AWS quicksuite high security documentation change
Summary
Added security warnings about session tag modification and updated RLS tag implementation description.
Security assessment
Added critical warnings requiring API calls to set session tags only from secure environments to prevent unauthorized RLS bypass. Explicitly states risk of unauthorized tag modification compromising data filtering.
Diff
diff --git a/quicksuite/latest/userguide/quicksight-dev-rls-tags.md b/quicksuite/latest/userguide/quicksight-dev-rls-tags.md index 888548111..b6706fd13 100644 --- a//quicksuite/latest/userguide/quicksight-dev-rls-tags.md +++ b//quicksuite/latest/userguide/quicksight-dev-rls-tags.md @@ -15 +15 @@ Intended audience: Amazon Quick Suite Administrators and Amazon Quick Suite dev -When you embed Amazon Quick Suite dashboards in your application for users who are not provisioned (registered) in Quick Suite, you can use row-level security (RLS) with tags. In this case, you use tags to specify which data your users can see in the dashboard depending on who they are. +When you embed Amazon Quick Suite dashboards in your application for users who are not provisioned (registered) in Quick Suite, you can use row-level security (RLS) to filter/restrict data with tags. A tag is a user-specified string that identifies a session in your application. You can use tags to implement RLS controls for your datasets. By configuring RLS-based restrictions in datasets, Quick Suite filters the data based on the session tags tied to the user identity/session. @@ -124,0 +125,4 @@ Alternatively, you can configure and enable tag-based row-level security on your +###### Important + +Make this API call only from your secure, trusted environment. A secure, trusted environment has access controls that you implement. These controls ensure that only your server or authorized users can add or modify session tags. + @@ -272,0 +277,4 @@ You can use tags for RLS only for anonymous embedding. You can set values for ta +###### Important + +Make this API call only from your secure, trusted environment. A secure, trusted environment has access controls that you implement. These controls ensure that only your server or authorized users can add or modify session tags. +