“Security is job 0” is the primary maxim of all endeavors undertaken at AWS. Amazon QuickSight, the fast-growing, cloud-native business intelligence (BI) platform from AWS, allows security controls in a variety of means, including web browsers and API calls. These controls apply to various functions, such as user management, authorization, authentication, and data governance.
This post demonstrates how to build a workflow to enable a centralized visualization of QuickSight groups and user information, as well as QuickSight objects access permission auditing information. Combined with AWS CloudTrail logs, the solution enables your security team to detect any abnormal behavior in near-real time to ensure security compliance.
Benefits of a centralized dashboard
A group in QuickSight consists of a set of users. Using groups makes it easy to manage access and security. For example, you can configure three groups, called
BI Developer, and each has specific access privileges:
- The users in the
Marketinggroup can only view the dashboards with marketing data
- The users in the
HRgroup can only view the human resources data
- The users in the
BI Developergroup can edit all objects, including data sources, datasets, and dashboards
After the users and groups are configured, BI administrators can check and edit the object access permission by choosing Share for dashboards, datasets, and all other objects. The following screenshot shows the Manage dashboard sharing page on the QuickSight console.
As of this writing, individual object permission information is available on the QuickSight console, and user information is provided on the user management view on the QuickSight console. Our solution integrates QuickSight APIs with other AWS services to create an administrative dashboard that provides a centralized view of essential security information. This dashboard covers not only user lists and individual object access permission information available on the current platform, but also additional security information like group lists, user-group mapping information, and overall objects access permissions. This dashboard allows you to acquire unique security insights with its collection of comprehensive security information.
This post provides a detailed workflow that covers the data pipeline, sample Python codes, the AWS CloudFormation template, and a sample administrative dashboard. With the guidance of this post, you can configure a centralized information center in your own environment.
The following diagram illustrates the workflow of the solution.
The workflow involves the following steps:
- A new user creation event in the CloudTrail log triggers the Amazon CloudWatch Events rule
CreateUserrule triggers the AWS Lambda function
User_Initiation. This function checks if the new user belongs to an existing group (for this post, we assume that their AWS Identity and Access Management (IAM) role equates to the group they should belong to in QuickSight). If such a group exists, the function adds the user into the group (
CreateGroupMembership). Otherwise, it creates a new group (
CreateGroup). The following is the process flow diagram of the Lambda function.
- If the
CreateGroupMembershipevent occurs, it triggers the Lambda function
Data_Prepare. This function calls QuickSight APIs to get QuickSight group, user, and object access permissions information and saves the results to an Amazon Simple Storage Service (Amazon S3) bucket.
- If the Lambda function
User_Initiationcreates a new QuickSight group in Step 2, it triggers a CloudWatch rule
CreateGroupand the Lambda function
Group_Initiationfunction updates the QuickSight objects permission for the new group, such as granting it permission to view a dashboard.
- The update object permission event in Step 4 triggers the Lambda function
Data_Prepare, which updates the object access permissions information and saves the updated information to an S3 bucket.
DeleteGroupevents also trigger the Lambda function
- Based on the file in S3 that contains user-group mapping information and the QuickSight objects access permissions information, an Amazon Athena table is created.
- A QuickSight dataset fetches the data in the Athena table created in Step 7 through
DirectQueryAnother QuickSight dataset is created based on the CloudTrail logs data. Then, based on these two datasets, a QuickSight dashboard is created.
For this walkthrough, you should have the following prerequisites:
- An AWS account
- Access to the following AWS services:
- Amazon S3
- Basic knowledge of Python
- Security Assertion Markup Language 2.0 (SAML 2.0) or OpenID Connect (OIDC) single sign-on (SSO) configured for QuickSight access
Administrative Dashboard folder and run the command
cdk deploy QuickSightStack to deploy the resources. For more information, see AWS CDK Intro Workshop: Python Workshop.
Implementing the solution
This solution assumes that the users log in to their QuickSight account with identity federation through SAML or OIDC. For instructions on setting up SAML SSO, see Single Sign-On Access to Amazon QuickSight Using SAML 2.0, Federate Amazon QuickSight access with Okta and Enabling Amazon QuickSight federation with Azure AD. For OIDC SSO, see Use Amazon QuickSight Federated Single Sign-On with Amazon Cognito User Pools.
After you set up the IAM policy of the web identity or SAML federation role, you don’t need to invite users manually. A QuickSight user is provisioned automatically when opening QuickSight for the first time.
In this solution, one SAML federation role corresponds to a QuickSight group. There are four sample SAML roles:
The following code is the sample
CreateUser CloudTrail event:
This event triggers the CloudWatch events rule
CreateUser. The following screenshot shows the details of this rule.
CreateUser rule triggers the Lambda function
User_Initiation. This function gets the QuickSight group name (
BI Developer) and compares the group name with the existing group list. If such a group exists, it adds this new user into that group (
CreateGroupMembership). Otherwise, it creates a new group (
Data_Prepare Lambda function is triggered by adding a new user into a group event (
CreateGroupMembership). This function calls the QuickSight API
describe_data_source_permissions to get the object access permissions. It also calls the APIs
list_user_groups and list_users to get the list of users and the groups of each user. Finally, this function creates two files containing QuickSight group, user, or object access information, and saves these files into a S3 bucket.
If a new QuickSight group is created, it triggers the Lambda function
Group_Initiation to update the QuickSight dashboard, dataset, or data source permission for this new group. For example, if the HR group is created, the Group_Initiation function lets the HR group view the Employee Information dashboard.
UpdateDatasourcePermissions events trigger the Lambda function
Data_Prepare to update the object access permissions information stored in the S3 bucket.
The following screenshot is sample data of the Groups table.
The following screenshot is sample data of the Objects table.
You can create a
DirectQuery dataset in QuickSight with the two new Athena tables joined. See the following screenshot.
Objects table contains the information of objects (such as dashboards and datasets) belonging to each group or user. Furthermore, we can create a calculated field called
Ownership based on
Permissions information (the
actions column in
objects table) to provide the objects owner with viewer or user information (the object owner can delete this object, whereas the viewer or user can’t do the deletion action).
The following screenshot shows the relevant code.
For instructions on building an Athena table with CloudTrail events, see Amazon QuickSight Now Supports Audit Logging with AWS CloudTrail. For this post, we create the table
cloudtrail_logs in the
After that, run the following SQL query to build an Athena view with QuickSight events for the last 24 hours:
Running queries in Athena
Now we have the datasets ready in Athena and can run SQL queries against them to answer some common administrative questions.
To create a QuickSight dataset to catch all orphan users that don’t belong to any group, as well as the events done by these users in the last 24 hours, run the following SQL query:
To create a QuickSight dataset to list objects belonging to each group or user, run the following query:
The following screenshot shows the sample data.
In addition to running queries directly in Athena, we can build a dashboard using this same data in QuickSight. The following screenshot shows an example dashboard that you can make using our data.
You can interactively play with the sample dashboard in the following Interactive Dashboard Demo.
To avoid incurring future charges, delete the resources you created by running the following command:
Then, on the Amazon S3 console, delete the S3 bucket
This post discussed how BI administrators can use the QuickSight dashboard, Lambda functions, and other AWS services to create a centralized view of groups, users, and objects access permission information and abnormal access auditing. We also presented a serverless data pipeline to support the administrative dashboard. This dashboard can provide you with unique security insights with its collection of comprehensive security information.
About the Author
Ying Wang is a Data Visualization Engineer with the Data & Analytics Global Specialty Practice in AWS Professional Services.