Hello. We have an architecture that connects two AWS accounts (client and server) and a web application. All the API calls from the web app go through the client AppSync to separate Lambdas for the different services, and those Lambdas connect to the server account to get ML models, to connect to the server RDS (through a limited-access user), etc. We implemented this architecture because the server is not authorized to access any of the client data; therefore we load encrypted ML models into the client-side Lambda memory to do the inferencing. As for the RDS connection, we use it to connect to the server RDS to get common data for all the clients. Now we want to restructure this so that all these API calls from client-side Lambdas go through a server-side AppSync, without direct RDS and Lambda connections, so that we can implement a subscription mechanism to validate each client on the server-side AppSync. Can I get your suggestions on this?
Thank you for your answer. How do you suggest we do the authentication of each user in the server account? Each user should be authenticated to find out whether the user is a Pro user or not.
To answer your questions: clients can number in the hundreds, each having a separate AWS account. The rules are simple. We are going to implement Pro and Standard subscription levels, where Pro clients have no limitations but Standard clients are only allowed some requests (they are not permitted to do inferencing for some data that becomes available during certain weeks of the month).
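One way to express the Pro/Standard rule above at the server-side AppSync is an AppSync Lambda authorizer that maps each client's token to a tier and denies inference on restricted-week data for Standard clients. The code below is an added illustration, not code from the poster or from any answer in the thread; the subscription table, the restricted week numbers, the `runInference` operation name and the `dataWeek` argument are all constructed assumptions.

```python
# Constructed sample subscription table. In the real design this would be a
# lookup in the server account's subscription store (assumed, not on the page).
SUBSCRIPTIONS = {
    "token-acme-pro": {"client_id": "acme", "tier": "pro"},
    "token-beta-std": {"client_id": "beta", "tier": "standard"},
}

# Constructed rule: Standard clients may not run inference on data released in
# these weeks of the month. The week numbers are placeholder assumptions.
RESTRICTED_WEEKS = {2, 4}
INFERENCE_OPERATIONS = {"runInference"}  # hypothetical GraphQL operation name


def evaluate(token, operation_name, variables):
    """Decide one request: returns (authorized, tier, reason)."""
    sub = SUBSCRIPTIONS.get(token)
    if sub is None:
        return False, None, "unknown token"          # fail closed on unknown clients
    if sub["tier"] == "pro":
        return True, "pro", "pro tier: no restrictions"
    if operation_name in INFERENCE_OPERATIONS:
        week = variables.get("dataWeek")             # hypothetical argument
        if week is None:
            return False, "standard", "inference request without dataWeek"
        if week in RESTRICTED_WEEKS:
            return False, "standard", f"standard tier may not infer on week {week} data"
    return True, "standard", "standard tier: allowed"


def handler(event, context=None):
    """AppSync Lambda authorizer entry point.

    AppSync passes the caller's token as authorizationToken and the query
    details (operationName, variables) under requestContext; it expects
    isAuthorized, optional resolverContext and ttlOverride in the response.
    """
    req = event.get("requestContext") or {}
    authorized, tier, reason = evaluate(
        event.get("authorizationToken", ""),
        req.get("operationName"),
        req.get("variables") or {},
    )
    return {
        "isAuthorized": authorized,
        # Resolvers can read the tier from $ctx.identity.resolverContext
        "resolverContext": {"tier": tier or "none", "reason": reason},
        "ttlOverride": 0,  # do not cache: tier and week-based decisions change
    }
```

The tier and reason are passed to the resolvers through `resolverContext`, so downstream resolvers can apply finer-grained limits without re-checking the subscription store.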