1 Answer
If I understand your question correctly, the question you're asking is around the topic of Authorization within App Sync.
- Firstly, you do not have to give your users access to your entire AWS infrastructure/console access. You can provision privileged users (i.e. using Cognito User Pools, IAM, etc.) and restrict their access to specific actions with AppSync only. The following link provides a list of options - https://docs.aws.amazon.com/appsync/latest/devguide/security-authz.html
- Secondly, for your data control use cases, you can control what's written/returned via AppSync resolvers. This would require your data table schema to contain metadata information about its owner. The following AWS link provides a good developer guide on this - https://docs.aws.amazon.com/appsync/latest/devguide/security-authorization-use-cases.html
Below is an overview snippet from the link on how AppSync performs Authorization:
AWS AppSync uses resources in your own account and threads identity (user/role) information into the GraphQL request and response as a context object, which you can use in the resolver. This means that permissions can be granted appropriately either on write or read operations based on the resolver logic. If this logic is at the resource level, for example only certain named users or groups can read/write to a specific database row, then that “authorization metadata” must be stored. AWS AppSync does not store any data so therefore you must store this authorization metadata with the resources so that permissions can be calculated. Authorization metadata is usually an attribute (column) in a DynamoDB table, such as an owner or list of users/groups. For example there could be Readers and Writers attributes.
answered 2 years ago
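The owner/readers/writers check the answer describes, written out as an added example (not AWS's code and not from the linked guide). It assumes a simplified identity shape with `username` and `groups`, standing in for what AppSync threads into `ctx.identity` for a Cognito User Pools caller, and an item whose authorization metadata is stored in `owner`, `readers` and `writers` attributes; a real resolver would call `util.unauthorized()` where this returns an error string.

```javascript
// Added example: row-level authorization decided from metadata stored on the item,
// the way an AppSync resolver would do it with ctx.identity. Identity and item shapes
// are assumptions, not AWS's actual types.

// Pull the caller's principal and group memberships out of the identity object.
function callerFromIdentity(identity) {
  if (!identity || !identity.username) return null;
  return { user: identity.username, groups: Array.isArray(identity.groups) ? identity.groups : [] };
}

// May the caller perform `op` ("read" or "write") on `item`?
// Deny by default: missing item, missing identity or missing metadata all fail closed.
function isAuthorized(item, identity, op) {
  const caller = callerFromIdentity(identity);
  if (!item || !caller) return false;
  if (item.owner === caller.user) return true;            // owner may read and write
  const allowed = op === "write" ? item.writers : item.readers;
  if (!Array.isArray(allowed)) return false;              // no list => nobody else
  // Entries in readers/writers may name a user or a group.
  return allowed.some((p) => p === caller.user || caller.groups.includes(p));
}

// For list/query results: drop rows the caller may not read instead of
// failing the whole request (the "filter on read" option in the answer).
function filterReadable(items, identity) {
  return (items || []).filter((i) => isAuthorized(i, identity, "read"));
}

// Shape of a resolver response handler: ctx.result is the fetched item,
// ctx.identity the caller. Returns the item or an "Unauthorized" error.
function response(ctx) {
  if (!isAuthorized(ctx.result, ctx.identity, "read")) {
    return { data: null, error: "Unauthorized" };
  }
  return { data: ctx.result, error: null };
}

// Constructed sample rows and callers (not real data).
const SAMPLE_ITEMS = [
  { id: "1", owner: "alice", readers: ["bob", "auditors"], writers: [] },
  { id: "2", owner: "bob", readers: [], writers: ["editors"] },
];
const ALICE = { username: "alice", groups: [] };
const CAROL = { username: "carol", groups: ["auditors"] };
```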
After some more research on this topic I believe that I put too much emphasis on the specific applications and use case I had. What I am looking for is some way to isolate my users' data. I have been looking into how to automate creating AWS accounts for my users so that their data and other users' data are not mixed in any way. This would mean that each user would own their own data and they would not run the risk of data contamination. I am basing my research at the moment on this article: https://aws.amazon.com/blogs/mt/automate-account-creation-and-resource-provisioning-using-aws-service-catalog-aws-organizations-and-aws-lambda/