Best practices for security in Amazon QuickSight

Amazon QuickSight provides a number of security features to consider as you develop and implement your own security policies. The following best practices are general guidelines and don’t represent a complete security solution. Because these best practices might not be appropriate or sufficient for your environment, treat them as helpful considerations rather than prescriptions.

Firewall – To allow users to access Amazon QuickSight, allow the HTTPS and WebSockets Secure (wss://) protocols. To allow Amazon QuickSight to reach a database that is on a non-AWS server, change that server's firewall configuration to accept traffic from the applicable Amazon QuickSight IP address range.

SSL – Use SSL to connect to your databases, especially if you are using public networks. Using SSL with Amazon QuickSight requires the use of certificates signed by a publicly recognized certificate authority (CA).

Enhanced security – Use Amazon QuickSight Enterprise edition to make use of its enhanced security capabilities, including the following.

  • Store data in SPICE with encryption at rest.

  • Integrate Active Directory and IAM Identity Center authentication.

  • Securely access data in private VPCs and on-premises.

  • Limit access to data with row-level security.

VPC – (Enterprise Edition) Use a virtual private cloud (VPC) for data in AWS data sources and for data in on-premises servers without public connectivity. For AWS sources, VPC access for Amazon QuickSight uses an elastic network interface for secure, private communication with data sources in a VPC. For your local data, VPC allows you to use AWS Direct Connect to create a secure, private link with your on-premises resources.
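
The Firewall item above asks the non-AWS database server to accept traffic from the applicable Amazon QuickSight IP address range. The following added example (not part of the AWS documentation) audits a set of inbound rules against that guidance: it flags rules that open the database port to sources wider than the QuickSight range and checks that the whole range is admitted. The CIDR, port, rule format, and function name are assumptions; the CIDR is a placeholder to be replaced with the range AWS documents for your Region.

```python
import ipaddress

# Assumption: placeholder CIDR (TEST-NET-2). Substitute the QuickSight IP
# address range that AWS documents for your Region.
QUICKSIGHT_RANGE = ipaddress.ip_network("198.51.100.0/27")
DB_PORT = 5432  # assumption: a PostgreSQL listener on the non-AWS server

# Constructed inbound rules for the database host: (source CIDR, first port, last port)
SAMPLE_RULES = [
    ("198.51.100.0/28", 5432, 5432),   # lower half of the QuickSight range
    ("198.51.100.16/28", 5432, 5432),  # upper half of the QuickSight range
    ("0.0.0.0/0", 5432, 5432),         # database port open to any source
    ("198.51.100.0/24", 5000, 6000),   # wide port range and wider source
    ("203.0.113.0/24", 22, 22),        # different port, ignored by the audit
]


def audit_db_ingress(rules, allowed=QUICKSIGHT_RANGE, port=DB_PORT):
    """Audit inbound rules that admit traffic to the database port.

    Returns a dict with:
      too_broad            - source CIDRs that reach beyond the allowed range
      quicksight_reachable - True if the rules admit the whole allowed range
    """
    sources = []
    for cidr, first_port, last_port in rules:
        if first_port <= port <= last_port:
            sources.append(ipaddress.ip_network(cidr, strict=False))

    too_broad = [
        str(src) for src in sources
        if src.version != allowed.version or not src.subnet_of(allowed)
    ]
    # Merge adjacent or overlapping sources, then check that one merged
    # network contains the entire allowed range.
    same_family = [s for s in sources if s.version == allowed.version]
    merged = ipaddress.collapse_addresses(same_family)
    reachable = any(net.supernet_of(allowed) for net in merged)
    return {"too_broad": too_broad, "quicksight_reachable": reachable}


if __name__ == "__main__":
    report = audit_db_ingress(SAMPLE_RULES)
    for cidr in report["too_broad"]:
        print(f"FINDING: port {DB_PORT} is open to {cidr}, wider than {QUICKSIGHT_RANGE}")
    if not report["quicksight_reachable"]:
        print(f"FINDING: {QUICKSIGHT_RANGE} is not fully admitted on port {DB_PORT}")
```
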