Amazon QuickSight
User Guide

The AWS Documentation website is getting a new look!
Try it now and let us know what you think. Switch to the new look >>

You can return to the original look by selecting English in the language selector above.

Using other AWS Services: Scoping Down Access

 Applies to: Enterprise Edition and Standard Edition 
 Intended audience: System administrators and Amazon QuickSight administrators 

You can control the AWS resources that Amazon QuickSight can access. You can scope down access to those resources at a more granular level. In Enterprise edition, you can also set up general access defaults for everyone in your account, and you can set up specific access for individual users and groups.

Before you begin, you need the correct permissions. Your system administrator can give you the correct permissions by creating a policy that allows you to use the following IAM actions, and then associating that policy with your user or group in IAM.

  • quicksight:AccountConfigurations – to enable setting default access to AWS resources

  • quicksight:ScopeDownPolicy – scoping policies for permissions to AWS resources

To enable or disable the AWS services that Amazon QuickSight can access

  1. Choose your user name on the application bar, and then choose Manage QuickSight.

  2. Choose Security & permissions.

  3. Under QuickSight access to AWS services, choose Add or remove.

    A screen appears where you can enable all available AWS services.

    If you see a permissions error, and you're an authorized Amazon QuickSight administrator, contact your system administrator for assistance.

  4. If you have already enabled an AWS service, the check box for that service is already selected. If Amazon QuickSight can't access a particular AWS service, its check box is not selected. Choose the check boxes for the services you want to allow. Clear check boxes for services you don't want to allow.

    In some cases, you might see a message like this one: This policy used by Amazon QuickSight for AWS resource access was modified outside of Amazon QuickSight, so you can no longer edit this policy to provide AWS resource permission to Amazon QuickSight. To edit this policy permissions, go to IAM console and delete this policy permission with policy arn - arn:aws:iam::111122223333:policy/service-role/AWSQuickSightS3Policy. This type of message means that one of the IAM policies that Amazon QuickSight uses was manually altered. To fix this, the system administrator deletes the IAM policy listed in the error message, and reload the Security & permissions screen before you try again.

  5. Choose Update to confirm, or Cancel to return to the previous screen.

Setting Default Resource Access to AWS Services

 Applies to: Enterprise Edition 
 Intended audience: System administrators and Amazon QuickSight administrators 

In Enterprise edition, if you don't configure specific permissions for the AWS services that an Amazon QuickSight user can access, Amazon QuickSight uses a default set of permissions, based on your settings. The current behavior is displayed in a blue information box.

To change the default resource access for all users, to use when no other permissions are configured

  1. Open the settings screen for Security & permissions, if it isn't already open.

  2. Choose your user name on the application bar, and then choose Manage QuickSight.

  3. Choose Security & permissions.

  4. Under Default resource access, choose Change.

  5. Choose one of the following:

    • Allow access to all AWS data and resources

    • Deny access to all AWS data and resources

Setting Detailed Resource Access to AWS Services

 Applies to: Enterprise Edition 
 Intended audience: System administrators and Amazon QuickSight administrators 

In Enterprise edition, Amazon QuickSight provides a way for you to set up detailed access to resources in AWS Services. Like every other AWS service, Amazon QuickSight uses IAM policies to control access for users and groups.

Before you begin, ask an IAM administrator to set up the necessary IAM policies ahead of time, so that you can select them as part of the procedure in this section. For information about creating IAM policies to use with Amazon QuickSight, see Identity and Access Management in Amazon QuickSight.

To assign an IAM policy to a user or group

  1. Open the settings screen for Security & permissions, if it isn't already open.

  2. Choose your user name on the application bar, and then choose Manage QuickSight.

  3. Choose Security & permissions.

  4. Under Resource access for individual users and groups, choose IAM policy assignments.

    The remaining steps at this point involve choosing an IAM policy to assign to the user or group. You can assign multiple IAM policies to one Amazon QuickSight user or group. To determine permissions, Amazon QuickSight performs a union and an intersection with the AWS account level policies.

    If you already have active IAM policy assignments, they are listed on this page. You can search for existing assignments by using the search box. If you have drafts that aren't active yet, they are listed under Assignment drafts.

  5. Choose one of the following:

    • To create an IAM policy assignment, choose Add new assignment.

    • To edit an existing assignment, choose the Edit assignment icon for that assignment.

    • To enable or disable a policy, select the check box for that policy, and then choose Enable or Disable. You can select multiple policy assignments at a time.

    • To delete an existing assignment, choose the Remove assignment icon near the name of the assignment. To confirm your choice, choose Delete on the confirmation screen. Or, choose Back to cancel deletion.

    If you are creating or editing an assignment, continue to the next step. Otherwise, skip to the end of this procedure.

  6. The next screen divides the policy assignment process into steps. However, as you work through the steps, you can go forward or backward to make changes. When you exit the screen, your changes from all of the steps are saved.

    1. Step 1: Name assignment – If this is a new assignment, enter a name for the assignment, and then choose Next to continue. If you want to change the name, choose Step 1 at left.

    2. Step 2: Select an IAM policy – Choose an IAM policy that you want to use. From this screen, you can interact with the policies as follows:

      • Choose a policy that you want to use.

      • Search for a policy name.

      • Filter the list to see all IAM policies, AWS-managed policies, or customer-managed policies.

      • View a policy, by choosing View policy.

      To choose a policy, choose the button beside it, and then choose Next to continue.

    3. Step 3: Assign users and groups – Choose specific users or groups. Or, choose to use the selected IAM policy for all users and groups.

      Choose one of the following.

      • For Assign to all users and groups, enable the check box to assign the IAM policy to all Amazon QuickSight users and groups. Choosing this option assigns the policy to all current and future users and groups.

      • Choose the users and groups you want to assign to this IAM policy. You can search for them by name, email address, or group name.

      When you are finished selecting users and groups, choose Next to continue.

    4. Step 4: Review and enable changes – Save your changes.

      Choose one of the following.

      • To edit any of your choices, choose that step to edit it.

      • To save this policy assignment as a draft, choose Save as draft. You can enable the draft at a later time.

      • To immediately enable this policy, choose Save and enable. This option overwrites any existing policy assignment with the same name.