
Best practices for security in Amazon QuickSight

Amazon QuickSight provides a number of security features to consider as you develop and implement your own security policies. The following best practices are general guidelines and don’t represent a complete security solution. Because these best practices might not be appropriate or sufficient for your environment, treat them as helpful considerations rather than prescriptions.

Firewall – To allow users to access Amazon QuickSight, allow HTTPS and WebSockets Secure (wss://) traffic. To allow Amazon QuickSight to reach a database that is on a non-Amazon server, change that server's firewall configuration to accept traffic from the applicable Amazon QuickSight IP address range.

SSL – Use SSL to connect to your databases, especially if you are using public networks. Using SSL with Amazon QuickSight requires certificates signed by a publicly recognized certificate authority (CA).

Enhanced security – Use Amazon QuickSight Enterprise edition to make use of its enhanced security capabilities, including the following.

  • Store data in SPICE with encryption at rest.

  • Integrate Active Directory and IAM Identity Center authentication.

  • Securely access data in private VPCs and on-premises.

  • Limit access to data with row-level security.

VPC – (Enterprise Edition) Use a virtual private cloud (VPC) for data in Amazon data sources and for data in on-premises servers without public connectivity. For Amazon sources, VPC access for Amazon QuickSight uses an elastic network interface for secure, private communication with data sources in a VPC. For your local data, VPC allows you to use Amazon Direct Connect to create a secure, private link with your on-premises resources.