How do I build an app in AppSync with zero knowledge encryption / proof in mind.

Question

I am not sure if this is possible but I am building an app with AppSync and the biggest question is how do I let my users control their own data while I control the app and its infrastructure. I would like to store data in DynamoDB, Aroura, S3 and Elasticsearch/OpenSearch for them. I also want to process data via lambda and potentially through EC2 but I just don't see how the app could process data without it entering my environment and knowing what that data is. Without obviously giving them an AWS account with all of our software and infrastructure what sort of options do I have for this?

I was thinking about automating AWS organizations to separate things but that is not really what organizations was meant for. In AppSync and React (as the frontend) is it possible for the customer to be prompted to point to their data via an AWS login / connection?

Honestly, I am not really sure how to go about doing this. I am not looking for someone to do any sort of work for me I just need to know what is involved in doing something like this and what all my options are.

Thanks for all your help!

Answer

If I understand your question correctly, the question you're asking is around the topic of **Authorization** within App Sync.
* Firstly, you do not have to give your users access to your entire AWS infrastructure/console access. You can provision privilege users (i.e using Cognito User Pools ,IAM , etc) and restrict their access to specific actions with AppSync only. The following link provide a list of options - https://docs.aws.amazon.com/appsync/latest/devguide/security-authz.html
* Secondly for your data control use cases, you can control what's written/returned via AppSync resolvers, this would require your data table schema to contain metadata information about it's owner  . The following AWS link provide a good developer guide on this - https://docs.aws.amazon.com/appsync/latest/devguide/security-authorization-use-cases.html

Below is an overview snippet from the link on how AppSync performs Authorization:
```
AWS AppSync uses resources in your own account and threads identity (user/role) information into the GraphQL request and response as a context object, which you can use in the resolver. This means that permissions can be granted appropriately either on write or read operations based on the resolver logic. If this logic is at the resource level, for example only certain named users or groups can read/write to a specific database row, then that “authorization metadata” must be stored. AWS AppSync does not store any data so therefore you must store this authorization metadata with the resources so that permissions can be calculated. Authorization metadata is usually an attribute (column) in a DynamoDB table, such as an owner or list of users/groups. For example there could be Readers and Writers attributes.
```

How do I build an app in AppSync with zero knowledge encryption / proof in mind.

Relevant content