AWS Big Data Blog
Using administrative dashboards for a centralized view of Amazon QuickSight objects
“Security is job 0” is the primary maxim of all endeavors undertaken at AWS. Amazon QuickSight, the fast-growing, cloud-native business intelligence (BI) platform from AWS, allows security controls in a variety of means, including web browsers and API calls. These controls apply to various functions, such as user management, authorization, authentication, and data governance.
This post demonstrates how to build a workflow to enable a centralized visualization of QuickSight groups and user information, as well as QuickSight objects access permission auditing information. Combined with AWS CloudTrail logs, the solution enables your security team to detect any abnormal behavior in near-real time to ensure security compliance.
Benefits of a centralized dashboard
A group in QuickSight consists of a set of users. Using groups makes it easy to manage access and security. For example, you can configure three groups, called Marketing
, HR
, and BI Developer
, and each has specific access privileges:
- The users in the
Marketing
group can only view the dashboards with marketing data - The users in the
HR
group can only view the human resources data - The users in the
BI Developer
group can edit all objects, including data sources, datasets, and dashboards
After the users and groups are configured, BI administrators can check and edit the object access permission by choosing Share for dashboards, datasets, and all other objects. The following screenshot shows the Manage dashboard sharing page on the QuickSight console.
As of this writing, individual object permission information is available on the QuickSight console, and user information is provided on the user management view on the QuickSight console. Our solution integrates QuickSight APIs with other AWS services to create an administrative dashboard that provides a centralized view of essential security information. This dashboard covers not only user lists and individual object access permission information available on the current platform, but also additional security information like group lists, user-group mapping information, and overall objects access permissions. This dashboard allows you to acquire unique security insights with its collection of comprehensive security information.
This post provides a detailed workflow that covers the data pipeline, sample Python codes, the AWS CloudFormation template, and a sample administrative dashboard. With the guidance of this post, you can configure a centralized information center in your own environment.
Solution overview
The following diagram illustrates the workflow of the solution.
The workflow involves the following steps:
- A new user creation event in the CloudTrail log triggers the Amazon CloudWatch Events rule
CreateUser
. - The
CreateUser
rule triggers the AWS Lambda functionUser_Initiation
. This function checks if the new user belongs to an existing group (for this post, we assume that their AWS Identity and Access Management (IAM) role equates to the group they should belong to in QuickSight). If such a group exists, the function adds the user into the group (CreateGroupMembership
). Otherwise, it creates a new group (CreateGroup
). The following is the process flow diagram of the Lambda function.
- If the
CreateGroupMembership
event occurs, it triggers the Lambda functionData_Prepare
. This function calls QuickSight APIs to get QuickSight group, user, and object access permissions information and saves the results to an Amazon Simple Storage Service (Amazon S3) bucket.
- If the Lambda function
User_Initiation
creates a new QuickSight group in Step 2, it triggers a CloudWatch ruleCreateGroup
and the Lambda functionGroup_Initiation
. TheGroup_Initiation
function updates the QuickSight objects permission for the new group, such as granting it permission to view a dashboard. - The update object permission event in Step 4 triggers the Lambda function
Data_Prepare
, which updates the object access permissions information and saves the updated information to an S3 bucket. - The
DeleteUser
andDeleteGroup
events also trigger the Lambda functionData_Prepare
. - Based on the file in S3 that contains user-group mapping information and the QuickSight objects access permissions information, an Amazon Athena table is created.
- A QuickSight dataset fetches the data in the Athena table created in Step 7 through
DirectQuery
Another QuickSight dataset is created based on the CloudTrail logs data. Then, based on these two datasets, a QuickSight dashboard is created.
Prerequisites
For this walkthrough, you should have the following prerequisites:
- An AWS account
- Access to the following AWS services:
- QuickSight
- Athena
- Lambda
- Amazon S3
- Basic knowledge of Python
- Security Assertion Markup Language 2.0 (SAML 2.0) or OpenID Connect (OIDC) single sign-on (SSO) configured for QuickSight access
Creating resources
Create your resources by downloading the following AWS Cloud Development Kit (AWS CDK) stack from the GitHub repo.
Pull the Administrative Dashboard
folder and run the command cdk deploy QuickSightStack
to deploy the resources. For more information, see AWS CDK Intro Workshop: Python Workshop.
Implementing the solution
This solution assumes that the users log in to their QuickSight account with identity federation through SAML or OIDC. For instructions on setting up SAML SSO, see Single Sign-On Access to Amazon QuickSight Using SAML 2.0, Federate Amazon QuickSight access with Okta and Enabling Amazon QuickSight federation with Azure AD.
After you set up the IAM policy of the web identity or SAML federation role, you don’t need to invite users manually. A QuickSight user is provisioned automatically when opening QuickSight for the first time.
In this solution, one SAML federation role corresponds to a QuickSight group. There are four sample SAML roles: Marketing
, HR
, BI-Admin
, and BI Developer.
The following code is the sample CreateUser
CloudTrail event:
This event triggers the CloudWatch events rule CreateUser
. The following screenshot shows the details of this rule.
The CreateUser
rule triggers the Lambda function User_Initiation
. This function gets the QuickSight group name (Marketing
, HR
, BI-Admin
, or BI Developer
) and compares the group name with the existing group list. If such a group exists, it adds this new user into that group (CreateGroupMembership
). Otherwise, it creates a new group (CreateGroup
).
The Data_Prepare
Lambda function is triggered by adding a new user into a group event (CreateGroupMembership
). This function calls the QuickSight API describe_data_set_permissions
, describe_dashboard_permissions
, or describe_data_source_permissions
to get the object access permissions. It also calls the APIs list_user_groups
and list_users to get the list of users and the groups of each user. Finally, this function creates two files containing QuickSight group, user, or object access information, and saves these files into a S3 bucket.
If a new QuickSight group is created, it triggers the Lambda function Group_Initiation
to update the QuickSight dashboard, dataset, or data source permission for this new group. For example, if the HR group is created, the Group_Initiation function lets the HR group view the Employee Information dashboard.
The UpdateDashboardPermissions
, UpdateDatasetPermissions
, and UpdateDatasourcePermissions
events trigger the Lambda function Data_Prepare
to update the object access permissions information stored in the S3 bucket.
To create two Athena tables (Groups
and Objects
), run an AWS Glue crawler.
The following screenshot is sample data of the Groups table.
The following screenshot is sample data of the Objects table.
You can create a DirectQuery
dataset in QuickSight with the two new Athena tables joined. See the following screenshot.
The Objects
table contains the information of objects (such as dashboards and datasets) belonging to each group or user. Furthermore, we can create a calculated field called Ownership
based on Permissions
information (the actions
column in objects
table) to provide the objects owner with viewer or user information (the object owner can delete this object, whereas the viewer or user can’t do the deletion action).
The following screenshot shows the relevant code.
For instructions on building an Athena table with CloudTrail events, see Amazon QuickSight Now Supports Audit Logging with AWS CloudTrail. For this post, we create the table cloudtrail_logs
in the default
database.
After that, run the following SQL query to build an Athena view with QuickSight events for the last 24 hours:
Running queries in Athena
Now we have the datasets ready in Athena and can run SQL queries against them to answer some common administrative questions.
To create a QuickSight dataset to catch all orphan users that don’t belong to any group, as well as the events done by these users in the last 24 hours, run the following SQL query:
To create a QuickSight dataset to list objects belonging to each group or user, run the following query:
The following screenshot shows the sample data.
Building dashboards
In addition to running queries directly in Athena, we can build a dashboard using this same data in QuickSight. The following screenshot shows an example dashboard that you can make using our data.
You can interactively play with the sample dashboard in the following Interactive Dashboard Demo.
Cleaning up
To avoid incurring future charges, delete the resources you created by running the following command:
Then, on the Amazon S3 console, delete the S3 bucket administrative-dashboard<your_aws_account_id>
.
Conclusion
This post discussed how BI administrators can use the QuickSight dashboard, Lambda functions, and other AWS services to create a centralized view of groups, users, and objects access permission information and abnormal access auditing. We also presented a serverless data pipeline to support the administrative dashboard. This dashboard can provide you with unique security insights with its collection of comprehensive security information.
About the Author
Ying Wang is a Data Visualization Engineer with the Data & Analytics Global Specialty Practice in AWS Professional Services.