Using service control policies to restrict Amazon QuickSight sign-up options

If you're an administrator in AWS Organizations, you can use service control policies (SCPs) to restrict how individuals in your organization can sign up for Amazon QuickSight. You can restrict the edition of Amazon QuickSight they can sign up for, and also the type of user that they can sign up for.

AWS Organizations is an account management service that you can use to consolidate multiple AWS accounts into an organization that you create and centrally manage. You can use SCPs in AWS Organizations to manage the permissions in your organization. For more information, see What is AWS Organizations? and Service control policies in the AWS Organizations User Guide.

In the following topic, you can learn about two ways to restrict Amazon QuickSight sign-up options using SCPs in AWS Organizations. The topic includes an example SCP. To learn more about creating SCPs, see the following topics in the AWS Organizations User Guide:

Restricting the Amazon QuickSight edition

To restrict the edition of Amazon QuickSight that your managed accounts can sign up for, use the quicksight:Edition condition key in your SCP. The values for this key are listed and described in the following table.

Key Name            Key Value   Description
quicksight:Edition  standard    QuickSight Standard Edition
quicksight:Edition  enterprise  QuickSight Enterprise Edition

Restricting user management options

To restrict the user management options that individuals in your organization can use to sign up for Amazon QuickSight, use the quicksight:DirectoryType condition key in your SCP. The values for this key are listed and described in the following table.

Key Name                  Key Value     Description
quicksight:DirectoryType  quicksight    IAM federated identities and QuickSight-managed users
quicksight:DirectoryType  iam           Only IAM federated identities
quicksight:DirectoryType  microsoft_ad  Users managed in Microsoft Active Directory on AWS Directory Service for Microsoft Active Directory
quicksight:DirectoryType  ad_connector  Users managed in on-premises Active Directory and connected through AD_Connector to AWS Directory Service for Microsoft Active Directory

Example SCP

The following example shows a service control policy that denies signing up for QuickSight Standard Edition and turns off the ability to sign up using QuickSight or Active Directory credentials. This policy uses the quicksight:Subscribe action, in addition to the condition keys previously described. For a list of QuickSight-specific keys for use in IAM permission policies, see Actions, resources, and condition keys for Amazon QuickSight in the Service Authorization Reference.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Deny",
            "Action": [
                "quicksight:Subscribe"
            ],
            "Resource": [
                "*"
            ],
            "Condition": {
                "ForAnyValue:StringEquals": {
                    "quicksight:DirectoryType": [
                        "microsoft_ad",
                        "quicksight",
                        "ad_connector"
                    ]
                }
            }
        },
        {
            "Sid": "Statement2",
            "Effect": "Deny",
            "Action": [
                "quicksight:Subscribe"
            ],
            "Resource": [
                "*"
            ],
            "Condition": {
                "StringEquals": {
                    "quicksight:Edition": "standard"
                }
            }
        }
    ]
}

With this policy in effect, individuals in an organization can sign up only for QuickSight Enterprise Edition. Additionally, they can sign up only using the IAM federated identities option. If they attempt to sign up for QuickSight Standard Edition or by using another form of authentication, they are restricted from signing up. They receive a message explaining that they don’t have the right permissions to sign up for QuickSight.
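To check a policy like this before attaching it, the following added example (not part of the AWS documentation and not AWS code) evaluates the example SCP against every combination of the two condition keys and reports which Deny statement blocks each sign-up request. The function names are hypothetical, and the evaluator is a simplified model that handles only StringEquals and ForAnyValue:StringEquals with exact, non-wildcard action names.

```python
from itertools import product

# The page's example SCP, condensed (same statements, actions and conditions).
SCP = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Statement1", "Effect": "Deny", "Action": ["quicksight:Subscribe"],
     "Resource": ["*"], "Condition": {"ForAnyValue:StringEquals": {
         "quicksight:DirectoryType": ["microsoft_ad", "quicksight", "ad_connector"]}}},
    {"Sid": "Statement2", "Effect": "Deny", "Action": ["quicksight:Subscribe"],
     "Resource": ["*"], "Condition": {"StringEquals": {"quicksight:Edition": "standard"}}},
]}

EDITIONS = ["standard", "enterprise"]  # condition key values listed on the page
DIRECTORY_TYPES = ["quicksight", "iam", "microsoft_ad", "ad_connector"]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def condition_matches(condition, context):
    """Simplified model: every operator block and every key must match (AND);
    a key matches when the request value equals any listed value (OR)."""
    for operator, keys in condition.items():
        if operator not in ("StringEquals", "ForAnyValue:StringEquals"):
            raise ValueError(f"operator not modelled: {operator}")
        for key, allowed in keys.items():
            # StringEquals is case-sensitive; a key missing from the request never matches.
            if context.get(key) not in _as_list(allowed):
                return False
    return True

def denying_sids(policy, action, context):
    """Return the Sids of the Deny statements that apply to this request."""
    sids = []
    for stmt in _as_list(policy["Statement"]):
        actions = [a.lower() for a in _as_list(stmt["Action"])]  # action names are case-insensitive
        if (stmt["Effect"] == "Deny" and action.lower() in actions
                and condition_matches(stmt.get("Condition", {}), context)):
            sids.append(stmt["Sid"])
    return sids

def signup_matrix(policy):
    """Map each (edition, directory type) pair to the Sids that deny it."""
    return {(e, d): denying_sids(policy, "quicksight:Subscribe",
                                 {"quicksight:Edition": e, "quicksight:DirectoryType": d})
            for e, d in product(EDITIONS, DIRECTORY_TYPES)}

if __name__ == "__main__":
    for (edition, directory), sids in signup_matrix(SCP).items():
        print(f"{edition:<10} {directory:<13} {'DENY ' + ','.join(sids) if sids else 'not denied'}")
```

"Not denied" means only that the SCP does not block the request; the caller still needs an IAM policy that allows quicksight:Subscribe.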