Secure access to Amazon QuickSight with Amazon WorkSpaces Secure Browser

Introduction

As more organizations use Amazon QuickSight for data-driven decision making, Amazon WorkSpaces Secure Browser provides end users secure access to dashboards containing sensitive information. With WorkSpaces Secure Browser, administrators provide dashboard authors and readers a protected browser environment while ensuring sensitive data remains off end-user devices.

This blog post describes a solution that leverages WorkSpaces Secure Browser, Virtual Private Cloud (VPC) endpoints (powered by AWS PrivateLink), and AWS IAM Identity Center to provide secure and centralized access to QuickSight. We will walk through the implementation steps, best practices, and key considerations to enable secure data visualization and analysis across your organization.

The goals of this architecture are to:

• Prevent data exfiltration from the end-user device and strengthen security posture.
• Enforce QuickSight access from a secure browser environment within a VPC.
• Provide a user-friendly experience to build high-sensitivity dashboards securely.

The following architecture diagram illustrates how to restrict traffic to your QuickSight dashboard from a VPC endpoint. Within the VPC, WorkSpaces Secure Browser provides a secure web environment for authors and readers to access the QuickSight dashboard.

Prerequisites:

• IAM user with access to the AWS Console and CLI (via AWS CloudShell)
• IAM Identity Center with users and groups
  • If you have not previously set up IAM Identity Center, AWS recommends reviewing the IAM Identity Center prerequisites
• VPC with 2 private subnets – consider leveraging existing sample templates from AWS Labs

Note:
This blog covers both QuickSight and WorkSpaces Secure Browser applications that have been integrated with IAM Identity Center. QuickSight IP and VPC Endpoint restriction features will work regardless of the authentication method your organization uses. Additionally, this blog uses US-West-2 (Oregon). Modify endpoint names if you use a different AWS region.

Creating a User and Group within AWS IAM Identity Center

For this blog, you will only need one user and one group. For simplicity, you will create administrative user, John Smith and a group named QuickSight Administrators.

Note:
These steps are not required if your organization has already deployed Identity Center. If you already have a user and group, skip to ‘Configuring QuickSight’.

Next, leverage the AWS CLI to create a group within AWS IAM Identity Center. Alternatively, you may leverage existing identity providers and sync your Identity Center instance with supported IDPs. The group is used for assignment within QuickSight when integrating with AWS IAM Identity Center.

To create the group within AWS IAM Identity Center, launch CloudShell and run the command:

aws identitystore create-group --identity-store-id [Your Identity Store ID] --display-name "QuickSight-Administrators"

Note:
The CLI options must reference the identity store within Identity Center. This is found in the Identity Center console under Settings → Identity Source.

To create a User in the default directory (console)

1. Open IAM Identity Center
2. Select Users from the side menu and select Add user
3. For Username, enter john.smith
4. For Password, select Send an email to this user with password setup instructions (Recommended)
5. For Email address, enter an accessible email address
6. For First Name and Last Name, enter John Smith
7. Leave the rest of the optional fields empty, select Next
8. In Groups, select QuickSight-Administrators
9. Select Next
10. Review details and select Add user

When complete, review John Smith’s general information and group membership.

Configuring QuickSight

Once you have the user and group created, create the QuickSight dashboard.

Note:
To sign up for a QuickSight Enterprise Edition account with an IAM Identity Center application, you need the correct permissions. For more information on the permissions needed to use this method, see IAM identity-based policies for Amazon QuickSight.

To create a QuickSight account (console)

1. Open QuickSight from the AWS console
2. Select Sign Up For QuickSight
3. For Contact Information, enter an accessible email address
4. For Authentication method, select Use AWS IAM Identity Center
5. For QuickSight account name, enter QuickSightDemo
6. Select Configure
7. For Admin group, search for and select QuickSight-Administrators 
8. For IAM Role, select Use QuickSight-managed role (default)
9. For Optional add-on, de-select Add-Paginated Reports as this will not be used for the demo

Once you are redirected into QuickSight, continue to the next section of this blog.

Deploying WorkSpaces Secure Browser

To create WorkSpaces Secure Browser Web Portal (console)

1. Open the WorkSpaces Secure Browser console
2. Choose Create Portal
3. In the Network connection details, choose the VPC you created
   • For Subnet, select 2 private subnets
   • For Security groups, select default VPC security group
4. Choose Next
5. In Portal details, for Display Name, enter a name for your WorkSpaces Secure Browser portal
6. In Instance type settings
   • For Instance Type, select Standard Regular
   • For Maximum concurrent sessions, enter 5

The recommendation for sizing the WorkSpaces Secure Browser portals based on the use case are found on the pricing page.

7. For User access logging, leave Kinesis Data Stream Name empty
8. For IP Access Control Group details, leave IP Access Control Group empty
9. For Policy settings:
   • For Startup URL – optional, enter the AWS access portal URL from the IAM Identity Center console.
   • For Private browsing, select Disabled
   • For History deletion, select Disabled
10. Choose Next
11. For User setting details:
    • For Allow users to use the WorkSpaces Secure Browser extension for single sign-on, select Allowed
      • This setting allows single sign on (SSO) via browser cookies from the users local browser to the WorkSpaces Secure Browser managed browser. When logging into WorkSpaces Secure Browser for the first time, the user will add the extension to their local Chrome or Firefox browser.
    • For Domain, enter awsapps.com
    • For Clipboard permissions, select Paste to remote session only
    • For File transfer permissions, select Upload only
    • For Print to local device, select Not allowed

Note:
Clipboard permissions and file transfer permissions determine which actions a user may take while in the WorkSpaces Secure Browser session. To prevent users from downloading sensitive data to their local device, limit the clipboard actions to only allow users to copy into the session. You can permit the user to upload files into the session but not download. A potential use case for this is uploading a CSV to QuickSight for analysis with other datasets. 

12. For User session details:

• • For Disconnect timeout in minutes, enter 60
  • For Idle disconnect timeout in minutes, enter 15

13. Choose Next

14. Configure identity provider:

• • For Identity provider (IdP) details, select AWS IAM Identity Center (successor to AWS SSO)
  • Choose Continue with IAM Identity Center

15. In Setup details for AWS IAM Identity Center (successor to AWS SSO):

• • Select user john.smith or whichever user you created previously
  • Choose Next to review the details, then choose Launch Portal

Deploying the WorkSpaces Secure Browser portal will take ~10 minutes. You can check the status in the WorkSpaces Secure Browser console. Once the portal is created, assigned users will see the application tile in their Identity Center access portal.

Registering the VPC Interface Endpoints with Route53 A records

To ensure all access to the QuickSight dashboard comes from WorkSpaces Secure Browser, you will deploy a VPC interface endpoint, create a Route53 Private Hosted zone, and an A record for the endpoint. This will route traffic within the VPC to the QuickSight VPC endpoint. Then, the VPC endpoint will be registered within QuickSight’s IP/VPC restriction list.

Create a VPC interface endpoint for QuickSight

To create a VPC interface endpoint for QuickSight (console)

1. Open VPC console
2. In the left side of Virtual private cloud menu, select Endpoints
3. In Endpoint settings:
   • For Name tag, enter QuickSightVPCe
   • For Service category, select AWS services
4. In Services, search for QuickSight and select amazonaws.us-west-2.quicksight-website
5. In VPC, select the VPC into which you have deployed WorkSpaces Secure Browser
6. In Subnets:
   • Select all Availability Zones into which WorkSpaces Secure Browser has been deployed
   • For Subnet ID, select the private subnet for each availability zone
7. In Security Groups, select default security group
   • If not using the default security group, ensure your security group allows traffic to the QuickSight VPC endpoint created later in this blog
8. Choose Create Endpoint

After creation, note the IPv4 addresses of each endpoint and the VPC Endpoint ID as these are used later. You will reference these in our Route53 private hosted zone to direct traffic to the QuickSight VPC endpoint.

This step has created a VPC endpoint for QuickSight in each private subnet. This enables traffic to be routed via the AWS networking backbone instead of the public internet.

Route53 Private Hosted Zone

Within Route53 you will create a private hosted zone. A private hosted zone is a container that holds information about how you want Amazon Route 53 to respond to DNS queries for a domain and its subdomains within one or more VPCs that you create with the Amazon VPC service. For more on Route53 Private Hosted Zones read here.

DNS A records are used to resolve a domain name to an IPv4 address, such as a web server. You will create an A record to resolve the QuickSight domain name to specific QuickSight VPC endpoints. This will route traffic within the VPC to the VPC endpoints as opposed to the public QuickSight endpoints.

For the private hosted zone A record, enter the record name of [region].quicksight.aws.amazon.com. This will ensure that when launching QuickSight from the WorkSpace Secure Browser session, traffic is resolved to the VPC endpoints. The A record is used to map the QuickSight service name to the QuickSight VPC endpoint.

To create a Route53 Private Hosted Zone (PHZ) and A Record (console)

1. Open Route53 console
2. In the side menu, choose Hosted Zones
3. In Hosted zone configuration:
   • For Domain name, enter quicksight.aws.amazon.com
   • For Type, select Private hosted zone
4. In VPCs to associate with the hosted zone:
   • For Region, select US West (Oregon)
   • For VPC ID, select the VPC in which the WorkSpaces Secure Browser is deployed
5. Select Create hosted zone
6. Once the zone is created, choose Create record
7. In Quick create record:
   • For Record name, enter us-west-2 
   • For Record type, select A – Routes traffic to an IPv4 address and some AWS resources
   • For Value, enter the IPv4 addresses of each endpoint from the previous section where you created the QuickSight endpoints
   • Choose Save

Once you have created the A record, you will see the new record reflected in the hosted zones console. This record addition will correctly route traffic to the QuickSight dashboard through the VPC endpoints that you created.

Restricting QuickSight to the WorkSpaces Secure Browser VPC

QuickSight natively allows administrators to restrict traffic to the dashboard from specific CIDR, VPC endpoints, or VPC IDs. You will add your local machine CIDR (for development purposes) and the VPC endpoint of the WorkSpaces Secure Browser VPC. This will block any traffic that is not originating from either the local workstation or the WorkSpaces Secure Browser portal.

To add IP and VPC endpoint restrictions in QuickSight (console) 

1. Open QuickSight and select the user icon in the top right corner of the page
2. Choose Manage QuickSight
3. Select the Security & Permissions
4. Scroll down to IP and VPC endpoint restrictions, select Manage
5. In the Restriction List, enter 2 entries
   • In Restriction, enter Your IP address with a /32 appended
   • Enter a description such as Local Laptop
   • Select Add
   • In Restriction, enter the VPC Endpoint ID you created
   • Enter a description such as WorkSpaces Secure Browser VPC Endpoint
   • Select Add
6. Toggle on the Enforce Restrictions field
   • When you toggle Enforce Restrictions, only traffic originating from these sources are allowed to access the QuickSight Dashboard.

Note:
If you do not add the CIDR of your local device, your access to QuickSight will be denied. To modify your IP/VPC endpoint restrictions programmatically, disable the restriction list via the AWS CLI command:
aws quicksight update-ip-restriction --account-id [YOUR AWS ACCOUNT ID] --enabled  FALSE 

Once the restriction list has been enforced, you can now attempt to access the QuickSight dashboard in the following steps:

• Navigate to the AWS IAM Identity Center application launcher
• Launch WorkSpaces Secure Browser
  • This will take ~1 minute the first time to launch
• Within the WorkSpaces Secure Browser session, launch QuickSight from the IAM Identity Center applications tab

Additionally, you can test the restriction lists by using a different device and following the below steps:

• Navigate to the AWS IAM Identity Center application launcher
• Launch QuickSight

User experience walkthrough:

1. User John Smith authenticated into his organization’s Identity Center AWS access portal
2. John is shown the applications which he has been granted access to and launches QuickSight
3. QuickSight denies access to the dashboard using IP/VPC restrictions
4. John launches WorkSpaces Secure Browser
5. John’s administrators set the Identity Center AWS access portal as the default homepage and have set up Single Sign-On. John’s local browser’s cookies are synchronized to the WorkSpaces Secure Browser session
6. John launches the QuickSight Dashboard from within the WorkSpaces Secure Browser session and is not blocked by QuickSight’s IP/VPC restrictions

The expected behavior is shown below. John Smith, is unable to access the QuickSight Dashboard from his local browser, but is able to access after launching from WorkSpaces Secure Browser:

Additional Considerations:

VPC Endpoint Policies

In this blog, we did not cover VPC endpoint policies, but we recommend they be evaluated for production workloads. You can attach an endpoint policy to restrict usage to specific QuickSight accounts or accounts under specific AWS organizations. More information on VPC Endpoint policies for QuickSight can be found here.

Conclusion

In this blog, we covered how to restrict access to a QuickSight Dashboard to a specific VPC. In that VPC, we deployed WorkSpaces Secure Browser to limit what file transfer actions/clipboard commands a user can take when accessing the high sensitivity dashboard. The implemented controls prevent users from downloading and copying/pasting data from the WorkSpaces Secure Browser session to their local workstation. To learn about additional WorkSpaces Secure Browser use cases, review the service detail page.

Cleaning Up

To delete the resources created in this blog, refer to the associated documentation for each service:

• QuickSight
• WorkSpaces Secure Browser
• Route53 Private Hosted Zone

Marc Weiss is a Solutions Architect on the US Federal Financials team where he supports regulatory customers. Outside of work, Marc enjoys non-fiction books and watching Ohio State football.

Joshua Wright is a Sr. Solutions Architect at Amazon Web Services. Joshua works with Federal Financial customers to design and secure their data management environments. He enjoys travel and backpacking.