

# Configuring Amazon Quick Sight access to Amazon data sources

Use this section to help you configure access to resources in other Amazon services.

We recommend that you use SSL to secure Amazon Quick Sight connections to your data sources. To use SSL, you must have a certificate signed by a recognized certificate authority (CA). Amazon Quick doesn't accept certificates that are self-signed or issued from a nonpublic CA. For more information, see [Amazon Quick SSL and CA certificates](https://docs.amazonaws.cn/quicksuite/latest/userguide/configure-access.html#network-configuration-requirements).

**Topics**
+ [Required permissions](required-permissions.md)
+ [Network and database configuration requirements](configure-access.md)
+ [Allowing autodiscovery of Amazon resources](autodiscover-aws-data-sources.md)
+ [Authorizing connections from Amazon Quick Sight to Amazon data stores](enabling-access.md)
+ [Exploring your Amazon data in Amazon Quick](explore-in-quicksight.md)
+ [Amazon service action connectors](builtin-services-integration.md)

# Required permissions


When you connect to an Amazon Quick Sight data source that requires a user name, that user must have `SELECT` permissions on certain system tables. These permissions allow Amazon Quick Sight to discover table schemas and estimate table sizes.

The following table identifies the tables that the account must have `SELECT` permissions for, depending on the type of database you are connecting to. These requirements apply for all database instances you connect to, regardless of their environment. In other words, they apply whether your database instances are on-premises, in Amazon RDS, in Amazon EC2, or elsewhere.



| Instance type | Tables |
| --- | --- |
| Amazon Aurora | `INFORMATION_SCHEMA.STATISTICS`, `INFORMATION_SCHEMA.TABLES` |
| Amazon Redshift | `pg_stats`, `pg_class`, `pg_namespace` |
| MariaDB | `INFORMATION_SCHEMA.STATISTICS`, `INFORMATION_SCHEMA.TABLES` |
| Microsoft SQL Server | `DBCC SHOW_STATISTICS`, `sp_statistics` |
| MySQL | `INFORMATION_SCHEMA.STATISTICS`, `INFORMATION_SCHEMA.TABLES` |
| Oracle | `DBA_TAB_COLS`, `ALL_TABLES`, `dba_segments`, `all_segments`, `user_segments` |
| PostgreSQL | `pg_stats`, `pg_class`, `pg_namespace` |
| ServiceNow | `sys_dictionary` (column metadata), `sys_db_object` (table metadata), `sys_glide_object` (field type metadata) |

**Note**  
 If you are using MySQL or PostgreSQL, verify that you are connecting from an allowed host or IP address. For more detail, see [Database configuration requirements for self-administered instances](https://docs.amazonaws.cn/quicksuite/latest/userguide/configure-access.html#database-configuration-requirements). 

# Network and database configuration requirements


To serve as data sources, databases need to be configured so that Amazon Quick can access them. Use the following sections to make sure that your database is configured appropriately. 

**Important**  
Because a database instance on Amazon EC2 is administered by you rather than Amazon, it must meet both the [Network configuration requirements](https://docs.amazonaws.cn/quicksuite/latest/userguide/configure-access.html#network-configuration-requirements) as well as the [Database configuration requirements for self-administered instances](https://docs.amazonaws.cn/quicksuite/latest/userguide/configure-access.html#database-configuration-requirements).

**Topics**
+ [Network configuration requirements](#network-configuration-requirements)
+ [Database configuration requirements for self-administered instances](#database-configuration-requirements)

## Network configuration requirements



**Intended audience:** System administrators

For you to use your database server from Amazon Quick, your server must be accessible from the internet. It must also allow inbound traffic from Amazon Quick servers. 

If the database is on Amazon and in the same Amazon Web Services Region as your Amazon Quick account, you can auto-discover the instance to make connecting to it easier. To do this, you must grant Amazon Quick permissions to access it. For more information, see [Accessing data sources](https://docs.amazonaws.cn/quicksight/latest/user/access-to-aws-resources.html).

**Topics**
+ [Network configuration for an Amazon instance in a default VPC](#network-configuration-aws-default-vpc)
+ [Network configuration for an Amazon instance in a nondefault VPC](#network-configuration-aws-nondefault-vpc)
+ [Network configuration for an Amazon instance in a private VPC](#network-configuration-aws-private-vpc)
+ [Network configuration for an Amazon instance that is not in a VPC](#network-configuration-aws-no-vpc)
+ [Network configuration for a database instance other than Amazon](#network-configuration-not-aws)

### Network configuration for an Amazon instance in a default VPC


In some cases, your database might be on an Amazon cluster or instance that you created in a default VPC. Thus, it's publicly accessible (that is, you didn't choose to make it private). In such cases, your database is already appropriately configured to be accessible from the internet. However, you still need to enable access from Amazon Quick servers to your Amazon cluster or instance. For further details on how to do this, choose the appropriate topic following:
+ [Authorizing connections from Amazon Quick to Amazon RDS database instances](https://docs.amazonaws.cn/quicksight/latest/user/enabling-access-rds.html)
+ [Authorizing connections from Amazon Quick to Amazon Redshift clusters](https://docs.amazonaws.cn/quicksight/latest/user/enabling-access-redshift.html)
+ [Authorizing connections from Amazon Quick to Amazon EC2 instances](https://docs.amazonaws.cn/quicksight/latest/user/enabling-access-ec2.html)

### Network configuration for an Amazon instance in a nondefault VPC


If you are configuring an Amazon instance in a nondefault VPC, make sure that the instance is publicly accessible and that the VPC has the following: 
+ An internet gateway.
+ A public subnet.
+ A route in the route table between the internet gateway and the Amazon instance.
+ Network access control lists (ACLs) in your VPC that allow traffic between the cluster or instance and Amazon Quick servers. These ACLs must do the following:
  + Allow inbound traffic from the appropriate Amazon Quick IP address range and all ports to the IP address and port that the database is listening on.
  + Allow outbound traffic from the database’s IP address and port to the appropriate Amazon Quick IP address range and all ports.

  For more information about Amazon Quick IP address ranges, see [IP address ranges for Amazon Quick](https://docs.amazonaws.cn/quicksuite/latest/userguide/regions.html) following.

  For more information about configuring VPC ACLs, see [Network ACLs](https://docs.amazonaws.cn/vpc/latest/userguide/VPC_ACLs.html).
+ Security group rules that allow traffic between the cluster or instance and Amazon Quick servers. For further details on how to create appropriate security group rules, see [Authorizing connections to Amazon data sources](https://docs.amazonaws.cn/quicksight/latest/user/enabling-access.html).

For more information about configuring a VPC in the Amazon VPC service, see [Networking in Your VPC](https://docs.amazonaws.cn/vpc/latest/userguide/VPC_Networking.html).

### Network configuration for an Amazon instance in a private VPC


If your database is on an Amazon cluster or instance that you created in a private VPC, you can use it with Amazon Quick. For more information, see [Connecting to a Amazon VPC with Amazon Quick](https://docs.amazonaws.cn/quicksight/latest/user/working-with-aws-vpc.html).

For more information on Amazon VPC, see [Amazon VPC](https://aws.amazon.com/vpc/) and [Amazon VPC Documentation](https://docs.amazonaws.cn/vpc/).

### Network configuration for an Amazon instance that is not in a VPC


If you are configuring an Amazon instance that is not in a VPC, make sure that the instance is publicly accessible. Also, make sure that there is a security group rule that allows traffic between the cluster or instance and Amazon Quick servers. For further details on how to do this, choose the appropriate topic following:
+ [Authorizing connections from Amazon Quick to Amazon RDS database instances](https://docs.amazonaws.cn/quicksight/latest/user/enabling-access-rds.html)
+ [Authorizing connections from Amazon Quick to Amazon Redshift clusters](https://docs.amazonaws.cn/quicksight/latest/user/enabling-access-redshift.html)
+ [Authorizing connections from Amazon Quick to Amazon EC2 instances](https://docs.amazonaws.cn/quicksight/latest/user/enabling-access-ec2.html)

### Network configuration for a database instance other than Amazon


To use SSL to secure your connections to your database (*recommended*), make sure that you have a certificate signed by a recognized certificate authority (CA). Amazon Quick doesn't accept certificates that are self-signed or issued from a nonpublic CA. For more information, see [Amazon Quick SSL and CA certificates](https://docs.amazonaws.cn/quicksuite/latest/userguide/configure-access.html#database-configuration-requirements).

If your database is on a server other than Amazon, you must change that server's firewall configuration to accept traffic from the appropriate Amazon Quick IP address range. For more information about Amazon Quick IP address ranges, see [IP address ranges for Amazon Quick](https://docs.amazonaws.cn/quicksuite/latest/userguide/regions.html). For any other steps that you need to take to enable internet connectivity, see your operating system documentation.

#### Amazon Quick SSL and CA certificates


We recommend that you use a public certificate issued by [Amazon Certificate Manager (ACM)](https://docs.aws.amazon.com/acm/latest/userguide/). Amazon Quick supports the same certificate authorities (CAs) as Mozilla, so if you don't use ACM, use a certificate issued by a CA on the [Mozilla Included CA Certificate List](https://wiki.mozilla.org/CA/Included_Certificates).

#### IP address ranges for Amazon Quick


For more information on the IP address ranges for Amazon Quick in supported Regions, see [Amazon Regions, websites, IP address ranges, and endpoints](https://docs.amazonaws.cn/quicksight/latest/user/regions.html).

## Database configuration requirements for self-administered instances



**Intended audience:** System administrators and Amazon Quick administrators

For a database to be accessible to Amazon Quick, it must meet the following criteria: 
+ It must be accessible from the internet. To enable internet connectivity, see your database management system documentation.
+ It must be configured to accept connections and authenticate access using the user credentials that you provide as part of creating the data set.
+ If you are connecting to MySQL or PostgreSQL, the database engine must be accessible from your host or IP range. This optional security limitation is specified in MySQL or PostgreSQL connection settings. If this limitation is in place, any attempt to connect from a nonspecified host or IP address is rejected, even if you have the correct username and password.
+ In MySQL, the server accepts the connection only if the user and host are verified in the user table. For more information, see [Access Control, Stage 1: Connection Verification](https://dev.mysql.com/doc/refman/5.7/en/connection-access.html) in the MySQL documentation.
+ In PostgreSQL, you control client authentication by using the `pg_hba.conf` file in the database cluster's data directory. However, this file might be named and located differently on your system. For more information, see [Client Authentication](https://www.postgresql.org/docs/9.3/static/client-authentication.html) in the PostgreSQL documentation.

# Allowing autodiscovery of Amazon resources



**Applies to:** Enterprise Edition and Standard Edition

**Intended audience:** System administrators

Each Amazon service that you access from Amazon Quick needs to allow traffic from Quick. Instead of opening each service console separately to add permissions, a Quick administrator can do this in the administration screen. Before you begin, make sure that you have addressed the following prerequisites. 

If you choose to enable autodiscovery of Amazon resources for your Quick account, Quick creates an Amazon Identity and Access Management (IAM) role in your Amazon Web Services account. This IAM role grants your account permission to identify and retrieve data from your Amazon data sources.

Because Amazon limits the number of IAM roles that you can create, make sure that you have at least one free role. You need this role for Amazon Quick to use if you want Amazon Quick to autodiscover your Amazon resources.

You can have Amazon Quick autodiscover Amazon RDS DB instances or Amazon Redshift clusters that are associated with your Amazon Web Services account. These resources must be located in the same Amazon Web Services Region as your Amazon Quick account. 

If you choose to enable autodiscovery, choose one of the following options to make the Amazon resource accessible:
+ For Amazon RDS DB instances that you created in a default VPC and didn't make private, or that aren't in a VPC (EC2-Classic instances), see [Authorizing connections from Amazon Quick to Amazon RDS instances](https://docs.amazonaws.cn/quicksight/latest/user/enabling-access-rds.html). In this topic, you can find information on creating a security group to allow connections from Amazon Quick servers.
+ For Amazon Redshift clusters that you created in a default VPC and didn't choose to make private, or that aren't in a VPC (that is, EC2-Classic instances), see [Authorizing connections from Amazon Quick to Amazon Redshift clusters](https://docs.amazonaws.cn/quicksight/latest/user/enabling-access-redshift.html). In this topic, you can find information on creating a security group to allow connections from Amazon Quick servers.
+ For an Amazon RDS DB instance or Amazon Redshift cluster that is in a nondefault VPC, see [Authorizing connections from Amazon Quick to Amazon RDS instances](https://docs.amazonaws.cn/quicksight/latest/user/enabling-access-rds.html) or [Authorizing connections from Amazon Quick to Amazon Redshift clusters](https://docs.amazonaws.cn/quicksight/latest/user/enabling-access-redshift.html). In these topics, you can find information on first creating a security group to allow connections from Amazon Quick servers. In addition, you can find information on then verifying that the VPC meets the requirements described in [Network configuration for an Amazon instance in a nondefault VPC](https://docs.amazonaws.cn/quicksight/latest/user/configure-access.html#network-configuration-aws-nondefault-vpc). 
+ If you don't use a private VPC, set up the Amazon RDS instance to allow connections from the Amazon Quick Region's public IP address.

Enabling autodiscovery is the easiest way to make this data available in Amazon Quick. You can still manually create data connections whether or not you enable autodiscovery. 

# Authorizing connections from Amazon Quick Sight to Amazon data stores


**Applies to:** Enterprise Edition and Standard Edition

**Intended audience:** System administrators

For Amazon Quick Sight to access your Amazon resources, you must create security groups for them that authorize connections from the IP address ranges used by Amazon Quick Sight servers. You must have Amazon credentials that permit you to access these Amazon resources to modify their security groups.

Use the procedures in the following sections to enable Amazon Quick Sight connections.

**Topics**
+ [Authorizing connections from Amazon Quick Sight to Amazon RDS DB instances](enabling-access-rds.md)
+ [Authorizing connections from Amazon Quick Sight to Amazon Redshift clusters](enabling-access-redshift.md)
+ [Authorizing connections from Amazon Quick to Amazon EC2 instances](enabling-access-ec2.md)
+ [Authorizing connections through Amazon Lake Formation](lake-formation.md)
+ [Authorizing connections to Amazon OpenSearch Service](opensearch.md)
+ [Authorizing connections to Amazon Athena](athena.md)
+ [Data access integrations](data-access-integrations.md)

# Authorizing connections from Amazon Quick Sight to Amazon RDS DB instances


**Applies to:** Enterprise Edition and Standard Edition

**Intended audience:** System administrators

For Amazon Quick Sight to connect to an Amazon RDS DB instance, you must create a new security group for that DB instance. This security group contains an inbound rule authorizing access from the appropriate IP address range for the Quick servers in that Amazon Web Services Region. To learn more about authorizing Quick connections, see [Manually enabling access to an Amazon RDS instance in a VPC](https://docs.amazonaws.cn/quicksight/latest/user/rds-vpc-access.html) or [Manually enabling access to an Amazon RDS instance that is not in a VPC](https://docs.amazonaws.cn/quicksight/latest/user/rds-classic-access.html).

To create and assign a security group for an Amazon RDS DB instance, you must have Amazon credentials that permit access to that DB instance.

Enabling connection from Amazon Quick servers to your instance is just one of several prerequisites for creating a data set based on an Amazon database data source. For more information about what is required, see [Creating a dataset from a database](https://docs.amazonaws.cn/quicksight/latest/user/create-a-database-data-set.html).

**Topics**
+ [Manually enabling Amazon Quick Sight access to an Amazon RDS instance in a VPC](#rds-vpc-access)
+ [Manually enabling access from Amazon Quick Sight to an Amazon RDS instance that is not in a VPC](#rds-classic-access)

## Manually enabling Amazon Quick Sight access to an Amazon RDS instance in a VPC

Use the following procedure to enable Amazon Quick Sight access to an Amazon RDS DB instance in a VPC. If your Amazon RDS DB instance is in a subnet that is private (in relation to Amazon Quick) or that has internet gateways attached, see [Connecting to a VPC with Amazon Quick](https://docs.amazonaws.cn/quicksight/latest/user/working-with-aws-vpc.html).

**To enable Amazon Quick Sight access to an Amazon RDS DB instance in a VPC**

1. Sign in to the Amazon Web Services Management Console and open the Amazon RDS console at [https://console.amazonaws.cn/rds/](https://console.amazonaws.cn/rds/).

1. Choose **Databases**, locate the DB instance, and view its details. To do this, you click directly on its name (a hyperlink in the **DB identifier** column).

1. Locate **Port** and note the **Port** value. This can be a number or a range.

1. Locate **VPC** and note the **VPC** value. 

1. Choose the **VPC** value to open the VPC console. In the Amazon VPC Management Console, choose **Security Groups** in the navigation pane.

1. Choose **Create Security Group**.

1. On the **Create Security Group** page, enter the security group information as follows:
   + For **Name tag** and **Group name**, enter **Amazon-QuickSight-access**.
   + For **Description**, enter **Amazon-QuickSight-access**.
   + For **VPC**, choose the VPC for your instance. This VPC is the one with the **VPC ID** that you noted previously.

1. Choose **Create**. On the confirmation page, note the **Security Group ID**. Choose **Close** to exit this screen.

1. Choose your new security group from the list, and then choose **Inbound Rules** from the tab list below. 

1. Choose **Edit rules** to create a new rule. 

1. On the **Edit inbound rules** page, choose **Add rule** to create a new rule. 

   Use the following values:
   + For **Type**, choose **Custom TCP Rule**.
   + For **Protocol**, choose **TCP**.
   + For **Port Range**, enter the port number or range of the Amazon RDS cluster. This port number (or range) is the one that you noted previously.
   + For **Source**, choose **Custom** from the list. Next to the word "Custom", enter the CIDR address block for the Amazon Web Services Region where you plan to use Amazon Quick. 

     For example, for Europe (Ireland) you would enter Europe (Ireland)'s CIDR address block: `52.210.255.224/27`. For more information on the IP address ranges for Amazon Quick in supported Amazon Web Services Regions, see [Amazon Regions, websites, IP address ranges, and endpoints](https://docs.amazonaws.cn/quicksight/latest/user/regions.html).
     **Note**  
     If you have activated Amazon Quick in multiple Amazon Web Services Regions, you can create inbound rules for each Amazon Quick endpoint CIDR. Doing this allows Amazon Quick to have access to the Amazon RDS DB instance from any Amazon Region defined in the inbound rules.  
     Anyone who uses Amazon Quick in multiple Amazon Web Services Regions is treated as a single user. In other words, even if you are using Amazon Quick in every Amazon Web Services Region, both your Amazon Quick subscription (sometimes called an 'account') and your users are global.

1. For **Description**, enter a useful description, for example "*Europe (Ireland) QuickSight*". 

1. Choose **Save rules** to save your new inbound rule. Then choose **Close**.

1. Go back to the detailed view of the DB instance. Return to the Amazon RDS console ([https://console.aws.amazon.com/rds/](https://console.aws.amazon.com/rds/)) and choose **Databases**.

1. Choose the DB identifier for the relevant RDS instance. Choose **Modify**. The same screen displays whether you choose Modify from the databases screen or the DB instance screen: **Modify DB Instance**.

1. Locate the **Network & Security** section (the third section from the top). 

   The currently assigned security group or groups are already chosen for **Security Group**. Don't remove any of the existing ones unless you are sure.

   Instead, choose your new security group to add it to the other groups that are selected. If you followed the name suggested previously, this group might be named something similar to **Amazon-QuickSight-access**.

1. Scroll to the bottom of the screen. Choose **Continue**, and then choose **Modify DB Instance**.

1. Choose **Apply during the next scheduled maintenance** (the screen indicates when this will occur).

   Don't choose **Apply immediately**. Doing this also applies any additional changes that are in the pending modifications queue. Some of these changes might require downtime. If you bring the server down outside the maintenance window, this can cause a problem for users of this DB instance. Consult your system administrators before applying immediate changes.

1. Choose **Modify DB Instance** to confirm your changes. Then, wait for the next maintenance window to pass.
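Once the rule is saved, it is worth confirming that the resulting security group admits exactly the Quick range on the database port and nothing broader, which is the same requirement the network ACL section above states for the nondefault VPC case. The following Python is an added example, not part of the AWS documentation or of any AWS tool: it assumes a permissions list shaped like the `IpPermissions` element of `aws ec2 describe-security-groups` output (constructed inline here), and uses the Europe (Ireland) CIDR quoted above.

```python
"""Audit a security group's inbound rules for an RDS/Redshift data source.

Checks, against the requirements on this page:
  1. the Amazon Quick CIDR for the Region is allowed on the DB port;
  2. the DB port is not exposed to public ranges other than that CIDR.
"""
import ipaddress

# Europe (Ireland) Amazon Quick CIDR quoted on this page.
QUICK_CIDR_EU_WEST_1 = "52.210.255.224/27"

# Constructed sample input shaped like the IpPermissions list returned by
# `aws ec2 describe-security-groups` (only the fields used here are present).
SAMPLE_PERMISSIONS = [
    {   # the rule the procedure above creates
        "IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
        "IpRanges": [{"CidrIp": "52.210.255.224/27",
                      "Description": "Europe (Ireland) QuickSight"}],
        "Ipv6Ranges": [],
    },
    {   # a pre-existing rule that exposes the DB port to the whole internet
        "IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
        "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
        "Ipv6Ranges": [],
    },
    {   # unrelated rule on another port; must be ignored by the audit
        "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
        "IpRanges": [{"CidrIp": "10.0.0.0/16"}],
        "Ipv6Ranges": [],
    },
]


def _covers_port(perm, port):
    """True if the rule admits TCP traffic to `port` ("-1" means all traffic)."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def _sources(perm):
    """Yield every IPv4/IPv6 source network listed on the rule."""
    for r in perm.get("IpRanges", []):
        yield ipaddress.ip_network(r["CidrIp"])
    for r in perm.get("Ipv6Ranges", []):
        yield ipaddress.ip_network(r["CidrIpv6"])


def audit_ingress(permissions, db_port, quick_cidr):
    """Return findings for `db_port`.

    allows_quick  -- some rule on db_port admits the whole Quick range
    quick_exact   -- that rule is scoped to exactly the Quick range and db_port
    over_exposed  -- source ranges on db_port that are public and wider than,
                     or different from, the Quick range (RFC 1918 ranges are
                     not flagged, since VPC-internal clients are expected)
    """
    quick = ipaddress.ip_network(quick_cidr)
    findings = {"allows_quick": False, "quick_exact": False, "over_exposed": []}
    for perm in permissions:
        if not _covers_port(perm, db_port):
            continue
        exact_port = (perm.get("IpProtocol") == "tcp"
                      and perm.get("FromPort") == perm.get("ToPort") == db_port)
        for src in _sources(perm):
            if src.version == quick.version and quick.subnet_of(src):
                findings["allows_quick"] = True
                if src == quick and exact_port:
                    findings["quick_exact"] = True
                if src != quick:                      # e.g. 0.0.0.0/0
                    findings["over_exposed"].append(str(src))
            elif not src.is_private:
                findings["over_exposed"].append(str(src))
    return findings


if __name__ == "__main__":
    result = audit_ingress(SAMPLE_PERMISSIONS, 5432, QUICK_CIDR_EU_WEST_1)
    print(result)
    if not result["allows_quick"]:
        print("Quick range is NOT allowed on the DB port")
    for cidr in result["over_exposed"]:
        print(f"DB port is reachable from a public range other than Quick: {cidr}")
```

On the constructed sample the audit reports that the Quick rule is present and exact, and flags `0.0.0.0/0` as over-exposure on port 5432; the same check on port 3306 reports no Quick rule at all.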

## Manually enabling access from Amazon Quick Sight to an Amazon RDS instance that is not in a VPC

Use the following procedure to access an Amazon RDS DB instance that is not in a VPC. You can associate a security group with a DB instance by using **Modify** on the RDS console, the `ModifyDBInstance` Amazon RDS API, or the `modify-db-instance` Amazon CLI command.

**Note**  
This section is included for backward compatibility.

**To use the console to access an Amazon RDS DB instance that is not in a VPC**

1. Sign in to the Amazon Web Services Management Console and open the Amazon RDS console at [https://console.amazonaws.cn/rds/](https://console.amazonaws.cn/rds/).

1. Choose **Databases**, select the DB instance, and choose **Modify**.

1. Choose **Security Groups** in the navigation pane.

1. Choose **Create DB Security Group**.

1. Enter **Amazon-QuickSight-access** for the **Name** and **Description** values, and then choose **Create**.

1. The new security group is selected by default.

   Select the details icon next to the security group.

1. For **Connection Type**, choose **CIDR/IP**.

1. For **CIDR/IP to Authorize**, enter the appropriate CIDR address block. For more information on the IP address ranges for Amazon Quick in supported Amazon Web Services Regions, see [Amazon Regions, websites, IP address ranges, and endpoints](https://docs.amazonaws.cn/quicksight/latest/user/regions.html).

1. Choose **Authorize**.

1. Return to the **Instances** page of the Amazon RDS Management Console, choose the instance that you want to enable access to, choose **Instance Actions**, and then choose **Modify**. 

1. In the **Network & Security** section, the currently assigned security group or groups are already chosen for **Security Group**. Press CTRL and choose **Amazon-QuickSight-access** in addition to the other selected groups.

1. Choose **Continue**, and then choose **Modify DB Instance**.

# Authorizing connections from Amazon Quick Sight to Amazon Redshift clusters


**Applies to:** Enterprise Edition and Standard Edition

**Intended audience:** System administrators

You can provide access to Amazon Redshift data using three authentication methods: trusted identity propagation, run-as IAM role, or Amazon Redshift database credentials.

With trusted identity propagation, a user's identity is passed to Amazon Redshift with single sign-on that is managed by IAM Identity Center. A user who accesses a dashboard in Amazon Quick Sight has their identity propagated to Amazon Redshift. In Amazon Redshift, fine-grained data permissions are applied to the data before it is presented to the user in an Amazon Quick asset. Amazon Quick authors can also connect to Amazon Redshift data sources without a password input or IAM role. If Amazon Redshift Spectrum is used, all permission management is centralized in Amazon Redshift. Trusted identity propagation is supported when Amazon Quick and Amazon Redshift use the same organization instance of IAM Identity Center. Trusted identity propagation is not currently supported for the following features.
+ SPICE datasets
+ Custom SQL on data sources
+ Alerts
+ Email reports
+ Amazon Quick Q
+ CSV, Excel, and PDF exports
+ Anomaly detection

For Amazon Quick to connect to an Amazon Redshift instance, you must create a new security group for that instance. This security group contains an inbound rule that authorizes access from the appropriate IP address range for the Amazon Quick servers in that Amazon Web Services Region. To learn more about authorizing Amazon Quick connections, see [Manually enabling access to an Amazon Redshift cluster in a VPC](https://docs.amazonaws.cn/quicksight/latest/user/redshift-vpc-access.html).

Enabling connection from Amazon Quick servers to your cluster is just one of several prerequisites for creating a data set based on an Amazon database data source. For more information about what is required, see [Creating a dataset from a database](https://docs.amazonaws.cn/quicksuite/latest/userguide/create-a-database-data-set.html).

**Topics**
+ [Enabling trusted identity propagation with Amazon Redshift](#redshift-trusted-identity-propagation)
+ [Manually enabling access to an Amazon Redshift cluster in a VPC](#redshift-vpc-access)
+ [Enabling access to Amazon Redshift Spectrum](#redshift-spectrum-access)

## Enabling trusted identity propagation with Amazon Redshift

Trusted identity propagation authenticates the end user in Amazon Redshift when they access Amazon Quick assets that leverage a trusted identity propagation enabled data source. When an author creates a data source with trusted identity propagation, the identity of the data source consumers in Amazon Quick Sight is propagated and logged in CloudTrail. This allows database administrators to centrally manage data security in Amazon Redshift and automatically apply all data security rules to data consumers in Amazon Quick. With other authentication methods, the data permissions of the author who created the data source are applied to all data source consumers. The data source author can choose to apply additional row and column level security to the data sources that they create in Amazon Quick Sight.

Trusted identity propagation data sources are supported only in Direct Query datasets. SPICE datasets do not currently support trusted identity propagation.

**Topics**
+ [Prerequisites](#redshift-trusted-identity-propagation-prerequisites)
+ [Enabling trusted identity propagation in Amazon Quick Sight](#redshift-trusted-identity-propagation-enable)
+ [Connecting to Amazon Redshift with trusted identity propagation](#redshift-trusted-identity-propagation-connect)

### Prerequisites


Before you get started, make sure that you have all of the required prerequisites ready.
+ Trusted identity propagation is only supported for Amazon Quick accounts that are integrated with IAM Identity Center. For more information, see [Configure your Amazon Quick account with IAM Identity Center](https://docs.amazonaws.cn/quicksight/latest/user/sec-identity-management-identity-center.html).
+ An Amazon Redshift application that is integrated with IAM Identity Center. The Amazon Redshift cluster that you use must be in the same organization in Amazon Organizations as the Amazon Quick account that you want to use. The cluster must also be configured with the same organization instance of IAM Identity Center that your Amazon Quick account is configured with. For more information about configuring an Amazon Redshift cluster, see [Integrating IAM Identity Center](https://docs.amazonaws.cn/redshift/latest/mgmt/redshift-iam-access-control-idp-connect.html).

### Enabling trusted identity propagation in Amazon Quick Sight


To configure Amazon Quick Sight to connect to Amazon Redshift data sources with trusted identity propagation, configure Amazon Redshift OAuth scopes to your Amazon Quick account.

To add a scope that allows Amazon Quick to authorize identity propagation to Amazon Redshift, specify the Amazon Web Services account ID of the Amazon Quick account and the service that you want to authorize identity propagation with, in this case `'REDSHIFT'`.

Specify the IAM Identity Center application ARN of the Amazon Redshift cluster that you are authorizing Amazon Quick to propagate user identities to. This information can be found in the Amazon Redshift console. If you don't specify authorized targets for the Amazon Redshift scope, Amazon Quick authorizes users from any Amazon Redshift cluster that shares the same IAM Identity Center instance. The example below configures Amazon Quick to connect to Amazon Redshift data sources with trusted identity propagation.

```
aws quicksight update-identity-propagation-config --aws-account-id "AWSACCOUNTID" --service "REDSHIFT" --authorized-targets "arn:aws-cn:sso::XXXXXXXXXXXX:application/ssoins-XXXXXXXXXXXX/apl-XXXXXXXXXXXX" "arn:aws-cn:sso::XXXXXXXXXXXX:application/ssoins-XXXXXXXXXXXX/apl-XXXXXXXXXXXX"
```

The following example deletes OAuth scopes from an Amazon Quick account.

```
aws quicksight delete-identity-propagation-config --aws-account-id "AWSACCOUNTID" --service "REDSHIFT" --authorized-targets "arn:aws-cn:sso::XXXXXXXXXXXX:application/ssoins-XXXXXXXXXXXX/apl-XXXXXXXXXXXX" "arn:aws-cn:sso::XXXXXXXXXXXX:application/ssoins-XXXXXXXXXXXX/apl-XXXXXXXXXXXX"
```

The following example lists all OAuth scopes that are currently on an Amazon Quick account.

```
aws quicksight list-identity-propagation-configs --aws-account-id "AWSACCOUNTID"
```
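A defender's check on the output of the `list-identity-propagation-configs` command, added here as an example and not part of the page: it flags a Redshift scope with no authorized targets (which, as noted above, authorizes every cluster on the shared Identity Center instance) and any target that is not one of the clusters you intended. The response shape (a `Services` list of `Service`/`AuthorizedTargets` entries) and the sample ARNs are assumptions.

```python
import re

# IAM Identity Center application ARN, as shown in the commands above with
# placeholders: arn:<partition>:sso::<account>:application/ssoins-<id>/apl-<id>.
IDC_APP_ARN = re.compile(
    r"^arn:aws(?:-cn|-us-gov)?:sso::\d{12}:application/ssoins-[0-9a-f]+/apl-[0-9a-f]+$"
)

# Constructed: the cluster applications this account is meant to reach.
EXPECTED_TARGETS = {
    "arn:aws-cn:sso::123456789012:application/ssoins-0123456789abcdef/apl-0123456789abcdef",
}

# Constructed responses in the shape of `list-identity-propagation-configs`
# (assumed: a "Services" list of {"Service", "AuthorizedTargets"} entries).
SCOPED_RESPONSE = {
    "Services": [{"Service": "REDSHIFT", "AuthorizedTargets": sorted(EXPECTED_TARGETS)}],
    "Status": 200,
}
UNSCOPED_RESPONSE = {
    "Services": [{"Service": "REDSHIFT", "AuthorizedTargets": []}],
    "Status": 200,
}


def audit_redshift_scope(response, expected_targets):
    """Return a list of findings for the REDSHIFT identity propagation scope.

    An empty list means the scope exists and names exactly the expected
    Identity Center applications and nothing else.
    """
    findings = []
    services = {
        entry["Service"]: entry.get("AuthorizedTargets", [])
        for entry in response.get("Services", [])
    }
    if "REDSHIFT" not in services:
        return ["no REDSHIFT scope: trusted identity propagation to Redshift is not enabled"]

    targets = services["REDSHIFT"]
    if not targets:
        # Without authorized targets, Quick authorizes users from any Redshift
        # cluster on the same Identity Center instance (see the text above).
        findings.append(
            "REDSHIFT scope has no authorized targets: every cluster on the "
            "shared Identity Center instance is authorized"
        )
    for arn in targets:
        if not IDC_APP_ARN.match(arn):
            findings.append(f"malformed Identity Center application ARN: {arn}")
        elif arn not in expected_targets:
            findings.append(f"unexpected authorized target: {arn}")
    for arn in sorted(set(expected_targets) - set(targets)):
        findings.append(f"expected target is missing: {arn}")
    return findings


if __name__ == "__main__":
    for label, resp in (("scoped", SCOPED_RESPONSE), ("unscoped", UNSCOPED_RESPONSE)):
        print(label, audit_redshift_scope(resp, EXPECTED_TARGETS) or ["ok"])
```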

### Connecting to Amazon Redshift with trusted identity propagation


Use the following procedure to connect to Amazon Redshift with trusted identity propagation.

**To connect to Amazon Redshift with trusted identity propagation**

1. Create a new dataset in Amazon Quick. For more information about creating a dataset, see [Creating datasets](https://docs.amazonaws.cn/quicksight/latest/user/creating-data-sets.html).

1. Choose Amazon Redshift as the data source for the new dataset.
**Note**  
The authentication type of an existing data source can't be changed to trusted identity propagation.

1. Choose IAM Identity Center as the identity option for the data source, and then choose **Create data source**.

## Manually enabling access to an Amazon Redshift cluster in a VPC


|  | 
| --- |
|  Applies to:  Enterprise Edition  | 

Use the following procedure to enable Amazon Quick Sight access to an Amazon Redshift cluster in a VPC.

**To enable Amazon Quick Sight access to an Amazon Redshift cluster in a VPC**

1. Sign in to the Amazon Web Services Management Console and open the Amazon Redshift console at [https://console.amazonaws.cn/redshiftv2/](https://console.amazonaws.cn/redshiftv2/).

1. Navigate to the cluster that you want to make available in Amazon Quick.

1. In the **Cluster Properties** section, find **Port**. Note the **Port** value. 

1. In the **Cluster Properties** section, find **VPC ID** and note the **VPC ID** value. Choose **VPC ID** to open the Amazon VPC console.

1. On the Amazon VPC console, choose **Security Groups** in the navigation pane.

1. Choose **Create Security Group**.

1. On the **Create Security Group** page, enter the security group information as follows:
   + For **Security group name**, enter **redshift-security-group**.
   + For **Description**, enter **redshift-security-group**.
   + For **VPC**, choose the VPC for your Amazon Redshift cluster. This is the VPC with the VPC ID that you noted.

1. Choose **Create security group**.

   Your new security group should appear on the screen.

1. Create a second security group with the following properties.
   + For **Security group name**, enter **quicksight-security-group**.
   + For **Description**, enter **quicksight-security-group**.
   + For **VPC**, choose the VPC for your Amazon Redshift cluster. This is the VPC with the VPC ID that you noted.

1. Choose **Create security group**.

1. After you create the new security groups, create inbound rules for the new groups.

   Choose the new `redshift-security-group` security group, and input the following values.
   + For **Type**, choose **Amazon Redshift**.
   + For **Protocol**, choose **TCP**.
   + For **Port Range**, enter the port number of the Amazon Redshift cluster to which you are providing access. This is the port number that you noted in an earlier step.
   + For **Source**, enter the security group ID of `quicksight-security-group`.

1. Choose **Save rules** to save your new inbound rule.

1. Repeat the previous step for `quicksight-security-group` and enter the following values.
   + For **Type**, choose **All traffic**.
   + For **Protocol**, choose **All**.
   + For **Port Range**, choose **All**.
   + For **Source**, enter the security group ID of `redshift-security-group`.

1. Choose **Save rules** to save your new inbound rule.

1. In Amazon Quick, navigate to the **Manage Amazon Quick** menu.

1. Choose **Manage VPC connections**, and then choose **Add VPC connection**.

1. Configure the new VPC connection with the following values.
   + For **VPC connection name**, choose a meaningful name for the VPC connection.
   + For **VPC ID**, choose the VPC in which the Amazon Redshift cluster exists.
   + For **Subnet ID**, choose the subnet for the Availability Zone (AZ) that is used for Amazon Redshift.
   + For **Security group id**, copy and paste the security group ID for `quicksight-security-group`.

1. Choose **Create**. It might take several minutes for the new VPC connection to be created.

1. In the Amazon Redshift console, navigate to the Amazon Redshift cluster that `redshift-security-group` was created for. Choose **Properties**. Under **Network and security settings**, enter the name of the security group (`redshift-security-group`).

1. In Amazon Quick, choose **Datasets**, and then choose **New dataset**. Create a new dataset with the following values.
   + For **Data source**, choose **Amazon Redshift Auto-discovered**.
   + Give the data source a meaningful name.
   + The instance ID should auto populate with the VPC connection that you created in Amazon Quick. If the instance ID doesn't auto populate, choose the VPC that you created from the dropdown list.
   + Enter the database credentials. If your Amazon Quick account uses trusted identity propagation, choose **Single sign-on**.

1. Validate the connection, and then choose **Create data source**.

If you want to restrict the default outbound rules further, update the outbound rule of `quicksight-security-group` to allow only Amazon Redshift traffic to `redshift-security-group`. You can also delete the outbound rule that's located in the `redshift-security-group`.
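An added example (not part of the page) that audits the two security groups the procedure creates, read from `describe-security-groups` output, and reports any deviation such as a CIDR source on `redshift-security-group` or a port range wider than the cluster port. The group IDs and the cluster port are constructed.

```python
# Constructed: the Port value noted from the cluster's properties.
CLUSTER_PORT = 5439


def _group(name, group_id, inbound):
    """Constructed group in the shape of `aws ec2 describe-security-groups`."""
    return {"GroupName": name, "GroupId": group_id, "IpPermissions": inbound}


PAIR_OK = [
    _group("redshift-security-group", "sg-0a1b2c3d4e5f60001", [
        {"IpProtocol": "tcp", "FromPort": CLUSTER_PORT, "ToPort": CLUSTER_PORT,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0a1b2c3d4e5f60002"}]},
    ]),
    _group("quicksight-security-group", "sg-0a1b2c3d4e5f60002", [
        {"IpProtocol": "-1", "IpRanges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-0a1b2c3d4e5f60001"}]},
    ]),
]
# Same pair, but the Redshift rule was widened to the whole internet.
PAIR_OPEN = [
    _group("redshift-security-group", "sg-0a1b2c3d4e5f60001", [
        {"IpProtocol": "tcp", "FromPort": CLUSTER_PORT, "ToPort": CLUSTER_PORT,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    ]),
    PAIR_OK[1],
]


def _sources(rule):
    """Split a rule's sources into CIDR strings and referenced group IDs."""
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    groups = [p["GroupId"] for p in rule.get("UserIdGroupPairs", [])]
    return cidrs, groups


def audit_redshift_pair(groups, cluster_port):
    """Return findings where the two groups deviate from the procedure above."""
    by_name = {g["GroupName"]: g for g in groups}
    missing = [n for n in ("redshift-security-group", "quicksight-security-group") if n not in by_name]
    if missing:
        return [f"security group not found: {n}" for n in missing]
    redshift, quick = by_name["redshift-security-group"], by_name["quicksight-security-group"]
    findings = []

    # redshift-security-group: TCP on the cluster port, only from quicksight-security-group.
    rules = redshift.get("IpPermissions", [])
    if not rules:
        findings.append("redshift-security-group has no inbound rule; Quick Sight cannot reach the cluster")
    for rule in rules:
        cidrs, sgs = _sources(rule)
        if cidrs:
            findings.append(f"redshift-security-group admits CIDR sources {cidrs}; "
                            "only quicksight-security-group should be the source")
        for sg in sgs:
            if sg != quick["GroupId"]:
                findings.append(f"redshift-security-group admits group {sg}, which is not quicksight-security-group")
        if (rule.get("IpProtocol"), rule.get("FromPort"), rule.get("ToPort")) != ("tcp", cluster_port, cluster_port):
            findings.append(f"redshift-security-group rule is not limited to tcp/{cluster_port}: "
                            f"{rule.get('IpProtocol')} {rule.get('FromPort')}-{rule.get('ToPort')}")

    # quicksight-security-group: sources must reference redshift-security-group only.
    for rule in quick.get("IpPermissions", []):
        cidrs, sgs = _sources(rule)
        if cidrs:
            findings.append(f"quicksight-security-group admits CIDR sources {cidrs}; "
                            "it should reference only redshift-security-group")
        for sg in sgs:
            if sg != redshift["GroupId"]:
                findings.append(f"quicksight-security-group admits group {sg}, which is not redshift-security-group")
    return findings


if __name__ == "__main__":
    print("ok pair:", audit_redshift_pair(PAIR_OK, CLUSTER_PORT))
    print("open pair:", audit_redshift_pair(PAIR_OPEN, CLUSTER_PORT))
```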

## Enabling access to Amazon Redshift Spectrum

Using Amazon Redshift Spectrum, you can connect Amazon Quick to an external catalog with Amazon Redshift. For example, you can access the Amazon Athena catalog. You can then query unstructured data in your Amazon S3 data lake using an Amazon Redshift cluster instead of the Athena query engine. 

You can also combine data sets that include data stored in Amazon Redshift and in S3. Then you can access them using the SQL syntax in Amazon Redshift. 

After you've registered your data catalog (for Athena) or external schema (for a [Hive metastore](https://aws.amazon.com/blogs/big-data/migrate-external-table-definitions-from-a-hive-metastore-to-amazon-athena/)), you can use Amazon Quick to choose the external schema and Amazon Redshift Spectrum tables. This process works just as for any other Amazon Redshift tables in your cluster. You don't need to load or transform your data. 

For more information on using Amazon Redshift Spectrum, see [Using Amazon Redshift Spectrum to query external data](https://docs.amazonaws.cn/redshift/latest/dg/c-using-spectrum.html) in the *Amazon Redshift Database Developer Guide.*

To connect using Redshift Spectrum, do the following:
+ Create or identify an IAM role associated with the Amazon Redshift cluster.
+ Add the IAM policies `AmazonS3ReadOnlyAccess` and `AmazonAthenaFullAccess` to the IAM role.
+ Register an external schema or data catalog for the tables that you plan to use.

Redshift Spectrum lets you separate storage from compute, so you can scale them separately. You only pay for the queries that you run.

To connect to Redshift Spectrum tables, you don't need to grant Amazon Quick access to Amazon S3 or Athena. Amazon Quick needs access only to the Amazon Redshift cluster. For full details on configuring Redshift Spectrum, see [Getting started with Amazon Redshift Spectrum](https://docs.amazonaws.cn/redshift/latest/dg/c-getting-started-using-spectrum.html) in the *Amazon Redshift Database Developer Guide*.

# Authorizing connections from Amazon Quick to Amazon EC2 instances


|  | 
| --- |
|    Applies to: Enterprise Edition and Standard Edition  | 


|  | 
| --- |
|    Intended audience:  System administrators  | 

For Amazon Quick Sight to connect to an Amazon EC2 instance, you must create a new security group for that instance. This security group contains an inbound rule authorizing access from the appropriate IP address range for the Quick servers in that Amazon Web Services Region. 

To modify the security groups for these Amazon EC2 instances, you must have Amazon credentials that permit you to access the instances.

Enabling connection from Quick servers to your instance is just one of several prerequisites for creating a data set based on an Amazon database data source. For more information about what is required, see [Creating a dataset from a database](https://docs.amazonaws.cn/quicksight/latest/user/create-a-database-data-set.html).

**To enable Amazon Quick access to an Amazon EC2 instance**

1. Sign in to the Amazon Web Services Management Console and open the Amazon EC2 console at [https://console.amazonaws.cn/ec2/](https://console.amazonaws.cn/ec2/).

1. If your EC2 instance is in a VPC, choose the instance to view the instance details pane. Find its VPC ID and note that ID for later use.

1. Choose **Security Groups** in the **NETWORK & SECURITY** section of the navigation pane. Then choose **Create Security Group**.

1. Enter the security group information as follows:
   + For **Security group name**, enter **Amazon-QuickSight-access**.
   + For **Description**, enter **Amazon-QuickSight-access**.
   + For **VPC**, choose the VPC ID that you noted in step 2 if your Amazon EC2 instance is in a VPC. Otherwise, choose **No VPC**.

1. Choose **Add Rule** on the **Inbound** tab.

1. Create a new rule with the following values:
   + For **Type**, choose **Custom TCP Rule**.
   + For **Protocol**, choose **TCP**.
   + (Optional) For **Port Range**, enter the port number used by the database instance on this Amazon EC2 instance to which you are providing access.
   + For **Source**, enter the CIDR address block for the Amazon Web Services Region where you plan to use Amazon Quick. For example, here is the CIDR address block for Europe (Ireland): `52.210.255.224/27`. For more information on the IP address ranges for Amazon Quick in supported Amazon Regions, see [Amazon Regions, websites, IP address ranges, and endpoints](https://docs.amazonaws.cn/quicksight/latest/user/regions.html).
**Note**  
If you have activated Amazon Quick in multiple Amazon Web Services Regions, you can create inbound rules for each Amazon Quick endpoint CIDR. Doing this allows Amazon Quick to have access to the Amazon RDS DB instance from any Amazon Web Services Region defined in the inbound rules.   
An Amazon Quick user or administrator who uses Amazon Quick in multiple Amazon Regions is treated as a single user. In other words, even if you are using Amazon Quick in every Amazon Web Services Region, both your Amazon Quick account and your users are global.

1. Choose **Create**.

1. Choose **Instances** in the **INSTANCES** section of the navigation pane, and then choose the instance that you want to enable access to.

1. Choose **Actions**, then **Networking**, and then **Change Security Groups**. 

1. In **Change Security Groups**, choose the **Amazon-QuickSight-access** security group. 

   Then choose **Assign Security Groups**.
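An added check (not from the page) for the inbound rule created in step 6: it flags a rule open to a range wider than the Region's Quick Sight CIDR, to the whole internet, or to more ports than the database uses, using the Europe (Ireland) range quoted above. Rule shapes follow `describe-security-groups`; the database port and the sample rules are constructed.

```python
import ipaddress

# The Europe (Ireland) range quoted in the procedure; other Regions have their own.
QUICKSIGHT_CIDR_EU_WEST_1 = ipaddress.ip_network("52.210.255.224/27")
DB_PORT = 3306  # constructed: the port the database on the instance listens on

# Constructed inbound rules in the shape of `aws ec2 describe-security-groups`.
RULE_EXACT = {"IpProtocol": "tcp", "FromPort": DB_PORT, "ToPort": DB_PORT,
              "IpRanges": [{"CidrIp": "52.210.255.224/27"}]}
RULE_TOO_WIDE = {"IpProtocol": "tcp", "FromPort": DB_PORT, "ToPort": DB_PORT,
                 "IpRanges": [{"CidrIp": "52.210.0.0/16"}]}
RULE_WORLD = {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
              "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}


def check_quicksight_rule(rule, quicksight_cidr, db_port):
    """Return findings where the rule admits more than Quick Sight on db_port."""
    findings = []
    if rule.get("IpProtocol") != "tcp":
        findings.append(f"protocol is {rule.get('IpProtocol')!r}, expected tcp")
    ports = (rule.get("FromPort"), rule.get("ToPort"))
    if ports != (db_port, db_port):
        findings.append(f"ports {ports[0]}-{ports[1]} are open; restrict to {db_port}")
    for entry in rule.get("IpRanges", []):
        net = ipaddress.ip_network(entry["CidrIp"], strict=False)
        if net == quicksight_cidr:
            continue
        if net.prefixlen == 0:
            findings.append(f"{net} admits the whole internet")
        elif net.version != quicksight_cidr.version:
            findings.append(f"{net} is not a Quick Sight range")
        elif quicksight_cidr.subnet_of(net):
            # A supernet of the published range lets in far more than Quick Sight.
            findings.append(f"{net} is wider than the Quick Sight range {quicksight_cidr}")
        elif net.subnet_of(quicksight_cidr):
            findings.append(f"{net} covers only part of the Quick Sight range {quicksight_cidr}")
        else:
            findings.append(f"{net} is not a Quick Sight range")
    for entry in rule.get("Ipv6Ranges", []):
        findings.append(f"IPv6 source {entry['CidrIpv6']} is not a Quick Sight range")
    return findings


def is_quicksight_source(ip, quicksight_cidr=QUICKSIGHT_CIDR_EU_WEST_1):
    """True if a connecting address (for example from a database log) is inside the range."""
    return ipaddress.ip_address(ip) in quicksight_cidr


if __name__ == "__main__":
    for name, rule in (("exact", RULE_EXACT), ("too wide", RULE_TOO_WIDE), ("world", RULE_WORLD)):
        print(name, check_quicksight_rule(rule, QUICKSIGHT_CIDR_EU_WEST_1, DB_PORT) or ["ok"])
```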

# Authorizing connections through Amazon Lake Formation


|  | 
| --- |
|  Applies to:  Enterprise Edition  | 


|  | 
| --- |
|    Intended audience:  System administrators  | 

If you are querying data with Amazon Athena, you can use Amazon Lake Formation to simplify how you secure and connect to your data from Amazon Quick Sight. Lake Formation adds to the Amazon Identity and Access Management (IAM) permissions model by providing its own permissions model that is applied to Amazon analytics and machine learning services. This centrally defined permissions model controls data access at a granular level through a simple grant and revoke mechanism. You can use Lake Formation instead of, or in addition to, using scoped-down policies with IAM.

When you set up Lake Formation, you register your data sources to allow it to move the data into a new data lake in Amazon S3. Lake Formation and Athena both work seamlessly with Amazon Glue Data Catalog, making it easy to use them together. Athena databases and tables are metadata containers. These containers describe the underlying schema of the data, the data definition language (DDL) statements, and the location of the data in Amazon S3. 

After Lake Formation is configured, you can use Amazon Quick to access databases and tables by name or through SQL queries. Amazon Quick provides a full-featured editor where you can write SQL queries. Or you can use the Athena console, the Amazon CLI, or your favorite query editor. For more information, see [Accessing Athena](https://docs.amazonaws.cn/athena/latest/ug/accessing-ate.html) in the *Amazon Athena User Guide.* 

Use the topics below to configure a Lake Formation connection through Lake Formation or through Amazon Quick.

**Topics**
+ [

## Enabling connection from Lake Formation
](#lake-formation-lf-steps)
+ [

## Enabling connection from Amazon Quick
](#lake-formation-qs-steps)

## Enabling connection from Lake Formation


Before you begin using this solution with Quick, make sure that you can access your data using Athena with Lake Formation. After you verify that the connection is working through Athena, you need to verify only that Amazon Quick can connect to Athena. Doing this means you don't have to troubleshoot connections through all three products at once. One easy way to test the connection is to use the [Athena query console](https://console.aws.amazon.com/athena/) to run a simple SQL command, for example `SELECT 1 FROM table`.

To set up Lake Formation, the person or team who works on it needs access to create a new IAM role and to Lake Formation. They also need the information shown in the following list. For more information, see [Setting up lake formation](https://docs.amazonaws.cn/lake-formation/latest/dg/getting-started-setup.html) in the *Amazon Lake Formation Developer Guide.*
+ Collect the Amazon Resource Names (ARNs) of the Quick users and groups that need to access the data in Lake Formation. These users should be Amazon Quick authors or administrators.

**To find Amazon Quick user and group ARNs**

  1. Use the Amazon CLI to find user ARNs for Amazon Quick authors and admins. To do this, run the following `list-users` command in your terminal (Linux or Mac) or at your command prompt (Windows).

     ```
     aws quicksight list-users --aws-account-id 111122223333 --namespace default --region us-east-1
     ```

     The response returns information for each user. The ARN is the `Arn` value in the following example. 

     ```
     RequestId: a27a4cef-4716-48c8-8d34-7d3196e76468
     Status: 200
     UserList:
     - Active: true
       Arn: arn:aws-cn:quicksight:us-east-1:111122223333:user/default/SaanviSarkar
       Email: SaanviSarkar@example.com
       PrincipalId: federated/iam/AIDAJVCZOVSR3DESMJ7TA
       Role: ADMIN
       UserName: SaanviSarkar
     ```

     To avoid using the Amazon CLI, you can construct the ARNs for each user manually.

  1. (Optional) Use the Amazon CLI to find ARNs for Amazon Quick groups by running the following `list-groups` command in your terminal (Linux or Mac) or at your command prompt (Windows).

     ```
     aws quicksight list-groups --aws-account-id 111122223333 --namespace default --region us-east-1
     ```

     The response returns information for each group. The ARN is the `Arn` value in the following example. 

     ```
     GroupList:
     - Arn: arn:aws-cn:quicksight:us-east-1:111122223333:group/default/DataLake-Scorecard
       Description: Data Lake for CXO Balanced Scorecard
       GroupName: DataLake-Scorecard
       PrincipalId: group/d-90671c9c12/6f9083c2-8400-4389-8477-97ef05e3f7db
     RequestId: c1000198-18fa-4277-a1e2-02163288caf6
     Status: 200
     ```

     If you don't have any Amazon Quick groups, add a group by using the Amazon CLI to run the `create-group` command. There currently isn't an option to do this from the Amazon Quick console. For more information, see [Creating and managing groups in Amazon Quick](https://docs.amazonaws.cn/quicksight/latest/user/creating-quicksight-groups.html).

     To avoid using the Amazon CLI, you can construct the ARNs for each group manually.
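An added example, not from the page, that turns the two responses above into the list of ARNs to grant in Lake Formation (active authors and admins, plus groups) and builds an ARN by hand for the manual route. The response contents are constructed from the examples above; treating only `ADMIN` and `AUTHOR` as grantable is an assumption drawn from the text.

```python
# Constructed: the responses shown above, in parsed form, plus two extra users
# to show the filtering (a reader and an inactive author).
LIST_USERS = {
    "UserList": [
        {"Active": True, "Role": "ADMIN", "UserName": "SaanviSarkar",
         "Arn": "arn:aws-cn:quicksight:us-east-1:111122223333:user/default/SaanviSarkar"},
        {"Active": True, "Role": "READER", "UserName": "ReaderOnly",
         "Arn": "arn:aws-cn:quicksight:us-east-1:111122223333:user/default/ReaderOnly"},
        {"Active": False, "Role": "AUTHOR", "UserName": "FormerAuthor",
         "Arn": "arn:aws-cn:quicksight:us-east-1:111122223333:user/default/FormerAuthor"},
    ],
    "Status": 200,
}
LIST_GROUPS = {
    "GroupList": [
        {"GroupName": "DataLake-Scorecard",
         "Arn": "arn:aws-cn:quicksight:us-east-1:111122223333:group/default/DataLake-Scorecard"},
    ],
    "Status": 200,
}

# Assumption: only authors and admins receive Lake Formation grants, as the text says.
GRANTABLE_ROLES = {"ADMIN", "AUTHOR"}


def lake_formation_principals(list_users, list_groups=None):
    """ARNs to grant in Lake Formation: active authors/admins plus every group."""
    arns = [u["Arn"] for u in list_users.get("UserList", [])
            if u.get("Active") and u.get("Role") in GRANTABLE_ROLES]
    arns += [g["Arn"] for g in (list_groups or {}).get("GroupList", [])]
    return arns


def quicksight_principal_arn(partition, region, account_id, kind, name, namespace="default"):
    """Build a user or group ARN by hand, matching the format in the responses above."""
    if kind not in ("user", "group"):
        raise ValueError("kind must be 'user' or 'group'")
    return f"arn:{partition}:quicksight:{region}:{account_id}:{kind}/{namespace}/{name}"


if __name__ == "__main__":
    for arn in lake_formation_principals(LIST_USERS, LIST_GROUPS):
        print(arn)
```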

## Enabling connection from Amazon Quick


To work with Lake Formation and Athena, make sure that you have Amazon resource permissions configured in Amazon Quick:
+ Enable access to Amazon Athena.
+ Enable access to the correct buckets in Amazon S3. Usually S3 access is enabled when you enable Athena. However, because you can change S3 permissions outside of that process, it's a good idea to verify them separately.

For information about how to verify or change Amazon resource permissions in Quick, see [Allowing autodiscovery of Amazon resources](https://docs.amazonaws.cn/quicksight/latest/user/autodiscover-aws-data-sources.html) and [Accessing data sources](https://docs.amazonaws.cn/quicksight/latest/user/access-to-aws-resources.html). 

# Authorizing connections to Amazon OpenSearch Service


|  | 
| --- |
|  Applies to:  Enterprise Edition  | 


|  | 
| --- |
|    Intended audience:  System administrators  | 

Before you can use OpenSearch in a Amazon Quick Sight dataset, there are a few tasks for the Quick administrator to complete with the cooperation of a person who has access to the OpenSearch console. 

To get started, identify each OpenSearch domain that you want to connect to. Then gather the following information for each domain:
+ The name of the OpenSearch domain.
+ The OpenSearch version used by this domain.
+ The Amazon Resource Name (ARN) of the OpenSearch domain.
+ The HTTPS endpoint. 
+ The OpenSearch Dashboards URL, if you use Dashboards. You can extrapolate the Dashboards URL by appending "`/dashboards/`" to an endpoint.
+ If the domain has a VPC endpoint, gather all the related information on the VPC tab of the OpenSearch Service console: 
  + The VPC ID
  + The VPC security groups
  + The associated IAM role or roles
  + The associated Availability Zones
  + The associated subnets
+ If the domain has a regular endpoint (not a VPC endpoint), note that it uses the public network.
+ The start hour for the daily automated snapshot (if your users want to know).

Before you proceed, the Amazon Quick administrator enables authorized connections from Amazon Quick to OpenSearch Service. This process is required for every Amazon service that you connect to from Amazon Quick. You need to do this only once per Amazon Web Services account for each Amazon service that you use as a data source. 

For OpenSearch Service, the authorization process adds the Amazon managed policy `AWSQuickSightOpenSearchPolicy` to your Amazon Web Services account. 

**Important**  
Make sure that the IAM policy for your OpenSearch domain doesn't conflict with the permissions in `AWSQuickSightOpenSearchPolicy`. You can find the domain access policy in the OpenSearch Service console. For more information, see [Configuring access policies](https://docs.amazonaws.cn/opensearch-service/latest/developerguide/ac.html#ac-creating) in the *Amazon OpenSearch Service Developer Guide*.

**To turn on or turn off connections from Amazon Quick to OpenSearch Service**

1. Within Amazon Quick, choose **Administrator** and **Manage Amazon Quick**.

1. Choose **Security & permissions**, **Add or remove**.

1. To enable connections, select the **Amazon OpenSearch Service** check box.

   To disable connections, clear the **Amazon OpenSearch Service** check box.

1. Choose **Update** to confirm your choices.

If needed, use the topics below to configure an OpenSearch VPC connection and permissions for Amazon Quick to access OpenSearch.

**Topics**
+ [

## Using a VPC connection
](#opensearch-and-vpc-connection)
+ [

## Using OpenSearch permissions
](#opensearch-permissions)

## Using a VPC connection


In some cases, your OpenSearch domain is in a virtual private cloud (VPC) based on the Amazon VPC service. If so, make sure to determine if Amazon Quick is already connected to the VPC ID that the OpenSearch domain uses. You can reuse an existing VPC connection. If you're not sure if it's working, you can test it. For more information, see [Testing the connection to your Amazon VPC data source](https://docs.amazonaws.cn/quicksight/latest/user/vpc-creating-a-quicksight-data-source-profile.html).

If a connection isn't already defined in Amazon Quick for the VPC that you want to use, you can create one. This task is a multistep process that you need to complete before you proceed. To learn how to add Amazon Quick to a VPC and add a connection from Amazon Quick to the VPC, see [Connecting to a Amazon VPC with Amazon Quick](https://docs.amazonaws.cn/quicksight/latest/user/working-with-aws-vpc.html).

## Using OpenSearch permissions


After you configure Amazon Quick to connect to OpenSearch Service, you might need to enable permissions in OpenSearch. For this part of the setup process, you can use the OpenSearch Dashboards link for each OpenSearch domain. Use the following list to help determine what permissions you need:

1. For domains that use fine-grained access control, configure permissions in the form of a role. This process is similar to using scoped-down policies in Amazon Quick.

1. For each domain that you create a role for, add a role mapping. 

For more information, see the following.

If your OpenSearch domain has [fine-grained access control](https://docs.amazonaws.cn/opensearch-service/latest/developerguide/fgac.html) enabled, there are some permissions to configure so the domain is accessible from Amazon Quick. Perform these steps for each domain that you want to use. 

The following procedure uses OpenSearch Dashboards, which is an open-source tool that works with OpenSearch. You can find the link to Dashboards on the domain dashboard on the OpenSearch Service console. 

**To add permissions to a domain to allow access from Amazon Quick**

1. Open OpenSearch Dashboards for the OpenSearch domain that you want to work with. The URL is `opensearch-domain-endpoint/dashboards/`. 

1. Choose **Security** from the navigation pane.

   If you don't see the navigation pane, open it by using the menu icon at upper left. To keep the menu open, choose **Dock navigation** at lower left. 

1. Choose **Roles**, **Create role**.

1. Name the role **quicksight\_role**. 

   You can choose a different name, but we recommend this one because we use it in our documentation and it's thus easier to support.

1. Under **Cluster permissions**, add the following permissions:
   + `cluster:monitor/main`
   + `cluster:monitor/health`
   + `cluster:monitor/state`
   + `indices:data/read/scroll`
   + `indices:data/read/scroll/clear`

1. Under **Index permissions**, specify **\*** as the index pattern.

1. For **Index permissions**, add the following permissions:
   + `indices:admin/get`
   + `indices:admin/mappings/get`
   + `indices:admin/mappings/fields/get*`
   + `indices:data/read/search*`
   + `indices:monitor/settings/get`

1. Choose **Create**.

1. Repeat this procedure for each OpenSearch domain that you're planning to use.

Use the following procedure to add a role mapping for the permissions that you added in the previous procedure. You might find it more efficient to add the permissions and the role mapping as part of a single process. These instructions are separate for clarity.

**To create a role mapping for the IAM role you added**

1. Open OpenSearch Dashboards for the OpenSearch domain that you want to work with. The URL is `opensearch-domain-endpoint/dashboards/`. 

1. Choose **Security** from the navigation pane.

1. Search for and open **quicksight\_role** from the list.

1. On the **Mapped users** tab, choose **Manage mapping**.

1. In the **Backend roles** section, enter the ARN of the Amazon-managed IAM role for Amazon Quick. Following is an example.

   ```
   arn:aws:iam::AWS-ACCOUNT-ID:role/service-role/aws-quicksight-service-role-v0
   ```

1. Choose **Map**.

1. Repeat this procedure for each OpenSearch domain that you want to use.
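An added example (not from the page or the OpenSearch project) that builds the role and role-mapping bodies for the two procedures above as requests to the OpenSearch Security plugin REST API, and checks a role fetched back from a domain for permissions beyond that minimum. The domain endpoint and account ID used in the examples are placeholders.

```python
import json

ROLE_NAME = "quicksight_role"
# The cluster and index permissions listed in the procedure above.
CLUSTER_PERMISSIONS = [
    "cluster:monitor/main",
    "cluster:monitor/health",
    "cluster:monitor/state",
    "indices:data/read/scroll",
    "indices:data/read/scroll/clear",
]
INDEX_PERMISSIONS = [
    "indices:admin/get",
    "indices:admin/mappings/get",
    "indices:admin/mappings/fields/get*",
    "indices:data/read/search*",
    "indices:monitor/settings/get",
]


def quicksight_role_body(index_pattern="*"):
    """Body for PUT _plugins/_security/api/roles/quicksight_role."""
    return {
        "cluster_permissions": list(CLUSTER_PERMISSIONS),
        "index_permissions": [
            {"index_patterns": [index_pattern], "allowed_actions": list(INDEX_PERMISSIONS)}
        ],
    }


def quicksight_role_mapping_body(quicksight_iam_role_arn):
    """Body for PUT _plugins/_security/api/rolesmapping/quicksight_role (backend role = IAM role ARN)."""
    return {"backend_roles": [quicksight_iam_role_arn]}


def security_api_requests(domain_endpoint, quicksight_iam_role_arn):
    """The two requests as (method, url, json body); send them authenticated as the domain's master user."""
    base = f"{domain_endpoint.rstrip('/')}/_plugins/_security/api"
    return [
        ("PUT", f"{base}/roles/{ROLE_NAME}", json.dumps(quicksight_role_body())),
        ("PUT", f"{base}/rolesmapping/{ROLE_NAME}",
         json.dumps(quicksight_role_mapping_body(quicksight_iam_role_arn))),
    ]


def excess_permissions(role):
    """Permissions on a fetched role beyond the lists above.

    `role` is the inner object of GET .../roles/quicksight_role (the response is
    keyed by role name). Anything not in the lists is reported, including
    wildcards such as "*" that would cover the needed actions, since those are
    exactly the over-grants worth spotting.
    """
    extra_cluster = sorted(set(role.get("cluster_permissions", [])) - set(CLUSTER_PERMISSIONS))
    extra_index = set()
    for entry in role.get("index_permissions", []):
        extra_index.update(set(entry.get("allowed_actions", [])) - set(INDEX_PERMISSIONS))
    return extra_cluster, sorted(extra_index)


if __name__ == "__main__":
    # Placeholder endpoint and account ID, not real values.
    arn = "arn:aws-cn:iam::123456789012:role/service-role/aws-quicksight-service-role-v0"
    for method, url, body in security_api_requests("https://search-example.example.com", arn):
        print(method, url, body)
```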

# Authorizing connections to Amazon Athena

If you need to use Amazon Quick Sight with Amazon Athena or Amazon Athena Federated Query, you first need to authorize connections to Athena and the associated buckets in Amazon Simple Storage Service (Amazon S3). Amazon Athena is an interactive query service that makes it easy to analyze data directly in Amazon S3 using standard SQL. Athena Federated Query provides access to more types of data by using Amazon Lambda. Using a connection from Quick to Athena, you can write SQL queries to interrogate data that's stored in relational, non-relational, object, and custom data sources. For more information, see [Using Athena federated query](https://docs.amazonaws.cn/athena/latest/ug/connect-to-a-data-source.html) in the Amazon Athena User Guide. 

Review the following considerations when setting up access to Athena from Quick:
+ Athena stores query results from Amazon Quick Sight in a bucket. By default, this bucket has a name similar to `aws-athena-query-results-AWSREGION-AWSACCOUNTID`, for example `aws-athena-query-results-us-east-2-111111111111`. Therefore, it's important to make sure Amazon Quick Sight has permissions to access the bucket Athena is currently using.
+ If your data file is encrypted with an Amazon KMS key, grant permissions to the Amazon Quick Sight IAM role to decrypt the key. The easiest way to do this is to use the Amazon CLI. 

  You can run the KMS [create-grant](https://docs.amazonaws.cn/cli/latest/reference/kms/create-grant.html) API operation in Amazon CLI to do this. 

  ```
  aws kms create-grant --key-id <KMS_KEY_ARN> \
    --grantee-principal <QS_ROLE_ARN> --operations Decrypt
  ```

  The Amazon Resource Name (ARN) for the Amazon Quick role has the format `arn:aws-cn:iam::<account id>:role/service-role/aws-quicksight-s3-consumers-role-v<version number>` and can be accessed from the IAM console. To find your KMS key ARN, use the S3 console. Go to the bucket that contains your data file and choose the **Overview** tab. The key is located near **KMS key ID**.
+ For Amazon Athena, Amazon S3, and Athena Query Federation connections, Amazon Quick uses the following IAM role by default: 

  ```
  arn:aws-cn:iam::AWS-ACCOUNT-ID:role/service-role/aws-quicksight-s3-consumers-role-v0
  ```

  If the `aws-quicksight-s3-consumers-role-v0` is not present, then Amazon Quick uses:

  ```
  arn:aws-cn:iam::AWS-ACCOUNT-ID:role/service-role/aws-quicksight-service-role-v0
  ```
+ If you assigned scope-down policies to your users, verify that the policies contain the `lambda:InvokeFunction` permission. Without this permission, your users can't access Athena Federated Queries. For more information about assigning IAM policies to your users in Amazon Quick, see [Setting granular access to Amazon services through IAM](https://docs.amazonaws.cn/quicksight/latest/user/scoping-policies-iam-interface.html). For more information about the lambda:InvokeFunction permission, see [Actions, resources, and condition keys for Amazon Lambda](https://docs.amazonaws.cn/IAM/latest/UserGuide/list_awslambda.html) in the *IAM User Guide*.
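Two added checks, not from the page, for the considerations above: which IAM role Quick Sight will use for Athena given the roles that exist (the documented fallback), and whether a KMS key's grants let that role decrypt. Grant fields mirror `aws kms list-grants`; the account ID, key ARN and sample grants are constructed.

```python
def quicksight_athena_role_arn(partition, account_id, existing_role_names, version=0):
    """Role Quick Sight uses for Athena/S3: the s3-consumers role if present, else the service role."""
    preferred = f"aws-quicksight-s3-consumers-role-v{version}"
    fallback = f"aws-quicksight-service-role-v{version}"
    name = preferred if preferred in existing_role_names else fallback
    return f"arn:{partition}:iam::{account_id}:role/service-role/{name}"


def create_grant_command(kms_key_arn, grantee_role_arn):
    """argv for the create-grant call shown above, ready for subprocess.run."""
    return ["aws", "kms", "create-grant", "--key-id", kms_key_arn,
            "--grantee-principal", grantee_role_arn, "--operations", "Decrypt"]


def _grantee_matches(grantee, role_arn):
    """A grant can name the role itself or an assumed-role session of it."""
    if grantee == role_arn:
        return True
    # arn:<partition>:iam::<account>:role/service-role/<name>
    #   -> arn:<partition>:sts::<account>:assumed-role/<name>/<session>
    arn_parts = role_arn.split(":")
    account, role_name = arn_parts[4], role_arn.rsplit("/", 1)[-1]
    prefix = f"arn:{arn_parts[1]}:sts::{account}:assumed-role/{role_name}/"
    return grantee.startswith(prefix)


def role_can_decrypt(grants, role_arn):
    """True if any grant (the "Grants" list of `aws kms list-grants`) lets role_arn Decrypt."""
    return any(
        "Decrypt" in g.get("Operations", []) and _grantee_matches(g.get("GranteePrincipal", ""), role_arn)
        for g in grants
    )


# Constructed samples (placeholder account and key IDs).
ACCOUNT = "123456789012"
KEY_ARN = "arn:aws-cn:kms:cn-north-1:123456789012:key/EXAMPLE-KEY-ID"
ROLES_WITH_CONSUMERS = {"aws-quicksight-s3-consumers-role-v0", "aws-quicksight-service-role-v0"}
ROLES_WITHOUT_CONSUMERS = {"aws-quicksight-service-role-v0"}
QS_ROLE = quicksight_athena_role_arn("aws-cn", ACCOUNT, ROLES_WITH_CONSUMERS)
GRANTS = [
    {"KeyId": KEY_ARN, "GranteePrincipal": QS_ROLE, "Operations": ["Decrypt"]},
    {"KeyId": KEY_ARN, "GranteePrincipal": f"arn:aws-cn:iam::{ACCOUNT}:role/unrelated",
     "Operations": ["Encrypt", "Decrypt"]},
]


if __name__ == "__main__":
    print("role:", QS_ROLE)
    print("can decrypt:", role_can_decrypt(GRANTS, QS_ROLE))
    print(" ".join(create_grant_command(KEY_ARN, QS_ROLE)))
```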

**To authorize Amazon Quick to connect to Athena or Athena federated data sources**

1. (Optional) If you are using Amazon Lake Formation with Athena, you also need to enable Lake Formation. For more information, see [Authorizing connections through Amazon Lake Formation](https://docs.amazonaws.cn/quicksight/latest/user/lake-formation.html). 

1. Open your profile menu at top right and choose **Manage QuickSight**. You must be an Amazon Quick administrator to do this. If you don't see **Manage QuickSight** on the profile menu, you don't have sufficient permissions. 

1. Choose **Security & permissions**, **Add or remove**. 

1. Select the check box next to **Amazon Athena**, and then choose **Next**. 

   If it was already enabled, you might have to double-click it. Do this even if Amazon Athena is already enabled, so you can view the settings. No changes are saved until you choose **Update** at the end of this procedure.

1. Enable the S3 buckets you want to access.

1. (Optional) To enable Athena federated queries, select the Lambda functions you want to use. 
**Note**  
You can only see Lambda functions for the Athena catalogs in the same Region as Amazon Quick.

1. To confirm your changes, choose **Finish**.

   To cancel, choose **Cancel**.

1. To save changes to security and permissions, choose **Update**.

**To test the connection authorization settings**

1. From the Amazon Quick start page, choose **Datasets**, **New dataset**.

1. Choose the Athena card.

1. Follow the screen prompts to create a new Athena data source using the resources you need to connect to. Choose **Validate connection** to test the connection.

1. If the connection validates, you have successfully configured an Athena or Athena Federated Query connection.

   If you don't have sufficient permissions to connect to an Athena dataset or run an Athena query, an error displays directing you to contact an Amazon Quick administrator. This error means that you need to recheck your connection authorization settings to find the discrepancy. 

1. After you can connect successfully, you or your Amazon Quick authors can create data source connections and share them with other Amazon Quick authors. The authors can then create multiple datasets from the connections, to use in Amazon Quick dashboards.

   For troubleshooting information on Athena, see [Connectivity issues when using Athena with Amazon Quick](https://docs.amazonaws.cn/quicksight/latest/user/troubleshoot-athena.html).

## Using trusted identity propagation with Athena


Trusted identity propagation gives Amazon services access to Amazon resources based on the user’s identity context and securely shares this user’s identity with other Amazon services. These capabilities enable user access to be more easily defined, granted, and logged.

When administrators configure Quick, Athena, Amazon S3 Access Grants, and Amazon Lake Formation with IAM Identity Center, they can now enable trusted identity propagation across these services and allow the user’s identity to be propagated across services. When data is accessed from Quick by an IAM Identity Center user, Athena or Lake Formation can make authorization decisions using the permissions defined for their user or group membership from the organization’s identity provider.

Trusted identity propagation with Athena only works when permissions are managed through Lake Formation. User permissions to data reside in Lake Formation.

### Prerequisites


Before you get started, make sure that you have the following required prerequisites completed.

**Important**  
As you complete the following prerequisites, note that your IAM Identity Center instance, Athena workgroup, Lake Formation and Amazon S3 Access Grants must all be deployed in the same Amazon Region.
+ Configure your Quick account with IAM Identity Center. Trusted identity propagation is only supported for Quick accounts that are integrated with IAM Identity Center. For more information, see [Configure your Amazon Quick account with IAM Identity Center](setting-up-sso.md#sec-identity-management-identity-center).
**Note**  
To create Athena data sources, you must be an IAM Identity Center user (author) in a Quick account that uses IAM Identity Center.
+ An Athena workgroup that is enabled with IAM Identity Center. The Athena workgroup that you use must be using the same IAM Identity Center instance as the Quick account. For more information about configuring an Athena workgroup, see [Creating an IAM Identity Center enabled Athena workgroup](https://docs.amazonaws.cn/athena/latest/ug/workgroups-identity-center.html#workgroups-identity-center-creating-an-identity-center-enabled-athena-workgroup) in the *Amazon Athena User Guide*. 
+ Access to the Athena query results bucket is managed with Amazon S3 Access Grants. For more details, see [Managing access with Amazon S3 Access Grants](https://docs.amazonaws.cn/AmazonS3/latest/userguide/access-grants.html) in the *Amazon S3 User Guide*. If your query results are encrypted with an Amazon KMS key, the Amazon S3 Access Grant IAM role and the Athena workgroup role both need permissions to Amazon KMS.
  + For more information, see [Amazon S3 Access Grants and corporate directory identities](https://docs.amazonaws.cn/AmazonS3/latest/userguide/access-grants.html) in the Amazon S3 User Guide.
  + The Amazon S3 Access Grant role should have the `STS:SetContext` action in its trust policy for identity propagation. To see an example, see [Register a location](https://docs.amazonaws.cn/AmazonS3/latest/userguide/access-grants-location-register.html) in the Amazon S3 User Guide.
+ Permissions to data must be managed with Lake Formation and Lake Formation must be configured with the same IAM Identity Center instance as Quick and the Athena workgroup. For configuration information, see [Integrating IAM Identity Center](https://docs.amazonaws.cn/lake-formation/latest/dg/identity-center-integration.html) in the *Amazon Lake Formation Developer Guide*.
+ The data lake administrator needs to grant permissions to IAM Identity Center users and groups in Lake Formation. For more details, [Granting permissions to users and groups](https://docs.amazonaws.cn/lake-formation/latest/dg/grant-permissions-sso.html) in the *Amazon Lake Formation Developer Guide*.
+ The Quick administrator needs to authorize connections to Athena. For details, see [Authorizing connections to Amazon Athena](#athena). Note, with trusted identity propagation, you do not need to give the Quick role Amazon S3 bucket permissions or Amazon KMS permissions. You need to keep your users and groups that have permissions to the workgroup in Athena in sync with the Amazon S3 bucket that stores query results with Amazon S3 Access Grants permissions so that users can successfully run queries and retrieve query results in the Amazon S3 bucket using trusted identity propagation.

### Configure IAM role with required permissions


To use trusted identity propagation with Athena, your Quick account must have the required permissions to access your resources. To provide those permissions, you must configure your Quick account to use an IAM role with the permissions.

If your Quick account is already using a custom IAM role, you can modify that one. If you do not have an existing IAM role, create one by following the instructions in [Create a role for an IAM user](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_roles_create_for-user.html) in the *IAM User Guide*.

The IAM role you create or modify must contain the following trust policy and permissions.

#### Required trust policy


For information about updating the trust policy of an IAM role, see [Update a role trust policy](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_roles_update-role-trust-policy.html).

#### Required Athena permissions


For information about updating the permissions of an IAM role, see [Update permissions for a role](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_roles_update-role-permissions.html).

**Note**  
The `Resource` uses the `*` wildcard. We recommend that you update it to include only the Athena resources you want to use with Quick.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "athena:BatchGetQueryExecution",
                "athena:CancelQueryExecution",
                "athena:GetCatalogs",
                "athena:GetExecutionEngine",
                "athena:GetExecutionEngines",
                "athena:GetNamespace",
                "athena:GetNamespaces",
                "athena:GetQueryExecution",
                "athena:GetQueryExecutions",
                "athena:GetQueryResults",
                "athena:GetQueryResultsStream",
                "athena:GetTable",
                "athena:GetTables",
                "athena:ListQueryExecutions",
                "athena:RunQuery",
                "athena:StartQueryExecution",
                "athena:StopQueryExecution",
                "athena:ListWorkGroups",
                "athena:ListEngineVersions",
                "athena:GetWorkGroup",
                "athena:GetDataCatalog",
                "athena:GetDatabase",
                "athena:GetTableMetadata",
                "athena:ListDataCatalogs",
                "athena:ListDatabases",
                "athena:ListTableMetadata"
            ],
            "Resource": "*"
        }
    ]
}
```

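One way to act on the recommendation in the note above, as an added example that is not part of this documentation: a Python script that rewrites the wildcard policy so that workgroup-level actions are limited to named workgroup ARNs and catalog-level actions to named data catalog ARNs. The Region and account ID are the placeholders used on this page; the workgroup and catalog names, and the set of list actions that stay on `*`, are assumptions to verify against the Service Authorization Reference for Athena.

```python
import copy
import json

# Assumption for this example: these account-wide list actions take no
# resource ARN and therefore keep "Resource": "*". Verify the set against
# the Service Authorization Reference for Athena before relying on it.
LIST_ONLY_ACTIONS = {
    "athena:ListWorkGroups",
    "athena:ListDataCatalogs",
    "athena:ListEngineVersions",
}

# Actions that target a data catalog rather than a workgroup.
CATALOG_ACTIONS = {
    "athena:GetDataCatalog",
    "athena:GetDatabase",
    "athena:ListDatabases",
    "athena:GetTableMetadata",
    "athena:ListTableMetadata",
}


def athena_arn(partition, region, account, resource_type, name):
    """Build an Athena ARN such as arn:aws:athena:us-west-2:<acct>:workgroup/x."""
    return f"arn:{partition}:athena:{region}:{account}:{resource_type}/{name}"


def scope_down(policy, partition, region, account, workgroups, catalogs):
    """Copy policy, splitting each Allow statement on Resource "*" into
    list-only actions (still "*"), catalog actions (named data catalogs)
    and all other actions (named workgroups). Other statements are kept."""
    wg_arns = [athena_arn(partition, region, account, "workgroup", w)
               for w in workgroups]
    cat_arns = [athena_arn(partition, region, account, "datacatalog", c)
                for c in catalogs]
    scoped = copy.deepcopy(policy)
    statements = []
    for stmt in scoped["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Resource") != "*":
            statements.append(stmt)
            continue
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        groups = [
            ([a for a in actions if a in LIST_ONLY_ACTIONS], "*"),
            ([a for a in actions if a in CATALOG_ACTIONS], cat_arns),
            ([a for a in actions
              if a not in LIST_ONLY_ACTIONS and a not in CATALOG_ACTIONS],
             wg_arns),
        ]
        for group_actions, resource in groups:
            if group_actions:  # skip empty groups rather than emit them
                statements.append({"Effect": "Allow",
                                   "Action": sorted(group_actions),
                                   "Resource": resource})
    scoped["Statement"] = statements
    return scoped


def wildcard_allow_count(policy):
    """Count Allow statements that still grant on Resource "*"."""
    return sum(1 for s in policy["Statement"]
               if s.get("Effect") == "Allow" and s.get("Resource") == "*")


# Constructed input: this page's wildcard policy, cut to six actions that cover all groups.
ORIGINAL_POLICY = json.loads("""{
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Resource": "*", "Action": [
        "athena:ListWorkGroups", "athena:GetWorkGroup",
        "athena:StartQueryExecution", "athena:GetQueryResults",
        "athena:ListDataCatalogs", "athena:GetDatabase"]}]
}""")

if __name__ == "__main__":
    print(json.dumps(scope_down(ORIGINAL_POLICY, "aws", "us-west-2",
                                "111122223333", ["quick-wg"],
                                ["AwsDataCatalog"]), indent=2))
```

The list-only statement is the only one left on `*` after the rewrite; review the remaining wildcard with `wildcard_allow_count` before attaching the policy to the Quick role.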

### Configure your Quick account to use the IAM role


After configuring the IAM role in the previous step, you must configure your Quick account to use it. For information about how to do that, see [Using existing IAM roles in Quick](security-create-iam-role.md#security-create-iam-role-use).

### Update the identity propagation config with the Amazon CLI


To authorize Quick to propagate end user identities to Athena workgroups, run the following `update-identity-propagation-config` API from the Amazon CLI, replacing the following values:
+ Replace *us-west-2* with the Amazon Region that your IAM Identity Center instance is in.
+ Replace *111122223333* with your Amazon account ID.

```
aws quicksight update-identity-propagation-config \
--service ATHENA \
--region us-west-2 \
--aws-account-id 111122223333
```

### Create an Athena dataset in Quick


Now, create an Athena dataset in Quick configured with the IAM Identity Center enabled Athena workgroup you want to connect to. For information about how to create an Athena dataset, see [Creating a dataset using Amazon Athena data](create-a-data-set-athena.md).

### Key callouts, considerations, and limits


The following list contains some important considerations when using trusted identity propagation with Quick and Athena.
+ Quick Athena data sources that use trusted identity propagation have Lake Formation permissions evaluated against the IAM Identity Center end user and the IAM Identity Center groups that the user might belong to.
+ When using Athena data sources that use trusted identity propagation, we recommend that any fine-tuned access control is done in Lake Formation. However, if you elect to use Quick's scope-down policy feature, scope-down policies are evaluated against the end user.
+ The following features are disabled for data sources and datasets that use trusted identity propagation: SPICE datasets, custom SQL on data sources, threshold alerts, email reports, Q Topics, stories, scenarios, CSV, Excel, and PDF exports, and anomaly detection.
+ If you experience high latency or timeouts, the cause may be a combination of a high number of IAM Identity Center groups, Athena databases, tables, and Lake Formation rules. We recommend using only the necessary number of those resources.

# Data access integrations


Data access integrations in Amazon Quick establish secure connections to external data sources. They serve as the foundation for creating knowledge bases. Unlike action connectors that perform actions, data access integrations focus on accessing and indexing content from third-party applications and services.

Data access integrations only configure authentication and point to the project or organization of the service. They cannot be used directly for analysis or by AI agents. You must create a connected knowledge base to make the data accessible.

## How data access integrations work


Data access integrations configure authentication and establish connections to third-party service organizations or projects. You cannot use these integrations directly for analysis. You must create knowledge bases connected to the data access integration to make the data accessible for AI agents, chat interfaces, and spaces.

The relationship between data access integrations and knowledge bases is one-to-many:
+ One data access integration can support multiple knowledge bases.
+ Each knowledge base selects specific content from the connected data source.
+ Knowledge bases inherit authentication and access permissions from their parent data access integration.

## Create a data access integration


Use the following procedure to create a data access integration that establishes authentication and connection details for knowledge base creation. The following example demonstrates the process for setting up a Microsoft OneDrive data access integration, but the general steps are applicable to other data access integrations.

**To create a data access integration**

1. Scroll to the Set up a new integration area of the page. Find the application for which you want to create an integration and knowledge base. Select "OneDrive".
**Note**  
The Integration page defaults to the Knowledge bases tab, and there may be existing knowledge bases that have been set up and shared by others. If you have previously set up an integration, check the data tab and use the action menu to create a knowledge base from there.

1. Select the plus (+) icon button on the application to create a new integration and knowledge base.

1. Select the Bring data from Microsoft OneDrive option and click the Next button.
**Note**  
Some application integrations support data ingestion and read/write actions. The setup varies for each one. To set up actions, you'll need more information from your admin.

1. Complete the authentication process:

   1. A Microsoft OneDrive sign-in popup appears automatically. If it doesn't, click the Sign in to Microsoft OneDrive button.

   1. Sign in using your Amazon credentials.

   1. Wait until a success banner appears.

   1. Click the "Next" button.

1. Select the data to ingest into the knowledge base using the OneDrive file picker, then click the Add button.

1. Enter a Name and an optional Description for the knowledge base, then click Create.

1. There will be a success toast notification and the data ingestion and sync will begin.

1. The data can take several minutes to sync, depending on the number of files being ingested. The Status column shows Syncing until the knowledge base is ready, then changes to Available.

1. When the knowledge base is ready, use the chat to ask questions and interact with it.
**Note**  
By default, the chat uses 'all data and apps' that you have access to and that are set up on your behalf. If you want to chat with a single knowledge base, select the knowledge base in the chat data picker.
**Note**  
You can also attach a knowledge base to a Space by navigating to the Space and adding it.

After successful creation, your data access integration appears in the integrations list. You can now create knowledge bases that use this integration to access and index content from the connected data source.

**Note**  
For detailed configuration steps specific to each data source, see [Supported integrations](supported-integrations.md).

## Supported data sources


Amazon Quick supports data access integrations with the following applications and services. These integrations allow you to create knowledge bases from external data sources:
+ **Amazon S3** - Access documents and files stored in S3 buckets using Amazon credentials.
+ **Atlassian Confluence** - Index pages, spaces, and attachments using user authentication or service authentication.
+ **Google Drive** - Connect to personal and shared drives using OAuth 2.0 authentication.
+ **Microsoft OneDrive** - Access OneDrive for Business content using user authentication or service authentication.
+ **Microsoft SharePoint** - Index SharePoint Online and Server content using OAuth 2.0 authentication.
+ **Web Crawler** - Index content from internal and external websites using basic authentication or form/SAML authentication.

Each data source supports different authentication methods and content access capabilities. The relationship between data access integrations and knowledge bases is one-to-many - one integration can support multiple knowledge bases, each selecting specific content from the connected data source.

## Data source categories


Data access integrations are organized into the following categories based on the type of content and access patterns:

**Cloud storage and file systems**  
+ Amazon S3 - Access documents and files stored in S3 buckets.
+ Google Drive - Index content from personal and shared drives.
+ Microsoft OneDrive - Connect to OneDrive for Business content.

**Content management systems**  
+ Atlassian Confluence - Access pages, spaces, and attachments.
+ Microsoft SharePoint - Index SharePoint Online and Server content.

**Web content**  
+ Web Crawler - Index content from internal and external websites.

### Authentication and security


Data access integrations use secure authentication methods to protect your data and maintain access controls. The authentication method depends on the specific data source and your organization's security requirements.

**OAuth authentication**  
Most cloud-based integrations (Google Drive, OneDrive, Confluence Cloud) use OAuth 2.0 for secure, token-based authentication. This method allows Amazon Quick to access your data without storing your credentials.

**Service account authentication**  
Enterprise integrations may use service accounts for programmatic access. This method is common for Amazon S3 and other infrastructure-based data sources.

**No authentication**  
Some integrations, such as web crawlers accessing public websites, may not require authentication. However, access controls are still enforced based on your Amazon Quick permissions.

**Note**  
Authentication requirements and available methods vary by user tier. Readers may have limited authentication options compared to Authors.

### Access control and permissions


Data access integrations maintain security by enforcing access controls at multiple levels. When users query content through knowledge bases, Amazon Quick ensures they can only access content they have permission to view.
+ **Source-level permissions** - Users must have appropriate permissions in the source system (Google Drive, SharePoint, etc.).
+ **Integration-level permissions** - Access to the integration itself is controlled by Amazon Quick permissions.
+ **Knowledge base permissions** - Individual knowledge bases can have their own access controls.
+ **Entity-level access controls** - When users query content, Amazon Quick verifies permissions for each document or item.

### Key features and capabilities


Data access integrations provide several features to enhance your data integration experience:
+ **Real-time synchronization** - Content is automatically updated when changes occur in the source system.
+ **Selective indexing** - Choose specific folders, sites, or content types to include in your knowledge bases.
+ **Content type support** - Index various file formats including documents, spreadsheets, presentations, and web pages.
+ **Metadata preservation** - Maintain important metadata such as creation dates, authors, and tags.
+ **Natural language querying** - Enable AI-powered search and question-answering across your indexed content.

### Before you begin


Before creating data access integrations, ensure you have the following requirements in place:
+ **Amazon Quick permissions** - Author or Admin role to create and manage integrations.
+ **Source system access** - Appropriate permissions in the target system (administrative access may be required for some integrations).
+ **Authentication credentials** - Valid credentials or service accounts for the target system.
+ **Network connectivity** - Ensure Amazon Quick can access your data sources. Network requirements differ by integration type:
  + **Knowledge bases** - Do not support VPC connectivity. Data sources must be accessible over the public internet.
  + **Action connectors** - Support VPC connectivity for resource servers within your VPC. However, authentication servers must remain publicly accessible.

# Exploring your Amazon data in Amazon Quick



**Applies to:** Enterprise Edition and Standard Edition

**Intended audience:** System administrators

Use this section to learn how to explore Amazon data in Amazon Quick using the Amazon Web Services Management Console. Using the **Explore in Amazon Quick Sight** shortcut, you can access a customizable dashboard template showing your data. Just as with any Amazon Quick Sight dashboard, this dashboard can be refreshed on a schedule, published, and shared with other users in your organization. 

To use this feature, you must first enable Amazon S3 analytics storage class analysis for your Amazon S3 buckets. For more on enabling storage class analysis in Amazon S3, see [Amazon S3 analytics – Storage class analysis](https://docs.amazonaws.cn/AmazonS3/latest/userguide/analytics-storage-class.html) in the *Amazon S3 Developer Guide*.

After you have enabled storage class analysis, you can use Amazon Quick to explore your Amazon S3 analytics data.

**To explore Amazon S3 analytics data in Amazon Quick**

1. Open the Amazon S3 console at [https://console.amazonaws.cn/s3/](https://console.amazonaws.cn/s3/).

1. Choose a bucket to explore. The bucket must have storage class analysis enabled, with at least one filter.

1. Choose the **Management** tab.

1. Then choose **Analytics**.

1. Choose **Explore in QuickSight**.
**Note**  
If you don't have an Amazon Quick account, you're prompted to create one before you can use the dashboard.

When you choose the option to explore in Amazon Quick, your Amazon S3 analytics data is automatically loaded into the dashboard template. The dashboard contains multiple visualizations to help you to understand the storage access pattern of your bucket. 

Use the template as is, or customize it to suit your needs. For example, one visual on the default template helps you identify infrequently accessed data. It compares the amount of data retrieved to the amount of storage consumed, for objects of different ages.

You can also add your own visualizations to the dashboard. For example, you can break down the data access patterns, using filters for storage class analysis that you already have defined in Amazon S3 analytics. 

To learn more about using S3 analytics and storage class analysis, see [Amazon S3 analytics – Storage class analysis](https://docs.amazonaws.cn/AmazonS3/latest/userguide/analytics-storage-class.html) in the *Amazon S3 Developer Guide*. 

# Amazon service action connectors

With Amazon service action connectors in Amazon Quick, you can create action connectors that interact directly with Amazon services like Amazon Bedrock, Amazon Textract, and Amazon Comprehend. These connectors enable automated workflows that leverage Amazon AI and machine learning capabilities.

## What you can do


Amazon service action connectors enable you to integrate powerful Amazon capabilities into your automated workflows. For example, you can use Amazon Bedrock to generate content with foundation models, Amazon Textract to extract text and data from documents, or Amazon Comprehend to analyze sentiment and extract insights from text. These action connectors allow you to build sophisticated automation workflows that combine multiple Amazon services for document processing, content generation, and data analysis—all while maintaining security through IAM role-based authentication.

**Note**  
Amazon services action connectors can only be used with Amazon Quick Automate because they require an IAM identity for authentication. These connectors are created through the admin console and provide direct access to Amazon service APIs.

## Supported Amazon services


Amazon Quick supports the following Amazon services for action connectors:
+ **Amazon Bedrock Agent** - Invoke Bedrock agents for complex AI workflows.
+ **Amazon Bedrock Runtime** - Access foundation models for text generation and conversation.
+ **Amazon Bedrock Data Automation** - Automate data processing workflows with AI.
+ **Amazon Comprehend** - Analyze text for sentiment, entities, and key phrases.
+ **Amazon Comprehend Medical** - Extract medical information from healthcare text.
+ **Amazon Textract** - Extract text and data from documents and images.
+ **Amazon S3** - Manage objects and buckets in S3.

## Before you begin


Before you set up an Amazon service action connector, make sure you have the following:
+ Amazon account with access to the desired Amazon services.
+ IAM role with appropriate permissions for the Amazon services you want to use.
+ Amazon Quick Admin access to create action connectors.
+ Amazon Quick Automate access to use the action connectors in workflows.

## Prepare IAM role and permissions


Before setting up the action connectors in Amazon Quick, prepare your IAM role with the necessary permissions for the Amazon services you want to use.

### Required IAM permissions


Configure your IAM role with the appropriate permissions based on the Amazon services you plan to use. Make sure your IAM role includes a trust policy that allows Amazon Quick to assume the role for executing actions.

### IAM Role for Resource Access


First, you will need to create an IAM role that will be used by Amazon Quick to call the Amazon service needed in your Amazon Quick Automate workflow.

1. Log in to the Amazon Console of the Amazon account where the Amazon Quick subscription resides.

1. Open IAM and create a new IAM role.

1. Give it all the permissions for the Amazon service you want to invoke via action connectors. For example, you can assign a managed policy like `AmazonS3FullAccess` if you need to invoke Amazon S3.

1. In the trust relationship, give the assume role permission to `quicksight.amazonaws.com`. This allows Amazon Quick to assume this role and call Amazon services on your behalf.

1. Once the role is created, take note of the IAM role ARN.

Example trust policy:

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "quicksight.amazonaws.com"
                ]
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
```
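To confirm that a role's trust policy has the shape shown above before you enter its ARN in Quick, here is an added Python check (not part of this documentation or of the Amazon Quick product) that reports any principal other than `quicksight.amazonaws.com`, any wildcard principal, and the absence of an `sts:AssumeRole` grant to that service. The second policy, with its placeholder account ID, is a constructed input showing what a widened trust policy looks like to the check.

```python
import json

QUICK_SERVICE_PRINCIPAL = "quicksight.amazonaws.com"


def _as_list(value):
    """IAM accepts a single string or a list in Action and Principal fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy):
    """Return findings for a role that Amazon Quick is meant to assume.

    An empty list means every Allow statement that grants sts:AssumeRole
    names only the quicksight.amazonaws.com service principal, and at least
    one such statement exists. Deny statements are ignored."""
    findings = []
    allows_quick = False
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue  # statement does not grant role assumption
        principal = stmt.get("Principal")
        if principal == "*":
            findings.append(f"statement {i}: any principal may assume the role")
            continue
        if not isinstance(principal, dict):
            findings.append(f"statement {i}: missing or malformed Principal")
            continue
        for kind, members in principal.items():
            for member in _as_list(members):
                if kind == "Service" and member == QUICK_SERVICE_PRINCIPAL:
                    allows_quick = True
                else:
                    findings.append(
                        f"statement {i}: unexpected principal {kind}={member}")
    if not allows_quick:
        findings.append(
            f"no Allow statement grants sts:AssumeRole to {QUICK_SERVICE_PRINCIPAL}")
    return findings


# Constructed input: the example trust policy from this page.
PAGE_TRUST_POLICY = json.loads("""{
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Statement1",
        "Effect": "Allow",
        "Principal": {"Service": ["quicksight.amazonaws.com"]},
        "Action": "sts:AssumeRole"
    }]
}""")

# Constructed input: the same policy with an extra account principal
# (placeholder account ID), which widens who can assume the role.
BROAD_TRUST_POLICY = json.loads("""{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "quicksight.amazonaws.com",
                      "AWS": "arn:aws:iam::111122223333:root"},
        "Action": "sts:AssumeRole"
    }]
}""")

if __name__ == "__main__":
    for name, pol in (("page", PAGE_TRUST_POLICY), ("broad", BROAD_TRUST_POLICY)):
        print(name, check_trust_policy(pol) or "OK")
```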

## Create Amazon services action connector


After preparing your IAM role and permissions, follow these steps to set up Amazon Actions in Quick Suite.

**Note**  
You need administrative access to Amazon Quick Suite to perform the following steps. See documentation on [Configure Amazon Quick subscriptions](managing-qbs-subscriptions.md) to learn more.

### Steps to create a new Amazon integration


1. Choose the **profile icon**, then select **Manage Quick Suite**.

1. Select **Amazon actions** under the **Permissions** section.

1. Choose **New Action** to create a new Amazon integration.

1. Choose one of the **supported Amazon services**.

1. Select **Next** to review available actions for this service.

1. Select **Next** to configure the connection details:
   + **Name** – Enter a descriptive name for your integration.
   + **Description** – Optionally, add notes about how this integration will be used.
   + **Role ARN** – Enter the ARN of the IAM role to be used for this Amazon service.

1. Select **Next** to share the integration with users and/or user groups.
   + Provide **Owner access** for any users who need to edit, share, and delete the integration.
**Note**  
Owner access is required to add integrations to Automation Groups in order to give access within Quick Automate.
   + Provide **User access** for any users who need to invoke actions across Quick Suite.

     For a list of integrations supported in various Quick Suite capabilities, see [Action connector compatibility matrix](action-connector-apis-supported-types.md#action-connector-compatibility-matrix).

1. Select **Add** to finish creating the integration.

   See [Integration workflows](integration-workflows.md) to learn more.

## Next steps


After creating your action integration, you can:
+ Share the integration with additional users or groups as needed.
+ Add the integration to an **Automation Group** in order to use it in Quick Automate. See [Setup tasks](getting-started-quick-automate.md#automate-setup-tasks) for more details.
+ Monitor the integration's usage and performance through the admin console.
+ Update the integration's configuration or permissions as requirements change.