in packages/constructs/L3/analytics/quicksight-namespace-l3-construct/lib/quicksight-namespace-l3-construct.ts [491:590]
/**
 * Builds the IAM managed policy granted to QuickSight "reader" principals.
 *
 * The policy lets the calling principal register itself as a QuickSight reader
 * (the CreateReader statement is scoped to the caller's own `${aws:userid}`),
 * and grants read-only Describe / List / Search access to QuickSight assets plus
 * `lakeformation:GetDataAccess`. Those read-only statements are declared against
 * `Resource::*`; the accompanying nag suppression records that the Lake Formation
 * action takes no resource and that asset-level permissions are managed inside
 * QuickSight itself.
 *
 * @returns the managed policy, named via `this.props.naming.resourceName('reader-policy')`.
 */
private createReaderManagedPolicy(): ManagedPolicy {
  const readerPolicy = new ManagedPolicy(this, 'reader-policy', {
    managedPolicyName: this.props.naming.resourceName('reader-policy'),
  });

  // Shared shape for the read-only statements below: ALLOW on every resource.
  const allowOnAnyResource = (sid: string, actions: string[]): PolicyStatement =>
    new PolicyStatement({ sid, effect: Effect.ALLOW, actions, resources: ['*'] });

  // The user ARN is deliberately assembled from two pieces: the template
  // literal resolves the CDK partition/account tokens, while the plain-string
  // suffix keeps the IAM policy variable `${aws:userid}` literal so IAM (not
  // TypeScript) substitutes it at evaluation time.
  const callerUserArn = `arn:${this.partition}:quicksight::${this.account}:user/` + '${aws:userid}';
  readerPolicy.addStatements(
    new PolicyStatement({
      sid: 'CreateReader',
      effect: Effect.ALLOW,
      actions: ['quicksight:CreateReader'],
      resources: [callerUserArn],
    }),
  );

  // NOTE(review): this suppression carries no `appliesTo`, so if the wrapper
  // follows cdk-nag semantics it appears to silence every AwsSolutions-IAM5
  // finding on the policy and its children, including the wildcard resources
  // added below (which the second, `Resource::*`-scoped suppression also
  // covers). Confirm the blanket scope is intended.
  MdaaNagSuppressions.addCodeResourceSuppressions(
    readerPolicy,
    [
      {
        id: 'AwsSolutions-IAM5',
        reason: 'quicksight:CreateReader - Username not known at deployment time.',
      },
    ],
    true,
  );

  const describeStatement = allowOnAnyResource('Describe', [
    'quicksight:DescribeAnalysis',
    'quicksight:DescribeDashboard',
    'quicksight:DescribeDataset',
    'quicksight:DescribeDataSource',
    'quicksight:DescribeFolder',
    'quicksight:DescribeGroup',
    'quicksight:DescribeIngestion',
    'quicksight:DescribeTemplate',
    'quicksight:DescribeTheme',
    'quicksight:DescribeUser',
  ]);

  const listStatement = allowOnAnyResource('List', [
    'quicksight:ListAnalyses',
    'quicksight:ListCustomPermissions',
    'quicksight:ListDashboards',
    'quicksight:ListDashboardVersions',
    'quicksight:ListDataSets',
    'quicksight:ListDataSources',
    'quicksight:ListFolders',
    'quicksight:ListFolderMembers',
    'quicksight:ListGroups',
    'quicksight:ListGroupMemberships',
    'quicksight:ListIngestions',
    'quicksight:ListTagsForResource',
    'quicksight:ListTemplates',
    'quicksight:ListTemplateAliases',
    'quicksight:ListTemplateVersions',
    'quicksight:ListThemes',
    'quicksight:ListThemeAliases',
    'quicksight:ListThemeVersions',
    'quicksight:ListUsers',
    'quicksight:ListUserGroups',
  ]);

  const searchStatement = allowOnAnyResource('Search', [
    'quicksight:SearchAnalyses',
    'quicksight:SearchDashboards',
    'quicksight:SearchFolders',
  ]);

  // Lets QuickSight read Lake Formation governed data on the reader's behalf.
  const lakeFormationStatement = allowOnAnyResource('LakeFormationAccess', ['lakeformation:GetDataAccess']);

  // Statement order is preserved (Describe, List, Search, LakeFormation) so the
  // rendered policy document is unchanged.
  readerPolicy.addStatements(describeStatement, listStatement, searchStatement, lakeFormationStatement);

  MdaaNagSuppressions.addCodeResourceSuppressions(
    readerPolicy,
    [
      {
        id: 'AwsSolutions-IAM5',
        reason:
          'lakeformation:GetDataAccess does not take resource. QuickSight resource permissions managed in QuickSight.',
        appliesTo: ['Resource::*'],
      },
    ],
    true,
  );

  return readerPolicy;
}