AWS Security ChangesHomeSearch

AWS quicksuite high security documentation change

Service: quicksuite · 2025-11-22 · Security-related high

File: quicksuite/latest/userguide/s3-integration.md

Summary

Added VPC access configuration requirements and security policies for S3 integration

Security assessment

Introduces mandatory VPC endpoint access controls and policy modifications to prevent unauthorized S3 access. The Condition 'aws:SourceVpce': 'false' and policy reversal examples directly address potential misconfiguration vulnerabilities

Diff

diff --git a/quicksuite/latest/userguide/s3-integration.md b/quicksuite/latest/userguide/s3-integration.md
index db07bdb2a..f79551101 100644
--- a//quicksuite/latest/userguide/s3-integration.md
+++ b//quicksuite/latest/userguide/s3-integration.md
@@ -5 +5 @@
-What you can doBefore you beginEnable cross-account access (administrators only)Prepare IAM role and policy setupSet up Amazon S3 integrationManage knowledge basesAdding document metadata in Amazon S3Troubleshooting Amazon S3 integration issuesLimitations
+What you can doBefore you beginEnable cross-account access (administrators only)Prepare IAM role and policy setupConfigure VPC access for Amazon S3 Connector in Amazon Quick SuiteSet up Amazon S3 integrationManage knowledge basesAdding document metadata in Amazon S3Troubleshooting Amazon S3 integration issuesLimitations
@@ -148,0 +149,99 @@ During the integration setup, you will need to:
+## Configure VPC access for Amazon S3 Connector in Amazon Quick Suite
+
+VPC permissions ensure Amazon Quick Suite can only access your Amazon S3 bucket through secure VPC or VPC endpoint connections.
+
+### Required policy change
+
+Add this statement to your bucket access policy to allow Amazon Quick Suite to access your bucket through VPC endpoints:
+    
+    
+    {
+      "Sid": "Allow-Quick-access"		 	 	 ,
+      "Principal": "arn:aws:iam::Quick Account:role/service-role/aws-quicksight-service-role-v0",
+      "Action": "s3:*",
+      "Effect": "Allow",
+      "Resource": [
+        "arn:aws:s3:::amzn-s3-demo-bucket",
+        "arn:aws:s3:::amzn-s3-demo-bucket/*"
+      ],
+      "Condition": {
+        "Null": {
+          "aws:SourceVpce": "false"
+        }
+      }
+    }
+
+  * Replace `amzn-s3-demo-bucket` with your bucket name.
+
+  * Replace `Quick Account` with your Amazon Quick Suite account.
+
+
+
+
+The `"aws:SourceVpce": "false"` condition ensures Amazon Quick Suite can only access your bucket through VPC endpoints, maintaining your security requirements.
+
+### Deny policies
+
+If your bucket has a policy that restricts traffic to a specific VPC or VPC endpoint via Deny Policy, this policy needs to be reversed because deny policies take precedence over allow policies.
+
+For example:
+    
+    
+    {
+       "Version":"2012-10-17"		 	 	 ,                   
+       "Id": "Policy1415115909152",
+       "Statement": [
+         {
+           "Sid": "Access-to-specific-VPCE-only",
+           "Principal": "*",
+           "Action": "s3:*",
+           "Effect": "Deny",
+           "Resource": ["arn:aws:s3:::amzn-s3-demo-bucket",
+                        "arn:aws:s3:::amzn-s3-demo-bucket/*"],
+           "Condition": {
+             "StringNotEquals": {
+               "aws:SourceVpce": "vpce-0abcdef1234567890"
+             }
+           }
+         }
+       ]
+    }
+
+Should be reversed into:
+    
+    
+    {
+       "Version":"2012-10-17"		 	 	 ,                   
+       "Id": "Policy1415115909152",
+       "Statement": [
+         {
+           "Sid": "Access-to-specific-VPCE-only",
+           "Principal": "*",
+           "Action": "s3:*",
+           "Effect": "Allow",
+           "Resource": ["arn:aws:s3:::amzn-s3-demo-bucket",
+                        "arn:aws:s3:::amzn-s3-demo-bucket/*"],
+           "Condition": {
+             "StringEquals": {
+               "aws:SourceVpce": "vpce-0abcdef1234567890"
+             }
+           }
+         }
+       ]
+    }
+
+### Best practices
+
+**Restrict access to your Amazon Quick Suite role**
+
+Access policies should enforce that the caller is your Amazon Quick Suite role ARN or, at minimum, your Amazon Quick Suite account. This ensures that despite allowing VPC traffic, calls come only from expected sources.
+
+### Security recommendations
+
+  * Restrict policies to your Amazon Quick Suite role for most secure traffic
+
+  * Review your bucket policies regularly to ensure they follow the principle of least privilege
+
+
+
+