IAM identity-based policies for Amazon QuickSight
This section shows examples of identity-based policies to use with Amazon QuickSight.
Topics
IAM identity-based policies for QuickSight IAM console administration
IAM identity-based policies for Amazon QuickSight: dashboards
IAM identity-based policies for Amazon QuickSight: namespaces
IAM identity-based policies for Amazon QuickSight: custom permissions
IAM identity-based policies for Amazon QuickSight: customizing email report templates
IAM identity-based policies for Amazon QuickSight: create an Enterprise account with QuickSight managed users
IAM identity-based policies for Amazon QuickSight: creating users
IAM identity-based policies for Amazon QuickSight: creating and managing groups
IAM identity-based policies for Amazon QuickSight: All access for Standard edition
IAM identity-based policies for Amazon QuickSight: All access for Enterprise edition with IAM Identity Center (Pro roles)
IAM identity-based policies for Amazon QuickSight: All access for Enterprise edition with IAM Identity Center
IAM identity-based policies for Amazon QuickSight: all access for Enterprise edition with Active Directory
IAM identity-based policies for Amazon QuickSight: active directory groups
IAM identity-based policies for Amazon QuickSight: using the admin asset management console
IAM identity-based policies for Amazon QuickSight: using the admin key management console
AWS resources Amazon QuickSight: scoping policies in Enterprise edition
IAM identity-based policies for QuickSight IAM console administration
The following example shows the IAM permissions needed for QuickSight IAM console administration actions. The iam:CreateRole, iam:CreatePolicy, and iam:AttachRolePolicy permissions on "Resource": "*" let the principal create roles and attach any policy to them, so reserve this policy for administrators, or scope the Resource element to the specific role and policy ARNs that QuickSight needs.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Statement1",
"Effect": "Allow",
"Action": [
"quicksight:*",
"iam:AttachRolePolicy",
"iam:DetachRolePolicy",
"iam:ListAttachedRolePolicies",
"iam:GetPolicy",
"iam:CreatePolicyVersion",
"iam:DeletePolicyVersion",
"iam:GetPolicyVersion",
"iam:ListPolicyVersions",
"iam:DeleteRole",
"iam:CreateRole",
"iam:GetRole",
"iam:ListRoles",
"iam:CreatePolicy",
"iam:ListEntitiesForPolicy",
"iam:ListPolicies",
"s3:ListAllMyBuckets",
"athena:ListDataCatalogs",
"athena:GetDataCatalog"
],
"Resource": [
"*"
]
}
]
}
IAM identity-based policies for Amazon QuickSight: dashboards
The following example shows an IAM policy that allows dashboard sharing and embedding for specific dashboards.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "quicksight:RegisterUser",
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "quicksight:GetDashboardEmbedUrl",
"Resource": "arn:aws:quicksight:us-west-2:111122223333:dashboard/1a1ac2b2-3fc3-4b44-5e5d-c6db6778df89",
"Effect": "Allow"
}
]
}
IAM identity-based policies for Amazon QuickSight: namespaces
The following examples show IAM policies that allow a QuickSight administrator to create or delete namespaces.
Creating namespaces
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ds:AuthorizeApplication",
"ds:UnauthorizeApplication",
"ds:DeleteDirectory",
"ds:CreateIdentityPoolDirectory",
"ds:DescribeDirectories",
"quicksight:CreateNamespace"
],
"Resource": "*"
}
]
}
Deleting namespaces
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ds:UnauthorizeApplication",
"ds:DeleteDirectory",
"ds:DescribeDirectories",
"quicksight:DeleteNamespace"
],
"Resource": "*"
}
]
}
IAM identity-based policies for Amazon QuickSight: custom permissions
The following example shows an IAM policy that allows a QuickSight administrator or a developer to manage custom permissions.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"quicksight:*CustomPermissions"
],
"Resource": "*"
}
]
}
The following example shows another way to grant the same permissions as shown in the previous example.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"quicksight:CreateCustomPermissions",
"quicksight:DescribeCustomPermissions",
"quicksight:ListCustomPermissions",
"quicksight:UpdateCustomPermissions",
"quicksight:DeleteCustomPermissions"
],
"Resource": "*"
}
]
}
IAM identity-based policies for Amazon QuickSight: customizing email report templates
The following example shows a policy that allows viewing, updating, and creating email report templates in QuickSight, as well as obtaining verification attributes for an Amazon Simple Email Service identity. This policy allows a QuickSight administrator to create and update custom email report templates, and to confirm that any custom email address they want to send email reports from is a verified identity in SES.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"quicksight:DescribeAccountCustomization",
"quicksight:CreateAccountCustomization",
"quicksight:UpdateAccountCustomization",
"quicksight:DescribeEmailCustomizationTemplate",
"quicksight:CreateEmailCustomizationTemplate",
"quicksight:UpdateEmailCustomizationTemplate",
"ses:GetIdentityVerificationAttributes"
],
"Resource": "*"
}
]
}
IAM identity-based policies for Amazon QuickSight: create an Enterprise account with QuickSight managed users
The following example shows a policy that allows QuickSight admins to create an Enterprise edition QuickSight account with QuickSight managed users.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Statement1",
"Effect": "Allow",
"Action": [
"quicksight:*",
"iam:AttachRolePolicy",
"iam:DetachRolePolicy",
"iam:ListAttachedRolePolicies",
"iam:GetPolicy",
"iam:CreatePolicyVersion",
"iam:DeletePolicyVersion",
"iam:GetPolicyVersion",
"iam:ListPolicyVersions",
"iam:DeleteRole",
"iam:CreateRole",
"iam:GetRole",
"iam:ListRoles",
"iam:CreatePolicy",
"iam:ListEntitiesForPolicy",
"iam:ListPolicies",
"s3:ListAllMyBuckets",
"athena:ListDataCatalogs",
"athena:GetDataCatalog",
"ds:AuthorizeApplication",
"ds:UnauthorizeApplication",
"ds:CheckAlias",
"ds:CreateAlias",
"ds:DescribeDirectories",
"ds:DescribeTrusts",
"ds:DeleteDirectory",
"ds:CreateIdentityPoolDirectory"
],
"Resource": [
"*"
]
}
]
}
IAM identity-based policies for Amazon QuickSight: creating users
The following example shows a policy that allows creating Amazon QuickSight users only. For quicksight:CreateReader, quicksight:CreateUser, and quicksight:CreateAdmin, you can limit the permissions to "Resource": "arn:aws:quicksight::<YOUR_AWS_ACCOUNTID>:user/${aws:userid}". For all other permissions described in this guide, use "Resource": "*". The resource you specify limits the scope of the permissions to the specified resource. Policy variables such as ${aws:userid} are interpreted only when the policy's "Version" is "2012-10-17", as in the example below.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"quicksight:CreateUser"
],
"Effect": "Allow",
"Resource": "arn:aws:quicksight::<YOUR_AWS_ACCOUNTID>:user/${aws:userid}"
}
]
}
IAM identity-based policies for Amazon QuickSight: creating and managing groups
The following example shows a policy that allows QuickSight administrators and developers to create and manage groups.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"quicksight:ListGroups",
"quicksight:CreateGroup",
"quicksight:SearchGroups",
"quicksight:ListGroupMemberships",
"quicksight:CreateGroupMembership",
"quicksight:DeleteGroupMembership",
"quicksight:DescribeGroupMembership",
"quicksight:ListUsers"
],
"Resource": "*"
}
]
}
IAM identity-based policies for Amazon QuickSight: All access for Standard edition
The following example for Amazon QuickSight Standard edition shows a policy that allows subscribing and creating authors and readers. This example explicitly denies permission to unsubscribe from Amazon QuickSight.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ds:AuthorizeApplication",
"ds:UnauthorizeApplication",
"ds:CheckAlias",
"ds:CreateAlias",
"ds:DescribeDirectories",
"ds:DescribeTrusts",
"ds:DeleteDirectory",
"ds:CreateIdentityPoolDirectory",
"iam:ListAccountAliases",
"quicksight:CreateUser",
"quicksight:DescribeAccountSubscription",
"quicksight:Subscribe"
],
"Resource": "*"
},
{
"Effect": "Deny",
"Action": "quicksight:Unsubscribe",
"Resource": "*"
}
]
}
IAM identity-based policies for Amazon QuickSight: All access for Enterprise edition with IAM Identity Center (Pro roles)
The following example for Amazon QuickSight Enterprise edition shows a policy that allows a QuickSight user to subscribe to QuickSight, create users, and manage Active Directory in a QuickSight account that is integrated with IAM Identity Center.
This policy also allows users to subscribe to QuickSight Pro roles that grant access to Amazon Q in QuickSight Generative BI capabilities. For more information about Pro roles in Amazon QuickSight, see Get started with Generative BI.
This example explicitly denies permission to unsubscribe from Amazon QuickSight.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Statement1",
"Effect": "Allow",
"Action": [
"quicksight:*",
"iam:AttachRolePolicy",
"iam:DetachRolePolicy",
"iam:ListAttachedRolePolicies",
"iam:GetPolicy",
"iam:CreatePolicyVersion",
"iam:DeletePolicyVersion",
"iam:GetPolicyVersion",
"iam:ListPolicyVersions",
"iam:DeleteRole",
"iam:CreateRole",
"iam:GetRole",
"iam:ListRoles",
"iam:CreatePolicy",
"iam:ListEntitiesForPolicy",
"iam:ListPolicies",
"iam:CreateServiceLinkedRole",
"s3:ListAllMyBuckets",
"athena:ListDataCatalogs",
"athena:GetDataCatalog",
"sso:DescribeApplication",
"sso:DescribeInstance",
"sso:CreateApplication",
"sso:PutApplicationAuthenticationMethod",
"sso:PutApplicationGrant",
"sso:DeleteApplication",
"sso:SearchGroups",
"sso:GetProfile",
"sso:CreateApplicationAssignment",
"sso:DeleteApplicationAssignment",
"sso:ListInstances",
"sso:DescribeRegisteredRegions",
"sso:ListApplications",
"sso:GetSharedSsoConfiguration",
"sso:PutApplicationAssignmentConfiguration",
"sso:PutApplicationAccessScope",
"sso:GetSSOStatus",
"organizations:DescribeOrganization",
"organizations:ListAWSServiceAccessForOrganization",
"organizations:DisableAWSServiceAccess",
"organizations:EnableAWSServiceAccess",
"user-subscriptions:CreateClaim",
"user-subscriptions:UpdateClaim",
"user-subscriptions:ListClaims",
"user-subscriptions:ListUserSubscriptions",
"user-subscriptions:DeleteClaim",
"sso-directory:DescribeUsers",
"sso-directory:DescribeGroups",
"sso-directory:SearchGroups",
"sso-directory:SearchUsers",
"sso-directory:DescribeGroup",
"sso-directory:DescribeUser",
"sso-directory:DescribeDirectory",
"signin:ListTrustedIdentityPropagationApplicationsForConsole",
"signin:CreateTrustedIdentityPropagationApplicationForConsole",
"q:CreateAssignment",
"q:DeleteAssignment"
],
"Resource": [
"*"
]
},
{
"Effect": "Deny",
"Action": "quicksight:Unsubscribe",
"Resource": "*"
}
]
}
IAM identity-based policies for Amazon QuickSight: All access for Enterprise edition with IAM Identity Center
The following example for Amazon QuickSight Enterprise edition shows a policy that allows subscribing, creating users, and managing Active Directory in a QuickSight account that is integrated with IAM Identity Center.
This policy does not grant permissions to create Pro roles in QuickSight. To create a policy that grants permission to subscribe to Pro roles in QuickSight, see IAM identity-based policies for Amazon QuickSight: All access for Enterprise edition with IAM Identity Center (Pro roles).
This example explicitly denies permission to unsubscribe from Amazon QuickSight.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Statement1",
"Effect": "Allow",
"Action": [
"quicksight:*",
"iam:AttachRolePolicy",
"iam:DetachRolePolicy",
"iam:ListAttachedRolePolicies",
"iam:GetPolicy",
"iam:CreatePolicyVersion",
"iam:DeletePolicyVersion",
"iam:GetPolicyVersion",
"iam:ListPolicyVersions",
"iam:DeleteRole",
"iam:CreateRole",
"iam:GetRole",
"iam:ListRoles",
"iam:CreatePolicy",
"iam:ListEntitiesForPolicy",
"iam:ListPolicies",
"s3:ListAllMyBuckets",
"athena:ListDataCatalogs",
"athena:GetDataCatalog",
"sso:DescribeApplication",
"sso:DescribeInstance",
"sso:CreateApplication",
"sso:PutApplicationAuthenticationMethod",
"sso:PutApplicationGrant",
"sso:DeleteApplication",
"sso:SearchGroups",
"sso:GetProfile",
"sso:CreateApplicationAssignment",
"sso:DeleteApplicationAssignment",
"sso:ListInstances",
"sso:DescribeRegisteredRegions",
"organizations:DescribeOrganization"
],
"Resource": [
"*"
]
},
{
"Effect": "Deny",
"Action": "quicksight:Unsubscribe",
"Resource": "*"
}
]
}
IAM identity-based policies for Amazon QuickSight: all access for Enterprise edition with Active Directory
The following example for Amazon QuickSight Enterprise edition shows a policy that allows subscribing, creating users, and managing Active Directory in a QuickSight account that uses Active Directory for identity management. This example explicitly denies permission to unsubscribe from Amazon QuickSight.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ds:AuthorizeApplication",
"ds:UnauthorizeApplication",
"ds:CheckAlias",
"ds:CreateAlias",
"ds:DescribeDirectories",
"ds:DescribeTrusts",
"ds:DeleteDirectory",
"ds:CreateIdentityPoolDirectory",
"iam:ListAccountAliases",
"quicksight:CreateAdmin",
"quicksight:Subscribe",
"quicksight:GetGroupMapping",
"quicksight:SearchDirectoryGroups",
"quicksight:SetGroupMapping"
],
"Resource": "*"
},
{
"Effect": "Deny",
"Action": "quicksight:Unsubscribe",
"Resource": "*"
}
]
}
IAM identity-based policies for Amazon QuickSight: active directory groups
The following example shows an IAM policy that allows Active Directory group management for an Amazon QuickSight Enterprise edition account.
{
"Statement": [
{
"Action": [
"ds:DescribeTrusts",
"quicksight:GetGroupMapping",
"quicksight:SearchDirectoryGroups",
"quicksight:SetGroupMapping"
],
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
}
IAM identity-based policies for Amazon QuickSight: using the admin asset management console
The following example shows an IAM policy that allows access to the admin asset management console.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"quicksight:SearchGroups",
"quicksight:SearchUsers",
"quicksight:ListNamespaces",
"quicksight:DescribeAnalysisPermissions",
"quicksight:DescribeDashboardPermissions",
"quicksight:DescribeDataSetPermissions",
"quicksight:DescribeDataSourcePermissions",
"quicksight:DescribeFolderPermissions",
"quicksight:ListAnalyses",
"quicksight:ListDashboards",
"quicksight:ListDataSets",
"quicksight:ListDataSources",
"quicksight:ListFolders",
"quicksight:SearchAnalyses",
"quicksight:SearchDashboards",
"quicksight:SearchFolders",
"quicksight:SearchDatasets",
"quicksight:SearchDatasources",
"quicksight:UpdateAnalysisPermissions",
"quicksight:UpdateDashboardPermissions",
"quicksight:UpdateDataSetPermissions",
"quicksight:UpdateDataSourcePermissions",
"quicksight:UpdateFolderPermissions"
],
"Resource": "*"
}
]
}
IAM identity-based policies for Amazon QuickSight: using the admin key management console
The following example shows an IAM policy that allows access to the admin key management console.
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Action":[
"quicksight:DescribeKeyRegistration",
"quicksight:UpdateKeyRegistration",
"quicksight:ListKMSKeysForUser",
"kms:CreateGrant",
"kms:ListGrants",
"kms:ListAliases"
],
"Resource":"*"
}
]
}
The "quicksight:ListKMSKeysForUser" and "kms:ListAliases" permissions are required to access customer managed keys from the QuickSight console. They are not required to use the QuickSight key management APIs.
To specify which keys you want a user to be able to access, add the ARNs of those keys to the quicksight:KmsKeyArns condition key on the UpdateKeyRegistration statement. Users can then register only the keys listed in that condition. Because ForAllValues:StringEquals also evaluates to true when the request context carries no value for quicksight:KmsKeyArns, the condition restricts which keys can be registered but does not by itself require that a key be supplied. For more information about supported condition keys for QuickSight, see Condition keys for Amazon QuickSight.
The example below grants Describe permissions for all customer managed keys (CMKs) that are registered to a QuickSight account and Update permissions to specific CMKs that are registered to the QuickSight account.
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Action":[
"quicksight:DescribeKeyRegistration"
],
"Resource":"arn:aws:quicksight:us-west-2:123456789012:*"
},
{
"Effect":"Allow",
"Action":[
"quicksight:UpdateKeyRegistration"
],
"Resource":"arn:aws:quicksight:us-west-2:123456789012:*",
"Condition":{
"ForAllValues:StringEquals":{
"quicksight:KmsKeyArns":[
"arn:aws:kms:us-west-2:123456789012:key/key-id-of-key1",
"arn:aws:kms:us-west-2:123456789012:key/key-id-of-key2",
"..."
]
}
}
},
{
"Effect":"Allow",
"Action":[
"kms:CreateGrant",
"kms:ListGrants"
],
"Resource":"arn:aws:kms:us-west-2:123456789012:key/*"
}
]
}
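The policy-language rules that the examples in this section depend on (an explicit Deny overriding Allow, wildcard action names such as quicksight:*CustomPermissions, resources scoped to one dashboard ARN, and the ForAllValues set operator on the UpdateKeyRegistration statement) can be checked offline with a small evaluator. The following Python script is an added example written for this page, not AWS code. It reproduces the wildcard custom-permissions policy, the Standard edition all-access policy, the dashboard policy and the scoped key-registration statements from this section, adds one constructed policy that grants quicksight:* with no Deny statement, and assumes a resource ARN for the key-registration requests because the page does not show one.

```python
"""Tiny IAM decision evaluator, added for this page; not AWS code.

Covers only what the policies in this section rely on: explicit Deny beats
Allow (else implicit deny); Action/Resource are wildcard patterns, actions
compared case-insensitively and ARNs case-sensitively; and the
ForAllValues:StringEquals operator, including an absent or empty request key.
NotAction, policy variables and other operators are out of scope.
"""
import fnmatch


def _as_list(value):
    """Action, Resource and condition values may be a string or a list."""
    return value if isinstance(value, list) else [value]


def _match(pattern, value, fold_case=False):
    """Wildcard match ('*' any run, '?' one char); caller controls case folding."""
    if fold_case:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def _condition_holds(condition, context):
    """True when every condition in the block is satisfied by the context."""
    for operator, pairs in condition.items():
        if operator != "ForAllValues:StringEquals":
            raise NotImplementedError(operator)  # fail loudly, never silently allow
        for key, allowed in pairs.items():
            # Every value in the request must appear in the policy's set. If the
            # request has no value for the key, this is vacuously true: that is
            # the documented ForAllValues behaviour for absent or empty keys.
            request_values = _as_list(context.get(key, []))
            if any(v not in _as_list(allowed) for v in request_values):
                return False
    return True


def evaluate(policy, action, resource, context=None):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request."""
    context = context or {}
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not any(_match(p, action, True) for p in _as_list(stmt["Action"])):
            continue
        if not any(_match(p, resource) for p in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny wins regardless of other statements
        decision = "Allow"
    return decision


# Policies copied from this section, plus STAR_WITHOUT_DENY, a constructed
# policy that grants quicksight:* with no Deny statement.
CUSTOM_PERMISSIONS_WILDCARD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["quicksight:*CustomPermissions"], "Resource": "*"}]}
STANDARD_ALL_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["quicksight:CreateUser", "quicksight:DescribeAccountSubscription",
                    "quicksight:Subscribe"]},
        {"Effect": "Deny", "Action": "quicksight:Unsubscribe", "Resource": "*"},
    ],
}
STAR_WITHOUT_DENY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["quicksight:*"], "Resource": "*"}]}
DASHBOARD_ARN = ("arn:aws:quicksight:us-west-2:111122223333:"
                 "dashboard/1a1ac2b2-3fc3-4b44-5e5d-c6db6778df89")
DASHBOARD_EMBED = {
    "Version": "2012-10-17",
    "Statement": [
        {"Action": "quicksight:RegisterUser", "Resource": "*", "Effect": "Allow"},
        {"Action": "quicksight:GetDashboardEmbedUrl", "Resource": DASHBOARD_ARN,
         "Effect": "Allow"},
    ],
}
KEY1 = "arn:aws:kms:us-west-2:123456789012:key/key-id-of-key1"
KEY2 = "arn:aws:kms:us-west-2:123456789012:key/key-id-of-key2"
KEY_REGISTRATION = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["quicksight:DescribeKeyRegistration"],
         "Resource": "arn:aws:quicksight:us-west-2:123456789012:*"},
        {"Effect": "Allow", "Action": ["quicksight:UpdateKeyRegistration"],
         "Resource": "arn:aws:quicksight:us-west-2:123456789012:*",
         "Condition": {"ForAllValues:StringEquals": {"quicksight:KmsKeyArns": [KEY1, KEY2]}}},
    ],
}
# Assumed resource ARN for the key-registration requests; the page shows none.
ACCOUNT_RESOURCE = "arn:aws:quicksight:us-west-2:123456789012:account/123456789012"
```

Calling evaluate(STANDARD_ALL_ACCESS, "quicksight:Unsubscribe", "*") returns "Deny" because the explicit Deny statement wins, while the same call against STAR_WITHOUT_DENY returns "Allow": a quicksight:* grant with no Deny includes Unsubscribe. For the key-registration policy, a request whose quicksight:KmsKeyArns lists only KEY1 is allowed, one that adds a key outside the list is implicitly denied, and one that carries an empty list is allowed, which is the ForAllValues caveat described above. Use the IAM policy simulator for real decisions; this evaluator exists to make the rules visible, not to replace it.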
AWS resources Amazon QuickSight: scoping policies in Enterprise edition
The following example for Amazon QuickSight Enterprise edition shows a policy that allows setting default access to AWS resources and scoping policies for permissions to AWS resources.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"quicksight:*IAMPolicyAssignment*",
"quicksight:AccountConfigurations"
],
"Effect": "Allow",
"Resource": "*"
}
]
}