
Embedded Analytics: Adding BI Features to Your SaaS Product on AWS

By Infra IT Consulting · 9 min read

Your SaaS product generates data with every transaction, user action, and workflow event. Your customers know this — and increasingly, they expect to see that data reflected back to them through dashboards, reports, and insights built directly into your product. Embedded analytics is no longer a differentiator; for many verticals, it is a table-stakes feature that affects renewal and expansion revenue.

The challenge for product teams is delivering embedded analytics without building a BI tool from scratch or stitching together a fragile mix of charting libraries and custom SQL endpoints. Amazon QuickSight Embedded offers a managed path: native AWS integration, scalable multi-tenant architecture, and a pay-per-session pricing model that aligns costs with customer usage rather than seat counts.

This post covers the architecture, implementation, and business considerations for embedding analytics into a SaaS product on AWS.

The Case for Amazon QuickSight Embedded

QuickSight Embedded allows you to surface QuickSight dashboards and Q&A interfaces inside your own application using a signed URL mechanism. From the end user’s perspective, the analytics experience is seamless — they never leave your product or log into a separate tool. From the engineering team’s perspective, the dashboard rendering, query engine, and data refresh are all managed by AWS.

The pricing model is particularly well-suited to SaaS: QuickSight Reader Session Capacity pricing charges per 30-minute session rather than per named user. For a SaaS product with 10,000 customers who each look at a dashboard once a week, the per-session model is dramatically cheaper than per-seat BI tools. As you consider your BI options, our comparison of QuickSight vs. Tableau vs. Power BI covers the pricing trade-offs in detail.

Architecture: Multi-Tenant Embedded Analytics

The fundamental challenge in embedded analytics for SaaS is tenancy isolation — ensuring that Customer A can never see Customer B’s data. QuickSight handles this through row-level security (RLS) and dynamic parameters, both of which integrate with your application’s authentication layer.

A reference architecture for a multi-tenant SaaS product looks like this:

[Customer Browser]
       │  iframe / embedded URL

[Your SaaS Frontend]
       │  API call: "give me a dashboard URL for this user"

[Your SaaS Backend (Node / Python / Go)]
       │  AWS SDK: GenerateEmbedUrlForRegisteredUser

[Amazon QuickSight]
       │  Query with RLS filter: tenant_id = 'customer-abc'

[Amazon Redshift / Athena / S3]
       │  Returns only tenant-scoped rows

[QuickSight renders dashboard in iframe]

The key step is the backend call to GenerateEmbedUrlForRegisteredUser. Your backend authenticates the end user through your existing auth system, then calls the QuickSight API to obtain a time-limited signed URL that embeds identity and permissions:

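import os

import boto3

# Deployment-specific values, read from the environment (variable names are placeholders).
AWS_ACCOUNT_ID = os.environ['AWS_ACCOUNT_ID']
# IAM role the readers are registered under; register_user needs IamArn when IdentityType is 'IAM'.
EMBED_ROLE_ARN = os.environ['QUICKSIGHT_EMBED_ROLE_ARN']

def get_dashboard_embed_url(tenant_id: str, user_email: str, dashboard_id: str) -> str:
    # tenant_id is not sent to QuickSight in this call: isolation comes from the
    # RLS rules that QuickSight applies to this user (see the next section).
    quicksight = boto3.client('quicksight', region_name='ca-central-1')

    # Ensure the QuickSight user exists (create if not)
    try:
        quicksight.register_user(
            IdentityType='IAM',
            IamArn=EMBED_ROLE_ARN,
            Email=user_email,
            UserRole='READER',
            AwsAccountId=AWS_ACCOUNT_ID,
            Namespace='default',
            SessionName=user_email,
        )
    except quicksight.exceptions.ResourceExistsException:
        pass

    # A role-based user is named "<role-name>/<session-name>" inside QuickSight.
    role_name = EMBED_ROLE_ARN.rsplit('/', 1)[-1]
    response = quicksight.generate_embed_url_for_registered_user(
        AwsAccountId=AWS_ACCOUNT_ID,
        SessionLifetimeInMinutes=60,
        UserArn=f'arn:aws:quicksight:ca-central-1:{AWS_ACCOUNT_ID}:user/default/{role_name}/{user_email}',
        ExperienceConfiguration={
            'Dashboard': {
                'InitialDashboardId': dashboard_id,
                'FeatureConfigurations': {
                    'StatePersistence': {'Enabled': True},
                    'SharedView': {'Enabled': False},
                }
            }
        }
    )
    return response['EmbedUrl']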

The signed URL is returned to your frontend and loaded in an iframe. The session lasts up to 60 minutes and can be refreshed transparently.

Row-Level Security: The Tenancy Enforcement Layer

The embed URL alone does not enforce data isolation — that is the job of QuickSight’s row-level security dataset rules. You configure an RLS dataset that maps QuickSight usernames or groups to filter values:

| UserName                    | tenant_id     |
|-----------------------------|---------------|
| user@customerabc.com        | customer-abc  |
| admin@customerbcd.com       | customer-bcd  |

When QuickSight generates the dashboard for a given user, it automatically appends WHERE tenant_id = 'customer-abc' to every dataset query. This happens inside QuickSight — the end user cannot manipulate it from the browser.
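An added example (not code from the original post): a pre-upload check over a rules file in the UserName/tenant_id layout above. It relies on QuickSight's behaviour that an empty filter value in a grant-access rule matches all values; the function name and the sample rows are constructed for illustration.

```python
import csv
import io

# Constructed sample rules file; the last three rows are deliberately faulty.
SAMPLE_RULES = """UserName,tenant_id
user@customerabc.com,customer-abc
admin@customerbcd.com,customer-bcd
ops@customerabc.com,
user@customerabc.com,customer-bcd
,customer-xyz
"""


def audit_rls_rules(text, filter_column="tenant_id"):
    """Return (line_number, problem) findings for an RLS rules CSV."""
    findings = []
    seen = {}  # UserName -> first filter value mapped to it
    reader = csv.DictReader(io.StringIO(text))
    for line_no, row in enumerate(reader, start=2):  # header is line 1
        user = (row.get("UserName") or "").strip()
        value = (row.get(filter_column) or "").strip()
        if not user:
            findings.append((line_no, "rule has no UserName"))
            continue
        if not value:
            # An empty value in a grant-access rule means "all values".
            findings.append(
                (line_no, f"{user}: empty {filter_column} matches every tenant"))
            continue
        if user in seen and seen[user] != value:
            findings.append(
                (line_no, f"{user}: mapped to both {seen[user]} and {value}"))
        seen.setdefault(user, value)
    return findings


if __name__ == "__main__":
    for line_no, problem in audit_rls_rules(SAMPLE_RULES):
        print(f"line {line_no}: {problem}")
```

Running a check like this before each rules upload catches the rows that would silently widen access rather than narrow it.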

For large SaaS products with thousands of tenants, maintaining a static RLS table is impractical. The preferred approach is dynamic RLS using tag-based rules combined with session tags passed through IAM. This allows your backend to inject the tenant_id at URL generation time without maintaining a user-to-tenant mapping inside QuickSight.
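An added example, not the post's own code: building the request for tag-based RLS, assuming the GenerateEmbedUrlForAnonymousUser API (which accepts SessionTags) and a hypothetical tag rule on the dataset. It rejects tenant values that collide with the rule's match-all value or multi-value delimiter, since either would widen the filter beyond one tenant; the function names and the rule values are assumptions.

```python
# Hypothetical tag rule, in the shape used by a dataset's
# RowLevelPermissionTagConfiguration; the values here are assumptions.
TAG_RULE = {
    "TagKey": "tenant_id",
    "ColumnName": "tenant_id",
    "TagMultiValueDelimiter": ",",
    "MatchAllValue": "*",
}


def session_tag_for(tenant_id, rule=TAG_RULE):
    """Build the session tag for one tenant, refusing values that widen access."""
    if not isinstance(tenant_id, str) or not tenant_id.strip():
        raise ValueError("tenant_id must be a non-empty string")
    if tenant_id == rule["MatchAllValue"]:
        # This value would disable the filter and expose every tenant's rows.
        raise ValueError("tenant_id equals the rule's match-all value")
    if rule["TagMultiValueDelimiter"] in tenant_id:
        # The delimiter would turn one tag into a list of tenants.
        raise ValueError("tenant_id contains the multi-value delimiter")
    return {"Key": rule["TagKey"], "Value": tenant_id}


def build_anonymous_embed_request(account_id, region, dashboard_id, tenant_id):
    """Return keyword arguments for generate_embed_url_for_anonymous_user.

    tenant_id must come from the server-side session of the authenticated
    user, never from a value the browser supplies.
    """
    dashboard_arn = (
        f"arn:aws:quicksight:{region}:{account_id}:dashboard/{dashboard_id}")
    return {
        "AwsAccountId": account_id,
        "Namespace": "default",
        "SessionLifetimeInMinutes": 60,
        "AuthorizedResourceArns": [dashboard_arn],
        "ExperienceConfiguration": {
            "Dashboard": {"InitialDashboardId": dashboard_id}},
        "SessionTags": [session_tag_for(tenant_id)],
    }
```

The returned dictionary is passed as keyword arguments to the boto3 QuickSight client's generate_embed_url_for_anonymous_user call.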

Data Architecture for Embedded Analytics

The analytics data model for a multi-tenant SaaS product typically follows a pattern where every fact table includes a tenant_id column as the primary partition key. On Amazon S3 with Athena, data is physically partitioned by tenant_id in the S3 prefix structure, which both enforces isolation and dramatically improves query performance:

s3://analytics-bucket/
  events/
    tenant_id=customer-abc/
      year=2024/month=03/
        events_20240301.parquet
    tenant_id=customer-bcd/
      year=2024/month=03/
        events_20240301.parquet

Athena’s partition pruning combined with QuickSight RLS means that even if a misconfiguration allowed the wrong RLS rule to apply, the storage layer still limits data access. Defence in depth is important when customer data is involved.

For higher-performance dashboards, Amazon Redshift with separate schemas per tenant, or Redshift data sharing for larger enterprise customers, provides sub-second query response times that are difficult to achieve with S3/Athena at fine granularity.

SPICE: Caching for Performance and Cost Control

QuickSight SPICE (Super-fast Parallel In-memory Calculation Engine) is an in-memory data store that can dramatically improve dashboard load times and reduce the number of queries hitting your underlying data sources. For embedded analytics, SPICE is particularly valuable because end users have zero tolerance for slow dashboards in a product they are paying for.

The trade-off is that SPICE data must be refreshed on a schedule — it is not a live query engine. For SaaS products where customers need to see data from the last hour, you need to evaluate whether scheduled SPICE refreshes (minimum 15-minute intervals on Standard tier) are sufficient, or whether direct query mode is required.

A common pattern is to use SPICE for historical trend data (which changes infrequently) and direct query for current-day metrics, combining both in a single dashboard through carefully constructed datasets.

Pricing and Business Model Alignment

QuickSight’s embedded pricing works on two models:

  • Session Capacity Pricing — Purchase capacity in blocks of sessions per month. Best for SaaS products with large user bases and predictable session volumes.
  • Per-Session Pricing — Pay $0.30 per 30-minute session. Best for early-stage products where usage is unpredictable.

For a SaaS product monetising analytics as a premium feature (tiered pricing, analytics add-ons), the per-session cost can be passed through or bundled into higher-tier pricing. For products where analytics is a standard feature, session capacity pricing with volume commitments reduces per-session costs significantly.

Conclusion

Embedded analytics on AWS through QuickSight offers a compelling path for SaaS product teams who need to deliver BI capabilities to customers without building a BI tool. The multi-tenant architecture, row-level security, and per-session pricing model are all designed for SaaS use cases, and the integration with Redshift and Athena means you are building on the same data infrastructure you already operate.

The implementation details — tenant isolation, SPICE strategy, dynamic RLS, session management — have significant impact on both security and cost. Getting them right from the start is far easier than retrofitting them later.

Infra IT Consulting helps SaaS companies design and implement embedded analytics on AWS, from data architecture through to production deployment. Reach out to discuss your product’s analytics requirements.
