Row Level Security

Last Updated

November 2022

Authors

  • Stephanie Gooch, Sr. Commercial Architect, AWS OPTICS
  • Veaceslav Mindru, Sr. Technical Account Manager, AWS

Introduction

Cloud Intelligence Dashboards (CID) helps you to visualize and understand the AWS cost and usage data in your organization by exploring interactive dashboards. However, to maintain the principle of least privilege, customers who use CID at organization scale often want to give their users access only to the data for the linked accounts they own. Row Level Security (RLS) lets you restrict the data a user can see to just what they are allowed to see. This is also applicable for customers with multiple Management (Payer) Accounts.

Prerequisite

For this solution you must have the following:

  • Access to your AWS Organizations and ability to tag resources
  • An AWS Cost and Usage Report (CUR); if the reports come from multiple payers, they must be replicated into a single bucket, more info here
  • A CID deployed over this CUR data; check out the new single deployment method here.
  • A list of users and what level of access they require. This can be member accounts, organizational units (OU) or payers.

Solution

This solution will use tags from your AWS Organization resources to create a dataset that will be used for the Row Level Security.

Images/customizations_rls_architecture.png

Step by Step Guide

Part1: Roles

If you are deploying this in a linked account you will need a role in your Management account that lets you access your AWS Organizations data. There are two options for this:

Option 1: If you already have the Optimization Data Collector Lab deployed, you can use the Management role from that lab.

Option 2: Otherwise, you can deploy the role using the template below:

Deployed Management Role

Part2: Tag your AWS Organization Resources

You must tag the AWS Organizations resources with the emails of the QuickSight users that you wish to allow to see the cost data of those resources. The steps below show how to tag one resource and can be repeated for others. We will be using Amazon QuickSight user emails, see more here. If you have a large list of accounts and want to use a script, see the section Use script to tag accounts below.

  1. Log into your Management account, click your account name in the top right-hand corner and select Organization.

Images/rls_organization.png

  2. Ensure you are on the AWS accounts tab.

Images/rls_organization_accounts.png

You can select different levels of access. Tag one of the following and the user will have access to all cost data of that resource and of any child accounts below it:

  • Tag an Account
  • Tag an Organizational Unit
  • Tag the Root

  3. To tag the resource, click its name, scroll down to the Tags section and click Manage tags.

Images/rls_organization_accounts_tags.png

  4. Add the Key cid_users and, as the Value, the emails you wish to allow access. These are colon delimited. Once added, click Save changes.

Images/rls_organization_accounts_cidtags.png

  5. Repeat on all resources with the relevant emails.
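To make the inheritance rule above concrete, here is an added example (not the CID project's Lambda) that resolves cid_users tags over a constructed Organizations tree and writes the resulting user-based RLS table; the UserName/account_id column layout, the sample emails and the 12-digit account IDs are assumptions made for the example:

```python
"""Resolve cid_users tags on an Organizations tree into a QuickSight user-based
RLS table. Added example, not the CID Lambda; the org tree is constructed data."""
import csv
import io
from collections import defaultdict

TAG_KEY = "cid_users"  # tag key from the guide; emails are colon-delimited

# Constructed sample organization: root -> OU -> accounts. IDs are placeholders.
SAMPLE_ORG = {
    "id": "r-root", "type": "ROOT", "tags": {TAG_KEY: "finops@example.com"},
    "children": [
        {"id": "ou-prod", "type": "OU",
         "tags": {TAG_KEY: "alice@example.com:bob@example.com"},
         "children": [
             {"id": "111111111111", "type": "ACCOUNT", "tags": {}, "children": []},
             {"id": "222222222222", "type": "ACCOUNT",
              "tags": {TAG_KEY: "carol@example.com"}, "children": []},
         ]},
        {"id": "333333333333", "type": "ACCOUNT",
         "tags": {TAG_KEY: "bob@example.com"}, "children": []},
    ],
}

def parse_users(tag_value):
    """Split the colon-delimited tag value, dropping blanks and normalising case."""
    return {u.strip().lower() for u in (tag_value or "").split(":") if u.strip()}

def resolve_access(node, inherited=frozenset(), grants=None):
    """Walk the tree: a user tagged on a node may see every account beneath it."""
    if grants is None:
        grants = defaultdict(set)
    users = inherited | parse_users(node["tags"].get(TAG_KEY))
    if node["type"] == "ACCOUNT":
        for user in users:
            grants[user].add(node["id"])
    for child in node["children"]:
        resolve_access(child, users, grants)
    return grants

def to_rls_csv(grants):
    """Emit UserName plus a comma-separated list of allowed account_id values."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["UserName", "account_id"])
    for user in sorted(grants):
        writer.writerow([user, ",".join(sorted(grants[user]))])
    return buf.getvalue()

if __name__ == "__main__":
    print(to_rls_csv(resolve_access(SAMPLE_ORG)))
```

A QuickSight user who does not appear in the applied RLS dataset sees no rows at all, so a user who needs the whole organization (finops in the sample) has to be tagged on the Root rather than left out.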

Part3: Deploy Lambda Function

Using AWS CloudFormation we will deploy the lambda function to collect these tags.

  1. Log into the account that hosts your QuickSight Cloud Intelligence Dashboards (CID). Click Launch CloudFormation template

Images/rls_cfn.png

  2. Click Next.

  3. Fill in the Parameters as seen below.

  • CodeBucket - aws-well-architected-labs-{REGION-NAME} e.g. aws-well-architected-labs-ireland
  • CodeKey - LEAVE AS DEFAULT
  • DestinationBucket - Amazon S3 bucket in your account in the same region (this can be the one from your Optimization Data Collector where your CUR is stored). Amazon QuickSight must have access to this bucket
  • ManagementAccountID - List of Payer IDs you wish to collect data for. This can be a single account (Ex: 111222333,444555666,777888999)
  • ManagementAccountRole - The name of the IAM role deployed in the management account that can retrieve AWS Organizations data. KEEP THE SAME AS WHAT IS DEPLOYED INTO THE MANAGEMENT ACCOUNT
  • RolePrefix - This prefix will be placed in front of all roles created. Note you may wish to add a dash at the end to make the names more readable
  • Schedule - Cron expression for the CloudWatch event that triggers the Lambda. Default is once a day

Images/rls_cfn_parameters.png

  4. Tick the boxes and click Create stack.

Images/Tick_Box.png

  5. Wait until your CloudFormation stack has a status of CREATE_COMPLETE.

Images/rls_cfn_complete.png

Part4: Test Lambda Function

Your Lambda function will run automatically on the schedule you chose at deployment and the data will be ready within an hour. If you would like to test it sooner, follow the steps below to invoke the function manually and get your first set of data into Amazon S3.

  1. From CloudFormation, click Resources, find the Lambda function and click its Physical ID.

Images/rls_cfn_resources.png

  2. To test your Lambda function, open the Lambda in the AWS Console and click Test.

  3. Enter an Event name of Test and click Create:

Images/Configure_Test.png

  4. Click Test.

  5. The function will run; it will take a minute or two given the size of the Organizations data and the processing required, then return success. Click Details and view the output.

  6. Go to your bucket in S3; there should be a file in the folder CUDOS_RLS.

Images/rls_s3_object.png

  7. Download this qs_s3_manifest.json file and replace the bucket name with the bucket in which you can see your data.

Part5: Create RLS

We will now create the RLS dataset in Amazon QuickSight and attach it to your CID datasets. Please ensure that Amazon QuickSight has access to the bucket you have placed the RLS file into, see here

  1. Go to Amazon QuickSight and login

  2. Go to Datasets and click New dataset

Images/rls_qs_datasets.png

  3. Create a new dataset by clicking S3

Images/rls_qs_datasets_s3.png

  4. Set the Data source name to CID RLS and upload the qs_s3_manifest.json file you edited earlier in the Upload box

Images/rls_qs_dataset_manifest.png

  5. Find your new dataset by searching for CID RLS, then click on it

Images/rls_qs_rls_dataset.png

  6. In your new dataset select the Refresh tab and click ADD NEW SCHEDULE

Images/rls_qs_rls_dataset_refresh.png

  7. Choose Hourly and click SAVE

Images/rls_qs_rls_dataset_refreshhourly.png

  8. Go back to Datasets and select your CID dataset summary_view. On the Summary tab find Row-level security and click Edit

Images/rls_qs_summary.png

  9. Switch the User-based toggle to ON, then expand the User-based rules section and select the CID RLS dataset we made earlier

Images/rls_qs_summary_addrls.png

  10. Scroll down and click Apply dataset

Images/rls_qs_summary_addrls_apply.png

  11. Refresh the summary_view dataset

  12. Repeat for all other CID datasets

Use script to tag accounts

If you have a large number of accounts that need to be tagged, use the guide below for a scripted method that saves time.


If you would like to turn off RLS, switch the User-based toggle from ON to OFF on each dataset.

See the impact

Now when you go to your dashboard, the users who were tagged on the accounts will see only the data for those accounts.