Opportunity Name:
Quicksight Remove Idle Users
AWS Resource Type:
Quicksight users
Opportunity Description:
Each QuickSight user can be a reader, an author, or an admin. Idle readers are free. Idle authors and admins incur a per-user charge each month. If a user is idle, they likely don’t need access to QuickSight anymore, and the user can be removed.
Criteria for identifying the opportunity:
The opportunity is identified if:
- A user in that account is an author or admin
- The user hasn’t interacted with QuickSight (in any region) during the last 30 days
Excluding Users
CloudFix’s user exclusion setting lets you prevent specific QuickSight users from being deleted by the “Delete Idle Users” Finder. It uses regular expression patterns to match usernames you want to protect, without blocking cleanup for truly idle accounts.
This is useful for keeping key accounts untouched—like service accounts, exec users, or project-related roles—even if they appear inactive.
The feature can be accessed under the Settings tab by clicking the cog wheel beside the QuickSight finder.
How It Works
The setting matches usernames against a regex pattern. If there's a match, the user is excluded from deletion. You can use it to protect:
- Service accounts (e.g. `.*-service-account$`)
- Admin users (`admin.*|.*-admin$`)
- Executives (`exec-.*|c-level-.*`)
- Project-specific accounts (`project-.*-team`)
- Specific domains (`.*@company\.com$`)
Real-World Examples: Protecting bill.gleeson@cloudfix.com
Here are example patterns that would match and protect this user:
- Protect all CloudFix emails: `.*@cloudfix\.com$`
- Specific users: `bill\.gleeson@cloudfix\.com|sarah\.chen@cloudfix\.com`
- Name contains `gleeson`: `.*gleeson.*`
- All CloudFix admins: `bill\.gleeson@cloudfix\.com|admin.*@cloudfix\.com|.*-admin@cloudfix\.com`
- Match user prefix before `@`: `bill\.gleeson@|.*gleeson@`
Pattern Testing Table
| Pattern | Matches? | Explanation |
|---|---|---|
| `.*@cloudfix\.com$` | ✅ | Matches any email at cloudfix.com |
| `bill\.gleeson@cloudfix\.com` | ✅ | Exact match for Bill’s email |
| `.*gleeson.*` | ✅ | Matches any name with “gleeson” |
| `bill\..*@cloudfix\.com` | ✅ | Matches all bill.* users at CloudFix |
| `admin.*@cloudfix\.com` | ❌ | Doesn't match “bill.gleeson” (no "admin") |
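The following dry run is an added example, not CloudFix code: it evaluates the page's exclusion patterns against constructed usernames before they are saved in the setting. The page does not say whether a pattern may match anywhere in the username or must match the whole username, so the script checks both with Python's `re` module; the usernames, the function names and the choice of regex engine are assumptions.

```python
import re

# Exclusion patterns copied from the page.
PATTERNS = {
    "service": r".*-service-account$",
    "admins": r"admin.*|.*-admin$",
    "domain": r".*@cloudfix\.com$",
    "prefix": r"bill\.gleeson@|.*gleeson@",
    "contains": r".*gleeson.*",
}

# Constructed usernames for the dry run (not real accounts).
USERS = [
    "bill.gleeson@cloudfix.com",
    "etl-service-account",
    "sysadmin.temp@contractor.example",
    "bill.gleeson@cloudfix.com.example.net",
    "jane.doe@cloudfix.com",
]


def protected(pattern, users, mode="search"):
    """Users the pattern would exclude from deletion.

    mode="search" matches anywhere in the username; mode="fullmatch"
    requires the whole username to match. Which one the product applies
    is an assumption to verify, so both are available.
    """
    rx = re.compile(pattern)
    test = rx.search if mode == "search" else rx.fullmatch
    return [u for u in users if test(u)]


def semantics_drift(pattern, users):
    """Users protected under search semantics but not under fullmatch."""
    strict = set(protected(pattern, users, "fullmatch"))
    return sorted(u for u in protected(pattern, users, "search") if u not in strict)


def report(patterns=PATTERNS, users=USERS):
    """Per pattern: who is protected either way, and who depends on semantics."""
    return {name: {"always": protected(p, users, "fullmatch"),
                   "search_only": semantics_drift(p, users)}
            for name, p in patterns.items()}


if __name__ == "__main__":
    for name, row in report().items():
        print(f"{name:9} always={row['always']} search_only={row['search_only']}")
```

A non-empty `search_only` list means the set of protected users depends on how the pattern is anchored, and an `always` list that contains a username you did not intend to keep (such as the lookalike domain under `.*gleeson.*`) means the pattern is broader than needed.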
Potential savings (range in % on annual basis):
100% of the per-seat cost for each idle user.
What happens when the Fixer is executed?
The user’s resources are shared with another admin user in the same account (preserving access to those resources). The user is then deleted.
Is it possible to roll back once CloudFix implements the fixer?
CloudFix cannot roll back this fixer. If the same user wants to access QuickSight again, they should sign up through the process they originally used to gain access. They should consider doing so as a reader rather than an author or admin.
Can CloudFix implement the fix automatically once I accept the recommendation?
Yes
Does this fix require downtime?
No
Priyanka Bhotika