AWS Security ChangesHomeSearch

AWS quicksight medium security documentation change

Service: quicksight · 2025-04-11 · Security-related medium

File: quicksight/latest/user/restrict-access-to-a-data-set-using-row-level-security.md

Summary

Updated documentation on rules dataset flagging process, added strict SPICE ingestion requirements, and March 2025 deadline for existing permissions datasets

Security assessment

Introduces strict data validation for security-related rules datasets to prevent invalid row-level security configurations. The March 2025 deadline and ingestion failure requirements suggest addressing potential misconfigurations that could lead to unauthorized data access.

Diff

diff --git a/quicksight/latest/user/restrict-access-to-a-data-set-using-row-level-security.md b/quicksight/latest/user/restrict-access-to-a-data-set-using-row-level-security.md
index 420315f4e..f72109e3b 100644
--- a//quicksight/latest/user/restrict-access-to-a-data-set-using-row-level-security.md
+++ b//quicksight/latest/user/restrict-access-to-a-data-set-using-row-level-security.md
@@ -5 +5 @@
-Creating dataset rules for row-level securityCreating row-level securityRules Dataset tagging for row-level security
+Creating dataset rules for row-level securityRules Dataset flagging for row-level securityApplying row-level security
@@ -143 +143,19 @@ Following is a SQL example.
-## Creating row-level security
+## Rules Dataset flagging for row-level security
+
+Use the following procedure to appropriately flag a dataset as a rules dataset.
+
+Rules Dataset is a flag that distinguishes permission datasets used for row-level security from regular datasets. If a permissions dataset was applied to a regular dataset before March 31, 2025, it will have a Rules Dataset flag in the **Dataset** landing page. 
+
+![](/images/quicksight/latest/user/images/rules-dataset-flag-console.png)
+
+If a permissions dataset was not applied to a regular dataset by March 31, 2025, it will be categorized as a regular dataset. To use it as a rules dataset, duplicate the permissions dataset and flag it as a rules dataset on the console when creating the dataset. Select EDIT DATASET and under the options, choose DUPLICATE AS RULES DATASET, as shown below. 
+
+![](/images/quicksight/latest/user/images/new-rules-dataset.png)
+
+To successfully duplicate it as a rules dataset, ensure the original dataset has: 1. Required user metadata or group metadata column(s) and 2. Only string type columns.
+
+To create a new rules dataset on the console, select NEW RULES DATASET under the NEW DATASET dropdown. When creating a rules dataset programmatically, add the following parameter: [UseAs: RLS_RULES](https://docs.aws.amazon.com/quicksight/latest/APIReference/API_CreateDataSet.html#API_CreateDataSet_RequestSyntax). This is an optional parameter that is only used to create a rules dataset. Once a dataset has been created, either through the console or programmatically, and flagged as either a rules dataset or a regular dataset, it cannot be changed.
+
+Once datasets are flagged as rules datasets, Amazon QuickSight will apply strict SPICE ingestion rules on them. To ensure data integrity, SPICE ingestions for rules datasets will fail if there are invalid rows or cells exceeding length limits. You must fix the ingestion issues in order to re-initiate a successful ingestion. Strict ingestion rules are only applicable to rules datasets. Regular datasets will not have dataset ingestion failures when there are skipped rows or string truncations. 
+
+## Applying row-level security
@@ -204,8 +221,0 @@ To fix this, specify new dataset rules. Creating a dataset with the same name is
-## Rules Dataset tagging for row-level security
-
-Rules Dataset is a flag that distinguishes permission datasets used for row-level security from regular datasets. If a permissions dataset has already been applied to a regular dataset, it will have a Rules Dataset flag in the **Dataset** landing page. If a permissions dataset has not yet been applied to any dataset, it will be categorized as a regular dataset. To use it as a rules dataset, duplicate the permissions dataset and flag it as a rules dataset in the console when creating the dataset. To successfully duplicate it as a rules dataset, ensure the original dataset has: 1. Required user metadata or group metadata column(s) and 2. Only string type columns.
-
-When creating a rules dataset programmatically, add the following parameter: **UseAs: RLS_RULES**. This is an optional parameter that is only used to create a rules dataset. Once a dataset has been created, either through the console or programmatically, and flagged as either a rules dataset or a regular dataset, it cannot be changed.
-
-Once datasets are flagged as rules datasets, Amazon QuickSight will apply strict SPICE ingestion rules on them. To ensure data integrity, SPICE ingestions for rules datasets will fail if there are invalid rows or cells exceeding length limits. You must fix the ingestion issues in order to re-initiate a successful ingestion. Strict ingestion rules are only applicable to rules datasets. Regular datasets will not have dataset ingestion failures when there are skipped rows or string truncations. 
-