

# AWS security in Quick
<a name="security"></a>

Amazon Quick provides a secure platform that enables you to distribute dashboards and insights to tens of thousands of users, with multiple-region availability and built-in redundancy. 

Cloud security at AWS is the highest priority. As an AWS customer, you benefit from a data center and network architecture that is built to meet the requirements of the most security-sensitive organizations.

Security is a shared responsibility between AWS and you. The [shared responsibility model](https://aws.amazon.com/compliance/shared-responsibility-model/) describes this as security *of* the cloud and security *in* the cloud:
+ **Security of the cloud** – AWS is responsible for protecting the infrastructure that runs AWS services in the AWS Cloud. AWS also provides you with services that you can use securely. The effectiveness of our security is regularly tested and verified by third-party auditors as part of the [AWS compliance programs](https://aws.amazon.com/compliance/programs/). To learn about the compliance programs that apply to Quick, see [AWS Services in Scope by Compliance Program](https://aws.amazon.com/compliance/services-in-scope/).
+ **Security in the cloud** – Your responsibility is determined by the AWS service that you use. You are also responsible for other factors, including the sensitivity of your data, your organization’s requirements, and applicable laws and regulations. 

This documentation helps you understand how to apply the shared responsibility model when using Amazon Quick. The following topics show you how to configure Amazon Quick to meet your security and compliance objectives. You also learn how to use other AWS services that can help you to monitor and secure your Amazon Quick resources. 

Amazon Quick enables you to manage your users and content using a comprehensive set of security features. These include role-based access control, Microsoft Active Directory integration, AWS CloudTrail auditing, single sign-on using AWS Identity and Access Management (IAM) and third-party solutions, private VPC subnets, and data backup. Amazon Quick can also support FedRAMP, HIPAA, PCI DSS, ISO, and SOC compliance to help you meet industry-specific or regulatory requirements.

**Topics**
+ [Data protection in Amazon Quick](sec-data-protection.md)
+ [Incident response, logging, and monitoring in Amazon Quick](incident-response-logging-and-monitoring.md)
+ [Compliance validation for Amazon Quick](sec-compliance.md)
+ [Resilience in Amazon Quick](disaster-recovery-resiliency.md)
+ [Infrastructure security in Amazon Quick](infrastructure-and-network-access.md)
+ [Best practices for security in Amazon Quick](best-practices-security.md)
+ [AWS managed policies for Amazon Quick](security-iam-quicksight.md)

# Data protection in Amazon Quick
<a name="sec-data-protection"></a>

The AWS [shared responsibility model](https://aws.amazon.com/compliance/shared-responsibility-model/) applies to data protection in Amazon Quick. As described in this model, AWS is responsible for protecting the global infrastructure that runs all of the AWS Cloud. You are responsible for maintaining control over your content that is hosted on this infrastructure. You are also responsible for the security configuration and management tasks for the AWS services that you use. For more information about data privacy, see the [Data Privacy FAQ](https://aws.amazon.com/compliance/data-privacy-faq/). For information about data protection in Europe, see the [AWS Shared Responsibility Model and GDPR](https://aws.amazon.com/blogs/security/the-aws-shared-responsibility-model-and-gdpr/) blog post on the *AWS Security Blog*.

For data protection purposes, we recommend that you protect AWS account credentials and set up individual users with AWS IAM Identity Center or AWS Identity and Access Management (IAM). That way, each user is given only the permissions necessary to fulfill their job duties. We also recommend that you secure your data in the following ways:
+ Use multi-factor authentication (MFA) with each account.
+ Use SSL/TLS to communicate with AWS resources. We require TLS 1.2 and recommend TLS 1.3.
+ Set up API and user activity logging with AWS CloudTrail. For information about using CloudTrail trails to capture AWS activities, see [Working with CloudTrail trails](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-trails.html) in the *AWS CloudTrail User Guide*.
+ Use AWS encryption solutions, along with all default security controls within AWS services.
+ Use advanced managed security services such as Amazon Macie, which assists in discovering and securing sensitive data that is stored in Amazon S3.
+ If you require FIPS 140-3 validated cryptographic modules when accessing AWS through a command line interface or an API, use a FIPS endpoint. For more information about the available FIPS endpoints, see [Federal Information Processing Standard (FIPS) 140-3](https://aws.amazon.com/compliance/fips/).

We strongly recommend that you never put confidential or sensitive information, such as your customers' email addresses, into tags or free-form text fields such as a **Name** field. This includes when you work with Amazon Quick or other AWS services using the console, API, AWS CLI, or AWS SDKs. Any data that you enter into tags or free-form text fields used for names may be used for billing or diagnostic logs. If you provide a URL to an external server, we strongly recommend that you do not include credentials information in the URL to validate your request to that server.

Amazon Quick does not use customer data for training or improving underlying LLMs.

**Topics**
+ [Data encryption in Amazon Quick](data-encryption.md)
+ [Inter-network traffic privacy in Amazon Quick](internetwork-traffic-privacy.md)

# Data encryption in Amazon Quick
<a name="data-encryption"></a>

Amazon Quick uses the following data encryption features: 
+  Encryption at rest 
+  Encryption in transit
+  Key management

You can find more details about data encryption at rest and data encryption in transit in the following topics. For more information about key management in Amazon Quick, see [Encrypting Amazon Quick SPICE datasets with AWS KMS customer-managed keys](https://docs.aws.amazon.com/quicksuite/latest/userguide/customer-managed-keys.html).

**Topics**
+ [Encryption at rest](#data-encryption-at-rest)
+ [Encryption in transit](#data-encryption-in-transit)

## Encryption at rest
<a name="data-encryption-at-rest"></a>

Amazon Quick securely stores your Amazon Quick metadata. This includes the following: 
+ Amazon Quick user data, including Amazon Quick user names, email addresses, and passwords. Amazon Quick administrators can view user names and emails, but each user's password is completely private to each user.
+ Minimal data necessary to coordinate user identification with your Microsoft Active Directory or identity federation implementation (Federated Single Sign-On (IAM Identity Center) through Security Assertion Markup Language 2.0 (SAML 2.0)).
+ Data source connection data.
+ Amazon Quick data source credentials (username and password) or OAuth tokens used to establish a data source connection. These are encrypted with the customer's default CMK when the customer registers a CMK with Amazon Quick. If the customer does not register a CMK with Amazon Quick, the information continues to be encrypted using an Amazon Quick owned AWS KMS key.
+ Names of your uploaded files, data source names, and data set names.
+ Statistics that Amazon Quick uses to populate machine learning (ML) insights.
+ Data indexed to support Amazon Q in Quick. This includes the following:
  + Topics
  + Metadata related to your dashboards
  + Your first index capacity purchase
  + Your first chat
  + Your first space creation
  + Your first knowledge base creation

**Note**  
Configure a CMK prior to creating the above. Otherwise, Q data will be encrypted by an AWS–owned key and cannot be changed later.

Amazon Quick securely stores your Amazon Quick data. This includes the following:
+ Data-at-rest in SPICE is encrypted using hardware block-level encryption with AWS-managed keys.
+ Data-at-rest other than SPICE is encrypted using Amazon-managed KMS keys. This includes the following:
  + Email reports
  + Sample value for filters

When you delete a user, all of that user's metadata is permanently deleted. If you don't transfer that user's Amazon Quick objects to another user, all of the deleted user's Amazon Quick objects (data sources, datasets, analyses, and so on) are also deleted. When you unsubscribe from Amazon Quick, all metadata and any data you have in SPICE is completely and permanently deleted. 

## Encryption in transit
<a name="data-encryption-in-transit"></a>

Amazon Quick supports encryption for all data transfers. This includes transfers from the data source to SPICE, or from SPICE to the user interface. However, encryption isn't mandatory. For some databases, you can choose whether transfers from the data source are encrypted or not. Amazon Quick secures all encrypted transfers by using Secure Sockets Layer (SSL).

# Inter-network traffic privacy in Amazon Quick
<a name="internetwork-traffic-privacy"></a>

To use Amazon Quick, users need access to the internet. They also need access to a compatible browser or a mobile device with the Amazon Quick mobile app installed. They don't need access to the data sources they want to analyze. This access is handled inside Amazon Quick. User connections to Amazon Quick are protected through the use of SSL. So that users can access Amazon Quick, allow access to HTTPS and Web Sockets Secure (wss://) protocol. 

You can use a Microsoft AD connector and single sign-on (IAM Identity Center) in a corporate network environment. You can further restrict access through the identity provider. Optionally, you can also use MFA. 

Amazon Quick accesses data sources by using connection information supplied by the data source owner in Amazon Quick. Connections are protected both between Amazon Quick and on-premises applications and between Amazon Quick and other AWS resources within the same AWS Region. For connections to any source, the data source must allow connections from Amazon Quick. 

## Traffic between service and on-premises clients and applications
<a name="internetwork-traffic-privacy-between-qs-and-and-on-premises"></a>

You have two connectivity options between your private network and AWS: 
+ An AWS Site-to-Site VPN connection. For more information, see [What is AWS site-to-site VPN?](https://docs.aws.amazon.com/vpn/latest/s2svpn/VPC_VPN.html)
+ An AWS Direct Connect connection. For more information, see [What is AWS direct connect?](https://docs.aws.amazon.com/directconnect/latest/UserGuide/Welcome.html) 

If you are using AWS API operations to interact with Amazon Quick through the network, clients must support Transport Layer Security (TLS) 1.0. We recommend TLS 1.2. Clients must also support cipher suites with Perfect Forward Secrecy (PFS), such as Ephemeral Diffie-Hellman (DHE) or Elliptic Curve Diffie-Hellman Ephemeral (ECDHE). Most modern systems such as Java 7 and later support these modes. You must sign requests using an access key ID and a secret access key that are associated with an IAM principal, or you can use the [AWS Security Token Service (STS)](https://docs.aws.amazon.com/STS/latest/APIReference/Welcome.html) to generate temporary security credentials to sign requests. 

## Traffic between AWS resources in the same region
<a name="internetwork-traffic-privacy-between-qs-and-and-aws"></a>

An Amazon Virtual Private Cloud (Amazon VPC) endpoint for Amazon Quick is a logical entity within a VPC that allows connectivity only to Amazon Quick. The VPC routes requests to Amazon Quick and routes responses back to the VPC. For more information, see the following:
+ [VPC endpoints](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints.html) in the *Amazon VPC User Guide*
+ [Connecting to an Amazon VPC with Amazon Quick](https://docs.aws.amazon.com/quicksight/latest/user/working-with-aws-vpc.html)

# Incident response, logging, and monitoring in Amazon Quick
<a name="incident-response-logging-and-monitoring"></a>


**Intended audience:** System administrators and Amazon Quick administrators

Effective incident response, logging, and monitoring are essential for maintaining the security, performance, and reliability of your Amazon Quick instance. This monitoring framework provides multiple layers of visibility into user activities, system performance, security events, and operational metrics across all Amazon Quick features including chat, spaces, flows, actions, research, dashboards, and custom agents.

Amazon Quick integrates with AWS native monitoring and logging services to provide both real-time insights and historical analysis capabilities. The monitoring system captures detailed analytics on user engagement, conversation patterns, resource utilization, and security-related events, while CloudTrail logging ensures complete audit trails for compliance and forensic analysis.

This section covers:
+ **Analytics and monitoring** - Comprehensive dashboards and metrics for tracking user adoption, performance, feedback, and security events across all Amazon Quick capabilities
+ **CloudTrail logging** - Complete audit trails of API calls and administrative actions for compliance and security monitoring in Amazon Quick Sight
+ **Non-API event logging** - Monitoring of user interactions, content access, and system events that don't generate API calls
+ **Log analysis and interpretation** - Understanding log entries, identifying security incidents, and responding to operational issues in Amazon Quick Sight

Whether you're investigating a security incident, analyzing user behavior patterns, measuring system performance, or ensuring regulatory compliance, these monitoring and logging capabilities provide the visibility and data you need to maintain a secure and well-functioning Amazon Quick environment.

**Topics**
+ [Monitoring Amazon Quick usage using CloudWatch Logs](monitoring-quicksuite-chat-feedback-cloudwatch.md)
+ [Incident response, logging, and monitoring in Amazon Quick Sight using CloudTrail](incident-response-logging-and-monitoring-qs.md)
+ [Monitoring data in Amazon Quick Sight using CloudWatch](monitoring-quicksight.md)

# Monitoring Amazon Quick usage using CloudWatch Logs
<a name="monitoring-quicksuite-chat-feedback-cloudwatch"></a>

You can use [Amazon CloudWatch Logs](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.html) to deliver chat conversations, user feedback and agent/research hours usage in Amazon Quick for you to analyze. These logs can be delivered to multiple destinations, such as CloudWatch, Amazon S3, or Amazon Data Firehose (standard rates apply). We recommend that you set up vended logs shortly after enabling Amazon Quick AI features.

The following are examples of tasks you can complete with logs from Amazon Quick:
+ Identify common user queries and pain points by reviewing the chat message content.
+ Monitor the quality of responses by looking at metrics like `feedback_reason`.
+ Understand user sentiment and satisfaction by analyzing the feedback data, including comments and usefulness ratings.
+ Generate custom dashboards and reports to track key metrics and trends over time.
+ Identify and analyze cases where the chat returned no answer or the user query was blocked.
+ Monitor agent and research hours usage.

**Important**  
Logs from conversations might include sensitive or personally identifiable data passed in the chats. You can filter out this information from your logs when setting up the log subscription, or you can mask this data in your logs using CloudWatch Logs masking policies. For more information, see [Help protect sensitive log data with masking](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/mask-sensitive-log-data.html).

## Supported log destinations
<a name="quicksuite-chat-feedback-supported-log-destinations"></a>

Amazon Quick can deliver logs to the following destinations:
+ **Amazon CloudWatch Logs** - For real-time monitoring and analysis
+ **Amazon S3** - For long-term storage and batch processing
+ **Amazon Data Firehose** - For streaming analytics and data transformation

## Prerequisites
<a name="quicksuite-chat-feedback-logging-prerequisites"></a>

Before you can enable logging, ensure you have:
+ An active Amazon Quick instance with Enterprise or Professional subscriptions
+ Appropriate IAM permissions to configure log delivery
+ A destination configured for your logs (CloudWatch Logs, Amazon S3 bucket, or Firehose)

## Configure logging
<a name="quicksuite-chat-feedback-configure-logging"></a>

To enable logging for Amazon Quick chat and feedback, you need to configure IAM permissions, create a delivery source and destination, and verify that logs are being delivered successfully.

**Topics**
+ [Set up IAM permissions](#quicksuite-chat-feedback-setup-iam-permissions)
+ [Configure log subscription](#quicksuite-chat-feedback-configure-log-subscription)
+ [Verify log delivery](#quicksuite-chat-feedback-verify-log-delivery)

### Set up IAM permissions
<a name="quicksuite-chat-feedback-setup-iam-permissions"></a>

To set up CloudWatch Logs for Amazon Quick, use the following IAM policy examples to grant the necessary permissions.

```
{
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "QuicksightLogDeliveryPermissions",
        "Effect": "Allow",
        "Action": "quicksight:AllowVendedLogDeliveryForResource",
        "Resource": "arn:aws:quicksight:region:account-id:account/account-id"
    }]
}
```

You must also allow the `delivery.logs.amazonaws.com` service principal in your customer managed AWS KMS key policy.

```
{
    "Effect": "Allow",
    "Principal": {
        "Service": "delivery.logs.amazonaws.com"
    },
    "Action": [
        "kms:GenerateDataKey",
        "kms:Decrypt"
    ],
    "Resource": "*",
    "Condition": {
        "StringEquals": {
            "kms:EncryptionContext:SourceArn": "arn:partition:logs:region:account-id:*"
        }
    }
}
```

### Configure log subscription
<a name="quicksuite-chat-feedback-configure-log-subscription"></a>

For example IAM policies with all the required permissions for your specific logging destination, see [Enable logging from AWS services](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.html) in the *Amazon CloudWatch Logs User Guide*.

Create a delivery source with the [PutDeliverySource](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutDeliverySource.html) CloudWatch Logs API operation. Give the delivery source a name and, for `resourceArn`, specify the ARN of your application. For `logType`, specify `CHAT_LOGS`, `AGENT_HOURS_LOGS`, or `FEEDBACK_LOGS`.

```
{
    "logType": "CHAT_LOGS",
    "name": "my-quick-suite-delivery-source",
    "resourceArn": "arn:aws:quicksight:your-region:your-account-id:account/account-id"
}
```

```
{
    "logType": "FEEDBACK_LOGS",
    "name": "my-quick-suite-delivery-source",
    "resourceArn": "arn:aws:quicksight:your-region:your-account-id:account/account-id"
}
```

```
{
    "logType": "AGENT_HOURS_LOGS",
    "name": "my-quick-suite-delivery-source",
    "resourceArn": "arn:aws:quicksight:your-region:your-account-id:account/account-id"
}
```

To enable user conversation logging with the CloudWatch Logs API operations, you call the `PutDeliverySource`, `PutDeliveryDestination`, and `CreateDelivery` API operations.

**Note**  
Logs are available for the Region specified in the resource ARN of the `PutDeliverySource` input.
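
The three API operations named above, called in order for each log type, as an added Python example using boto3 (not code from the AWS documentation). The delivery names, the single shared destination, the per-log-type `record_fields` mapping, and creating the client in the Region taken from the resource ARN are assumptions of this example.

```python
import re

LOG_TYPES = ("CHAT_LOGS", "FEEDBACK_LOGS", "AGENT_HOURS_LOGS")
# Shape of the account ARN used on this page: arn:aws:quicksight:region:account-id:account/account-id
ACCOUNT_ARN = re.compile(
    r"^arn:(aws[a-z-]*):quicksight:([a-z0-9-]+):(\d{12}):account/(\d{12})$"
)


def plan_deliveries(resource_arn, destination_resource_arn, prefix="quick"):
    """Build the request payloads offline so they can be reviewed before any call is made."""
    match = ACCOUNT_ARN.match(resource_arn)
    if not match:
        raise ValueError(f"not a Quick account ARN: {resource_arn!r}")
    _, region, owner, account = match.groups()
    if owner != account:
        raise ValueError("the two account IDs in the ARN disagree")
    # One delivery source per log type, each with its own name (hypothetical naming scheme).
    sources = [
        {
            "name": f"{prefix}-{log_type.lower().replace('_', '-')}",
            "resourceArn": resource_arn,
            "logType": log_type,
        }
        for log_type in LOG_TYPES
    ]
    destination = {
        "name": f"{prefix}-destination",
        "deliveryDestinationConfiguration": {
            "destinationResourceArn": destination_resource_arn
        },
    }
    return {"region": region, "sources": sources, "destination": destination}


def apply_plan(plan, record_fields=None):
    """Run PutDeliveryDestination, PutDeliverySource and CreateDelivery, then verify.

    record_fields is an optional {logType: [field, ...]} mapping passed to
    CreateDelivery as recordFields (assumption: field names as listed in the
    log schema for that log type). Returns the IDs of created deliveries that
    DescribeDeliveries does not list; an empty list means all are present.
    """
    import boto3  # imported here so plan_deliveries works without AWS access

    logs = boto3.client("logs", region_name=plan["region"])
    dest = logs.put_delivery_destination(**plan["destination"])
    dest_arn = dest["deliveryDestination"]["arn"]

    created = set()
    for source in plan["sources"]:
        logs.put_delivery_source(**source)
        request = {
            "deliverySourceName": source["name"],
            "deliveryDestinationArn": dest_arn,
        }
        fields = (record_fields or {}).get(source["logType"])
        if fields:
            request["recordFields"] = fields
        created.add(logs.create_delivery(**request)["delivery"]["id"])

    # Verification step: page through DescribeDeliveries.
    seen, token = set(), None
    while True:
        page = logs.describe_deliveries(**({"nextToken": token} if token else {}))
        seen.update(d["id"] for d in page.get("deliveries", []))
        token = page.get("nextToken")
        if not token:
            break
    return sorted(created - seen)
```
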

### Verify log delivery
<a name="quicksuite-chat-feedback-verify-log-delivery"></a>

Once configured, verify that logs are being delivered to your destination:
+ **Verify the setup:** Verify the list of deliveries that have been created in the account by using the `DescribeDeliveries` API in CloudWatch Logs.
+ **CloudWatch Logs**: Check the specified log group for new log streams.
+ **Amazon S3**: Monitor your bucket for new log files.
+ **Firehose**: Verify data is flowing through your delivery stream.

## Log schema and format
<a name="quicksuite-chat-feedback-log-schema-format"></a>

Amazon Quick logs follow a structured schema with common fields shared across all log types and specific fields for chat and feedback logs.

### Common fields
<a name="quicksuite-chat-feedback-common-fields"></a>

All log events include these common fields:
+ `resource_arn` - Resource ARN of your Amazon Quick account (for example, `arn:aws:quicksight:us-east-1:111122223333:account/111122223333:`)
+ `event_timestamp` - ISO 8601 timestamp of the event (for example, `1763532110061`)
+ `logType` - Type of log (for example, `Chat` or `Feedback`)
+ `accountId` - AWS account ID (for example, `123456789012`)
+ `user_arn` - Amazon Quick user ARN associated with the event (for example, `"arn:aws:quicksight:us-west-2:111122223333:user/default/user"`)

### Chat logs
<a name="quicksuite-chat-logs"></a>

Chat logs capture conversation interactions and contain the following fields:
+ `status_code` - Status of the chat request (for example, `Success`, `request_blocked`, `no_answer_found`)
+ `namespace*` - Amazon Quick namespace for the event (for example, `default`)
+ `user_type` - Amazon Quick user type associated with the event (for example, `ADMIN_PRO`)
+ `conversation_id` - Unique ID for the user conversation
+ `system_message_id` - System-generated message ID
+ `latency*` - Chat message latency in milliseconds
+ `time_to_first_token*` - Time in milliseconds of first response token
+ `message_scope` - Scope of the message (for example, `all_resources`, `specific_resources`, `no_resources`)
+ `user_message_id` - Unique ID of the user message
+ `user_message` - User message in the conversation
+ `agent_id` - Unique ID of the chat agent
+ `flow_id` - Unique ID of the Amazon Quick Flow
+ `system_text_message` - System response in the conversation
+ `surface_type*` - Application being used for the conversation
+ `web_search*` - Web search enabled or not
+ `user_selected_resources` - List of resources selected by user
+ `action_connectors` - List of action connectors
+ `cited_resource` - List of cited resources
+ `file_attachment` - List of files attached by user

The following is an example of chat logs:

```
{
    "status_code": "success",
    "namespace": "default",
    "user_type": "ADMIN_PRO",
    "conversation_id": "a11b2bbc-c123-3abc-a12b-12a34b5c678d",
    "system_message_id": "a11b2bbc-c123-3abc-a12b-12a34b5c678d",
    "latency": "10000", 
    "time_to_first_token": "10000",
    "message_scope": "all_resources",
    "user_message_id": "a11b2bbc-c123-3abc-a12b-12a34b5c678d",
    "user_message": "Hi chat",
    "agent_id": "a11b2bbc-c123-3abc-a12b-12a34b5c678d",
    "flow_id": "a11b2bbc-c123-3abc-a12b-12a34b5c678d",
    "system_text_message": "Hello user",
    "surface_type": "WEB_EXPERIENCE",
    "web_search": "true",
    "user_selected_resources": [{"resource_type": "Dashboard","resource_id": "146abs-1222-534894"},{"resource_type": "Space","resource_id": "123abs-1234-534894"}],
    "action_connectors": [{"action_connector_id": "quicksight-website"},{"action_connector_id": "123abs-1234-534894"}],
    "cited_resource": [{"cited_resource_name": "Dashboard","cited_resource_id": "146abs-1222-534894","cited_resource_name": "ds1"},{"cited_resource_name": "Space","cited_resource_id": "123abs-1234-534894","cited_resource_name": "space1"}],
    "file_attachment": [{"file_attachmet_type": "pdf","file_attachment_name": "file1.pdf"},{"file_attachmet_type": "txt","file_attachment_name": "file2.txt"}]
}
```
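
One way to review delivered chat logs for blocked and unanswered requests while masking e-mail addresses in the free-text fields before the events are passed on, as an added Python example (not part of the AWS documentation). The sample lines are constructed from the schema above; one JSON event per line, the `logType` prefix match, and the e-mail pattern are assumptions.

```python
import json
import re
from collections import Counter

# Statuses this page names for chat requests that need review.
REVIEW_STATUSES = {"request_blocked", "no_answer_found"}
# Free-text fields of the chat log schema that can carry user-supplied data.
TEXT_FIELDS = ("user_message", "system_text_message")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def redact(event):
    """Return a copy of the event with e-mail addresses masked in free-text fields."""
    clean = dict(event)
    for field in TEXT_FIELDS:
        if isinstance(clean.get(field), str):
            clean[field] = EMAIL_RE.sub("[REDACTED_EMAIL]", clean[field])
    return clean


def triage(lines, blocked_threshold=2):
    """Summarise chat log lines; malformed and non-chat events are counted, not dropped silently."""
    status_counts, blocked_by_user = Counter(), Counter()
    review, malformed, skipped = [], 0, 0
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            malformed += 1
            continue
        if not isinstance(event, dict):
            malformed += 1
            continue
        # The page gives `Chat` as an example logType; match the prefix case-insensitively.
        if not str(event.get("logType", "")).lower().startswith("chat"):
            skipped += 1
            continue
        # The field list shows `Success`, the sample event shows `success`: normalise case.
        status = str(event.get("status_code", "")).lower()
        status_counts[status] += 1
        if status in REVIEW_STATUSES:
            review.append(redact(event))
        if status == "request_blocked":
            blocked_by_user[event.get("user_arn", "unknown")] += 1
    repeat = sorted(u for u, n in blocked_by_user.items() if n >= blocked_threshold)
    return {
        "status_counts": dict(status_counts),
        "review": review,
        "repeat_blocked_users": repeat,
        "malformed": malformed,
        "skipped_non_chat": skipped,
    }


def _event(user, status, message, log_type="Chat"):
    # Constructed sample event using field names from this page's schema.
    return json.dumps({
        "logType": log_type,
        "user_arn": f"arn:aws:quicksight:us-west-2:111122223333:user/default/{user}",
        "status_code": status,
        "user_message": message,
    })


SAMPLE_LINES = [
    _event("alice", "success", "Hi chat"),
    _event("bob", "request_blocked", "Forward this to jane.doe@example.com"),
    _event("bob", "request_blocked", "Try again"),
    _event("carol", "no_answer_found", "What is our Q3 churn?"),
    _event("alice", "success", "", log_type="Feedback"),
    "{truncated line",
]

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LINES), indent=2))
```
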

### Feedback logs
<a name="quicksuite-chat-feedback-logs"></a>

Feedback logs capture user feedback on chat and contain the following fields:
+ `status_code` - Status of the event delivery
+ `namespace*` - Amazon Quick namespace for the event (for example, `default`)
+ `user_type` - Amazon Quick user type associated with the event (for example, `ADMIN_PRO`)
+ `conversation_id` - Unique ID of the conversation
+ `system_message_id` - System generated message ID
+ `user_message_id` - Unique ID of user message
+ `feedback_type` - Type of feedback (for example, `Not Useful`, `Useful`)
+ `feedback_reason` - Feedback reason selected by the user
+ `feedback_details` - (Optional) Additional details provided by the user

The following is an example of feedback logs:

```
{
    "status_code": "success",
    "namespace": "default",
    "user_type": "ADMIN_PRO",
    "conversation_id": "a11b2bbc-c123-3abc-a12b-12a34b5c678d",
    "system_message_id": "a11b2bbc-c123-3abc-a12b-12a34b5c678d",
    "user_message_id": "a11b2bbc-c123-3abc-a12b-12a34b5c678d",
    "feedback_type": "Not Useful / Useful",
    "feedback_reason": "Too wordy,Issue with sources,Other etc.",
    "feedback_details": "additional text shared by user"
}
```

## Agent/Research hours logs
<a name="quicksuite-agent-hours-logs"></a>

This log type captures the usage logs for the different agents within your Quick account that are used for pricing. It contains the following fields:
+ `subscription_type` - `ENTERPRISE` or `PROFESSIONAL`
+ `reporting_service` - Service corresponding to the agent: `RESEARCH`, `FLOWS`, or `AUTOMATIONS`
+ `usage_group` - `Included` or `Extra`, based on the subscription type and usage so far
+ `usage_hours` - Decimal value indicating the usage hours for the particular log instance
+ `service_resource_arn` - ARN of the corresponding Agent’s service

The following is an example of Agent Hours logs:

```
{
    "subscription_type": "ENTERPRISE",
    "reporting_service": "RESEARCH",
    "usage_group": "Included",
    "usage_hours": 0.3333,
    "service_resource_arn": "arn:aws:quicksight:eu-west-1:111222333444:research/a11b2bbc-c123-3abc-a12b-12a34b5c678d"
}
```

**Note**  
\* Fields marked with '\*' are not added to your log subscription by default. If you need them, specify them explicitly when you call `CreateDelivery`.

## Security considerations
<a name="quicksuite-chat-feedback-security-considerations"></a>
+ **Encryption**: Use customer-managed AWS KMS keys for sensitive data
+ **Access control**: Implement least-privilege IAM policies
+ **Data retention**: Configure appropriate retention policies for your compliance requirements

# Incident response, logging, and monitoring in Amazon Quick Sight using CloudTrail
<a name="incident-response-logging-and-monitoring-qs"></a>

Amazon Quick Sight is integrated with AWS CloudTrail. This service provides a record of actions taken by a user, role, or an AWS service in Amazon Quick Sight. CloudTrail captures all API calls for Amazon Quick Sight as events. The calls captured include some calls from the Amazon Quick Sight console and all code calls to Amazon Quick Sight API operations. If you create a trail, you can enable continuous delivery of CloudTrail events to an Amazon S3 bucket, including events for Amazon Quick Sight. If you don't configure a trail, you can still view the most recent events in the CloudTrail console in **Event history**. Using the information collected by CloudTrail, you can determine the request that was made to Amazon Quick Sight, the IP address from which the request was made, who made the request, when it was made, and additional details. 

Amazon Quick Sight doesn’t natively support alerting with Amazon CloudWatch or other external systems. However, it's possible to develop a custom solution to process CloudTrail logs.

Amazon Quick Sight service status can be viewed on the [Service Health Dashboard](https://status.aws.amazon.com/).

By default, the log files delivered by CloudTrail to your bucket are encrypted by Amazon [server-side encryption with Amazon S3-managed encryption keys (SSE-S3)](https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingServerSideEncryption.html). To provide a security layer that is directly manageable, you can instead use [server-side encryption with AWS KMS–managed keys (SSE-KMS)](https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingKMSEncryption.html) for your CloudTrail log files. Enabling server-side encryption encrypts the log files but not the digest files with SSE-KMS. Digest files are encrypted with [Amazon S3-managed encryption keys (SSE-S3)](https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingServerSideEncryption.html). 

To learn more about CloudTrail, including how to configure and enable it, see the [AWS CloudTrail User Guide](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/).

**Topics**
+ [Logging Amazon Quick Sight information with AWS CloudTrail](#logging-using-cloudtrail)
+ [Tracking non-API events by using CloudTrail logs](#logging-non-api)
+ [Example: Amazon Quick Sight log file entries](#understanding-quicksight-entries)

## Logging Amazon Quick Sight information with AWS CloudTrail
<a name="logging-using-cloudtrail"></a>


**Intended audience:** System administrators

CloudTrail is enabled on your AWS account when you create the account. When supported event activity occurs in Amazon Quick Sight, that activity is recorded in a CloudTrail event along with other AWS service events in **Event history**. You can view, search, and download recent events in your AWS account. For more information, see [Viewing Events with CloudTrail Event History](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/view-cloudtrail-events.html). 

For an ongoing record of events in your AWS account, including events for Amazon Quick Sight, create a trail. A *trail* enables CloudTrail to deliver log files to an Amazon S3 bucket. By default, when you create a trail in the console, the trail applies to all AWS Regions. The trail logs events from all Regions in the AWS partition and delivers the log files to the Amazon S3 bucket that you specify. Additionally, you can configure other AWS services to further analyze and act upon the event data collected in CloudTrail logs. For more information, see the following: 
+ [Overview for Creating a Trail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-and-update-a-trail.html)
+ [CloudTrail Supported Services and Integrations](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-aws-service-specific-topics.html#cloudtrail-aws-service-specific-topics-integrations)
+ [Configuring Amazon SNS Notifications for CloudTrail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/getting_notifications_top_level.html)
+ [Receiving CloudTrail Log Files from Multiple Regions](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html) and [Receiving CloudTrail Log Files from Multiple Accounts](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-receive-logs-from-multiple-accounts.html)
+ [Cross-Account CloudTrail Logging](https://docs.aws.amazon.com/lake-formation/latest/dg/cross-account-logging.html) in the *AWS Lake Formation Developer Guide* – This topic includes instructions for including principal identities in cross-account CloudTrail logs.

Amazon Quick Sight supports logging the following actions as events in CloudTrail log files:
+ Whether the request was made with root or AWS Identity and Access Management user credentials
+ Whether the request was made with temporary security credentials for an IAM role or federated user
+ Whether the request was made by another AWS service

For more information on user identity, see the [CloudTrail userIdentity Element](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html).

By default, each Amazon Quick Sight log entry contains the following information:
+ **userIdentity** – User identity
+ **eventTime** – Event time
+ **eventId** – Event ID
+ **readOnly** – Read only
+ **awsRegion** – AWS Region
+ **eventSource (quicksight)** – Source of the event (Amazon Quick Sight)
+ **eventType (AwsServiceEvent)** – Event type (AWS service event)
+ **recipientAccountId (customer AWS account)** – Recipient account ID (Customer AWS account)

**Note**  
 CloudTrail displays users as `unknown` if they were provisioned by Amazon Quick Sight. This happens because these users aren't a known IAM identity type. 

## Tracking non-API events by using CloudTrail logs
<a name="logging-non-api"></a>

Following is a list of the non-API events you can track.

**User management**
+ **CreateAccount** – Create Account
+ **BatchCreateUser** – Create User
+ **BatchResendUserInvite** – Invite User
+ **UpdateGroups** – Update Groups

  This event works with Enterprise edition only.
+ **UpdateSpiceCapacity** – Update SPICE Capacity
+ **DeleteUser** – Delete User
+ **Unsubscribe** – Unsubscribe User

**Subscription**
+ **CreateSubscription** – Create Subscription
+ **UpdateSubscription** – Update Subscription
+ **DeleteSubscription** – Delete Subscription

**Dashboard**
+ **GetDashboard** – Get Dashboard
+ **CreateDashboard** – Create Dashboard
+ **UpdateDashboard** – Update Dashboard
+ **UpdateDashboardAccess** – Update Dashboard Access
+ **DeleteDashboard** – Delete Dashboard

**Analysis**
+ **GetAnalysis** – Get Analysis
+ **CreateAnalysis** – Create Analysis
+ **UpdateAnalysisAccess** – Update Analysis Access
+ **UpdateAnalysis** – Update Analysis
  + **RenameAnalysis** – Rename Analysis
  + **CreateVisual** – Create Visual
  + **RenameVisual** – Rename Visual
  + **DeleteVisual** – Delete Visual
  + **DeleteAnalysis** – Delete Analysis

**Data source**
+ **CreateDataSource** – Create Data Source
  + **FlatFile** – Flat file
  + **External** – External
  + **S3** – S3
  + **ImportS3ManifestFile** – S3 Manifest File
  + **Presto** – Presto
  + **RDS** – RDS
  + **Redshift** – Redshift (manual)
+ **UpdateDataSource** – Update Data Source
+ **DeleteDataSource** – Delete Data Source

**Data set**
+ **CreateDataSet** – Create Data Set
  + **CustomSQL** – Custom SQL
  + **SQLTable** – SQL Table
  + **File** – CSV or XLSX
+ **UpdateDataSet** – Update SQL Join Dataset
+ **UpdateDatasetAccess** – Update Dataset Access
+ **DeleteDataSet** – Delete Dataset
+ **Querydatabase** – Query the data source during a dataset refresh.

## Example: Amazon Quick Sight log file entries
<a name="understanding-quicksight-entries"></a>

 A trail is a configuration that enables delivery of events as log files to an Amazon S3 bucket that you specify. CloudTrail log files contain one or more log entries. An event represents a single request from any source and includes information about the requested action, the date and time of the action, request parameters, and so on. CloudTrail log files aren't an ordered stack trace of the public API calls, so they don't appear in any specific order.

The following example shows a CloudTrail log entry that demonstrates the BatchCreateUser action.

```
{
   "eventVersion":"1.05",
   "userIdentity":
   {
      "type":"Root",
      "principalId":"123456789012",
      "arn":"arn:aws:iam::123456789012:root",
      "accountId":"123456789012",
      "userName":"test-username"
   },
   "eventTime":"2017-04-19T03:16:13Z",
   "eventSource":"quicksight.amazonaws.com",
   "eventName":"BatchCreateUser",
   "awsRegion":"us-west-2",
   "requestParameters":null,
   "responseElements":null,
   "eventID":"e7d2382e-70a0-3fb7-9d41-a7a913422240",
   "readOnly":false,
   "eventType":"AwsServiceEvent",
   "recipientAccountId":"123456789012",
   "serviceEventDetails":
   {
      "eventRequestDetails":
      {
         "users":
         {
            "test-user-11":
            {
               "role":"USER"
            },
            "test-user-22":
            {
               "role":"ADMIN"
            }
         }
      },
      "eventResponseDetails":
      {
         "validUsers":[
         ],
         "InvalidUsers":[
            "test-user-11",
            "test-user-22"
         ]
      }
   }
}
```
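The following added example (not part of the AWS documentation) triages a CloudTrail log file for the Quick Sight non-API events listed earlier: it flags user-management and access-change events, ADMIN role requests in `BatchCreateUser`, root credentials, and actors that are not a known IAM identity type, and it sorts findings by `eventTime` because log entries arrive in no specific order. It assumes the top-level `Records` array of a CloudTrail log file and an identity `type` of `Unknown` for Quick Sight-provisioned users; `triage` and `admin_requests` are names introduced here, and every record except the `BatchCreateUser` entry is constructed sample data.

```python
import json

QUICKSIGHT_SOURCE = "quicksight.amazonaws.com"
# Event names taken from the non-API event list on this page.
USER_CHANGES = {"BatchCreateUser", "DeleteUser", "UpdateGroups"}
ACCESS_CHANGES = {"UpdateDashboardAccess", "UpdateAnalysisAccess", "UpdateDatasetAccess"}


def admin_requests(record):
    """Yield one note per ADMIN role requested in a BatchCreateUser event."""
    details = record.get("serviceEventDetails") or {}
    users = (details.get("eventRequestDetails") or {}).get("users") or {}
    response = details.get("eventResponseDetails") or {}
    for name, attrs in sorted(users.items()):
        if (attrs or {}).get("role") != "ADMIN":
            continue
        # Report which response list names the user, without interpreting it further.
        listed = [key for key in ("validUsers", "InvalidUsers")
                  if name in (response.get(key) or [])]
        where = "listed in " + listed[0] if listed else "not in the response lists"
        yield f"ADMIN role requested for {name} ({where})"


def triage(log_text):
    """Return findings for Quick Sight service events, oldest first."""
    findings = []
    for record in json.loads(log_text).get("Records", []):
        # Keep only the non-API service events that Quick Sight emits.
        if record.get("eventSource") != QUICKSIGHT_SOURCE:
            continue
        if record.get("eventType") != "AwsServiceEvent":
            continue
        name = record.get("eventName", "")
        identity = record.get("userIdentity") or {}
        id_type = (identity.get("type") or "").lower()
        reasons = []
        if name in USER_CHANGES:
            reasons.append("user management change")
        if name in ACCESS_CHANGES:
            reasons.append("asset access change")
        if name == "BatchCreateUser":
            reasons.extend(admin_requests(record))
        if not reasons:
            continue  # routine event such as GetDashboard
        if id_type == "root":
            reasons.append("made with root credentials")
        elif id_type in ("", "unknown"):
            # Assumption: Quick Sight-provisioned users carry the type "Unknown".
            reasons.append("actor is not a known IAM identity type")
        findings.append({
            "eventTime": record.get("eventTime", ""),
            "eventID": record.get("eventID", ""),
            "eventName": name,
            "actor": identity.get("arn") or "unknown",
            "reasons": reasons,
        })
    # ISO 8601 UTC timestamps sort correctly as strings.
    findings.sort(key=lambda finding: finding["eventTime"])
    return findings


def _event(name, time, event_id, identity, source=QUICKSIGHT_SOURCE, details=None):
    """Build one sample record with the default fields this page lists."""
    return {"userIdentity": identity, "eventTime": time, "eventSource": source,
            "eventName": name, "eventID": event_id, "eventType": "AwsServiceEvent",
            "serviceEventDetails": details}


# First record: the BatchCreateUser entry from this page. The rest are constructed.
SAMPLE_LOG = json.dumps({"Records": [
    _event("BatchCreateUser", "2017-04-19T03:16:13Z",
           "e7d2382e-70a0-3fb7-9d41-a7a913422240",
           {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
           details={
               "eventRequestDetails": {"users": {"test-user-11": {"role": "USER"},
                                                 "test-user-22": {"role": "ADMIN"}}},
               "eventResponseDetails": {"validUsers": [],
                                        "InvalidUsers": ["test-user-11", "test-user-22"]}}),
    _event("DeleteUser", "2017-04-19T04:00:00Z", "constructed-0002", {"type": "Unknown"}),
    _event("UpdateDashboardAccess", "2017-04-19T02:05:00Z", "constructed-0001",
           {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/example-analyst"}),
    _event("GetDashboard", "2017-04-19T02:10:00Z", "constructed-0003",
           {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/example-analyst"}),
    _event("PutObject", "2017-04-19T02:20:00Z", "constructed-0004",
           {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/example-analyst"},
           source="s3.amazonaws.com"),
]})

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding["eventTime"], finding["eventName"], finding["actor"],
              "; ".join(finding["reasons"]))
```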

# Monitoring data in Amazon Quick Sight using CloudWatch
<a name="monitoring-quicksight"></a>

Amazon Quick sends metrics to Amazon CloudWatch that you can use to observe and respond to the availability and performance of your Amazon Quick environment in near real time. Currently, you can monitor metrics for Amazon Quick Sight dashboards, visuals, and dataset ingestions, as well as unstructured datasets and Quick Action Connectors, to provide your readers with a consistent, high-performing, and uninterrupted experience on Amazon Quick. 

For more information about using Amazon CloudWatch, see the [Amazon CloudWatch User Guide](https://docs.aws.amazon.com//AmazonCloudWatch/latest/monitoring/WhatIsCloudWatch.html).

## Accessing Quick metrics in Amazon CloudWatch
<a name="access-cw"></a>

Use the following procedure to access Amazon Quick metrics in Amazon CloudWatch.

**To access Amazon Quick metrics in CloudWatch**

1. Sign in to the AWS account that's associated with your Amazon Quick account.

1. In the upper-left corner of the AWS Management Console home page, choose **Services**, and then choose **CloudWatch**.

1. In the navigation pane, choose **Metrics**, **All metrics**, **QuickSight**.

**Topics**
+ [Graph metrics with the Amazon CloudWatch console](#cw-graph)
+ [Creating alarms with the Amazon CloudWatch console](#cw-alerts)
+ [Metrics](#cw-metrics)
+ [Aggregate metrics](#cw-aggregate-metrics)
+ [Aggregate SPICE metrics](#aggregate-spice-metrics)
+ [Dimensions](#cw-dimensions)

### Graph metrics with the Amazon CloudWatch console
<a name="cw-graph"></a>

You can also use the Amazon CloudWatch console to graph metric data generated by Quick. For more information, see [Graphing metrics](https://docs.aws.amazon.com//AmazonCloudWatch/latest/monitoring/graph_metrics.html) in the *Amazon CloudWatch User Guide.*

### Creating alarms with the Amazon CloudWatch console
<a name="cw-alerts"></a>

You can create an Amazon CloudWatch alarm that monitors CloudWatch metrics for your Quick assets. When the metric reaches a threshold that you specify, CloudWatch automatically sends you a notification. For examples, see [Creating Amazon CloudWatch alarms](https://docs.aws.amazon.com//AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html) in the *Amazon CloudWatch User Guide*.

### Metrics
<a name="cw-metrics"></a>

The `AWS/QuickSight` namespace includes the following metrics for monitoring traffic and latency of your Amazon Quick assets.

**Topics**
+ [Per-dashboard metrics](#per-dashboard-metrics)
+ [Per-dataset ingestion metrics](#per-ingestion-metrics)
+ [Per-visual metrics](#per-visual-metrics)
+ [Per-unstructured dataset metrics](#per-unstructured-dataset-metrics)
+ [Per-action connector metrics](#per-action-connector-metrics)

#### Per-dashboard metrics
<a name="per-dashboard-metrics"></a>

The following metrics track dashboard view counts and load times. You can find these metrics under the `AWS/QuickSight/Dashboard Metrics` group in CloudWatch.


| Metric | Description | Dimension | Unit | 
| --- | --- | --- | --- | 
|  DashboardViewCount  |  The number of times that a dashboard has been viewed. This number includes all access patterns such as web, mobile, and embedded. The most useful statistic for this metric is `SUM`, which represents the total number of dashboard views during a set period of time.  |  DashboardId  |  Count  | 
|  DashboardViewLoadTime  |  The amount of time that it takes for an Amazon Quick Sight dashboard to load. The measurement begins when a user reaches the Amazon Quick Sight dashboard and ends when all of the dashboard's visuals finish rendering. The most useful statistic for this metric is `AVERAGE`, which represents the average load time of an Amazon Quick Sight dashboard during a set period of time.  |  DashboardId  |  Millisecond  | 

#### Per-dataset ingestion metrics
<a name="per-ingestion-metrics"></a>

The following metrics track ingestions for specific [SPICE](https://docs.aws.amazon.com/quicksight/latest/user/spice.html) datasets. You can find these metrics under the `AWS/QuickSight/Ingestion Metrics` group in CloudWatch.


| Metric | Description | Dimension | Unit | 
| --- | --- | --- | --- | 
|  IngestionErrorCount  |  The number of failed ingestions. The most useful statistic for this metric is `SUM`, which represents the total number of failed ingestions during a set period of time.  |  DatasetId  |  Count  | 
|  IngestionInvocationCount  |  The number of ingestions that have been initiated. This includes scheduled and manual ingestions that are initiated through the console and the Amazon Quick Sight API operations. The most useful statistic for this metric is `SUM`, which represents the total number of ingestions initiated during a set period of time.  |  DatasetId  |  Count  | 
|  IngestionLatency  |  The time period between the initiation of an ingestion to the completion of the ingestion. The most useful statistic for this metric is `AVERAGE`, which represents the average runtime of ingestions during a set period of time.  |  DatasetId  |  Second  | 
|  IngestionRowCount  |  The number of successful row ingestions. The most useful statistic for this metric is `SUM`, which represents the total amount of data ingested during a set period of time.  |  DatasetId  |  Count  | 

#### Per-visual metrics
<a name="per-visual-metrics"></a>

The following metrics track the load times and error counts of individual visuals on an Amazon Quick Sight dashboard. You can find these metrics under the `AWS/QuickSight/Visual Metrics` group in CloudWatch.


| Metric | Description | Dimension | Unit | 
| --- | --- | --- | --- | 
|  VisualLoadTime  |  The time that it takes for an Amazon Quick Sight visual to receive the necessary query data for an initial paint of the visual. This includes the round-trip query time from the client, to the Amazon Quick Sight service, and then back to the client. The most useful statistic for this metric is `AVERAGE`, which represents the average load time of a visual during a set period of time.  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/quick/latest/userguide/monitoring-quicksight.html)  |  Millisecond  | 
|  VisualLoadErrorCount  |  The number of times that an Amazon Quick Sight visual fails to complete a data query for the initial paint. Any error that occurs during a visual's loading period is included in this metric. The most useful statistic for this metric is `SUM`, which represents the total number of failed visual loads during a set period.  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/quick/latest/userguide/monitoring-quicksight.html)  |  Count  | 

#### Per-unstructured dataset metrics
<a name="per-unstructured-dataset-metrics"></a>

The following metrics track document statistics and indexing status for Amazon Quick Sight unstructured datasets. You can find these metrics under the `AWS/QuickSight/QuickInstanceId` group in CloudWatch.


| Metric | Description | Dimension | Unit | 
| --- | --- | --- | --- | 
|  QuickIndexDocumentCount  |  The number of documents in the unstructured Quick index.  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/quick/latest/userguide/monitoring-quicksight.html)  |  Count  | 
|  QuickIndexExtractedTextSize  |  The extracted text size of the unstructured Quick index.  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/quick/latest/userguide/monitoring-quicksight.html)  |  Bytes  | 
|  QuickIndexPurchasedInMB  |  The amount of storage that has been purchased for the unstructured Quick index.  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/quick/latest/userguide/monitoring-quicksight.html)  |  MB  | 
|  QuickIndexCapacityConsumedRawFileSizeInGB  |  The raw file size consumed by the unstructured Quick index.  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/quick/latest/userguide/monitoring-quicksight.html)  |  GB  | 
|  QuickIndexCapacityRawFileSizeLimitInGB  |  The raw file size limit of the unstructured Quick index.  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/quick/latest/userguide/monitoring-quicksight.html)  |  GB  | 
|  DocumentsCrawled  |  The number of uploaded documents crawled in the unstructured Quick index.  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/quick/latest/userguide/monitoring-quicksight.html)  |  Count  | 
|  DocumentsIndexed  |  The number of documents indexed in the unstructured Quick index.  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/quick/latest/userguide/monitoring-quicksight.html)  |  Count  | 
|  DocumentsDeleted  |  The number of documents deleted from the unstructured Quick index.  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/quick/latest/userguide/monitoring-quicksight.html)  |  Count  | 
|  DocumentsModified  |  The number of documents modified in the unstructured Quick index.  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/quick/latest/userguide/monitoring-quicksight.html)  |  Count  | 
|  DocumentsFailedToIndex  |  The number of documents that failed to index in the unstructured Quick index.  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/quick/latest/userguide/monitoring-quicksight.html)  |  Count  | 
|  ExtractedTextSize  |  The total text size extracted during a connector level sync in the unstructured Quick index.  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/quick/latest/userguide/monitoring-quicksight.html)  |  MB  | 

#### Per-action connector metrics
<a name="per-action-connector-metrics"></a>

The following metrics track the number of invocations made to Quick Action Connectors. You can find these metrics under the `AWS/QuickSight` namespace in CloudWatch.


| Metric | Description | Dimension | Unit | 
| --- | --- | --- | --- | 
|  ActionInvocationCount  |  The number of times your Action Connector was invoked.  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/quick/latest/userguide/monitoring-quicksight.html)  |  Count  | 
|  ActionInvocationError  |  The number of times your Action Connector failed to invoke.  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/quick/latest/userguide/monitoring-quicksight.html)  |  Count  | 

### Aggregate metrics
<a name="cw-aggregate-metrics"></a>

The `AWS/QuickSight` namespace includes the following aggregate metrics for monitoring traffic and latency of your Amazon Quick assets.

**Topics**
+ [Aggregate dashboard metrics](#aggregate-dashboard-metrics)
+ [Aggregate ingestion metrics](#aggregate-ingestion-metrics)
+ [Aggregate visual metrics](#aggregate-visual-metrics)
+ [Aggregate unstructured dataset metrics](#aggregate-unstructured-dataset-metrics)
+ [Aggregate action connector metrics](#aggregate-action-connector-metrics)

#### Aggregate dashboard metrics
<a name="aggregate-dashboard-metrics"></a>

The following metrics track view counts and load times of all dashboards in an Amazon Quick account and Region. You can find these metrics under the `AWS/QuickSight/Aggregate Metrics` group in CloudWatch.


| Metric | Description | Unit | 
| --- | --- | --- | 
|  DashboardViewCount  |  The number of times that all Amazon Quick Sight dashboards have been viewed across the entire Amazon Quick account in the region. This number is an aggregate that includes all access patterns such as web, mobile, and embedded. The most useful statistic for this metric is `SUM`, which represents the total number of Amazon Quick Sight dashboard views during a set period of time.  |  Count  | 
|  DashboardViewLoadTime  |  The amount of time that it takes for all Amazon Quick Sight dashboards to load. The measurement begins when a user navigates to the Amazon Quick Sight dashboard and ends when all of the dashboard's visuals finish rendering. The most useful statistic for this metric is `AVERAGE`, which represents the average load time of all Amazon Quick Sight dashboards during a set period of time.  |  Millisecond  | 

#### Aggregate ingestion metrics
<a name="aggregate-ingestion-metrics"></a>

The following metrics track all ingestions associated with an Amazon Quick account and AWS Region. You can find these metrics under the `AWS/QuickSight/Aggregate Metrics` group in CloudWatch.


| Metric | Description | Unit | 
| --- | --- | --- | 
|  IngestionErrorCount  |  The number of failed ingestions. The most useful statistic for this metric is `SUM`, which represents the total number of failed ingestions during a set period.  |  Count  | 
|  IngestionInvocationCount  |  The number of ingestions that have been initiated. This includes scheduled and manual ingestions that are initiated through the console and the Amazon Quick Sight API operations. The most useful statistic for this metric is `SUM`, which represents the total number of ingestions initiated during a set period of time.  |  Count  | 
|  IngestionLatency  |  The time period between the initiation of an ingestion to the completion of the ingestion. The most useful statistic for this metric is `AVERAGE`, which represents the average runtime of ingestions during a set period of time.  |  Second  | 
|  IngestionRowCount  |  The number of successful row ingestions.  The most useful statistic for this metric is `SUM`, which represents the total amount of data ingested during a set period of time.  |  Count  | 

#### Aggregate visual metrics
<a name="aggregate-visual-metrics"></a>

The following metrics track load times and error counts of all visuals on a dashboard and in an Amazon Quick account in a Region. You can find these metrics under the `AWS/QuickSight/Aggregate Metrics` group in CloudWatch.


| Metric | Description | Unit | 
| --- | --- | --- | 
|  VisualLoadTime  |  The time that it takes for all Amazon Quick Sight visuals to receive the necessary query data for an initial paint of the visuals. This includes the round-trip query time from the client, to the Amazon Quick service, and then back to the client. The most useful statistic for this metric is `AVERAGE`, which represents the average load time of all visuals during a set period of time.  |  Millisecond  | 
|  VisualLoadErrorCount  |  The number of times that all Amazon Quick Sight visuals that belong to the Amazon Quick account fail to complete a data query for an initial paint. The most useful statistic for this metric is `SUM`, which represents the total number of failed visuals during a set period.  |  Count  | 

#### Aggregate unstructured dataset metrics
<a name="aggregate-unstructured-dataset-metrics"></a>

The following metrics track all unstructured dataset metrics within an Amazon Quick account in a Region. You can find these metrics under the `AWS/QuickSight/Aggregate Metrics` group in CloudWatch.


| Metric | Description | Unit | 
| --- | --- | --- | 
|  QuickIndexDocumentCount  |  The number of documents in the unstructured Quick index. The most useful statistic for this metric is `SUM`, which represents the total number of documents added to your index during a set period of time.  |  Count  | 
|  QuickIndexExtractedTextSize  |  The extracted text size of the unstructured Quick index. The most useful statistic for this metric is `SUM`, which represents the total size of all text across all documents in your index.  |  Bytes  | 
|  QuickIndexPurchasedInMB  |  The amount of storage that has been purchased for the unstructured Quick index. The most useful statistic for this metric is `SUM`, which represents the total size of purchased storage in MB across your index.  |  MB  | 
|  QuickIndexCapacityConsumedRawFileSizeInGB  |  The raw file size consumed by the unstructured Quick index. The most useful statistic for this metric is `SUM`, which represents the total raw file size consumed across your index in GB.  |  GB  | 
|  QuickIndexCapacityRawFileSizeLimitInGB  |  The raw file size limit of the unstructured Quick index. The most useful statistic for this metric is `SUM`, which represents the total raw file size limit across your index in GB.  |  GB  | 
|  DocumentsCrawled  |  The number of uploaded documents crawled in the unstructured Quick index. The most useful statistic for this metric is `SUM`, which represents the total number of documents crawled in your index.  |  Count  | 
|  DocumentsIndexed  |  The number of documents indexed in the unstructured Quick index. The most useful statistic for this metric is `SUM`, which represents the total number of documents indexed.  |  Count  | 
|  DocumentsDeleted  |  The number of documents deleted from the unstructured Quick index. The most useful statistic for this metric is `SUM`, which represents the total number of documents deleted from your index.  |  Count  | 
|  DocumentsModified  |  The number of documents modified in the unstructured Quick index. The most useful statistic for this metric is `SUM`, which represents the total number of documents modified in your index.  |  Count  | 
|  DocumentsFailedToIndex  |  The number of documents that failed to index in the unstructured Quick index. The most useful statistic for this metric is `SUM`, which represents the total number of documents that failed to index.  |  Count  | 
|  ExtractedTextSize  |  The total text size extracted during a connector level sync in the unstructured Quick index. The most useful statistic for this metric is `SUM`, which represents the total size of documents extracted during a connector level sync.  |  MB  | 

#### Aggregate action connector metrics
<a name="aggregate-action-connector-metrics"></a>

The following metrics track all Quick action connector invocations associated with an Amazon Quick account in an AWS Region. You can find these metrics under the `AWS/QuickSight/Aggregate Metrics` group in CloudWatch.


| Metric | Description | Unit | 
| --- | --- | --- | 
|  ActionInvocationCount  |  The number of action connector invocations made. The most useful statistic for this metric is `SUM`, which represents the total number of action connector invocations initiated during a set period of time.  |  Count  | 
|  ActionInvocationError  |  The number of failed action connector invocations. The most useful statistic for this metric is `SUM`, which represents the total number of action connector invocations that failed during a set period of time.  |  Count  | 

### Aggregate SPICE metrics
<a name="aggregate-spice-metrics"></a>

The following metrics monitor SPICE consumption information to help you avoid reaching the SPICE consumption limit that can cause your ingestions to fail. Statistics are stored for up to 15 months so that you can access historical information to better understand the consumption trends of your Amazon Quick account. You can find these metrics in the `AWS/QuickSight/Aggregate Metrics` group for CloudWatch.


| Metric | Description | Unit | 
| --- | --- | --- | 
|  SPICECapacityLimitInMB  |  This value represents the provisioned SPICE capacity at a specific point in time. This metric refreshes when an update of 1 MB or more in consumed or purchased capacity is made.  |  MegaBytes  | 
|  SPICECapacityConsumedInMB  |  This value represents the consumed SPICE capacity at a specific point in time. This metric refreshes when an update of 1 MB or more in consumed or purchased capacity is made.  |  MegaBytes  | 

### Dimensions
<a name="cw-dimensions"></a>

Following is a list of Quick metric dimensions that appear in Amazon CloudWatch.


| Dimension | Description | 
| --- | --- | 
|  DashboardId  |  The public ID of an Amazon Quick Sight dashboard. You can use the `ListDashboards` API operation to see a list of every dashboard in your Amazon Quick account. For more information, see [ListDashboards](https://docs.aws.amazon.com//quicksight/latest/developerguide/list-dashboards.html) in the *Amazon Quick Sight API Reference*.  | 
|  DatasetId  |  The public ID of an Amazon Quick Sight dataset. You can use the `ListDataSets` API operation to see a list of every dataset in your Amazon Quick Sight account. For more information, see [ListDataSets](https://docs.aws.amazon.com//quicksight/latest/developerguide/list-datasets.html) in the *Amazon Quick Sight API Reference*.  | 
|  SheetId  |  The public ID of an Amazon Quick Sight sheet.  | 
|  VisualId  |  The public ID of an Amazon Quick Sight visual.  | 
|  KnowledgeBaseId  |  The public ID of an Amazon Quick Sight knowledge base.  | 
|  QuickInstanceId  |  The public ID of the Quick instance.  | 
|  ActionConnectorId  |  The public ID of the Quick Action Connector.  | 
|  ActionConnectorType  |  The type of the Quick Action Connector.  | 
|  ActionId  |  The public ID of the Quick Action.  | 
|  InvokeErrorCode  |  The error code related to a failed Quick Action Connector invocation.  | 

# Compliance validation for Amazon Quick
<a name="sec-compliance"></a>

Third-party auditors assess the security and compliance of Quick as part of multiple AWS compliance programs. These include FedRAMP, HIPAA, PCI DSS, SOC, and ISO (9001, 27001, 27018, and 27019). 

For information about this service and ISO 27001, a security management standard that specifies security management best practices, see [ISO 27001 Overview](https://aws.amazon.com/compliance/iso-27001-faqs/).

For the most current list of AWS services in scope of specific compliance programs, see [AWS services in scope by compliance program](https://aws.amazon.com/compliance/services-in-scope/). For general information, see [AWS compliance programs](https://aws.amazon.com/compliance/programs/).

You can download third-party audit reports using AWS Artifact. For more information, see [Downloading reports in AWS Artifact](https://docs.aws.amazon.com/artifact/latest/ug/downloading-documents.html).

Your compliance responsibility when using Amazon Quick is determined by the sensitivity of your data, your company's compliance objectives, and applicable laws and regulations. AWS provides the following resources to help with compliance:
+ [Security and compliance quick start guides](https://aws.amazon.com/quickstart/?awsf.quickstart-homepage-filter=categories%23security-identity-compliance) – These deployment guides discuss architectural considerations and provide steps for deploying security- and compliance-focused baseline environments on AWS.
+ [Architecting for HIPAA security and compliance paper](https://tinyurl.com/AWS-HIPAA-Compliance) – This paper describes how companies can use AWS to create HIPAA-compliant applications.

  This is a HIPAA Eligible Service. For more information about AWS, U.S. Health Insurance Portability and Accountability Act of 1996 (HIPAA), and using AWS services to process, store, and transmit protected health information (PHI), see [HIPAA Overview](https://aws.amazon.com/compliance/hipaa-compliance/).
+ [AWS compliance resources](https://aws.amazon.com/compliance/resources/) – This collection of workbooks and guides might apply to your industry and location.
+ [AWS Config](https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config.html) – This AWS service assesses how well your resource configurations comply with internal practices, industry guidelines, and regulations.
+ [AWS Security Hub CSPM](https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html) – This AWS service provides a comprehensive view of your security state within AWS that helps you check your compliance with security industry standards and best practices.

# Resilience in Amazon Quick
<a name="disaster-recovery-resiliency"></a>

Quick is built by AWS and runs on AWS-managed infrastructure. It takes full advantage of the high availability features provided by AWS. 

The AWS global infrastructure is built around AWS Regions and Availability Zones. AWS Regions provide multiple physically separated and isolated Availability Zones, which are connected with low-latency, high-throughput, and highly redundant networking. With Availability Zones, you can design and operate applications and databases that automatically fail over between Availability Zones without interruption. Availability Zones are more highly available, fault tolerant, and scalable than traditional single or multiple data center infrastructures. 

Because Amazon Quick is an AWS-managed application, all patches and updates are applied by AWS as needed. 

For more information about AWS Regions and Availability Zones, see [AWS global infrastructure](https://aws.amazon.com/about-aws/global-infrastructure/).

# Infrastructure security in Amazon Quick
<a name="infrastructure-and-network-access"></a>


**Intended audience:** Amazon Quick administrators

Quick is delivered as a web application, hosted on dedicated Amazon EC2 hosts, separate from AWS virtual private clouds (VPCs). Instead of deploying Amazon Quick on your own hosts, you access the Amazon Quick service through Regional public endpoints. Amazon Quick accesses data sources over a secured internet connection from Regional endpoints. To access data sources that are located inside a corporate network, configure the network to allow access from one of the Amazon Quick public IP address blocks. We recommend that you consider using a VPC (a virtual network dedicated to your AWS account). 

For more information, see the following: 
+ [Global Infrastructure: The Most Extensive, Reliable, and Secure Global Cloud Infrastructure](https://aws.amazon.com/about-aws/global-infrastructure)
+ [AWS Regions, websites, IP address ranges, and endpoints](https://docs.aws.amazon.com/quicksight/latest/user/regions.html)
+ [Connecting to an Amazon VPC with Amazon Quick](https://docs.aws.amazon.com/quicksight/latest/user/working-with-aws-vpc.html)

As a managed service, Quick is protected by the AWS global network security procedures that are described in the [Amazon Web Services: Overview of Security Processes](https://tinyurl.com/AWSSecurityPaper) paper.

If you use AWS published API calls to access Amazon Quick through the network, clients must support Transport Layer Security (TLS) 1.2 or later. Clients must also support cipher suites with perfect forward secrecy (PFS) such as Ephemeral Diffie-Hellman (DHE) or Elliptic Curve Ephemeral Diffie-Hellman (ECDHE). Most modern systems such as Java 7 and later support these modes.

Additionally, requests must be signed by using an access key ID and a secret access key that is associated with an AWS Identity and Access Management (IAM) principal. Or you can use the [AWS Security Token Service](https://docs.aws.amazon.com/STS/latest/APIReference/Welcome.html) (AWS STS) to generate temporary security credentials to sign requests.

You can call these API operations from any network location, but Amazon Quick does support resource-based access policies, which can include restrictions based on the source IP address. You can also use Amazon Quick policies to control access from specific Amazon Virtual Private Cloud (Amazon VPC) endpoints or specific VPCs. Effectively, this isolates network access to a given Amazon Quick resource from only the specific VPC within the AWS network. For more information on using Amazon Quick in a VPC, see [Connecting to an Amazon VPC with Amazon Quick](https://docs.aws.amazon.com/quicksight/latest/user/working-with-aws-vpc.html).

# Best practices for security in Amazon Quick
<a name="best-practices-security"></a>

Amazon Quick provides a number of security features to consider as you develop and implement your own security policies. The following best practices are general guidelines and don’t represent a complete security solution. Because these best practices might not be appropriate or sufficient for your environment, treat them as helpful considerations rather than prescriptions. 

**Firewall** – To allow users to access Amazon Quick, allow access to HTTPS and WebSockets Secure (wss://) protocol. To allow Amazon Quick to reach a database that is on a non-AWS server, change that server's firewall configuration to accept traffic from the applicable Amazon Quick IP address range. 

**SSL** – Use SSL to connect to your databases, especially if you are using public networks. Using SSL with Amazon Quick requires the use of certificates signed by a publicly-recognized certificate authority (CA). 

**Enhanced security** – Use Amazon Quick Enterprise edition to make use of its enhanced security capabilities, including the following.
+ Store data in SPICE with encryption at rest.
+ Integrate Active Directory and IAM Identity Center authentication.
+ Securely access data in private VPCs and on-premises.
+ Limit access to data with row level security.

**VPC** – (Enterprise Edition) Use a virtual private cloud (VPC) for data in AWS data sources and for data in on-premises servers without public connectivity. For AWS sources, VPC access for Amazon Quick uses an elastic network interface for secure, private communication with data sources in a VPC. For your local data, VPC allows you to use Direct Connect to create a secure, private link with your on-premises resources.

# AWS managed policies for Amazon Quick
<a name="security-iam-quicksight"></a>







To add permissions to users, groups, and roles, it is easier to use AWS managed policies than to write policies yourself. It takes time and expertise to [create IAM customer managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create-console.html) that provide your team with only the permissions they need. To get started quickly, you can use our AWS managed policies. These policies cover common use cases and are available in your AWS account. For more information about AWS managed policies, see [AWS managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) in the *IAM User Guide*.

AWS services maintain and update AWS managed policies. You can't change the permissions in AWS managed policies. Services occasionally add additional permissions to an AWS managed policy to support new features. This type of update affects all identities (users, groups, and roles) where the policy is attached. Services are most likely to update an AWS managed policy when a new feature is launched or when new operations become available. Services do not remove permissions from an AWS managed policy, so policy updates won't break your existing permissions.

Additionally, AWS supports managed policies for job functions that span multiple services. For example, the **ReadOnlyAccess** AWS managed policy provides read-only access to all AWS services and resources. When a service launches a new feature, AWS adds read-only permissions for new operations and resources. For a list and descriptions of job function policies, see [AWS managed policies for job functions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html) in the *IAM User Guide*.

**Topics**
+ [AWS managed policy: AWSQuickSightElasticsearchPolicy](#security-iam-quicksight-AWSQuickSightElasticsearchPolicy)
+ [AWS managed policy: AWSQuickSightOpenSearchPolicy](#security-iam-quicksight-AWSQuickSightOpenSearchPolicy)
+ [AWS managed policy: AWSQuickSightSageMakerPolicy](#security-iam-quicksight-AWSQuickSightSageMakerPolicy)
+ [AWS managed policy: AWSQuickSightAssetBundleExportPolicy](#security-iam-quicksight-AWSQuickSightAssetBundleExportPolicy)
+ [AWS managed policy: AWSQuickSightAssetBundleImportPolicy](#security-iam-quicksight-AWSQuickSightAssetBundleImportPolicy)
+ [Amazon Quick updates to AWS managed policies](#security-iam-quicksight-updates)









## AWS managed policy: AWSQuickSightElasticsearchPolicy
<a name="security-iam-quicksight-AWSQuickSightElasticsearchPolicy"></a>

This information is provided for backward compatibility only. The `AWSQuickSightOpenSearchPolicy` AWS managed policy replaces the `AWSQuickSightElasticsearchPolicy` AWS managed policy. 

Previously, you used the `AWSQuickSightElasticsearchPolicy` AWS managed policy to provide access to Amazon Elasticsearch Service resources from Amazon Quick. Starting on or after September 7, 2021, Amazon Elasticsearch Service is renamed to Amazon OpenSearch Service. 

Wherever you are using `AWSQuickSightElasticsearchPolicy`, you can update to the new AWS managed policy that's called `AWSQuickSightOpenSearchPolicy`. You can attach the policy to your IAM entities. Amazon Quick also attaches the policy to a service role that allows Amazon Quick to perform actions on your behalf. `AWSQuickSightElasticsearchPolicy` is still available and as of August 31, 2021, had the same permissions as the new policy. However, `AWSQuickSightElasticsearchPolicy` is no longer kept up to date with the latest changes. 

This policy grants read-only permissions that allow access to OpenSearch (previously known as Elasticsearch) resources from Amazon Quick.

**Permissions details**

This policy includes the following permissions:
+ `es` – Allows principals to use `es:ESHttpGet` to access your OpenSearch (previously known as Elasticsearch) domains, cluster settings, and indices. This is required to use the search service from Amazon Quick.
+ `es` – Allows principals to use `es:ListDomainNames` to list your OpenSearch (previously known as Elasticsearch) domains. This is required to initiate access of the search service from Amazon Quick.
+ `es` – Allows principals to use `es:DescribeElasticsearchDomain` to search your OpenSearch (previously known as Elasticsearch) domains. This is required to use the search service from Amazon Quick.
+ `es` – Allows principals to use `es:ESHttpPost` and `es:ESHttpGet` with your OpenSearch (previously known as Elasticsearch) domains. This is required to use a SQL plugin with read-only access to the search service domains from Amazon Quick. 

For information on the contents of this IAM policy, see [AWSQuickSightElasticsearchPolicy](https://console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/service-role/AWSQuickSightElasticsearchPolicy$jsonEditor) in the IAM console.

## AWS managed policy: AWSQuickSightOpenSearchPolicy
<a name="security-iam-quicksight-AWSQuickSightOpenSearchPolicy"></a>

Use the `AWSQuickSightOpenSearchPolicy` AWS managed policy to provide access to Amazon OpenSearch Service resources from Amazon Quick. `AWSQuickSightOpenSearchPolicy` replaces `AWSQuickSightElasticsearchPolicy`. As of August 31, 2021, this policy had the same permissions as the legacy policy, `AWSQuickSightElasticsearchPolicy`. For now, you can use them interchangeably. For the long term, we recommend updating your policy usage to `AWSQuickSightOpenSearchPolicy`.

You can attach `AWSQuickSightOpenSearchPolicy` to your IAM entities. Amazon Quick also attaches this policy to a service role that allows Amazon Quick to perform actions on your behalf. 

This policy grants read-only permissions that allow access to OpenSearch resources from Amazon Quick.

**Permissions details**

This policy includes the following permissions:
+ `es` – Allows principals to use `es:ESHttpGet` to access your OpenSearch domains, cluster settings, and indices. This is required to use Amazon OpenSearch Service from Amazon Quick.
+ `es` – Allows principals to use `es:ListDomainNames` to list your OpenSearch domains. This is required to initiate access of Amazon OpenSearch Service from Amazon Quick.
+ `es` – Allows principals to use `es:DescribeElasticsearchDomain` and `es:DescribeDomain` to search your OpenSearch domains. This is required to use Amazon OpenSearch Service from Amazon Quick.
+ `es` – Allows principals to use `es:ESHttpPost` and `es:ESHttpGet` with your OpenSearch domains. This is required to use a SQL plugin with read-only access to Amazon OpenSearch Service domains from Amazon Quick. 

For information on the contents of this IAM policy, see [AWSQuickSightOpenSearchPolicy](https://console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/service-role/AWSQuickSightOpenSearchPolicy$jsonEditor) in the IAM console.
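Because AWS can add permissions to a managed policy after you attach it, it helps to compare the live policy document against the action list you reviewed. The following is an added example, not code from AWS or from this guide: `audit_policy` and `SAMPLE_DOCUMENT` are hypothetical names, the sample document is constructed for illustration, and the baseline is the set of actions listed above for `AWSQuickSightOpenSearchPolicy`.

```python
import fnmatch
import json

# Baseline: the actions this page lists for AWSQuickSightOpenSearchPolicy.
DOCUMENTED_ACTIONS = {
    "es:ESHttpGet", "es:ESHttpPost", "es:ListDomainNames",
    "es:DescribeElasticsearchDomain", "es:DescribeDomain",
}

# Constructed sample (not the real policy): a wildcard plus one extra write action.
SAMPLE_DOCUMENT = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Read", "Effect": "Allow", "Resource": "*",
         "Action": ["es:ESHttpGet", "es:ListDomainNames", "es:Describe*"]},
        {"Sid": "Sql", "Effect": "Allow", "Resource": "*", "Action": "es:ESHttpPost"},
        {"Sid": "Extra", "Effect": "Allow", "Resource": "*", "Action": "es:ESHttpPut"},
    ],
})

def _as_list(value):
    """IAM accepts either a single value or a list for Statement and Action."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def audit_policy(document, baseline=DOCUMENTED_ACTIONS):
    """Compare the Allow statements of a policy document with a reviewed baseline.

    unexpected: allowed actions or wildcard patterns that are not in the baseline
    missing:    baseline actions that no Allow statement covers any more
    unbounded:  Sids of Allow statements using NotAction (cannot be enumerated)
    """
    policy = json.loads(document) if isinstance(document, str) else document
    allowed, unbounded = set(), []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        if "NotAction" in stmt:
            unbounded.append(stmt.get("Sid", "<no Sid>"))
        allowed.update(_as_list(stmt.get("Action")))
    lowered = {b.lower() for b in baseline}  # action names are case-insensitive
    unexpected = sorted(a for a in allowed if a.lower() not in lowered)
    missing = sorted(b for b in baseline
                     if not any(fnmatch.fnmatchcase(b.lower(), a.lower()) for a in allowed))
    return {"unexpected": unexpected, "missing": missing, "unbounded": unbounded}

if __name__ == "__main__":
    print(json.dumps(audit_policy(SAMPLE_DOCUMENT), indent=2))
```

To audit the live policy, pass the `Document` returned by `aws iam get-policy-version` for the policy's default version. A wildcard such as `es:Describe*` is reported as unexpected on purpose, because it grants more than the actions that were reviewed.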

## AWS managed policy: AWSQuickSightSageMakerPolicy
<a name="security-iam-quicksight-AWSQuickSightSageMakerPolicy"></a>

Use the `AWSQuickSightSageMakerPolicy` AWS managed policy to provide access to Amazon SageMaker AI resources from Amazon Quick.

You can attach `AWSQuickSightSageMakerPolicy` to your IAM entities. Amazon Quick also attaches this policy to a service role that allows Amazon Quick to perform actions on your behalf.

This policy grants read-only permissions that allow access to Amazon SageMaker AI resources from Amazon Quick.

To view the `AWSQuickSightSageMakerPolicy`, see [AWSQuickSightSageMakerPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSQuickSightSageMakerPolicy.html) in the [AWS Managed Policy reference](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/about-managed-policy-reference.html).

**Permissions details**

This policy includes the following permissions:
+ `sagemaker` – .
+ `s3` – Allows principals to use `s3:GetObject` on all Amazon S3 buckets that start with the prefix `arn:aws:s3:::sagemaker.*` to access data stored in SageMaker AI default buckets. This is required to load models shared from Amazon SageMaker AI Canvas to the default Amazon SageMaker AI Canvas Amazon S3 bucket.
+ `s3` – Allows principals to use `s3:PutObject` to export objects into an Amazon S3 bucket. This is required to support existing datasets from Amazon Quick to Amazon SageMaker AI Canvas to build predictive models.
+ `s3` – Allows principals to use `s3:ListBucket` to allow Amazon Quick to validate an existing Amazon SageMaker AI Canvas bucket in Amazon S3. This is required to allow the export of data from Amazon Quick to Amazon SageMaker AI Canvas to build predictive models.
+ `s3` – Allows principals to use `s3:GetObject` on all Amazon Quick–owned Amazon S3 buckets that start with the prefix `arn:aws:s3:::quicksight-ml`. This is required to allow Amazon Quick to access the predictions that are generated by Amazon SageMaker AI Canvas. The generated predictions can be appended to an Amazon Quick dataset.
+ `sagemaker` – Allows principals to use `sagemaker:CreateTransformJob`, `sagemaker:DescribeTransformJob`, and `sagemaker:StopTransformJob` to perform SageMaker AI transform jobs on your behalf. This is required for Amazon Quick to request predictions from SageMaker AI models that can be appended to an Amazon Quick dataset.
+ `sagemaker` – Allows principals to use `sagemaker:ListModels` to list your SageMaker AI models. This is required to allow generated SageMaker AI models to appear in Amazon Quick.

## AWS managed policy: AWSQuickSightAssetBundleExportPolicy
<a name="security-iam-quicksight-AWSQuickSightAssetBundleExportPolicy"></a>

Use the `AWSQuickSightAssetBundleExportPolicy` AWS managed policy to perform asset bundle export operations. You can attach `AWSQuickSightAssetBundleExportPolicy` to your IAM entities.

This policy grants read-only permissions that allow access to Amazon Quick asset resources. To view the details of this policy, see [AWSQuickSightAssetBundleExportPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSQuickSightAssetBundleExportPolicy.html) in the AWS Managed Policy reference.

This policy includes the following permissions:
+ `quicksight` – Allows principals to use `quicksight:Describe*` and `quicksight:List*` to find and fetch Amazon Quick assets and their corresponding permissions.
+ `quicksight` – Allows principals to use `quicksight:ListTagsForResource` to fetch tags of Amazon Quick assets.
+ `quicksight` – Allows principals to list, execute, and get the status of an Asset bundle export job. This policy uses the `quicksight:ListAssetBundleExportJob`, `quicksight:StartAssetBundleExportJob`, and `quicksight:DescribeAssetBundleExportJob` permissions.

## AWS managed policy: AWSQuickSightAssetBundleImportPolicy
<a name="security-iam-quicksight-AWSQuickSightAssetBundleImportPolicy"></a>

Use the `AWSQuickSightAssetBundleImportPolicy` AWS managed policy to perform asset bundle import operations. This managed policy does not grant permissions for any run-as-role functionality with the `iam:passrole` that is required for some VPC connection and DataSource operations. This policy also does not grant access to retrieve objects from a user's Amazon S3 bucket.

You can attach the `AWSQuickSightAssetBundleImportPolicy` to your IAM entities. This policy grants read and write permissions that allow access to Amazon Quick resources. To view the details of this policy, see [AWSQuickSightAssetBundleImportPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSQuickSightAssetBundleImportPolicy.html) in the AWS Managed Policy reference.

This policy includes the following permissions:
+ `quicksight` – Allows principals to use `quicksight:Describe*` and `quicksight:List*` to detect changes in the Amazon Quick assets and their permissions.
+ `quicksight` – Allows principals to use `quicksight:Create*` and `quicksight:Update*` to make changes to the Amazon Quick assets and permissions from the supplied asset bundle.
+ `quicksight` – Allows principals to use `quicksight:ListTagsForResource`, `quicksight:TagResource`, and `quicksight:UntagResource` to update the tags of Amazon Quick assets.
+ `quicksight` – Allows principals to list, execute, and get the status of an Asset bundle import job. This policy uses the `quicksight:ListAssetBundleImportJob`, `quicksight:StartAssetBundleImportJob`, and `quicksight:DescribeAssetBundleImportJob` permissions.



## Amazon Quick updates to AWS managed policies
<a name="security-iam-quicksight-updates"></a>



View details about updates to AWS managed policies for Amazon Quick since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the [Amazon Quick Document History](doc-history.md) page.




| Change | Description | Date | 
| --- | --- | --- | 
|  `AWSQuickSightAssetBundleExportPolicy` – New policy  |  Amazon Quick added new permissions to simplify Asset bundle export operations.  |  March 27, 2024  | 
|  `AWSQuickSightAssetBundleImportPolicy` – New policy  |  Amazon Quick added new permissions to simplify Asset bundle import operations.  |  March 27, 2024  | 
|  `AWSQuickSightSageMakerPolicy` – Update to an existing policy  |  Amazon Quick added new permissions to allow integration with Amazon SageMaker AI Canvas.  |  July 25, 2023  | 
|  `AWSQuickSightElasticsearchPolicy` – Update to an existing policy  |  Amazon Quick added new permissions to provide access to Amazon OpenSearch Service resources.  | September 08, 2021 | 
|  `AWSQuickSightOpenSearchPolicy` – New policy  |  Amazon Quick added a new policy to allow access to Amazon OpenSearch Service resources from Quick.  | September 08, 2021 | 
|  Amazon Quick started tracking changes  |  Amazon Quick started tracking changes for its AWS managed policies.  | August 2, 2021 | 