "iam:DeletePolicyVersion",
        "iam:GetPolicyVersion",
        "iam:ListPolicyVersions",
        "iam:DeleteRole",
        "iam:CreateRole",
        "iam:GetRole",
        "iam:ListRoles",
        "iam:CreatePolicy",
        "iam:ListEntitiesForPolicy",
        "iam:listPolicies",
        "s3:ListAllMyBuckets",
        "athena:ListDataCatalogs",
        "athena:GetDataCatalog",
        "sso:GetManagedApplicationInstance",
        "sso:CreateManagedApplicationInstance",
        "sso:DeleteManagedApplicationInstance",
        "sso:DescribeGroup",
        "sso:SearchGroups",
        "sso:GetProfile",
        "sso:AssociateProfile",
        "sso:DisassociateProfile",
        "sso:ListProfiles",
        "sso:ListDirectoryAssociations",
        "sso:DescribeRegisteredRegions"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
IAM identity-based policies for Amazon QuickSight: all access for Enterprise edition with Active Directory
The following example for Amazon QuickSight Enterprise edition shows a policy that allows subscribing, creating users, and managing Active Directory in a QuickSight account that uses Active Directory for identity management. This example explicitly denies permission to unsubscribe from Amazon QuickSight.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ds:AuthorizeApplication",
        "ds:UnauthorizeApplication",
        "ds:CheckAlias",
        "ds:CreateAlias",
        "ds:DescribeDirectories",
        "ds:DescribeTrusts",
        "ds:DeleteDirectory",
        "ds:CreateIdentityPoolDirectory",
        "iam:ListAccountAliases",
        "quicksight:CreateAdmin",
        "quicksight:Subscribe",
        "quicksight:GetGroupMapping",
        "quicksight:SearchDirectoryGroups",
        "quicksight:SetGroupMapping"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": "quicksight:Unsubscribe",
      "Resource": "*"
    }
  ]
}
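The explicit Deny on quicksight:Unsubscribe in this policy and in the Standard edition policy matters because a principal may also hold a broad grant such as "quicksight:*". The following added example (not AWS code) is a simplified evaluator for identity-based policies showing that an explicit Deny overrides any Allow; it ignores Condition, NotAction, NotResource, permissions boundaries and SCPs, and the two policies are abridged from this page.

```python
import re

def iam_match(pattern, value, ignore_case=False):
    """IAM wildcard matching: '*' = any run of characters, '?' = exactly one."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, re.IGNORECASE if ignore_case else 0) is not None

def as_list(value):
    return value if isinstance(value, list) else [value]

def evaluate(policies, action, resource="*"):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one request.

    Simplified: identity-based policies only, with no Condition, NotAction,
    NotResource, permissions boundaries or SCPs.
    """
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in as_list(policy["Statement"]):
            # Action names compare case-insensitively, resources do not.
            if not any(iam_match(a, action, True) for a in as_list(stmt["Action"])):
                continue
            if not any(iam_match(r, resource) for r in as_list(stmt["Resource"])):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit Deny ends evaluation
            decision = "Allow"
    return decision

# Abridged from the "all access" policy above.
ALL_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["quicksight:CreateAdmin", "quicksight:Subscribe"],
         "Resource": "*"},
        {"Effect": "Deny", "Action": "quicksight:Unsubscribe", "Resource": "*"},
    ],
}
# The "quicksight:*" grant from the console administration policy, abridged.
BROAD_ADMIN = {
    "Statement": [{"Effect": "Allow", "Action": ["quicksight:*"], "Resource": ["*"]}],
}

if __name__ == "__main__":
    for attached in ([BROAD_ADMIN], [BROAD_ADMIN, ALL_ACCESS]):
        print(len(attached), "policies:", evaluate(attached, "quicksight:Unsubscribe"))
```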
IAM identity-based policies for Amazon QuickSight: active directory groups
The following example shows an IAM policy that allows Active Directory group management for an Amazon QuickSight Enterprise edition account.
{
  "Statement": [
    {
      "Action": [
        "ds:DescribeTrusts",
        "quicksight:GetGroupMapping",
        "quicksight:SearchDirectoryGroups",
        "quicksight:SetGroupMapping"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ],
  "Version": "2012-10-17"
}
IAM identity-based policies for Amazon QuickSight: using the admin asset management console
The following example shows an IAM policy that allows access to the admin asset management console.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "quicksight:SearchGroups",
        "quicksight:SearchUsers",
        "quicksight:ListNamespaces",
        "quicksight:DescribeAnalysisPermissions",
        "quicksight:DescribeDashboardPermissions",
        "quicksight:DescribeDataSetPermissions",
        "quicksight:DescribeDataSourcePermissions",
        "quicksight:DescribeFolderPermissions",
        "quicksight:ListAnalyses",
        "quicksight:ListDashboards",
        "quicksight:ListDataSets",
        "quicksight:ListDataSources",
        "quicksight:ListFolders",
        "quicksight:SearchAnalyses",
        "quicksight:SearchDashboards",
        "quicksight:SearchFolders",
        "quicksight:SearchDatasets",
        "quicksight:SearchDatasources",
        "quicksight:UpdateAnalysisPermissions",
        "quicksight:UpdateDashboardPermissions",
        "quicksight:UpdateDataSetPermissions",
        "quicksight:UpdateDataSourcePermissions",
        "quicksight:UpdateFolderPermissions"
      ],
      "Resource": "*"
    }
  ]
}
IAM identity-based policies for Amazon QuickSight: using the admin key management console
The following example shows an IAM policy that allows access to the admin key management console.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:CreateGrant",
        "kms:ListAliases",
        "kms:ListKeys",
        "quicksight:ListCustomerManagedKeys",
        "quicksight:ListKMSKeysForUser",
        "quicksight:RegisterCustomerManagedKey",
        "quicksight:RemoveCustomerManagedKey"
      ],
      "Resource": "*"
    }
  ]
}
AWS resources Amazon QuickSight: scoping policies in Enterprise edition
The following example for Amazon QuickSight Enterprise edition shows a policy that allows setting default access to AWS resources and scoping policies for permissions to AWS resources.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "quicksight:*IAMPolicyAssignment*",
        "quicksight:AccountConfigurations"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}