AWS Security ChangesHomeSearch

AWS quicksuite high security documentation change

Service: quicksuite · 2026-02-13 · Security-related high

File: quicksuite/latest/userguide/quicksight-dev-rls-tags.md

Summary

Added security guidelines for session tag implementation

Security assessment

Added concrete security controls: treating tags as credentials, server-side enforcement, protection against enumeration. Directly addresses potential security vulnerabilities in session tag implementation.

Diff

diff --git a/quicksuite/latest/userguide/quicksight-dev-rls-tags.md b/quicksuite/latest/userguide/quicksight-dev-rls-tags.md
index b6706fd13..d471627fa 100644
--- a//quicksuite/latest/userguide/quicksight-dev-rls-tags.md
+++ b//quicksuite/latest/userguide/quicksight-dev-rls-tags.md
@@ -127 +127,12 @@ Alternatively, you can configure and enable tag-based row-level security on your
-Make this API call only from your secure, trusted environment. A secure, trusted environment has access controls that you implement. These controls ensure that only your server or authorized users can add or modify session tags.
+When configuring session tags in the API call,
+
+  * Treat session tags as security credentials. Do not expose session tags to end users or client-side code.
+
+  * Implement server-side controls. Ensure that session tags are set exclusively by your trusted backend services, not by parameters that end users can modify.
+
+  * Protect session tags from enumeration. Ensure that users in one tenant cannot discover or guess sessionTag values belonging to other tenants.
+
+  * Review your architecture. If downstream customers or partners are allowed to call the API directly, evaluate whether those parties could specify sessionTag values for tenants they should not access.
+
+
+
@@ -279 +290,12 @@ You can use tags for RLS only for anonymous embedding. You can set values for ta
-Make this API call only from your secure, trusted environment. A secure, trusted environment has access controls that you implement. These controls ensure that only your server or authorized users can add or modify session tags.
+When configuring session tags in the API call,
+
+  * Treat session tags as security credentials. Do not expose session tags to end users or client-side code.
+
+  * Implement server-side controls. Ensure that session tags are set exclusively by your trusted backend services, not by parameters that end users can modify.
+
+  * Protect session tags from enumeration. Ensure that users in one tenant cannot discover or guess sessionTag values belonging to other tenants.
+
+  * Review your architecture. If downstream customers or partners are allowed to call the API directly, evaluate whether those parties could specify sessionTag values for tenants they should not access.
+
+
+