# Setting up and signing into Amazon Quick Setting up and signing in This section includes the essential setup tasks, such as signing up for an AWS account, creating an administrative user, and subscribing to the Amazon Quick service. **Note** For more information on setting up your Amazon Quick account, including configuring identity and access management, and controlling sign-up for users, see [Administering Amazon Quick](https://docs.aws.amazon.com/quicksuite/latest/userguide/admin-setting-up.html). **Topics** + [ ## Complete initial configuration tasks ](#setting-up-create-iam-user) + [ # Signing up for an Amazon Quick subscription ](signing-up.md) + [ # Signing in to Amazon Quick ](signing-in.md) ## Complete initial configuration tasks To use Amazon Quick you must first complete the following tasks: **Topics** + [ ### Sign up for an AWS account ](#sign-up-for-aws) + [ ### Create a user with administrative access ](#create-an-admin) ### Sign up for an AWS account If you do not have an AWS account, complete the following steps to create one. **To sign up for an AWS account** 1. Open [https://portal.aws.amazon.com/billing/signup](https://portal.aws.amazon.com/billing/signup). 1. Follow the online instructions. Part of the sign-up procedure involves receiving a phone call or text message and entering a verification code on the phone keypad. When you sign up for an AWS account, an *AWS account root user* is created. The root user has access to all AWS services and resources in the account. As a security best practice, assign administrative access to a user, and use only the root user to perform [tasks that require root user access](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#root-user-tasks). AWS sends you a confirmation email after the sign-up process is complete. At any time, you can view your current account activity and manage your account by going to [https://aws.amazon.com/](https://aws.amazon.com/) and choosing **My Account**. ### Create a user with administrative access After you sign up for an AWS account, secure your AWS account root user, enable AWS IAM Identity Center, and create an administrative user so that you don't use the root user for everyday tasks. **Secure your AWS account root user** 1. Sign in to the [AWS Management Console](https://console.aws.amazon.com/) as the account owner by choosing **Root user** and entering your AWS account email address. On the next page, enter your password. For help signing in by using root user, see [Signing in as the root user](https://docs.aws.amazon.com/signin/latest/userguide/console-sign-in-tutorials.html#introduction-to-root-user-sign-in-tutorial) in the *AWS Sign-In User Guide*. 1. Turn on multi-factor authentication (MFA) for your root user. For instructions, see [Enable a virtual MFA device for your AWS account root user (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/enable-virt-mfa-for-root.html) in the *IAM User Guide*. **Create a user with administrative access** 1. Enable IAM Identity Center. For instructions, see [Enabling AWS IAM Identity Center](https://docs.aws.amazon.com//singlesignon/latest/userguide/get-set-up-for-idc.html) in the *AWS IAM Identity Center User Guide*. 1. In IAM Identity Center, grant administrative access to a user. For a tutorial about using the IAM Identity Center directory as your identity source, see [ Configure user access with the default IAM Identity Center directory](https://docs.aws.amazon.com//singlesignon/latest/userguide/quick-start-default-idc.html) in the *AWS IAM Identity Center User Guide*. **Sign in as the user with administrative access** + To sign in with your IAM Identity Center user, use the sign-in URL that was sent to your email address when you created the IAM Identity Center user. For help signing in using an IAM Identity Center user, see [Signing in to the AWS access portal](https://docs.aws.amazon.com/signin/latest/userguide/iam-id-center-sign-in-tutorial.html) in the *AWS Sign-In User Guide*. **Assign access to additional users** 1. In IAM Identity Center, create a permission set that follows the best practice of applying least-privilege permissions. For instructions, see [ Create a permission set](https://docs.aws.amazon.com//singlesignon/latest/userguide/get-started-create-a-permission-set.html) in the *AWS IAM Identity Center User Guide*. 1. Assign users to a group, and then assign single sign-on access to the group. For instructions, see [ Add groups](https://docs.aws.amazon.com//singlesignon/latest/userguide/addgroups.html) in the *AWS IAM Identity Center User Guide*. # Signing up for an Amazon Quick subscription Signing up for a subscription When you first sign up for Amazon Quick, you get a free trial subscription for twenty-five users for 30 days. During the process of signing up, you may set options for your identity provider. Before you begin, make sure that you can connect to an existing AWS account. If you don't have an AWS account, see [Complete initial configuration tasks](https://docs.aws.amazon.com/quicksuite/latest/userguide/setting-up). The person who signs up for Quick needs to have the correct AWS Identity and Access Management (IAM) permissions. For more information, see [IAM policy examples for Quick](https://docs.aws.amazon.com/quicksight/latest/user/iam-policy-examples.html). To test your permissions, you can use the IAM policy simulator; for more information, see [Testing IAM policies with the IAM policy simulator](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_testing-policies.html). Also, check whether your AWS account is part of an organization based on the AWS Organizations service. If so and you sign in as an IAM user, make sure that you didn't inherit any IAM permissions that deny access to the required permissions. For more information on Organizations, see [What is AWS Organizations?](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html) **Note** Your data is encrypted by default using AWS-managed keys. Admins can adjust settings for custom encryption in the admin portal after signing up. **To subscribe to Quick** 1. Sign in to your AWS account and open Quick from the AWS Management Console. You can find it under **Analytics** or by searching for *Quick*. Your AWS account number is displayed for verification purposes. 1. Enter a unique account name for Quick. + Enter a notification email address for the Quick account owner or group. This email address receives service and usage notifications. 1. Choose the AWS Region that you want to use for your initial data storage capacity, called SPICE. 1. Choose an authentication method that you want to connect to Quick with. Select from one of the following: + **(Recommended) Password-based or Single-Sign On** + **IAM Identity Center** + **Single-Sign On Only** + **Active Directory** 1. Review the choices that you made, then choose **Create account**. 1. Upon completion, your Quick account will be created. To open Quick, choose **Go to Quick**. # Non-admin sign-up process Non-admin sign-up If you are not an administrator, you can sign up for Quick using a link provided by your admin. This process allows you to create your account and configure your Quick environment. **To sign up as a non-admin user** 1. **Getting your sign-up link** Sign up for Amazon Quick with the link provided by your admin. 1. **Account creation and QuickSight access** After you've created your account, from within QuickSight, search for Amazon Quick. 1. **Account configuration** Enter your Account name, Email, region, and Authentication method. + For authentication, Amazon Q supports Pro license integration with start URL format: https://amzn.awsapps.com/start + Default region is us-east-1 1. **Plan selection** Select the plan and storage options you are using for your instance of Amazon Quick. # Signing in to Amazon Quick Signing in to Quick You can sign in to Amazon Quick multiple ways, depending on what your Quick administrator has set up. You can sign in to Quick using AWS root, AWS Identity and Access Management (IAM), corporate Active Directory, or your native Quick credentials. If your Quick account is integrated with an identity provider such as Okta, the following procedures don't apply to you. If you're a Quick administrator, make sure to allow-list the following domains within your organization's network. | User type | Domain or domains to allow-list | | --- | --- | | Users who sign in directly through Quick and Active Directory users | `signin.aws` and `awsapps.com` | | AWS root user | `signin.aws.amazon.com` and `amazon.com` | | IAM users | `signin.aws.amazon.com` | # Post-setup configuration Post-setup configuration After signing in to Quick, you can customize your environment by configuring agent settings and other preferences. **To complete post-setup configuration** 1. **Agent customization access** From the left navigation menu, under Customization, select Agent customization. 1. **Environment settings** Enter the settings you require for your environment. These settings will customize Amazon Q's behavior for your specific use case. **Important** We strongly recommend that you don't use the AWS root user for your everyday tasks, even the administrative ones. Instead, adhere to the best practice of using the root user only to create your first IAM user. Then securely lock away the root user credentials and use them to perform only a few account and service management tasks. For more information, see [AWS account root user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html) in the *IAM User Guide*. ## How to sign in to Quick How to sign in to Quick Use the following procedure to sign in to Quick. **To sign in to Quick** 1. Go to [https://quicksight.aws.amazon.com/](https://quicksight.aws.amazon.com/). 1. For **Quick account name**, enter your account name. This is the name that was created when the Quick account was created in AWS. If you were invited to the Quick account by email, you can find the account name inside of that email. If you don't have the email that invited you to Quick, ask the Quick administrator in your organization for the information that you need. You can also find your Quick account name by selecting the profile icon at the upper-right of the Quick console menu. In some cases, you might not have access to your Quick account or have an administrator who can provide this information, or both. If so, contact AWS Support and open a ticket that includes your AWS customer ID. 1. For **Username**, enter your Quick user name. User names that contain a semicolon (;) aren't supported. Choose one of the following: + For organizational users – The user name is provided by your administrator. Your account can be based on IAM credentials or your email address if it's a root email address. Or it can be used as the user name to invite you into the Quick account. If you received an invitation email from another Quick user, it indicates what type of credentials to use. + For individual users – The user name that you created for yourself. This is usually the IAM credentials that you created. The remaining steps vary depending on the user type you sign in as (directly through Quick or as an Active Directory user, AWS root user, or IAM user). For more information, see the following sections. ### Finishing Quick sign-in as a Quick or Active Directory user If you're signing in directly through Quick or are using your corporate Active Directory credentials, you're redirected to `signin.aws` after you enter your account name and user name. Use the following procedure to finish signing in. **To finish signing in to Quick if you sign in directly through Quick or use Active Directory credentials** 1. For **Password**, enter your password. Passwords are case-sensitive and must be 8–64 characters in length. They must also contain each of the following: + Lowercase letters (a–z) + Uppercase letters (A–Z) + Numbers (0–9) + Nonalphanumeric characters (\$1\$1@\$1\$1%^&\$1\$1-\$1=`\$1\$1()\$1\$1[]:;"'<>,.?/) 1. If your account is multi-factor authentication enabled, enter the multi-factor authentication code that you receive for **MFA code**. 1. Choose **Sign in**. ### Finishing Quick sign-in as an AWS root user If you're signing in as an AWS root user, you're redirected to signin.aws.amazon.com (or amazon.com) to complete the sign-in process. Your user name is prefilled. Use the following procedure to finish signing in. **To finish signing in as an AWS root user** 1. Choose **Next**. 1. For **password**, enter your password. For more information about root user passwords, see [Changing the AWS account root user password](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_change-root.html) in the *IAM User Guide*. 1. Choose **Sign in**. ### Finishing Quick sign-in as an IAM user If you're signing in as an IAM user, you're redirected to signin.aws.amazon.com (or amazon.com) to complete the sign-in process. Your user name is prefilled. Use the following procedure to finish signing in. **To finish signing in as an IAM user** 1. For **Password**, enter your password. For more information about IAM user passwords, see [Default password policy](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html#default-policy-details) in the *IAM User Guide*. 1. Choose **Sign in**. # Signing in with multiple accounts Signing in with multiple accounts You can sign in to Amazon Quick with multiple accounts at the same time and switch between them as necessary. **To sign in to multiple accounts** 1. Follow the steps at [Signing in to Amazon Quick](signing-in.md) to sign in to Amazon Quick. 1. At the top-right corner, select your account name to reveal a dropdown menu. 1. Hover over **Switch accounts**. A list of accounts that you've signed in to before appears. Do one of the following: + To switch to an account, select that account and provide sign-in credentials. + To sign in to a new account, choose **Add another account**. You are prompted to provide sign-in credentials for the account. **To sign out of an account or all accounts** 1. Select your account name at the top-right corner to reveal a dropdown menu. 1. Hover over **Sign out**. You can choose to sign out of your current account or to **Sign out of all accounts**. ## URL structure When using multiple accounts, Amazon Quick URLs include the account name to identify which account you're accessing. ### Application URLs Application URLs follow this structure: ``` https://us-east-1.quicksight.aws.amazon.com/sn/account/ACCOUNT-NAME/... ``` Examples: ``` https://us-east-1.quicksight.aws.amazon.com/sn/account/my-account/start/home https://us-east-1.quicksight.aws.amazon.com/sn/account/my-account/dashboards/1234 ``` ### Console URLs Console URLs follow this structure. **Standard accounts (account alias is the account ID)** ``` https://us-east-1.quicksight.aws.amazon.com/sn/console/account/123456789012/... ``` Examples: ``` https://us-east-1.quicksight.aws.amazon.com/sn/console/account/123456789012/admin https://us-east-1.quicksight.aws.amazon.com/sn/console/account/123456789012/asset-management ``` **Accounts with IAM multi-account access (account alias is the session differentiator)** ``` https://us-east-1.quicksight.aws.amazon.com/sn/console/account/123456789012-abc123/... ``` Examples: ``` https://us-east-1.quicksight.aws.amazon.com/sn/console/account/123456789012-abc123/admin https://us-east-1.quicksight.aws.amazon.com/sn/console/account/123456789012-abc123/asset-management ``` ## Key considerations and limitations + The URL structures above enable bookmarking of resources within the Amazon Quick account. + You can simultaneously be signed in to different accounts in different tabs or windows in your browser. + The Amazon Quick URL contains your account name. If you change it to another account name, you are prompted to sign in if you aren't already. + You can sign in to up to five accounts. If you try to sign in to a sixth account, the system automatically signs out and forgets the least recently signed in account. + Multi-account sign-in is not supported for IAM users who access Amazon Quick through IAM-based multi-account federation. ## IAM SSO federation with multi-account For more information about setting up identity federation, see [Initiating sign-on from Quick](federated-identities-sp-to-idp.md). ### Service Provider (SP) initiated federation If your account has SSO configuration established in Quick, all login attempts or links that include the account alias provide seamless login. There is no change in behavior for these logins. ### Identity Provider (IdP) initiated federation **Scenarios with no change in behavior:** + If you have enabled IAM multi-account access, all federation links provide seamless login, regardless of whether they include the account alias. + If you have SSO configuration enabled in Quick, all IdP initiated federation or IdP deep links that include the account alias provide seamless login. + If you have never used Quick before or have only ever used one account with Quick and you use IdP federation to access that one account, there is no change in experience. **Scenarios with change in behavior:** When you have one or more saved Quick accounts and access any IdP federation link without an account alias, instead of being taken directly to your account, you land on the Quick saved account login page where you can select your session and be taken to your account. **Recommended configuration:** To ensure seamless IdP federation, include the account alias in all IdP federation links. If you are unable to ensure the account alias in your deep links or you do not have SSO configuration enabled in Quick, include the `sso_login=true` query parameter in your links. Recommended example start federation URL: ``` https://us-east-1.quicksight.aws.amazon.com/sn/account/ACCOUNT-NAME/start/home?sso_login=true ``` If your sign-in process happens automatically and you need to use a different account, use a private or incognito browser window. Doing this prevents the browser from reusing cached settings.