AWS quick medium security documentation change
Summary
Added 'Network access and required domains' section detailing required domains for restricted networks, and a note about custom permissions profiles
Security assessment
The change explicitly documents network security requirements (domain allow lists) and permission controls to prevent service disruption. This addresses potential security misconfigurations in restricted environments that could block secure operations or allow unauthorized access.
Diff
diff --git a/quick/latest/userguide/desktop-security.md b/quick/latest/userguide/desktop-security.md index d2c427d00..7bd77678f 100644 --- a//quick/latest/userguide/desktop-security.md +++ b//quick/latest/userguide/desktop-security.md @@ -7 +7 @@ -How data is handledData storageFolder permissionsSystem tool permissionsConnection securityPrivacy controlsClearing all data +How data is handledData storageFolder permissionsSystem tool permissionsConnection securityNetwork access and required domainsPrivacy controlsClearing all data @@ -16,0 +17,4 @@ Your data is never used for AI model training. AWS does not use your conversatio +###### Note + +To control which Amazon Quick features your users can access after they sign in, configure custom permissions. For more information, see [Creating a custom permissions profile in Amazon Quick](./create-custom-permissions-profile.html). + @@ -60,0 +65,14 @@ Amazon Quick on desktop uses industry-standard security practices for third-part +## Network access and required domains + +The Amazon Quick desktop application makes outbound connections for discovery and data plane operations, remote configuration, application updates, and identity provider authentication. In restricted network environments, add the following domains to your allow list so that the application can operate. + +Category | Domains | Purpose +---|---|--- +Amazon Quick Service | `*.quicksight.aws.amazon.com`, `*.aws.dev` | Discovery, data plane (inference, search, Quick resources) +Remote configuration | `*.cloudfront.net` | Feature flags, admin controls +Auto-update | `*.cloudfront.net` | Application updates +Telemetry | `cognito-identity.*.amazonaws.com` | Usage and operational telemetry +Identity provider | Customer-specific (for example, `login.microsoftonline.com` or `*.okta.com`) | OIDC authentication + +If the application cannot sign in, load content, or update in a restricted environment, verify that these domains are reachable, and check your firewall and VPN settings, which might block the required connections. +