Using service control policies to restrict Amazon Quick Suite sign-up options
If you're an administrator in Amazon Organizations, you can use service control policies (SCPs) to restrict how individuals in your organization can sign up for Amazon Quick Suite. You can restrict the edition of Quick Suite they can sign up for, and the user management option (the identity source) they can sign up with.
Amazon Organizations is a user account management service that you can use to consolidate multiple Amazon accounts into an organization that you create and centrally manage. You can use SCPs in Amazon Organizations to manage the permissions in your organization. For more information, see What is Amazon Organizations? and Service control policies in the Amazon Organizations User Guide.
In the following topic, you can learn about two ways to restrict Quick Suite sign-up options using SCPs in Amazon Organizations. The topic includes an example SCP. To learn more about creating SCPs, see the following topics in the Amazon Organizations User Guide:
Restricting the Quick Suite edition
To restrict the edition of Quick Suite that your managed accounts can sign up for, use the quicksight:Edition condition key in your SCP. The values for this key are listed and described in the following table.
Key Name | Key Value | Description |
---|---|---|
quicksight:Edition | standard | Amazon Quick Suite Standard Edition |
quicksight:Edition | enterprise | Amazon Quick Suite Enterprise Edition |
Restricting user management options
To restrict the user management options that individuals in your organization can use to sign up for Quick Suite, use the quicksight:DirectoryType condition key in your SCP. The values for this key are listed and described in the following table.
Key Name | Key Value | Description |
---|---|---|
quicksight:DirectoryType | quicksight | IAM federated identities and Amazon Quick Suite-managed users |
quicksight:DirectoryType | iam_only | Only IAM federated identities |
quicksight:DirectoryType | ad | Users managed in Microsoft Active Directory on Amazon Directory Service for Microsoft Active Directory |
quicksight:DirectoryType | ad_connector | Users managed in on-premises Active Directory and connected through AD Connector to Amazon Directory Service for Microsoft Active Directory |
quicksight:DirectoryType | iam_identity_center | Users managed in an Amazon Quick Suite account that is integrated with IAM Identity Center |
Example SCP
The following example for Quick Suite shows a service control policy that denies signing up for Amazon Quick Suite Standard Edition and denies any sign-up that does not use the IAM Identity Center enabled application option, which rules out Amazon Quick Suite-managed users, IAM-only federated identities, and Active Directory credentials. This policy uses the quicksight:Subscribe action, in addition to the condition keys previously described. Note that the first statement is a Deny on ForAnyValue:StringNotEquals with the value iam_identity_center; a Deny on StringEquals with that same value would block the very option the policy is meant to allow. For a list of Amazon Quick Suite-specific keys for use in IAM permission policies, see Actions, resources, and condition keys for Quick Suite in the Service Authorization Reference.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement1",
      "Effect": "Deny",
      "Action": ["quicksight:Subscribe"],
      "Resource": ["*"],
      "Condition": {
        "ForAnyValue:StringNotEquals": {
          "quicksight:DirectoryType": ["iam_identity_center"]
        }
      }
    },
    {
      "Sid": "Statement2",
      "Effect": "Deny",
      "Action": ["quicksight:Subscribe"],
      "Resource": ["*"],
      "Condition": {
        "StringEquals": {
          "quicksight:Edition": "standard"
        }
      }
    }
  ]
}
```
With this policy in effect, individuals in an organization can sign up only for Amazon Quick Suite Enterprise Edition, and only by using the IAM Identity Center enabled application option. If they try to sign up for Amazon Quick Suite Standard Edition or use another form of authentication, the sign-up is refused and they receive a message explaining that they don't have the right permissions to sign up for Amazon Quick Suite. As with any SCP, the policy applies only to the member accounts it is attached to, directly or through an organizational unit, and never to the organization's management account.
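Before attaching an SCP like this one, it is worth checking which sign-up combinations it actually denies, because a wrong condition operator silently inverts the intent. The following is an added example, not code from this page or from AWS: a small offline evaluator for the slice of IAM condition semantics the policy uses (Deny statements, StringEquals and StringNotEquals, the ForAnyValue and ForAllValues set prefixes, and the missing-key rules), run against constructed quicksight:Subscribe requests. It assumes the organization's default FullAWSAccess SCP is also attached, so an explicit Deny is the only thing that blocks the action, and it assumes the request context carries quicksight:Edition and quicksight:DirectoryType as single values. The helper with_directory_operator is an assumption added for illustration; it swaps the first statement's operator so you can see that a Deny on StringEquals iam_identity_center blocks the IAM Identity Center option itself.

```python
"""Offline evaluator for the Quick Suite sign-up SCP on this page.

Added example, not code from the page or from AWS. Implements only the
slice of IAM condition semantics the policy uses and runs it against
constructed sign-up requests (the sample values below are constructed).
"""
import copy
import json

# Intended policy: deny Standard Edition, and deny any sign-up whose
# directory type is anything other than IAM Identity Center.
SCP = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "Statement1", "Effect": "Deny",
     "Action": ["quicksight:Subscribe"], "Resource": ["*"],
     "Condition": {"ForAnyValue:StringNotEquals":
                   {"quicksight:DirectoryType": ["iam_identity_center"]}}},
    {"Sid": "Statement2", "Effect": "Deny",
     "Action": ["quicksight:Subscribe"], "Resource": ["*"],
     "Condition": {"StringEquals": {"quicksight:Edition": "standard"}}}
  ]
}
""")


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _base_match(base_op, value, policy_values):
    """One request value against the policy's value list."""
    if base_op == "StringEquals":
        return value in policy_values
    if base_op == "StringNotEquals":
        return value not in policy_values
    raise NotImplementedError(base_op)


def _condition_true(op, key, policy_values, context):
    """IAM missing-key rules: a negated single-valued operator matches when
    the key is absent, ForAnyValue never matches an absent key, and
    ForAllValues always does."""
    set_prefix, _, base_op = op.rpartition(":")
    policy_values = _as_list(policy_values)
    request_values = context.get(key)
    if request_values is None:
        if set_prefix == "ForAnyValue":
            return False
        if set_prefix == "ForAllValues":
            return True
        return base_op.startswith("StringNot")
    request_values = _as_list(request_values)
    if set_prefix == "ForAnyValue":
        return any(_base_match(base_op, v, policy_values) for v in request_values)
    if set_prefix == "ForAllValues":
        return all(_base_match(base_op, v, policy_values) for v in request_values)
    return _base_match(base_op, request_values[0], policy_values)  # single-valued


def _statement_applies(stmt, action, context):
    actions = _as_list(stmt.get("Action", []))
    if action not in actions and "*" not in actions:
        return False
    # Resource is "*" in both statements; Subscribe is not resource-scoped.
    return all(
        _condition_true(op, key, pv, context)
        for op, pairs in stmt.get("Condition", {}).items()
        for key, pv in pairs.items()
    )


def denying_sids(policy, action, context):
    """Sids of Deny statements that match; an empty list means not denied."""
    return [s["Sid"] for s in policy["Statement"]
            if s["Effect"] == "Deny" and _statement_applies(s, action, context)]


def can_sign_up(edition, directory_type, policy=SCP):
    """True if quicksight:Subscribe gets through the SCP. Assumes the default
    FullAWSAccess SCP is also attached, so only an explicit Deny blocks it."""
    context = {"quicksight:Edition": edition,
               "quicksight:DirectoryType": directory_type}
    return not denying_sids(policy, "quicksight:Subscribe", context)


def with_directory_operator(op, policy=SCP):
    """Hypothetical helper: copy of the policy with Statement1's operator
    swapped, to show what a Deny on StringEquals would do."""
    p = copy.deepcopy(policy)
    stmt = next(s for s in p["Statement"] if s["Sid"] == "Statement1")
    stmt["Condition"] = {op: next(iter(stmt["Condition"].values()))}
    return p


if __name__ == "__main__":
    for edition in ("standard", "enterprise"):
        for dtype in ("quicksight", "iam_only", "ad", "ad_connector", "iam_identity_center"):
            verdict = "allowed" if can_sign_up(edition, dtype) else "denied"
            print(f"{edition:10} {dtype:20} {verdict}")
```

Running the module prints the full edition-by-directory-type matrix; only the enterprise plus iam_identity_center row comes out allowed. Swapping the first statement's operator to ForAnyValue:StringEquals flips the result: IAM Identity Center sign-ups are denied and every other directory type is let through, which is why the operator choice deserves a test before the policy is attached.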