AWS Security ChangesHomeSearch

AWS quick medium security documentation change

Service: quick · 2026-07-10 · Security-related medium

File: quick/latest/userguide/desktop-security.md

Summary

Added 'Network access and required domains' section detailing required domains for restricted networks, and a note about custom permissions profiles

Security assessment

The change explicitly documents network security requirements (domain allow lists) and permission controls to prevent service disruption. This addresses potential security misconfigurations in restricted environments that could block secure operations or allow unauthorized access.

Diff

diff --git a/quick/latest/userguide/desktop-security.md b/quick/latest/userguide/desktop-security.md
index d2c427d00..7bd77678f 100644
--- a//quick/latest/userguide/desktop-security.md
+++ b//quick/latest/userguide/desktop-security.md
@@ -7 +7 @@
-How data is handledData storageFolder permissionsSystem tool permissionsConnection securityPrivacy controlsClearing all data
+How data is handledData storageFolder permissionsSystem tool permissionsConnection securityNetwork access and required domainsPrivacy controlsClearing all data
@@ -16,0 +17,4 @@ Your data is never used for AI model training. AWS does not use your conversatio
+###### Note
+
+To control which Amazon Quick features your users can access after they sign in, configure custom permissions. For more information, see [Creating a custom permissions profile in Amazon Quick](./create-custom-permissions-profile.html).
+
@@ -60,0 +65,14 @@ Amazon Quick on desktop uses industry-standard security practices for third-part
+## Network access and required domains
+
+The Amazon Quick desktop application makes outbound connections for discovery and data plane operations, remote configuration, application updates, and identity provider authentication. In restricted network environments, add the following domains to your allow list so that the application can operate.
+
+Category | Domains | Purpose  
+---|---|---  
+Amazon Quick Service | `*.quicksight.aws.amazon.com`, `*.aws.dev` | Discovery, data plane (inference, search, Quick resources)  
+Remote configuration | `*.cloudfront.net` | Feature flags, admin controls  
+Auto-update | `*.cloudfront.net` | Application updates  
+Telemetry | `cognito-identity.*.amazonaws.com` | Usage and operational telemetry  
+Identity provider | Customer-specific (for example, `login.microsoftonline.com` or `*.okta.com`) | OIDC authentication  
+  
+If the application cannot sign in, load content, or update in a restricted environment, verify that these domains are reachable, and check your firewall and VPN settings, which might block the required connections.
+