
Recently, a customer exploring Amazon QuickSight asked us:

“We have recently started exploring AWS QuickSight and noticed that the Amazon QuickSight URL is publicly accessible. We would like to understand if it is possible to restrict access and make the URL private. Additionally, we want to explore the options for enforcing corporate SSO login for Amazon QuickSight users.”

This real-world query prompted us to evaluate Amazon QuickSight’s access control mechanisms. In the process, we also encountered and addressed an important constraint: the Amazon QuickSight home region cannot be changed once the account is created.

Problem Statement

When adopting Amazon QuickSight for business intelligence, enterprises often realize that the Amazon QuickSight console URL (https://<region>.quicksight.aws.amazon.com) is reachable from the public internet by default: authentication, not network location, is the only barrier. While Amazon QuickSight provides user-level permissions, many organizations require stricter controls to ensure that Amazon QuickSight is accessible only from corporate VPN or private networks.

In parallel, enterprises want to enforce SSO login so that users authenticate only through their existing identity providers.

During implementation, another challenge emerged: when attempting to configure a VPC connection in us-east-1, Amazon QuickSight prompted us to switch to us-west-2 (Oregon), indicating that the account’s home region is fixed and cannot be changed. This creates limitations when VPCs are deployed in regions different from the Amazon QuickSight home region.

Challenges include:

  • A console URL that is publicly reachable by default.
  • No enforcement of corporate SSO (and therefore of MFA and conditional access) for QuickSight logins.
  • A home region that is fixed at account creation, while VPC connections are tied to the region they are created in.

Solution Overview

To address these concerns, we evaluated three approaches:

  1. IP Range Restrictions
    Configure Amazon QuickSight to allow access only from approved VPN or office IP addresses.
  2. VPC Endpoint Restrictions (PrivateLink)
    Use AWS PrivateLink to enforce QuickSight access through an Interface VPC Endpoint.
    Any traffic outside of approved VPCs is blocked from reaching the QuickSight console.
  3. SSO Enforcement
    Integrate Amazon QuickSight with AWS IAM Identity Center or SAML federation so that all logins flow through the enterprise IdP. This ensures MFA and corporate authentication policies are applied consistently.

After careful evaluation, we selected VPC endpoint–based restrictions as the preferred approach, since they provide the strongest network isolation and compliance guarantees.


Architecture Overview

Access Restriction

  • IP Allow-listing
    In Security & Permissions → IP and VPC endpoint restrictions, add your corporate VPN or office egress CIDRs so that only traffic from those ranges can reach Amazon QuickSight. Include the address you are administering from before turning enforcement on; a rule set that omits it locks you out of the console.
  • VPC Endpoint via PrivateLink

    Create an Interface VPC Endpoint for:

    com.amazonaws.<region>.quicksight-website

    Then:

    a) Update corporate DNS so that <region>.quicksight.aws.amazon.com resolves to the private IP addresses of the endpoint. Clients arriving over VPN must use a resolver that can see this record (for example a resolver inside the VPC); a client that still receives the public addresses is treated as public-internet traffic and is allowed only if its source address matches an IP rule.

    b) In Amazon QuickSight, add the endpoint ID under IP and VPC endpoint restrictions and enable enforcement.

    This ensures QuickSight is reachable only through approved VPCs, removing public internet exposure of the console.
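The two pre-flight checks above (does the operator's own address survive enforcement, and does the console hostname actually resolve to the endpoint) are easy to skip in the console. The following script, added here as an example and not part of the original post or of any AWS tooling, validates the allow-list, refuses to enable enforcement when the operator would be locked out, checks that DNS answers with addresses inside the VPC, and writes the JSON input for `aws quicksight update-ip-restriction`. The account ID, region, CIDRs, endpoint ID and IP addresses are constructed placeholders; the payload keys follow the QuickSight UpdateIpRestriction API as documented (AwsAccountId, IpRestrictionRuleMap, VpcEndpointIdRestrictionRuleMap, Enabled), so confirm them against `aws quicksight update-ip-restriction help` before applying.

```python
"""Sanity-check an Amazon QuickSight IP / VPC-endpoint restriction before enforcing it.

Added example; not code from the original post. All identifiers below are
constructed placeholders (assumptions), not real infrastructure.
"""
import ipaddress
import json
import socket
from typing import Callable, Iterable

# --- constructed placeholders (assumptions) -------------------------------------
AWS_ACCOUNT_ID = "111122223333"
REGION = "us-west-2"
CONSOLE_HOST = f"{REGION}.quicksight.aws.amazon.com"
VPC_CIDR = "10.20.0.0/16"                        # VPC that hosts the interface endpoint
ALLOWED_CIDRS = {
    "203.0.113.0/24": "Corporate VPN egress",    # documentation range, constructed
    "198.51.100.8/32": "Office NAT gateway",     # documentation range, constructed
}
ALLOWED_VPC_ENDPOINTS = {
    "vpce-0123456789abcdef0": "quicksight-website endpoint, prod VPC",
}


class LockoutRisk(Exception):
    """Enforcing the rule set would cut off the operator who is applying it."""


def validate_cidrs(rules: dict) -> dict:
    """Return the rules with canonical CIDR keys.

    Rejects malformed prefixes, prefixes with host bits set (a typo such as
    203.0.113.5/24) and catch-all prefixes (0.0.0.0/0, ::/0), which would
    silently turn the restriction into 'allow everyone'."""
    checked = {}
    for cidr, description in rules.items():
        net = ipaddress.ip_network(cidr, strict=True)   # ValueError on bad input
        if net.prefixlen == 0:
            raise ValueError(f"{cidr} allows every address; refusing catch-all rule")
        checked[str(net)] = description
    return checked


def operator_is_covered(operator_ip: str, rules: dict) -> bool:
    """True if the operator's public source IP matches at least one allowed CIDR."""
    ip = ipaddress.ip_address(operator_ip)
    return any(ip in ipaddress.ip_network(cidr) for cidr in rules)


def addresses_inside(addresses: Iterable[str], cidr: str) -> bool:
    """True if every resolved address lies in the VPC, i.e. the console hostname
    is answered by the interface endpoint rather than by public QuickSight IPs."""
    net = ipaddress.ip_network(cidr)
    addrs = list(addresses)
    return bool(addrs) and all(ipaddress.ip_address(a) in net for a in addrs)


def resolve(host: str) -> list:
    """Live DNS lookup of the console hostname from the machine running this check."""
    infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def console_resolves_privately(host: str, vpc_cidr: str,
                               lookup: Callable = resolve) -> bool:
    """Run the DNS check; `lookup` is injectable so the logic can be tested offline."""
    return addresses_inside(lookup(host), vpc_cidr)


def build_update_payload(ip_rules: dict, vpce_rules: dict, operator_ip: str,
                         enforce: bool, operator_uses_endpoint: bool = False) -> dict:
    """Assemble the UpdateIpRestriction input, refusing Enabled=true unless the
    operator reaches QuickSight from an allowed CIDR or through an allowed endpoint."""
    ip_rules = validate_cidrs(ip_rules)
    if enforce and not (operator_uses_endpoint or operator_is_covered(operator_ip, ip_rules)):
        raise LockoutRisk(
            f"{operator_ip} matches no allowed CIDR and is not behind an allowed endpoint; "
            "enabling enforcement now would lock out this session")
    return {
        "AwsAccountId": AWS_ACCOUNT_ID,
        "IpRestrictionRuleMap": ip_rules,
        "VpcEndpointIdRestrictionRuleMap": vpce_rules,
        "Enabled": enforce,
    }


if __name__ == "__main__":
    # Operator's current egress address (constructed); replace with the real one.
    payload = build_update_payload(ALLOWED_CIDRS, ALLOWED_VPC_ENDPOINTS,
                                   operator_ip="203.0.113.77", enforce=True)
    with open("restriction.json", "w") as fh:
        json.dump(payload, fh, indent=2)
    print("wrote restriction.json; apply with:")
    print("  aws quicksight update-ip-restriction --cli-input-json file://restriction.json")
    try:   # from a client inside the VPC or over the VPN this should be True once DNS is in place
        print("console resolves to endpoint:", console_resolves_privately(CONSOLE_HOST, VPC_CIDR))
    except OSError as exc:
        print("DNS lookup failed:", exc)
```

Run it once from an allowed network before enabling enforcement, then again from a network that should be blocked; the second run should report that the console still resolves publicly (or that the operator address is not covered), which is the expected result rather than a misconfiguration. Run `aws quicksight describe-ip-restriction --aws-account-id <id>` afterwards to confirm what was actually stored.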

Identity & Authentication

  • IAM Identity Center (Recommended)

    a) Add Amazon QuickSight as a customer-managed application in IAM Identity Center.

    b) Connect Identity Center to your enterprise IdP (e.g., Okta, Microsoft Entra ID / Azure AD).

    c) All logins are routed through SSO, so MFA and conditional access policies are applied at the IdP.

  • SAML Federation

    If Identity Center is not available or supported in the Amazon QuickSight region, configure SAML federation directly from your IdP to IAM roles that grant Amazon QuickSight access. This still enforces enterprise SSO and MFA policies. Note that SSO controls who may log in, not where from; it is the network restrictions above that keep the console off the public internet, which is why both are needed.


Region Limitations & Migration Considerations

During testing, we attempted to create a VPC connection in us-east-1, but AWS QuickSight redirected us to us-west-2 (Oregon).

This behavior highlights an important limitation:

  • The Amazon QuickSight home (identity) region is chosen when the account is created and cannot be changed afterwards.
  • Account-level items such as the user directory and account settings are tied to the home region; SPICE capacity and VPC connections are regional resources.
  • A VPC connection must be created in the same region as the VPC (and the data sources) it attaches to, so the QuickSight console has to be switched to that region to manage it.

Workarounds:

  • If Amazon QuickSight is tied to us-west-2, either:

    a) Place data sources in that region, or

    b) Use cross-region networking (PrivateLink or VPC peering) so that the VPC connection in us-west-2 can reach east-coast resources. This adds inter-region data transfer cost and latency to every Direct Query, which is one more reason to favour SPICE for those datasets.

  • If the long-term strategy requires Amazon QuickSight in us-east-1, unsubscribe from Amazon QuickSight in us-west-2 and re-subscribe in us-east-1.

    a) Unsubscribing deletes every asset in the account, so this migration requires re-creating datasets, analyses, dashboards, and permissions. The QuickSight asset bundle export and import jobs (StartAssetBundleExportJob / StartAssetBundleImportJob) can carry dashboards, analyses, datasets and data sources into the new account; users and groups must be re-created first so that permissions can be re-granted to them.


Performance & Cost Considerations

Performance (SPICE vs. Direct Query)

  • Direct Query → Sends queries directly to the data source each time.
  • SPICE → In-memory cache with scheduled refreshes; faster performance, reduced load on the database.

Best practices:

  • Use SPICE where possible for a faster user experience.
  • Keep refresh schedules aligned with business needs.
  • Reserve Direct Query for real-time requirements.

SLA

  • Amazon QuickSight provides 99.9% uptime SLA for the service.
  • Data source availability depends on the underlying infrastructure.

Pricing

  • User roles directly affect cost (Reader vs. Author vs. Admin, and the Pro variant of each); assign Reader rather than Author wherever a user only consumes dashboards.
  • Plan license types carefully to optimize spend.
  • Reference: Amazon QuickSight Pricing

Results

With this solution, we achieved:

  • Private URL access – Amazon QuickSight is reachable only via VPN/corporate IP or approved VPC endpoint.
  • SSO enforcement – All users authenticate via corporate IdP, ensuring governance and MFA.
  • Secure data access – Data sources accessed via VPC connection, not exposed to the internet.
  • Awareness of regional design limitations – Clear understanding of AWS QuickSight’s home region impact.
  • Optimized performance and cost – Balanced use of SPICE, Direct Query, and user roles.

This approach delivers secure, governed, and enterprise-ready Amazon QuickSight deployments, ensuring both compliance and user productivity.

Conclusion

Enterprises adopting Amazon QuickSight must address both network isolation and identity enforcement to ensure secure deployments. By implementing VPC endpoint restrictions and federated SSO login, we created a design that meets enterprise security, compliance, and usability requirements.

If your organization is looking to secure Amazon QuickSight with private connectivity and SSO, CloudKeeper can help.

Meet the Author
  • Anjali Jain
    DevOps Engineer

    Anjali Jain is a cloud enthusiast specializing in Amazon Web Services (AWS) solutions.

6 Comments
Brush jjaemu

The trade-offs between maintaining a strict security posture and ensuring a seamless, low-latency user experience are notoriously difficult to navigate. After wrestling with architectural challenges and authentication logic, your brain definitely deserves a break. It sounds like the perfect time to fire up Fisheatfish and engage with Brush jjaemu (https://fisheatfish.app).

lowqualityimage

Making a perfectly ruined low quality image is weirdly satisfying when you want that deep-fried aesthetic. This site handles the compression instantly without any server uploads, which is a massive win for privacy. Bookmark this for your next meme session!
https://lowqualityimage.net

Daniel

The best part about Pixel Flow is that it lets small mistakes snowball. That sounds bad, but it’s exactly why the game sticks. When a pig can’t finish because you played it before its color was really available, it sits there taking up one of your precious waiting slots. So the board remembers your bad decisions. Makes every clean clear feel earned. https://pixel-flow.app

zhengpengxin

There’s something incredibly satisfying about the minimalist design of beads out. No fluff, just pure logic and a very responsive interface. It’s hard to find browser games that feel this premium. If you appreciate games where the difficulty comes from clever design rather than cheap tricks, give this a spin.
https://beads-out.com

Lucas

I think beads out is better described as a capacity puzzle than a basic color sorter. Matching matters, but most losses come from spending dock space too early and then having no clean answer when the board tightens up.
https://beadsout.org

Lola Vanthoff

It's interesting how much effort is needed to lock down QuickSight. The home region limitation sounds like a potential gotcha. Thinking about other platforms, something like Melon Playground, while seemingly simple, probably has similar behind-the-scenes complexity to manage security and access at scale. Choosing the right approach upfront seems crucial to avoid headaches later.
https://melonplayground.lol
