We have one AWS account and a QuickSight Enterprise Edition instance on it that serves internal users. Its main data source is a Redshift cluster in the same account. But now we want to deliver QuickSight dashboards to external clients of the company.
We do not have a SaaS, application server, or web app to handle user authentication for now, so we will provision users for the external clients' users in QuickSight itself and not bet on embedded analytics. We do not want to use any AD authentication, so I guess that leaves us only with inviting users over email or IAM, especially if we want to enforce MFA? What exactly is the difference between inviting someone over mail to join QS and inviting IAM users over mail? The first option is easier and cheaper, but then the security is handled by the mail provider?
And what is the better approach from a security standpoint? To use the same QS for internal and external users, or to have a new AWS account and QS instance for the externals and have it connected to the Redshift from the former account? Is it too difficult to connect from one account to Redshift in another?
Does anyone know how other companies have handled such a case involving internal and external users?