Posted On: Nov 10, 2021

Amazon QuickSight now supports 4 new features that make it easier for AWS administrators to secure and roll out Amazon QuickSight to more users and accounts within their organizations - IP-based access restrictions, AWS Service Control Policy-based restrictions, automated email syncing for federated SSO users and bring-your-own-role during QuickSight account sign up.

IP-based access restrictions allow administrators to enforce source IP restrictions on access to the Amazon QuickSight UI, mobile app as well as embedded pages. For example, admins can create an IP rule that allows users to access Amazon QuickSight account only from IP addresses associated with the company’s office or remote virtual private network (VPN). For more information, see Turning On Internet Protocol (IP) Restrictions in Amazon QuickSight.

Service Control Policy (SCP)-based sign up allows AWS administrators to restrict Amazon QuickSight account setup options within their AWS accounts. Administrators can restrict the Amazon QuickSight edition (Standard vs Enterprise), and also the type of authentication mechanisms they can use with QuickSight. For example, admins can set up service control policy that denies sign up for Amazon QuickSight Standard Edition and turns off the ability to invite any users other than via federated Single-Sign On (SSO). For more information, see Using Service Control Policies to Restrict Amazon QuickSight Sign-up Options

Automated email sync for federated SSO users allows Admins to setup QuickSight/SSO such that email addresses for end-users are automatically synced at first time login, avoiding any manual errors during entry. For example, administrators can setup their QuickSight accounts so that only corporate-assigned email addresses are used when users are provisioned to their Amazon QuickSight account through their Identity Providers. For more information, see Configuring Email Syncing for Federated Users in Amazon QuickSight.

Lastly, Bring-your-own-role during Amazon QuickSight account setup allows users setting up a QuickSight account to pick from an existing role in their AWS account that Amazon QuickSight will use, instead of Amazon QuickSight creating a custom service role for the account. This launch allows customers set up their own role for a group of co-dependent AWS Service that they want to provide access to. For more information, see Passing IAM Roles to Amazon QuickSight.

IP-based access restriction, Email Syncing for Federated Users and Bring your own role are available in Amazon QuickSight Enterprise Edition only, while Service Control Policy support for sign up restrictions in available in both Amazon QuickSight Standard and Enterprise editions. All features available in Amazon QuickSight Enterprise Edition in all Amazon QuickSight regions - US East (N. Virginia), US East (Ohio), US West (Oregon), Europe (Frankfurt), Europe (Ireland), Europe (London), Asia Pacific (Mumbai), Asia Pacific (Seoul), Asia Pacific (Singapore), Asia Pacific (Sydney), Asia Pacific (Tokyo), and AWS GovCloud (US-West).