NOTE: This is a sample, non-production-ready template.
This repository a combinatination of CDK tools and scripts which can be used to create the required AWS objects and deploy basic datasources, datasets, analysies, dashboards, and user groups to Quicksight with respect to Amazon Security Lake.
We welcome contributions to this repo in the form of fixes to existing examples or addition of new examples. For more information on contributing, please see the CONTRIBUTING guide.
-
Enable Amazon Security Lake. For multiple AWS accounts, it is recommended to manage Security Lake for AWS Organizations To help automate and streamline the management of multiple accounts, we strongly recommend that you integrate Security Lake with AWS Organizations.
-
As part of this solution, you will need to enable Amazon QuickSight and configure users and groups. Here is the link (https://docs.aws.amazon.com/quicksight/latest/user/creating-quicksight-groups.html) for creating and managing groups in Amazon QuickSight.
-
Install the latest release of the AWS CLI version 2: https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html
Edit cdk-lakeformation-permissions/source/cdk.json using the values for your specific Amazon Security Lake and Amazon Quicksight Instance:
-
rollup_region - The aggregate region used for rollup in Amazon Security Lake. This field require the use of an underscore rather than dash (example: us_east_1 rather than us-east-1).
-
region - The current region where this solution is being deployed to.
-
slregion - The region where the referenced Security Lake tables reside.
-
LakeFormationAdminRoleArn - The Admin Role ARN used in AWS Lake Formation.
-
SecurityLakeAccountID - The AWS Account ID which has provided the resource share to its security lake assets.
-
AWSAccountID - The AWS Account ID from the account you are deploying the solution in with QuickSight..
-
QuicksightUserARN - The AWS Quicksight ARN of the Quicksight account in which this solution is being deployed to.
{ "app": "python3 app.py", "context": { "rollup_region": "<region>", "region": "<region>", "slregion": "<region>", "LakeFormationAdminRoleARN": "arn:aws:iam::123456789012:role/<Rolename>", "SecurityLakeAccountID": 123456789012, "AWSAccountID": 555555555555, "QuickSightUserARN": "arn:aws:quicksight:<Region>:123456789012:user/default/<PrincipalId>" } }
To manually create a virtualenv on MacOS and Linux:
$ python3 -m venv .env
After the init process completes and the virtualenv is created, you can use the following step to activate your virtualenv.
$ source .env/bin/activate
If you are a Windows platform, you would activate the virtualenv like this:
% .env\Scripts\activate.bat
Once the virtualenv is activated, you can install the required dependencies.
$ pip install -r requirements.txt
Set environment variables or Specifies the name of the AWS CLI profile with the credentials and options to use.
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
export AWS_DEFAULT_REGION=us-east-1
export AWS_REGION=us-east-1
At this point you can run script to synthesize the CloudFormation template and deploy AWS Lake Formation permissions and QuickSight dashboards.
$ ./qsdeploy.sh
{
"app": "python3 app.py",
"context": {
"rollup_region": "<region>",
"region": "<region>",
"slregion": "<region>",
"LakeFormationAdminRoleARN": "arn:aws:iam::123456789012:role/<Rolename>",
"SecurityLakeAccountID": 123456789012,
"AWSAccountID": 555555555555,
"QuickSightUserARN": "arn:aws:quicksight:<Region>:123456789012:user/default/<PrincipalId>"
}
}
Add QuickSight Users to the appropriate Dashboard groups
- Within QuickSight, select your user profile (top-right icon)
- Select Manage QuickSight, and then Manage Groups
- Select the appropriate group (security-lake-executive-group, security-lake-operator-group, security-lake-custodian-group)
- Select Add user, and add a user to the group.
- You will have to do this for each Dashboard as needed.
Once users are added into the appropriate group(s), the user will have access to the Dashboard(s)
Please refer to the following on Amazon Quicksight cost: https://aws.amazon.com/quicksight/pricing/.
This solution has been designed as a generally available solution for users who wish to visualize their Amazon Security Lake data. For users with specific visualization needs, the quicksight analysis has been provided in addition to the dashboards. In Amazon QuickSight, an analysis is the same thing as a dashboard, except that it can only be accessed by the authors you choose. You can keep it private, and When and if you decide to publish it, the it can be edited to add or remove visuals before being shared as a new dashboard.For more information on how to customize the analysis provided by this solution, please refer to the following: https://docs.aws.amazon.com/quicksight/latest/user/working-with-an-analysis.html.
This library is licensed under the MIT-0 License.