Using service control policies to restrict Amazon QuickSight sign-up options
If you're an administrator in AWS Organizations, you can use service control policies (SCPs) to restrict how individuals in your organization can sign up for Amazon QuickSight. You can restrict the edition of Amazon QuickSight they can sign up for, and also the type of user that they can sign up for.
AWS Organizations is a user account management service that you can use to consolidate multiple AWS accounts into an organization that you create and centrally manage. You can use SCPs in AWS Organizations to manage the permissions in your organization. For more information, see What is AWS Organizations? and Service control policies in the AWS Organizations User Guide.
In the following topic, you can learn about two ways to restrict Amazon QuickSight sign-up options using SCPs in AWS Organizations. The topic includes an example SCP. To learn more about creating SCPs, see the following topics in the AWS Organizations User Guide:
Restricting the Amazon QuickSight edition
To restrict the edition of Amazon QuickSight that your managed accounts can sign up for, use the quicksight:Edition condition key in your SCP. The values for this key are listed and described in the following table.
| Key Name | Key Value | Description |
|---|---|---|
|
|
|
QuickSight Standard Edition |
|
|
QuickSight Enterprise Edition |
Restricting user management options
To restrict the user management options that individuals in your organization can use to
sign up for Amazon QuickSight, use the quicksight:DirectoryType condition key
in your SCP. The values for this key are listed and described in the following
table.
| Key Name | Key Value | Description |
|---|---|---|
|
|
|
IAM federated identities and QuickSight-managed users |
|
|
Only IAM federated identities |
|
|
|
Users managed in Microsoft Active Directory on AWS Directory Service for Microsoft Active Directory |
|
|
|
Users managed in on-premises Active Directory and connected through AD_Connector to AWS Directory Service for Microsoft Active Directory |
|
|
|
Users managed in a QuickSight account that is integrated with IAM Identity Center. |
Example SCP
The following example for Amazon QuickSight shows a service control policy that denies signing up
for a QuickSight Standard Edition and turns off the ability to sign up using
QuickSight or Active Directory credentials. This policy uses the
quicksight:subscribe action, in addition to the condition keys
previously described. For a list of QuickSight-specific keys for use in IAM
permission policies, seeActions, resources, and condition keys for Amazon QuickSight in the
Service Authorization Reference.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "Statement1", "Effect": "Deny", "Action": [ "quicksight:Subscribe" ], "Resource": [ "*" ], "Condition": { "ForAnyValue:StringEquals": { "quicksight:DirectoryType": [ "iam_identity_center" ] } } }, { "Sid": "Statement2", "Effect": "Deny", "Action": [ "quicksight:Subscribe" ], "Resource": [ "*" ], "Condition": { "StringEquals": { "quicksight:Edition": "standard" } } } ] }
With this policy in effect, individuals in an organization can sign up only for QuickSight Enterprise Edition. Additionally, they can sign up only by using the IAM Identity Center enabled application option. If they try to sign up for QuickSight Standard Edition or use another form of authentication, they are restricted from signing up. They receive a message explaining that they don't have the right permissions to sign up for QuickSight.
