AWS cloud-storage solutions and services are quite popular among developers and according to Amazon, security is one of their highest priorities. Before we start talking about best practices for security in Amazon QuickSight, we must mention the term – shared responsibility model. At AWS, we often use this term when discussing security protocols and practices in Amazon’s cloud-based services.
In simple terms, the shared responsibility model refers to splitting the responsibility for security between AWS and its customers. In the following article, we will explore the concept of shared responsibility in AWS before proceeding to discuss the security best practices followed in Amazon QuickSight. So, jump right into this article and get started with learning more about security in Amazon’s AWS QuickSight and its best practices.
What is AWS’s Shared Responsibility Model About?
In the shared responsibility model, both AWS and customers take responsibility for the security and maintenance of the cloud. To be specific, AWS takes responsibility for maintaining the security of the cloud services, including the security of the data centers and the global networking used by AWS services like QuickSight. On the other hand, customers/users are responsible for maintaining the security of their cloud-based resources, which covers items like ensuring that your AWS users have the correct permissions and access controls.
What Are the Best Practices for Security in Amazon QuickSight?
Since one security aspect is taken care of by Amazon, you are only responsible for maintaining the other side, which makes the implementation of security protocols quite quick and easy. This section will guide you on QuickSight best practices to help you hold up to your side of the deal and ensure that your cloud-based applications are protected.
Data Encryption
Out of all the best practices for security in Amazon QuickSight, data encryption is the prime and the most important one. In simple terms, data encryption is a process that converts important data into a format that can only be decrypted by users or devices with a secret key. To better understand data encryption, we generally break it down into encryption in transit and encryption at rest.
- Data Encryption in Transit: Also known as encrypting data in motion, this refers to the process of encrypting data when it is moving from one location to another. In the case of QuickSight, this can be data transferred from data sources like a Spark cluster or an Aurora database. In some cases, it can also refer to the transfer of data from SPICE to user dashboards.
- Encryption at Rest: When data that is not actively moving and stored on a device/network is encrypted, the process is known as encryption at rest. When talking about QuickSight, this refers to the data that is stored by users within SPICE or data that is related to our cache and email reports.
When talking about data encryption in transit, users must note that QuickSight supports encryption for all data transfers, but it is not mandatory. While the majority of our data sources like Athena and Redshift have SSL encryption enabled, in some database connections it is optional. So, when you are making data connections where the SSL encryption is optional, it is best practice to enable it.
This is because SSL encryption can help secure your data that is in transit and protect it from attacks. Note that AWS supports a few SSL encryptions, which is why it is important to check for compliance validation for Amazon QuickSight in the documentation.
The data at rest can be broken into SPICE data and non-SPICE data, which is why we will first discuss the best practices for security in Amazon QuickSight from the point-of-view of the SPICE data.
SPICE Data – Encryption at Rest
In the QuickSight standard edition, all data is securely stored but is not encrypted. We can compare it to the QuickSight Enterprise edition to understand the difference. In the Enterprise edition, users add data where the SPICE part is encrypted using block-level encryption along with AWS-managed keys. Hence, this is a built-in encryption layer that offers additional QuickSight data security, making it quite difficult and virtually impossible for anyone to access the stored data.
If you want more control over your encryption keys, integrating QuickSight with another AWS service, the AWS Key Management Service (KMS), might be a wise decision. When you do so, you can ensure that in the case of security breaches or incidents (quite unlikely), users can revoke access and lock down all datasets in a simple click. Since both of these are great ways to increase the security within our account and satisfy regulatory requirements, they are some of the best practices for security in Amazon QuickSight.
AWS Secrets Manager
In this section, we will continue discussing data security in Amazon QuickSight, but with the help of another AWS service called the AWS Secrets Manager. This AWS service allows users to manage, retrieve, and even rotate their database credentials, API keys, and other types of secrets. The service also allows users to refer to these secrets from other applications and AWS services like QuickSight. In the case of QuickSight Enterprise, admin users can go into the system and grant read-only access to all secrets created within the Secrets Manager.
The benefit is that all author users who are trying to connect to a data source can now simply refer to the secrets. This means that authors are not required to input their credentials. However, an important point to note is that this service will work only with the data source types that support credential-based authentication, and it does not work with Jira and ServiceNow.
Using the Secrets Manager is considered one of the best practices for security in Amazon QuickSight because it means that businesses are not required to share database credentials with other teams. Since the service comes with secret rotation, users can be assured that their credentials are safe and protected. This is one of the major benefits of Amazon QuickSight, which is contributing to its high popularity.
Leveraging VPC Connections
One of the best practices for security in Amazon QuickSight is leveraging VPC connections, which means that those with QuickSight Enterprise licenses can securely connect to data available in a VPC (i.e. a Redshift cluster or an RDS database). It also allows users to securely connect with databases that might be hosted on-premises by leveraging VPC connections with Direct Connect, virtual private networks, or even proxies.
Note that making connections via the VPC connection ensures that the data sources of users are not exposed to the public network and helps reduce security risks. Another great benefit is that when users use VPC connections, they can enjoy other benefits offered by these such as specifying which ports and IP addresses can access our resources. If you want to implement VPC connections and leverage their benefits, we recommend getting in touch with a QuickSight consulting agency.
Multi-Factor Authentication
Multi-factor authentication is undoubtedly one of the best practices for security in Amazon QuickSight and helps users keep their data safe. We recommend using secure passwords and changing them frequently to ensure that your data is safe from data breaches. Another tip is to avoid using duplicate passwords for multiple devices and applications, which will help you keep your data protected from breaches occurring even on the client side.
Set up multi-factor authentication (MFA) to add a security layer and ensure that your accounts cannot be accessed by unauthorized users. Although this might seem quite simple, it can boost and add to the overall AWS security in Amazon QuickSight. We recommend this security practice in Amazon QuickSight for all users, especially those with multiple team members and clients accessing AWS.
Access Management for Multiple AWS Accounts
A major benefit of AWS is the ability to create account groups and apply policies to each of them. This allows users to oversee the responsibilities and access offered to each group, making the organization, management, and tracking of data quite easy. Since it is highly unlikely that all team members or teams require the same level of access, this is highly feasible and is one of the best practices for security in Amazon QuickSight. In the Enterprise edition, users can also use QuickSight row-level security or RLS to implement this access management security layer.
Security Audit
Based on the shared responsibility model, the security of your database and services also lies with you. This is why regular security audits that allow users to monitor and test all applications on AWS are recommended. If you or your team are not aware of security audits of AWS services, we recommend you hire AWS QuickSight developers for the same.
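As an added example (not part of the original article or any AWS tooling), the sketch below shows what a small audit of the SSL, Secrets Manager, and VPC connection practices described above could look like. It assumes data source records in the shape returned by the QuickSight ListDataSources API (fields `Type`, `SslProperties.DisableSsl`, `SecretArn`, `VpcConnectionProperties.VpcConnectionArn`); the set of types to audit, the finding names, and the sample records are constructed for illustration.

```python
# Added example: audit QuickSight data source definitions against the
# SSL, Secrets Manager and VPC connection practices discussed above.
# Records follow the DataSource shape of the QuickSight ListDataSources API
# (for live data, e.g. boto3: quicksight.list_data_sources(AwsAccountId=...)).

# Assumption of this example: credential-based database types worth auditing.
DATABASE_TYPES = {
    "AURORA", "AURORA_POSTGRESQL", "MARIADB", "MYSQL", "ORACLE",
    "POSTGRESQL", "PRESTO", "REDSHIFT", "SPARK", "SQLSERVER",
}

def audit_data_source(ds):
    """Return the list of findings for one data source record."""
    findings = []
    if ds.get("Type") not in DATABASE_TYPES:
        return findings  # e.g. Athena or S3: these checks do not apply
    # SSL is optional for some database connections; flag explicit opt-outs.
    if (ds.get("SslProperties") or {}).get("DisableSsl") is True:
        findings.append("ssl-disabled")
    # No SecretArn means credentials were typed in, not referenced from
    # Secrets Manager, so they are neither centrally managed nor rotated.
    if not ds.get("SecretArn"):
        findings.append("credentials-not-in-secrets-manager")
    # Without a VPC connection the database is reached over a public route.
    if not (ds.get("VpcConnectionProperties") or {}).get("VpcConnectionArn"):
        findings.append("no-vpc-connection")
    return findings

def audit(data_sources):
    """Map DataSourceId -> findings, omitting sources with no findings."""
    report = {}
    for ds in data_sources:
        findings = audit_data_source(ds)
        if findings:
            report[ds["DataSourceId"]] = findings
    return report

# Constructed sample records (placeholder account ID and ARNs).
SAMPLE = [
    {"DataSourceId": "orders-mysql", "Type": "MYSQL",
     "SslProperties": {"DisableSsl": True}},
    {"DataSourceId": "warehouse", "Type": "REDSHIFT",
     "SslProperties": {"DisableSsl": False},
     "SecretArn": "arn:aws:secretsmanager:us-east-1:111122223333:secret:example",
     "VpcConnectionProperties": {"VpcConnectionArn":
         "arn:aws:quicksight:us-east-1:111122223333:vpcConnection/example"}},
    {"DataSourceId": "spark-adhoc", "Type": "SPARK", "SslProperties": None,
     "SecretArn": "arn:aws:secretsmanager:us-east-1:111122223333:secret:example2"},
    {"DataSourceId": "logs-athena", "Type": "ATHENA"},
]

if __name__ == "__main__":
    for ds_id, findings in audit(SAMPLE).items():
        print(f"{ds_id}: {', '.join(findings)}")
```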
Conclusion
AWS QuickSight offers a lot of built-in features to ensure that user databases and data are secure. You can also check out their multiple resources and follow the best practices for security in Amazon QuickSight mentioned above. In case you are unaware of Amazon QuickSight and are looking for help, we recommend connecting with a company offering AWS QuickSight development services and AWS Amplify Development Services.
Frequently Asked Questions
1. What Is Amazon QuickSight, and Why Is Security Important for It?
Amazon QuickSight is one of the most popular AWS cloud-based services available and provides users with business analytics features. Since organizations use the tool to build data visualizations to make better decisions, security in Amazon QuickSight is highly important.
2. What Are Some Best Practices for Securing Data in Amazon QuickSight?
There are numerous best practices for Amazon QuickSight that you can follow to ensure better data security. Check out the above article to learn some of these tips and implement them to keep your data protected.
3. Are There Any Compliance Standards That Amazon QuickSight Adheres To?
Generally, third-party auditors assess Amazon QuickSight’s security and compliance against standards like FedRAMP, HIPAA, ISO, and SOC. We recommend you check out details about AWS compliance programs from the official site.
4. What Is QuickSight's Integration With AWS Key Management Service (KMS)?
QuickSight allows integration with AWS Key Management Service, which helps users control all cryptographic keys used across different applications. We have also explained the benefits of this integration and AWS service in the above article.