Tag based Row Level Security for Anonymous Users in Amazon QuickSight

Introduction

In the age of advanced analytics and the abundance of big data, the protection of data and the assurance that it is accessible only to authorized individuals is of utmost importance. Amazon QuickSight, a cloud-based business intelligence service, offers a robust capability known as tag-based row-level security. This feature empowers organizations to strengthen data security, extending its benefits even to users who remain anonymous. In this blog post, we will delve into the application of tag-based row-level security and its potential to create dynamic and secure data visualizations within Amazon QuickSight, serving the needs of authenticated and unauthenticated users.

Pioneers in Cloud Consulting & Migration Services

Reduced infrastructural costs
Accelerated application deployment

Get Started

What is Row-Level Security in Amazon Quicksight?

Amazon QuickSight is a cloud-based business intelligence service that is fully managed and serverless, simplifying the creation of interactive data visualizations. Amazon QuickSight row-level security feature empowers you to regulate data access by considering user attributes or roles.

Although traditionally focused on authenticated users, the introduction of tag-based row-level security broadens the scope, now offering advanced data protection even for anonymous users.

What is Tag Based Row Level Security?

The tag-based row-level security in Amazon QuickSight talks about linking data rows with one or multiple tags. Additionally, users, including anonymous visitors, are assigned specific tags, and access to data is governed by the alignment of the tags assigned to the data and those assigned to the user. This method introduces a dynamic approach to data access control that doesn’t depend solely on fixed user roles.

Steps for Tag Based Row Level Security for Anonymous Users

Add RLS tag to the dataset:

From Amazon Quicksight, choose the dataset to which you want to add tags and open that.
On the dataset details page, at Row-level security, select Set up. Then, the setup row level security page opens, and select tag based rules.

step1

In the column drop down choose manager_name ( it only shows string type columns).
At the tag block, enter any tag you prefer. In our case, I’m giving it as manager_name_tag.
Choose ‘,’(comma) as a delimiter in the delimiter block. This is used when we are giving multiple values for the tag.
In Match All blocks, choose the *, or you can enter your preferred character or characters.
Now select Add, and the tag will be shown below. You can repeat the same steps if you want to add multiple tags.
Now Tap on Apply Rules to apply the tags you have added.
On the Turn on tag-based securityPage that opens, choose Apply and activate.

step1b

The tag-based rules are now active. On the Set up row-level security page, a toggle appears for you to turn tag rules on and off for the dataset.

2. Assign values to RLS tags at runtime for Anonymous User:

Create an AWS Lambda function by giving access to Amazon QuickSight in the AWS IAM Role and select the language as Python 3.9.
Below is the Python code for the AWS Lambda function to generate an embed URL.

import boto3
from botocore.exceptions import ClientError
import time
quicksightClient = boto3.client('quicksight',region_name='ap-south-1')
sts = boto3.client('sts')
def lambda_handler(event, context):
    try:
        response = quicksightClient.generate_embed_url_for_anonymous_user(
            AwsAccountId = 'XXXXXXXXX',
            Namespace = 'default',
            AuthorizedResourceArns =['arn:aws:quicksight:ap-south-1:278814536435:dashboard/08640bc1-3d71-4476-9fda-95bfcb2eecc0'], 
         ExperienceConfiguration = {'Dashboard':{'InitialDashboardId':'08640bc1-3d71-4476-9fda-95bfcb2eecc0'}},
            SessionTags =[
                             {'Key':'manager_name_tag', 'Value':'vikas'}
                          ],     
            SessionLifetimeInMinutes = 600
        )
        return response['EmbedUrl']
    except ClientError as e:
        print(e)
        return "Error generating embeddedURL: " + str(e)

import boto3

from botocore.exceptions import ClientError

import time

quicksightClient = boto3.client('quicksight',region_name='ap-south-1')

sts = boto3.client('sts')

def lambda_handler(event, context):

try:

response = quicksightClient.generate_embed_url_for_anonymous_user(

AwsAccountId = 'XXXXXXXXX',

Namespace = 'default',

AuthorizedResourceArns =['arn:aws:quicksight:ap-south-1:278814536435:dashboard/08640bc1-3d71-4476-9fda-95bfcb2eecc0'],

ExperienceConfiguration = {'Dashboard':{'InitialDashboardId':'08640bc1-3d71-4476-9fda-95bfcb2eecc0'}},

SessionTags =[

{'Key':'manager_name_tag', 'Value':'vikas'}

SessionLifetimeInMinutes = 600

)

return response['EmbedUrl']

except ClientError as e:

print(e)

return "Error generating embeddedURL: " + str(e)

In the above code, replace configuration details like Dashboardid,region_name, Account id with your details. Then, it will generate an embed URL for the dashboard with the details of manager_tag_key values given.
Below is the dashboard shown by the generated URL.

step2

Attach the policy below to the role that AWS Lambda is using. In the role below, replace the dashboard ID with your dashboard ID.

AWS IAM Policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "quicksight:GenerateEmbedUrlForAnonymousUser"
            ],
            "Resource": [
                "arn:aws:quicksight:*:*:namespace/default",
                "arn:aws:quicksight:*:*:dashboard/02c742cc-a546-4c03-a599-4567570ce950"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
]
            }

{

"Version": "2012-10-17",

"Statement": [

{

"Action": [

"quicksight:GenerateEmbedUrlForAnonymousUser"

"Resource": [

"arn:aws:quicksight:*:*:namespace/default",

"arn:aws:quicksight:*:*:dashboard/02c742cc-a546-4c03-a599-4567570ce950"

"Effect": "Allow"

{

"Action": [

"logs:CreateLogGroup",

"logs:CreateLogStream",

"logs:PutLogEvents"

"Resource": "*",

"Effect": "Allow"

}

]

}

Conclusion

Implementing Tag-based row-level security in Amazon QuickSight offers multiple opportunities to improve data visualization and protect data, catering to authenticated users and anonymous visitors. This approach allows organizations to uphold strong data security measures while delivering a customized and regulated user experience.

Drop a query if you have any questions regarding Amazon QuickSight and we will get back to you quickly.

Making IT Networks Enterprise-ready – Cloud Management Services

Accelerated cloud migration
End-to-end view of the cloud environment

Get Started

About CloudThat

CloudThat is a leading provider of Cloud Training and Consulting services with a global presence in India, the USA, Asia, Europe, and Africa. Specializing in AWS, Microsoft Azure, GCP, VMware, Databricks, and more, the company serves mid-market and enterprise clients, offering comprehensive expertise in Cloud Migration, Data Platforms, DevOps, IoT, AI/ML, and more.

FAQs

1. Can tag ley take multiple values?

ANS: – Yes, we can pass multiple values for a single tag key. For example: {‘Key’:’manager_name_tag’, ‘Value’:’vikas,varun’}

2. Is there any Additional pricing for anonymous users?

ANS: – Yes, we have enabled session capacity pricing in Amazon QuickSight to generate the URL. For more details, refer to Reader session capacity pricing from Amazon QuickSight Pricing – Business Intelligence Service – Amazon Web Services.

3. Can tag based row level security be done only for anonymous users?

ANS: – No, tag based row level security can also be done for registered users.