in packages/constructs/L3/analytics/quicksight-namespace-l3-construct/lib/quicksight-namespace-l3-construct.ts [592:712]
/**
 * Builds the customer-managed IAM policy attached to QuickSight "author" principals.
 *
 * The policy grants a fixed set of QuickSight (plus one Redshift describe) actions.
 * Every statement except `CreateUser` is granted on `Resource: '*'`; the cdk-nag
 * suppression below records the author's justification that QuickSight-side
 * resource permissions are enforced within QuickSight itself. `CreateUser` is
 * scoped to the caller's own QuickSight user ARN via the `${aws:userid}` policy
 * variable, so a principal can only create its own user record.
 *
 * NOTE(review): the first `AwsSolutions-IAM5` suppression has no `appliesTo`, so it
 * already suppresses every IAM5 finding on this policy; the second, `Resource::*`
 * scoped entry is therefore redundant. Scoping the first entry to the
 * `${aws:userid}` resource finding would keep the wildcard suppression explicit.
 *
 * @returns the constructed {@link ManagedPolicy}, already populated with all
 *   statements and nag suppressions.
 */
private createAuthorManagedPolicy(): ManagedPolicy {
  const authorPolicy = new ManagedPolicy(this, 'author-policy', {
    managedPolicyName: this.props.naming.resourceName('author-policy'),
  });

  // Action groups granted on Resource '*', in the order they are added to the policy.
  // Each entry becomes one ALLOW statement identified by its Sid.
  const wildcardResourceGrants: Array<{ sid: string; actions: string[] }> = [
    { sid: 'RedShiftDescribe', actions: ['redshift:DescribeClusters'] },
    { sid: 'CancelIngestion', actions: ['quicksight:CancelIngestion'] },
    {
      sid: 'Create',
      actions: [
        'quicksight:CreateDashboard',
        'quicksight:CreateFolder',
        'quicksight:CreateFolderMembership',
        'quicksight:CreateIngestion',
      ],
    },
    {
      sid: 'Delete',
      actions: [
        'quicksight:DeleteAnalysis',
        'quicksight:DeleteDashboard',
        'quicksight:DeleteFolder',
        'quicksight:DeleteFolderMembership',
      ],
    },
    {
      sid: 'GenerateEmbedUrl',
      actions: ['quicksight:GenerateEmbedUrlForRegisteredUser', 'quicksight:GetDashboardEmbedUrl'],
    },
    { sid: 'PassData', actions: ['quicksight:PassDataSet', 'quicksight:PassDataSource'] },
    { sid: 'RestoreAnalysis', actions: ['quicksight:RestoreAnalysis'] },
    { sid: 'Tags', actions: ['quicksight:TagResource', 'quicksight:UnTagResource'] },
    {
      sid: 'Update',
      actions: [
        'quicksight:UpdateAnalysis',
        'quicksight:UpdateAnalysisPermissions',
        'quicksight:UpdateDashboard',
        'quicksight:UpdateDashboardPermissions',
        'quicksight:UpdateDashboardPublishedVersion',
        'quicksight:UpdateFolder',
        'quicksight:UpdateFolderPermissions',
      ],
    },
  ];

  for (const { sid, actions } of wildcardResourceGrants) {
    authorPolicy.addStatements(
      new PolicyStatement({
        sid,
        effect: Effect.ALLOW,
        actions,
        resources: ['*'],
      }),
    );
  }

  // CreateUser is the one resource-scoped grant: the trailing `${aws:userid}` is an
  // IAM policy variable (escaped here so it is NOT interpolated by TypeScript) that
  // IAM resolves at evaluation time to the calling principal's unique id.
  const selfUserArn = `arn:${this.partition}:quicksight::${this.account}:user/\${aws:userid}`;
  authorPolicy.addStatements(
    new PolicyStatement({
      sid: 'CreateUser',
      effect: Effect.ALLOW,
      actions: ['quicksight:CreateUser'],
      resources: [selfUserArn],
    }),
  );

  // cdk-nag: IAM5 (wildcard permissions). Applied to the policy and its children.
  MdaaNagSuppressions.addCodeResourceSuppressions(
    authorPolicy,
    [
      {
        id: 'AwsSolutions-IAM5',
        reason: 'Quicksight usernames not known at deployment time.',
      },
      {
        id: 'AwsSolutions-IAM5',
        reason:
          'redshift:DescribeClusters does not take resource. QuickSight resource permissions managed in QuickSight.',
        appliesTo: [`Resource::*`],
      },
    ],
    true,
  );

  return authorPolicy;
}