How do I build an app in AppSync with zero knowledge encryption / proof in mind.


I am not sure if this is possible but I am building an app with AppSync and the biggest question is how do I let my users control their own data while I control the app and its infrastructure. I would like to store data in DynamoDB, Aroura, S3 and Elasticsearch/OpenSearch for them. I also want to process data via lambda and potentially through EC2 but I just don't see how the app could process data without it entering my environment and knowing what that data is. Without obviously giving them an AWS account with all of our software and infrastructure what sort of options do I have for this?

I was thinking about automating AWS organizations to separate things but that is not really what organizations was meant for. In AppSync and React (as the frontend) is it possible for the customer to be prompted to point to their data via an AWS login / connection?

Honestly, I am not really sure how to go about doing this. I am not looking for someone to do any sort of work for me I just need to know what is involved in doing something like this and what all my options are.

Thanks for all your help!

1 Answer

If I understand your question correctly, the question you're asking is around the topic of Authorization within App Sync.

Below is an overview snippet from the link on how AppSync performs Authorization:

AWS AppSync uses resources in your own account and threads identity (user/role) information into the GraphQL request and response as a context object, which you can use in the resolver. This means that permissions can be granted appropriately either on write or read operations based on the resolver logic. If this logic is at the resource level, for example only certain named users or groups can read/write to a specific database row, then that “authorization metadata” must be stored. AWS AppSync does not store any data so therefore you must store this authorization metadata with the resources so that permissions can be calculated. Authorization metadata is usually an attribute (column) in a DynamoDB table, such as an owner or list of users/groups. For example there could be Readers and Writers attributes.
answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions