Safe and simplify account setup and entry administration with new Amazon QuickSight administrative controls

Amazon QuickSight is a fully-managed, cloud-native enterprise intelligence (BI) service that makes it simple to connect with your knowledge, create interactive dashboards, and share these with tens of hundreds of customers, both inside the QuickSight interface, or embedded in software program as a service (SaaS) purposes or internet portals. In contrast to many BI options out there right now, QuickSight requires no server deployments or administration for scaling to tens of hundreds of customers, and authors construct dashboards utilizing a web-based interface, with none consumer downloads wanted. QuickSight additionally helps non-public VPC connectivity to AWS databases and analytics providers comparable to Amazon Relational Database Service (Amazon RDS) and Amazon Redshift, and AWS Identification and Entry Administration (IAM) permissions-based entry to Amazon Easy Storage Service (Amazon S3) and Amazon Athena, making it safe and straightforward to entry knowledge in AWS by way of QuickSight.

On this publish, we discover three new options in QuickSight that allow directors to additional simplify QuickSight setup and entry controls, which makes it simpler than ever to scale QuickSight to all of your AWS accounts.

Overview of recent QuickSight options

Directors can reap the benefits of the next new options in QuickSight:

• Service management coverage primarily based sign-up controls – Admins can now use service management insurance policies (SCPs) to limit QuickSight sign-up choices inside your group. You may prohibit the QuickSight version (Normal or Enterprise), and likewise the kind of identification mechanisms that can be utilized. For instance, admins can arrange service management insurance policies that deny sign-ups for a QuickSight Normal Version and switch off the power to ask any customers aside from these doable by way of federated single sign-on (SSO). For extra info, see Utilizing Service Management Insurance policies to Prohibit Amazon QuickSight Signal-up Choices.
• Automated electronic mail sync for federated SSO customers – Admins can arrange QuickSight and SSO such that electronic mail addresses for end-users are mechanically synced at first-time login. This avoids any handbook errors throughout entry, and prevents use of non-public electronic mail addresses (comparable to Gmail or Hotmail). For instance, directors could make it in order that solely corporate-assigned electronic mail addresses are used when customers are provisioned to their QuickSight account by means of their identification supplier (IdP). For extra info, see Configuring E-mail Syncing for Federated Customers in Amazon QuickSight.
• Carry your individual function throughout QuickSight account setup – QuickSight means that you can usher in knowledge saved in a number of AWS providers to create datasets, analyses, and dashboards. QuickSight makes use of an IAM function to specify permissions to the AWS sources (comparable to Amazon S3 or Athena) on the QuickSight account degree (which you’ll additional management inside QuickSight). This service function was beforehand created throughout QuickSight sign-up, and required the person signing as much as have permissions to create this function. Now, directors signing as much as QuickSight can decide from an current function of their AWS account as an alternative of QuickSight making a customized service function for the account. This lets you arrange your individual function for a gaggle of codependent AWS providers and QuickSight that you simply wish to work collectively. For extra info, see Passing IAM Roles to Amazon QuickSight.

Use case overview

Let’s stroll by means of a use case for these options.

OkTank is an enterprise within the healthcare area, the place it owns and manages a number of hospitals. OkTank’s IT infrastructure is managed centrally by a staff that’s liable for making certain safety and governance of all the IT infrastructure. Every particular person facility has its personal AWS account, which is a member of OkTank’s central AWS Organizations account.

Every hospital wants its personal QuickSight account for gathering enterprise intelligence and enhancing the healthcare service they supply to their prospects. The central IT staff requires that every hospital when establishing their QuickSight account solely indicators up for Enterprise version. As well as, they wish to authenticate every hospital’s QuickSight customers (admins, authors, and readers) utilizing Okta, which is their company IdP. This helps them guarantee that QuickSight directors can’t invite non-federated customers deliberately or by mistake.

Directors additionally wish to guarantee that when customers get an invite to join their hospital’s QuickSight account, they solely use pre-approved electronic mail tackle as configured in Okta and don’t enter their private electronic mail tackle. This offers a seamless sign-up expertise for brand spanking new customers as a result of they don’t should enter an electronic mail tackle anymore, and it offers extra safety as a result of customers can’t use their private electronic mail for sign-up and future logins.

Lastly, as a result of AWS directors manages different providers comparable to Amazon S3 and Athena, that are being utilized by QuickSight, they’ve configured roles for every of those providers. Directors wish to be sure that they’ll use preconfigured roles when exterior providers are being utilized by QuickSight. This makes certain that customers and QuickSight admins can’t create their very own roles for these providers, and the roles might be enforced by directors of these exterior providers.

To allow all these setup and entry controls, OkTank’s Organizations administrator and the hospital’s QuickSight administrator use the brand new options within the following order:

• Carry your individual function throughout QuickSight account setup
• SCP-based sign-up controls
• Automated electronic mail sync for federated SSO customers

Carry your individual function throughout QuickSight account setup

OkTank makes use of Amazon S3 for storage, and needs to make use of it as a knowledge supply in all of the hospitals’ QuickSight accounts. An IT administrator creates an IAM function for Amazon S3 that solely permits read-only entry to a QuickSight account and its customers. Throughout QuickSight account creation, the administrator can choose the read-only Amazon S3 function. OkTank’s Organizations administrator for every hospital’s AWS account completes the next steps to create an Amazon S3 function and configure it for use by QuickSight:

1. On the IAM console, select Roles within the navigation pane.
   
2. Select Create function.
   
3. Select AWS Service and select S3.
   
4. Select Subsequent: Permissions.
5. Seek for S3 and choose AmazonS3ReadOnlyAccess.
6. Select Subsequent: Tags.
   
7. Select Subsequent: Evaluate.
8. For Position title, enter QuickSightS3Role.
9. Select Create function.
   
10. Select the newly created function.
11. On the Belief relationships tab,
12. Select Edit belief relationship.
    
13. Enter the next JSON:

    {
    "Model": "2012-10-17",
    "Assertion": [
    {
    "Effect": "Allow",
    "Principal": {
    "Service": "quicksight.amazonaws.com"
    },
    "Action": "sts:AssumeRole"
    }
    ]
    }

14. Select Replace Belief Coverage.
    

This newly created function is now obtainable for the administrator to decide on whereas making a QuickSight account within the subsequent part.

SCP-based sign-up controls

To make sure that hospitals when creating their QuickSight account solely select Enterprise version and their customers are solely invited by way of Okta, OkTank’s Organizations administrator completes the next steps:

1. On the Organizations console, select Insurance policies within the navigation pane.
2. Select Service management insurance policies.
   
3. Select Create coverage.
   
4. For Coverage title, enter QuickSightSCP.
5. Enter the next JSON within the coverage part:

   {
   "Model": "2012-10-17",
   "Assertion": [
   {
   "Sid": "Statement1",
   "Effect": "Deny",
   "Action": [
   "quicksight:Subscribe"
   ],
   "Useful resource": [
   "*"
   ],
   "Situation": {
   "ForAnyValue:StringEquals": {
   "quicksight:DirectoryType": [
   "microsoft_ad",
   "quicksight",
   "ad_connector"
   ]
   }
   }
   },
   {
   "Sid": "Statement2",
   "Impact": "Deny",
   "Motion": [
   "quicksight:Subscribe"
   ],
   "Useful resource": [
   "*"
   ],
   "Situation": {
   "StringEquals": {
   "quicksight:Version": "normal"
   }
   }
   }
   ]
   }

6. Select Create coverage.
   
7. Select AWS accounts within the navigation pane.
8. Select the Root account.
   
9. On the Insurance policies tab, beneath Service management insurance policies, select Connect.
   
10. Choose the coverage QuickSightSCP that you simply created earlier and select Connect coverage.
    

Now the newly created coverage is connected to all of the hospital’s AWS accounts.

Check the sign-up controls

Because the hospital’s AWS admin, you’ll be able to take a look at the sign-up controls to verify they stop you from utilizing Normal Version.

1. When signing up for a QuickSight account, select Normal.
2. Choose Use IAM federated identities & QuickSight-managed customers.
   

You’re offered with the next error message.

As per the brand new SCP coverage connected to the hospital’s AWS account, the admin has to decide on Enterprise Version and use IAM federated identities with a purpose to efficiently arrange a QuickSight account.

3. Select Enterprise.
4. Choose Use IAM federated identities solely.
   

The Amazon S3 read-only function that you simply created earlier is out there in QuickSight.

5. Choose Use an current function and select QuickSightS3Role.
6. Select End.
   

After you make your alternatives per the SCP coverage and the customized function for Amazon S3 read-only entry, this QuickSight account is created efficiently for the hospital.

Automated electronic mail sync for federated SSO customers

The hospital’s QuickSight account is now set as much as solely settle for customers invited by means of federated SSO. On this case, they use Okta, which is their company IdP. After authentication by way of Okta is full, the QuickSight customers are requested to enter their electronic mail tackle after they log in for the very first time.

This electronic mail request might create confusion for some customers as to which electronic mail tackle they need to use.

The hospital’s QuickSight admin staff needs to streamline the person login course of and forestall customers from getting into any emails aside from their company electronic mail. To make sure that, the hospital’s QuickSight admin decides to make use of the brand new automated electronic mail sync function for federated SSO customers. With this new function, admins can arrange QuickSight and SSO such that electronic mail addresses for end-users are mechanically synced at first-time login. This prevents any handbook errors throughout entry, or customers signing up with private electronic mail addresses. OkTank’s directors can arrange controls in order that solely corporate-assigned electronic mail addresses are used when customers are provisioned to their QuickSight account by means of their IdP.

The hospital’s admin completes the next steps to make use of this function:

1. On the IAM console, select Roles within the navigation pane.
2. Seek for the function you utilize with AssumeRoleWithSAML (for this publish, it’s known as QuickSightOktaFederatedRole).
   
3. On the Belief relationships tab, select Edit belief relationship.
   
4. For the coverage particulars, enter the next JSON:

   {
   "Model": "2012-10-17",
   "Assertion": [
   {
   "Effect": "Allow",
   "Principal": {
   "Federated": "arn:aws:iam::xxxxxxxxxx:saml-provider/Okta"
   },
   "Action": "sts:AssumeRoleWithSAML",
   "Condition": {
   "StringEquals": {
   "SAML:aud": "https://signin.aws.amazon.com/saml"
   }
   }
   },
   {
   "Effect": "Allow",
   "Principal": {
   "Federated": "arn:aws:iam::xxxxxxxxxx:saml-provider/Okta"
   },
   "Action": "sts:TagSession",
   "Condition": {
   "StringLike": {
   "aws:RequestTag/Email": "*"
   }
   }
   }
   ]
   }

5. Select Replace Belief Coverage.

OkTank’s central IT administrator (liable for managing Okta’s configuration) makes the next modifications within the Okta configuration by way of Okta’s admin console:

6. Log in to the Okta admin console.
7. Select Functions within the navigation pane.
   
8. Select the Okta software for QuickSight federation (on this case, it’s known as AWS Account Federation – QuickSight).
   
9. Select the Signal On tab.
   
10. Within the Settings part, select Edit.
    
11. Choose SAML 2.0 and broaden the Attributes part.
    
12. Add an attribute assertion as follows:
    1. For Identify, enter https://aws.amazon.com/SAML/Attributes/PrincipalTag:E-mail.
    2. For Identify format, choose URI reference.
    3. For Worth, choose person.electronic mail.
13. Select Save.

Lastly, after you replace the belief relationship for the IAM function with AssumeRoleWithSAML and add a SAML attribute for the IAM Principal tag in Okta, the subsequent step is to activate electronic mail syncing for federated customers in QuickSight.

OkTank’s central IT administrator (liable for managing Okta’s configuration) makes the next modifications within the Okta configuration by way of Okta’s admin console.

14. On the QuickSight console, on the person title menu, select Handle QuickSight.
    
15. Select Single sign-on (SSO) within the navigation pane.
    
16. Within the E-mail Syncing for Federated Customers part, choose ON.
    

As soon as turned on, customers when launching the QuickSight software by way of the Okta console for the primary time bypass the e-mail request and are redirected to the QuickSight console.

Conclusion

With these options, directors can now strengthen controls round QuickSight accounts and open up QuickSight entry to extra AWS accounts inside your group. Check out these options to strengthen the safety of your QuickSight account and simplify end-user entry, and share your suggestions and questions within the feedback.

Keep tuned for extra new admin capabilities, and take a look at what’s new for the most recent updates.

Concerning the Authors

Raji Sivasubramaniam is a Specialist Options Architect at AWS, specializing in Analytics. Raji has 20 years of expertise in architecting end-to-end Enterprise Knowledge Administration, Enterprise Intelligence and Analytics options for Fortune 500 and Fortune 100 corporations throughout the globe. She has in-depth expertise in built-in healthcare knowledge and analytics with broad number of healthcare datasets together with managed market, doctor focusing on and affected person analytics. In her spare time, Raji enjoys climbing, yoga and gardening.

Mayank Agarwal is a product supervisor for Amazon QuickSight, AWS’ cloud-native, absolutely managed BI service. He focuses on account administration, governance and developer expertise. He began his profession as an embedded software program engineer growing handheld gadgets. Previous to QuickSight he was main engineering groups at Credence ID, growing customized cell embedded machine and internet options utilizing AWS providers that make biometric enrollment and identification quick, intuitive, and cost-effective for Authorities sector, healthcare and transaction safety purposes.