AWS Big Data Blog

Amazon QuickSight Now Supports Audit Logging with AWS CloudTrail

We launched Amazon QuickSight to democratize BI. Our goal is to make it easier and cheaper to roll out advanced business analytics capabilities to everyone in an organization. Overall, this enables better understanding of business, and allows faster data-driven decisions in an organization. In the past, the ability to share data presented an administrative challenge – that of knowing who has access to what data. Solving this problem ensures compliance with policies, and also provides an opportunity for businesses to see how employees use data to drive crucial decisions.

Today, we are happy to announce support for AWS CloudTrail in Amazon QuickSight, which allows logging of QuickSight events across an AWS account. Whether you have an enterprise setting or a small team scenario, this integration allows QuickSight administrators to accurately answer questions such as who last changed an analysis, or who has connected to sensitive data. With CloudTrail, administrators have better governance, auditing and risk management of their QuickSight usage.

You can get started with CloudTrail with just a few clicks. Any AWS account that is enabled for CloudTrail will automatically see QuickSight activity included in the CloudTrail logs. When enabled, CloudTrail starts logging events including:

  • Account subscribe/unsubscribe
  • Data source create/update/delete
  • Data set create/update/delete
  • Analysis create/access/update/delete
  • Dashboard create/access/update/delete
  • SPICE capacity purchases
  • User subscription purchases

A full list of all supported events can be found in the QuickSight documentation.

With CloudTrail logging enabled, you can easily track QuickSight activities in your account, starting with the question of who signed up for the service.

Beyond sign up, the QuickSight CloudTrail integration logs the details of both data access and user management actions within the account: for example, attempts to connect to an external data source, the sharing of a dataset, or even a simple dashboard access.

Through these details, administrators can track the origins of malicious activity, better understand user activity, or simply ensure that QuickSight activity is in compliance with policy. As with all CloudTrail data, the log is hosted in an S3 bucket configured by the AWS Account administrator. QuickSight users will not have access to this bucket, unless permitted by the administrator.

Finally, what better way to understand access and usage than to visualize the data in QuickSight! Using the native Amazon Athena integration, you can follow the steps here to pull the CloudTrail data from S3 into Athena. You can choose to query your data using Athena, or to bring data into SPICE for fast visualizations with QuickSight.

Here, I chose to pull data into SPICE, using a custom SQL statement to pull in only the specific fields that I was interested in.

Once QuickSight ingests the data into SPICE, I can analyze it using a variety of visualization types and filter capabilities.

First, I created a visual to display all the events recorded in this AWS account. As an administrator, I can view account activity at a glance, quickly identifying anything out of the ordinary. For example, if there are spikes in connection attempts, as the administrator, I might want to look into the specific user attempting to connect, and then try to understand whether this is malicious activity, or simply a case of an expired password.

To add the ability to view activity by username, I added the username field as a drill-down option in the QuickSight field wells.

This immediately makes the hierarchy available in the visual, allowing me to view the users who performed a specific activity.

It can also be useful to look at usage patterns. This allows administrators to better understand user behavior. You can see when users are just consuming dashboards and analyses, when they connect to specific data sources, when they purchase SPICE capacity, and so on. This allows you to detect hotspots in user behavior for abnormal activity, or to save costs by identifying inactive user accounts.
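The two checks described above, the per-user drill-down and the spike in connection attempts, can also be run directly over a CloudTrail log file before the data reaches Athena or SPICE. The following is an added example and not code from the original post or from AWS; the records are constructed, and the event names (`CreateDataSource`, `DescribeDashboard`) are placeholders standing in for the real QuickSight event names, which are listed in the QuickSight documentation.

```python
import json
from collections import Counter

QUICKSIGHT_SOURCE = "quicksight.amazonaws.com"


def _record(user, event, source=QUICKSIGHT_SOURCE, error=None, ip="203.0.113.10"):
    """Build one CloudTrail-shaped record (constructed sample data)."""
    rec = {"eventTime": "2017-06-01T10:00:00Z", "eventSource": source,
           "eventName": event, "userIdentity": {"type": "IAMUser", "userName": user},
           "sourceIPAddress": ip}
    if error:
        rec["errorCode"] = error  # CloudTrail marks a failed call with errorCode
    return rec


# Constructed sample log in CloudTrail's file layout ({"Records": [...]}).
# Event names are placeholders; real names come from the QuickSight docs.
SAMPLE_LOG = json.dumps({"Records": [
    _record("alice", "CreateDataSource", error="AccessDenied"),
    _record("alice", "CreateDataSource", error="AccessDenied"),
    _record("alice", "CreateDataSource", error="AccessDenied"),
    _record("bob", "CreateDataSource"),
    _record("bob", "DescribeDashboard"),
    _record("bob", "GetObject", source="s3.amazonaws.com"),  # not QuickSight
]})


def quicksight_events(log_text):
    """Parse one CloudTrail log file and keep only the QuickSight records."""
    return [r for r in json.loads(log_text)["Records"]
            if r.get("eventSource") == QUICKSIGHT_SOURCE]


def events_by_user(records):
    """Count (userName, eventName) pairs: the per-user drill-down view."""
    counts = Counter()
    for r in records:
        user = r.get("userIdentity", {}).get("userName", "<unknown>")
        counts[(user, r["eventName"])] += 1
    return counts


def failed_attempt_spikes(records, event_name, threshold):
    """Users whose failed calls to event_name reach the threshold."""
    failures = Counter(r["userIdentity"].get("userName", "<unknown>")
                       for r in records
                       if r["eventName"] == event_name and "errorCode" in r)
    return {user: n for user, n in failures.items() if n >= threshold}


if __name__ == "__main__":
    qs = quicksight_events(SAMPLE_LOG)
    for (user, event), n in sorted(events_by_user(qs).items()):
        print(f"{user:8} {event:20} {n}")
    print("spikes:", failed_attempt_spikes(qs, "CreateDataSource", 3))
```

A user flagged by `failed_attempt_spikes` is the starting point for the follow-up the post describes: checking whether the failures are an expired password or something that needs investigation.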

With Athena and QuickSight, you can get rich insights from your CloudTrail data in a few minutes!

AWS CloudTrail logging for QuickSight is available for both Standard and Enterprise Editions, across all supported QuickSight regions. Standard CloudTrail pricing applies for events generated via QuickSight.

Learn more

To learn more about these capabilities and start using them in your dashboards, check out the QuickSight User Guide.

Stay engaged

If you have questions and suggestions, you can post them on the QuickSight Discussion Forum.

Not a QuickSight user?

Click here to get started for FREE.