

# Amazon managed policies for Amazon Quick
<a name="security-iam-quicksight"></a>







To add permissions to users, groups, and roles, it is easier to use Amazon managed policies than to write policies yourself. It takes time and expertise to [create IAM customer managed policies](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies_create-console.html) that provide your team with only the permissions they need. To get started quickly, you can use our Amazon managed policies. These policies cover common use cases and are available in your Amazon Web Services account. For more information about Amazon managed policies, see [Amazon managed policies](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) in the *IAM User Guide*.

Amazon services maintain and update Amazon managed policies. You can't change the permissions in Amazon managed policies. Services occasionally add additional permissions to an Amazon managed policy to support new features. This type of update affects all identities (users, groups, and roles) where the policy is attached. Services are most likely to update an Amazon managed policy when a new feature is launched or when new operations become available. Services do not remove permissions from an Amazon managed policy, so policy updates won't break your existing permissions.

Additionally, Amazon supports managed policies for job functions that span multiple services. For example, the **ReadOnlyAccess** Amazon managed policy provides read-only access to all Amazon services and resources. When a service launches a new feature, Amazon adds read-only permissions for new operations and resources. For a list and descriptions of job function policies, see [Amazon managed policies for job functions](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies_job-functions.html) in the *IAM User Guide*.

**Topics**
+ [Amazon managed policy: AWSQuickSightElasticsearchPolicy](#security-iam-quicksight-AWSQuickSightElasticsearchPolicy)
+ [Amazon managed policy: AWSQuickSightOpenSearchPolicy](#security-iam-quicksight-AWSQuickSightOpenSearchPolicy)
+ [Amazon managed policy: AWSQuickSightSageMakerPolicy](#security-iam-quicksight-AWSQuickSightSageMakerPolicy)
+ [Amazon managed policy: AWSQuickSightAssetBundleExportPolicy](#security-iam-quicksight-AWSQuickSightAssetBundleExportPolicy)
+ [Amazon managed policy: AWSQuickSightAssetBundleImportPolicy](#security-iam-quicksight-AWSQuickSightAssetBundleImportPolicy)
+ [Amazon Quick updates to Amazon managed policies](#security-iam-quicksight-updates)









## Amazon managed policy: AWSQuickSightElasticsearchPolicy
<a name="security-iam-quicksight-AWSQuickSightElasticsearchPolicy"></a>

This information is provided for backward compatibility only. The `AWSQuickSightOpenSearchPolicy` Amazon managed policy replaces the `AWSQuickSightElasticsearchPolicy` Amazon managed policy. 

Previously, you used the `AWSQuickSightElasticsearchPolicy` Amazon managed policy to provide access to Amazon Elasticsearch Service resources from Amazon Quick. Starting on or after September 7, 2021, Amazon Elasticsearch Service is renamed to Amazon OpenSearch Service. 

Wherever you are using `AWSQuickSightElasticsearchPolicy`, you can update to the new Amazon managed policy, `AWSQuickSightOpenSearchPolicy`. You can attach the policy to your IAM entities. Amazon Quick also attaches the policy to a service role that allows Amazon Quick to perform actions on your behalf. `AWSQuickSightElasticsearchPolicy` is still available and, as of August 31, 2021, had the same permissions as the new policy. However, `AWSQuickSightElasticsearchPolicy` is no longer kept up to date with the latest changes. 

This policy grants read-only permissions that allow access to OpenSearch (previously known as Elasticsearch) resources from Amazon Quick.

**Permissions details**

This policy includes the following permissions:
+ `es` – Allows principals to use `es:ESHttpGet` to access your OpenSearch (previously known as Elasticsearch) domains, cluster settings, and indices. This is required to use the search service from Amazon Quick.
+ `es` – Allows principals to use `es:ListDomainNames` to list your OpenSearch (previously known as Elasticsearch) domains. This is required to initiate access of the search service from Amazon Quick.
+ `es` – Allows principals to use `es:DescribeElasticsearchDomain` to search your OpenSearch (previously known as Elasticsearch) domains. This is required to use the search service from Amazon Quick.
+ `es` – Allows principals to use `es:ESHttpPost` and `es:ESHttpGet` with your OpenSearch (previously known as Elasticsearch) domains. This is required to use a SQL plugin with read-only access to the search service domains from Amazon Quick. 

For information on the contents of this IAM policy, see [AWSQuickSightElasticsearchPolicy](https://console.amazonaws.cn/iam/home#/policies/arn:aws:iam::aws:policy/service-role/AWSQuickSightElasticsearchPolicy$jsonEditor) in the IAM console.

## Amazon managed policy: AWSQuickSightOpenSearchPolicy
<a name="security-iam-quicksight-AWSQuickSightOpenSearchPolicy"></a>

Use the `AWSQuickSightOpenSearchPolicy` Amazon managed policy to provide access to Amazon OpenSearch Service resources from Amazon Quick. `AWSQuickSightOpenSearchPolicy` replaces `AWSQuickSightElasticsearchPolicy`. As of August 31, 2021, this policy had the same permissions as the legacy policy, `AWSQuickSightElasticsearchPolicy`. For now, you can use them interchangeably. For the long term, we recommend updating your policy usage to `AWSQuickSightOpenSearchPolicy`.

You can attach `AWSQuickSightOpenSearchPolicy` to your IAM entities. Amazon Quick also attaches this policy to a service role that allows Amazon Quick to perform actions on your behalf. 

This policy grants read-only permissions that allow access to OpenSearch resources from Amazon Quick.

**Permissions details**

This policy includes the following permissions:
+ `es` – Allows principals to use `es:ESHttpGet` to access your OpenSearch domains, cluster settings, and indices. This is required to use Amazon OpenSearch Service from Amazon Quick.
+ `es` – Allows principals to use `es:ListDomainNames` to list your OpenSearch domains. This is required to initiate access of Amazon OpenSearch Service from Amazon Quick.
+ `es` – Allows principals to use `es:DescribeElasticsearchDomain` and `es:DescribeDomain` to search your OpenSearch domains. This is required to use Amazon OpenSearch Service from Amazon Quick.
+ `es` – Allows principals to use `es:ESHttpPost` and `es:ESHttpGet` with your OpenSearch domains. This is required to use a SQL plugin with read-only access to Amazon OpenSearch Service domains from Amazon Quick. 

For information on the contents of this IAM policy, see [AWSQuickSightOpenSearchPolicy](https://console.amazonaws.cn/iam/home#/policies/arn:aws:iam::aws:policy/service-role/AWSQuickSightOpenSearchPolicy$jsonEditor) in the IAM console.
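
The permission lists above show `es:DescribeDomain` only under the new policy, which is the kind of drift that appears once the legacy policy stops receiving updates. The following added example (not AWS code and not the actual policy JSON) diffs two policy documents constructed from those lists; the `Resource` values and the names `LEGACY`, `CURRENT`, `allowed_actions`, and `diff_policies` are assumptions.

```python
# Constructed documents: the action lists come from the bullets on this page;
# the Resource values are placeholders, not the real policies' resources.
LEGACY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["es:ESHttpGet", "es:ESHttpPost"], "Resource": "*"},
    {"Effect": "Allow", "Action": "es:ListDomainNames", "Resource": "*"},
    {"Effect": "Allow", "Action": ["es:DescribeElasticsearchDomain"], "Resource": "*"},
]}
CURRENT = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["es:ESHttpGet", "es:ESHttpPost"], "Resource": "*"},
    {"Effect": "Allow", "Action": "es:ListDomainNames", "Resource": "*"},
    {"Effect": "Allow",
     "Action": ["es:DescribeElasticsearchDomain", "es:DescribeDomain"], "Resource": "*"},
]}


def allowed_actions(policy):
    """Map lower-cased action -> action as written, for Allow statements only."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    actions = {}
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:  # grants everything except a list: cannot enumerate
            raise ValueError("NotAction statement needs manual review")
        value = stmt.get("Action", [])
        for action in [value] if isinstance(value, str) else value:
            actions.setdefault(action.lower(), action)  # IAM action names ignore case
    return actions


def diff_policies(baseline, current):
    """Report actions added to or removed from a baseline; resources and
    conditions are not compared."""
    old, new = allowed_actions(baseline), allowed_actions(current)
    return {
        "added": sorted(new[k] for k in new.keys() - old.keys()),
        "removed": sorted(old[k] for k in old.keys() - new.keys()),
    }


if __name__ == "__main__":
    print(diff_policies(LEGACY, CURRENT))
```

The same functions work on documents retrieved with `aws iam get-policy-version`, so a pinned baseline can be compared against the current default version of a managed policy.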

## Amazon managed policy: AWSQuickSightSageMakerPolicy
<a name="security-iam-quicksight-AWSQuickSightSageMakerPolicy"></a>

Use the `AWSQuickSightSageMakerPolicy` Amazon managed policy to provide access to Amazon SageMaker AI resources from Amazon Quick.

You can attach `AWSQuickSightSageMakerPolicy` to your IAM entities. Amazon Quick also attaches this policy to a service role that allows Amazon Quick to perform actions on your behalf.

This policy grants read-only permissions that allow access to Amazon SageMaker AI resources from Amazon Quick.

To view the `AWSQuickSightSageMakerPolicy`, see [AWSQuickSightSageMakerPolicy](https://docs.amazonaws.cn/aws-managed-policy/latest/reference/AWSQuickSightSageMakerPolicy.html) in the [Amazon Managed Policy reference](https://docs.amazonaws.cn/aws-managed-policy/latest/reference/about-managed-policy-reference.html).

**Permissions details**

This policy includes the following permissions:
+ `sagemaker` – .
+ `s3` – Allows principals to use `s3:GetObject` on all Amazon S3 buckets that start with the prefix `arn:aws-cn:s3:::sagemaker.*` to access data stored in SageMaker AI default buckets. This is required to load models shared from Amazon SageMaker AI Canvas to the default Amazon SageMaker AI Canvas Amazon S3 bucket.
+ `s3` – Allows principals to use `s3:PutObject` to export objects into an Amazon S3 bucket. This is required to support existing datasets from Amazon Quick to Amazon SageMaker AI Canvas to build predictive models.
+ `s3` – Allows principals to use `s3:ListBucket` to allow Amazon Quick to validate an existing Amazon SageMaker AI Canvas bucket in Amazon S3. This is required to allow the export of data from Amazon Quick to Amazon SageMaker AI Canvas to build predictive models.
+ `s3` – Allows principals to use `s3:GetObject` on all Amazon Quick–owned Amazon S3 buckets that start with the prefix `arn:aws-cn:s3:::quicksight-ml`. This is required to allow Amazon Quick to access the predictions that are generated by Amazon SageMaker AI Canvas. The generated predictions can be appended to an Amazon Quick dataset.
+ `sagemaker` – Allows principals to use `sagemaker:CreateTransformJob`, `sagemaker:DescribeTransformJob`, and `sagemaker:StopTransformJob` to perform SageMaker AI transform jobs on your behalf. This is required for Amazon Quick to request predictions from SageMaker AI models that can be appended to an Amazon Quick dataset.
+ `sagemaker` – Allows principals to use `sagemaker:ListModels` to list your SageMaker AI models. This is required to allow generated SageMaker AI models to appear in Amazon Quick.

## Amazon managed policy: AWSQuickSightAssetBundleExportPolicy
<a name="security-iam-quicksight-AWSQuickSightAssetBundleExportPolicy"></a>

Use the `AWSQuickSightAssetBundleExportPolicy` Amazon managed policy to perform asset bundle export operations. You can attach `AWSQuickSightAssetBundleExportPolicy` to your IAM entities.

This policy grants read-only permissions that allow access to Amazon Quick asset resources. To view the details of this policy, see [AWSQuickSightAssetBundleExportPolicy](https://docs.amazonaws.cn/aws-managed-policy/latest/reference/AWSQuickSightAssetBundleExportPolicy.html) in the Amazon Managed Policy reference.

This policy includes the following permissions:
+ `quicksight` – Allows principals to use `quicksight:Describe*` and `quicksight:List*` to find and fetch Amazon Quick assets and their corresponding permissions.
+ `quicksight` – Allows principals to use `quicksight:ListTagsForResource` to fetch tags of Amazon Quick assets.
+ `quicksight` – Allows principals to list, execute, and get the status of an asset bundle export job. This policy uses the `quicksight:ListAssetBundleExportJob`, `quicksight:StartAssetBundleExportJob`, and `quicksight:DescribeAssetBundleExportJob` permissions.

## Amazon managed policy: AWSQuickSightAssetBundleImportPolicy
<a name="security-iam-quicksight-AWSQuickSightAssetBundleImportPolicy"></a>

Use the `AWSQuickSightAssetBundleImportPolicy` Amazon managed policy to perform asset bundle import operations. This managed policy does not grant the `iam:PassRole` permission that run-as-role functionality requires for some VPC connection and DataSource operations. This policy also does not grant access to retrieve objects from a user's Amazon S3 bucket.

You can attach the `AWSQuickSightAssetBundleImportPolicy` to your IAM entities. This policy grants read and write permissions that allow access to Amazon Quick resources. To view the details of this policy, see [AWSQuickSightAssetBundleImportPolicy](https://docs.amazonaws.cn/aws-managed-policy/latest/reference/AWSQuickSightAssetBundleImportPolicy.html) in the Amazon Managed Policy reference.

This policy includes the following permissions:
+ `quicksight` – Allows principals to use `quicksight:Describe*` and `quicksight:List*` to detect changes in the Amazon Quick assets and their permissions.
+ `quicksight` – Allows principals to use `quicksight:Create*` and `quicksight:Update*` to make changes to the Amazon Quick assets and permissions from the supplied asset bundle.
+ `quicksight` – Allows principals to use `quicksight:ListTagsForResource`, `quicksight:TagResource`, and `quicksight:UntagResource` to update the tags of Amazon Quick assets.
+ `quicksight` – Allows principals to list, execute, and get the status of an Asset bundle import job. This policy uses the `quicksight:ListAssetBundleImportJob`, `quicksight:StartAssetBundleImportJob`, and `quicksight:DescribeAssetBundleImportJob` permissions.



## Amazon Quick updates to Amazon managed policies
<a name="security-iam-quicksight-updates"></a>



View details about updates to Amazon managed policies for Amazon Quick since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the [Amazon Quick Document History](doc-history.md) page.




| Change | Description | Date | 
| --- | --- | --- | 
|  `AWSQuickSightAssetBundleExportPolicy` – New policy  |  Amazon Quick added new permissions to simplify Asset bundle export operations.  |  March 27, 2024  | 
|  `AWSQuickSightAssetBundleImportPolicy` – New policy  |  Amazon Quick added new permissions to simplify Asset bundle import operations.  |  March 27, 2024  | 
|  `AWSQuickSightSageMakerPolicy` – Update to an existing policy  |  Amazon Quick added new permissions to allow integration with Amazon SageMaker AI Canvas.  |  July 25, 2023  | 
|  `AWSQuickSightElasticsearchPolicy` – Update to an existing policy  |  Amazon Quick added new permissions to provide access to Amazon OpenSearch Service resources.  | September 08, 2021 | 
|  `AWSQuickSightOpenSearchPolicy` – New policy  |  Amazon Quick added a new policy to allow access to Amazon OpenSearch Service resources from Quick.  | September 08, 2021 | 
|  Amazon Quick started tracking changes  |  Amazon Quick started tracking changes for its Amazon managed policies.  | August 2, 2021 | 