AWS Business Intelligence Blog

Automate governance of Amazon Quick Suite features using custom permissions

Amazon QuickSight is evolving to Amazon Quick Suite on October 9, 2025, expanding from a single BI product to a comprehensive suite that includes AI agents for business insights, research, and automation in one integrated experience. Quick Suite helps users work smarter and faster – all while maintaining security and user access policies. Business users of any skill level can find answers across relevant data sources in minutes instead of days, analyze data through natural language, create sophisticated visualizations, immediately act on insights without switching tools, and automate any task. At the heart of these enhancements is the unification of structured and unstructured data sources, driving its powerful new capabilities.

Quick Suite offers a sophisticated permission management system. This multi-tiered approach—spanning account, role, and user levels—helps organizations implement precise access controls tailored to their specific needs. One of the key enhancements to the current architecture makes it possible for administrators to enforce the principle of least privilege, limiting user access to specific functionalities at the account level while maintaining a seamless user experience. By offering both coarse-grained and fine-grained access restrictions, Quick Suite helps businesses confidently adopt the latest AI innovations while adhering to enterprise-grade security and compliance standards. This balance of innovation and control positions Quick Suite as a pivotal tool for organizations navigating the complexities of modern data analytics and AI-driven decision-making.

This post provides a comprehensive guide to programmatically implement feature-level restrictions at the account level using custom permissions, helping organizations adopt the latest innovations in generative AI, while supporting enterprise-grade security, compliance, and control. We walk through how to apply custom permissions to turn off AI-based capabilities at the account level for both new and existing Quick Suite account subscriptions.

Solution overview

The solution uses Quick Suite along with the following AWS services to apply custom permissions in your AWS account:

  • AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. It records actions taken in your AWS account, including actions taken through the AWS Management Console, AWS Command Line Interface (AWS CLI), and AWS SDKs and APIs.
  • Amazon EventBridge is a serverless service that uses events to connect application components, making it effortless to build scalable, event-driven applications. You can create rules to match events and route them to one or more target functions or streams.
  • AWS Lambda is a serverless, event-driven compute service that lets you run code for applications or backend services without provisioning or managing servers. You can trigger Lambda from over 200 AWS services and software as a service (SaaS) applications and only pay for what you use.
  • AWS CloudFormation is an infrastructure as code (IaC) service that lets you model, provision, and manage AWS and third-party resources by writing templates in a declarative language. You can create and manage a collection of AWS resources as a single unit, making it straightforward to create and maintain infrastructure in a repeatable way.
  • AWS Identity and Access Management (IAM) helps you securely control access to AWS resources for your users. You can use IAM to control who can use your AWS resources (authentication), what resources they can use, and how they can use them (authorization). For more information, see the IAM User Guide.

Scenario 1: New Quick Suite account subscriptions

The following diagram shows the solution architecture for new Quick Suite account subscriptions.

The solution architecture is packaged as a CloudFormation stack, which deploys the necessary resources in your AWS account. After the stack is deployed, these resources are ready to be triggered when a new Quick Suite subscription is created. You can create a subscription through the AWS CLI, console, or other programmatic approaches. An EventBridge rule runs every two minutes to invoke the Lambda function, and the rule is disabled after a successful subscription to Quick Suite occurs. The function orchestrates the creation and assignment of custom permissions at the account level through public Quick APIs. The specific custom permission created through this code disables the new Quick Suite AI capabilities at the account level.

This approach is ideal when you want an environment with BI-only capabilities, or when you want to temporarily disable new capabilities while evaluating them for broader adoption. To learn more about how to apply different sets of custom permissions to different users, such as for testing purposes, refer to Establishing enterprise governance in Amazon Quick Suite using custom permissions.

Prerequisites

You must have the following prerequisites:

  • No existing Quick Suite subscription
  • Administrator access to an AWS account
  • CloudTrail enabled
  • EventBridge enabled

Create resources with CloudFormation

Complete the following steps to create your resources with CloudFormation:

  1. Choose Launch Stack to provision the necessary resources to automatically apply account-level custom permissions.
  2. Choose Next.
  3. Enter a name for the stack (for example, custom-permissions-qs-stack) and choose Next.
  4. Acknowledge the creation of IAM policies and roles for various resources and choose Next.
  5. Review the settings and choose Submit.

Scenario 2: Existing Quick Suite account subscriptions

This section provides a CloudFormation template to deploy for existing Quick Suite account subscriptions.

Prerequisites

You must have the following prerequisites:

  • An existing Quick Suite subscription
  • Administrator access to an AWS account

Create resources with CloudFormation

Complete the following steps to create your resources:

  1. Choose Launch Stack to provision your resources.
  2. Choose Next.
  3. Enter a name for your stack (for example, quicksight-custom-permissions) and choose Next.
  4. Acknowledge the creation of IAM policies and roles for the Lambda function and choose Next.
  5. Review the settings and choose Submit.

The CloudFormation template creates the necessary resources in your AWS account. After you deploy the stack, the Lambda function orchestrating the creation and assignment of custom permissions at the account level through public Quick APIs is automatically triggered. The specific custom permission created through this code will disable the new Quick Suite AI capabilities at the account level.
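The create-and-assign flow that the Lambda function performs in both scenarios can be sketched with the boto3 `quicksight` client. This is an added example, not the code deployed by the CloudFormation stack: it is written to be idempotent so that rerunning it also detects and repairs drift. The capability names and the profile name `example-restrict-ai` are placeholders, and treating `ResourceNotFoundException` as "nothing assigned yet" is an assumption.

```python
# Added example. Placeholder capability keys (assumption): replace with the
# names from the CreateCustomPermissions API reference for the features to restrict.
DENIED_CAPABILITIES = ["PLACEHOLDER_AI_CAPABILITY_1", "PLACEHOLDER_AI_CAPABILITY_2"]


def enforce_account_restriction(qs, account_id, profile_name, denied):
    """Create or repair the profile, assign it, and return the actions taken."""
    actions = []
    wanted = {name: "DENY" for name in denied}

    # 1. The profile must exist and deny every requested capability.
    try:
        current = qs.describe_custom_permissions(
            AwsAccountId=account_id, CustomPermissionsName=profile_name
        )["CustomPermissions"].get("Capabilities", {})
        if any(current.get(name) != "DENY" for name in wanted):
            qs.update_custom_permissions(
                AwsAccountId=account_id,
                CustomPermissionsName=profile_name,
                Capabilities={**current, **wanted},
            )
            actions.append("updated_profile")
    except qs.exceptions.ResourceNotFoundException:
        qs.create_custom_permissions(
            AwsAccountId=account_id,
            CustomPermissionsName=profile_name,
            Capabilities=wanted,
        )
        actions.append("created_profile")

    # 2. That profile must be the one assigned at the account level.
    try:
        assigned = qs.describe_account_custom_permission(
            AwsAccountId=account_id
        ).get("CustomPermissionsName")
    except qs.exceptions.ResourceNotFoundException:
        assigned = None  # assumption: "nothing assigned" may surface this way
    if assigned != profile_name:
        qs.update_account_custom_permission(
            AwsAccountId=account_id, CustomPermissionsName=profile_name
        )
        actions.append("assigned_to_account")
    return actions  # an empty list means the account was already compliant


if __name__ == "__main__":
    import boto3  # needs credentials allowed to call the APIs used above
    account = boto3.client("sts").get_caller_identity()["Account"]
    print(enforce_account_restriction(
        boto3.client("quicksight"), account, "example-restrict-ai", DENIED_CAPABILITIES))
```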

Validate the solution

To validate your settings, complete the following steps:

  1. Navigate to the Quick Suite home page and confirm that all the new AI capabilities are turned off.
  2. Alternatively, as an administrator, navigate to the Manage account page by choosing the user icon at the top right corner.
  3. On the landing page, confirm that a custom permission is applied at the account level restricting new AI capabilities.
  4. To customize these permissions further, choose Manage and then choose the options menu (three dots) next to the profile and choose Edit.
  5. Confirm that each capability is selected, indicating the restriction of that specific capability.

Clean up

To clean up, delete the CloudFormation stack to remove the resources provisioned within the stack:

  1. On the CloudFormation console, choose Stacks in the navigation pane.
  2. Select the stack you created and choose Delete.

This will remove the CloudTrail event, EventBridge rule, and Lambda function, along with associated roles and policies for each resource.

Conclusion

This post showed how to programmatically apply custom permissions to restrict new AI capabilities for both new and existing Quick Suite subscriptions. The solution makes it possible to disable these features at the account level in an automated way. You can apply different sets of permissions to different users in your account, such as having a set of users designated to test before rolling out to all users in an account. For more information, see Establishing enterprise governance in Amazon Quick Suite using custom permissions.

As organizations continue to embrace AI-powered analytics and automation capabilities within Quick Suite, the robust custom permissions framework can help innovation proceed securely and in alignment with organizational governance requirements. This comprehensive approach to access control positions Quick Suite as not just a powerful analytics service, but a secure, enterprise-ready solution that grows with your organization’s needs.

Properly configuring custom permissions can help you achieve enhanced security posture, regulatory compliance, and operational confidence as your organization scales its use of the advanced capabilities of Quick Suite. For more details, refer to Creating a custom permissions profile in Amazon Quick Suite.

If you have any questions or feedback, please leave a comment.

For additional discussions and help getting answers to your questions, check out the Quick Suite Community.


About the authors

Srikanth Baheti is a Specialized World Wide Principal Solution Architect for Amazon Quick Suite. He started his career as a consultant and worked for multiple private and government organizations. Later he worked for PerkinElmer Health and Sciences & eResearch Technology Inc, where he was responsible for designing and developing high-traffic web applications and highly scalable and maintainable data pipelines for reporting platforms using AWS services and Serverless computing.

Andy Son is a Solutions Architect for Amazon Quick Suite. Prior to joining AWS, Andy was a pre-sales engineer who worked with clients across various industries to successfully drive adoption and implementation of analytics.

Ashok Dasineni is a Solutions Architect for Amazon Quick Suite. Before joining AWS, Ashok worked with clients and organizations in the banking and financial domain, focusing on fraud research and prevention. He designed and implemented innovative solutions to improve business process, reduce cost, and increase revenue, helping companies around the world achieve their highest potential through data.

Vaidy Janardhanam is a Solutions Architect at AWS, focusing on generative business intelligence. Vaidy works with customers to help them design and build data and analytics applications in the cloud. He has accelerated the path to production for customers across the globe using AWS services.