AWS quicksuite high security documentation change
Summary
Added detailed IAM role configuration steps with trust policy example and updated workflow instructions for AWS service integration
Security assessment
The addition of IAM role creation steps explicitly addresses secure access configuration by requiring specific trust relationships (quicksight.amazonaws.com) and managed policies. This prevents overprivileged access and ensures least privilege principles. The trust policy configuration directly impacts security by controlling which services can assume the role, reducing risk of unauthorized access.
Diff
diff --git a/quicksuite/latest/userguide/builtin-services-integration.md b/quicksuite/latest/userguide/builtin-services-integration.md index 93300ad17..b820dc8c7 100644 --- a//quicksuite/latest/userguide/builtin-services-integration.md +++ b//quicksuite/latest/userguide/builtin-services-integration.md @@ -62,0 +63,40 @@ Configure your IAM role with the appropriate permissions based on the AWS servic +### IAM Role for Resource Access + +First, you will need to create an IAM role that will be used by Amazon Quick Suite to call the AWS service needed in your Amazon Quick Automate workflow. + + 1. Login to the AWS Console of the AWS account where the Amazon Quick Suite subscription resides. + + 2. Open IAM and create a new IAM role. + + 3. Give it all the permissions for the AWS service you want to invoke via action connectors. For example, you can assign a managed policy like `AmazonS3FullAccess` if you need to invoke Amazon S3. + + 4. In the trust relationship, give the assume role permission to `quicksight.amazonaws.com`. This allows Amazon Quick Suite to assume this role and call Amazon S3/Amazon Textract/etc on your behalf. + + 5. Once the Customer Role is created, take a note of the IAM role ARN. + + + + +Example trust policy: + +###### Note + +For pre-prod stages, you will also have to include `"quicksight-test.amazonaws.com"` in the `"Service"` array. + + + { + "Version": "2012-10-17" , + "Statement": [ + { + "Sid": "Statement1", + "Effect": "Allow", + "Principal": { + "Service": [ + "quicksight.amazonaws.com" + ] + }, + "Action": "sts:AssumeRole" + } + ] + } + @@ -114 +154 @@ After preparing your IAM role and permissions, follow these steps to create your -After creating the action connector, it becomes available for use in Amazon Quick Automate workflows. +After creating the action connector, it becomes available for use in Amazon Quick Automate workflows. The connector will be found in Actions tab under integration. @@ -124 +164,9 @@ To use your AWS action connector in Amazon Quick Automate: - 1. Open Amazon Quick Automate and create or edit a workflow. + 1. Open Amazon Quick Automate and go to Projects. + + 2. Click Manage groups and select your group. + + 3. In the Assets sections, click **Add** → **Actions**. + + 4. Select the Action you created earlier and Add to the automation group. + + 5. Go to the automation in the group and your action will be available for use. @@ -126 +174 @@ To use your AWS action connector in Amazon Quick Automate: - 2. In the Actions panel, look for your AWS service action connector. + 6. In the Actions panel, look for your AWS service action connector. @@ -128 +176 @@ To use your AWS action connector in Amazon Quick Automate: - 3. Drag the desired action into your workflow. + 7. Drag the desired action into your workflow. @@ -130 +178 @@ To use your AWS action connector in Amazon Quick Automate: - 4. Configure the action parameters as needed for your use case. + 8. Configure the action parameters as needed for your use case. @@ -132 +180 @@ To use your AWS action connector in Amazon Quick Automate: - 5. Test and save your workflow. + 9. Test and save your workflow.