By using AWS re:Post, you agree to the Terms of Use
/Protect AWS Appsync APIs end point from public internet, restrict it to be accessible from Service deployed inside vpc/

Protect AWS Appsync APIs end point from public internet, restrict it to be accessible from Service deployed inside vpc

0

I have AWS Appsync graph QL end point, which is intended to be a backend service only. It is not meant to be exposed to the public internet. How to protect the end point to be used by another back end service deployed in vpc and external facing AWs Appsync instance ? Any reference articles or leads will be super helpful. Thanks in advance.

2 Answers
1
Accepted Answer

For your particular use case, the most straightforward option would be to use AWS_IAM authorization:

  • create a role, allowing appsync:GraphQL action on the GraphQL API resource (or subset of operations)
  • associate backend service with that role, so that it can sign all GraphQL requests with SigV4
  • configure GraphQL API to use AWS_IAM security

This will require all clients to attach a valid SigV4 signature to all client requests.

If you want to lockdown API endpoint access even further and reject connection requests from unauthorized ip ranges, you might want to consider adding WAF integration and building WAF rules to allow connections from a predefined ip address range only.

answered 5 months ago
1

Great question!

Check out https://docs.aws.amazon.com/appsync/latest/devguide/security-authz.html on how to secure AWS AppSync.

Specifically, you can configure 5 different types of authorization (API Key, AWS Lambda, AWS IAM, OpenID Connect, or Amazon Cognito User Pools).

You could also use WAF to protect your AppSync API: https://docs.aws.amazon.com/appsync/latest/devguide/WAF-Integration.html

More information about AppSync Security here: https://docs.aws.amazon.com/appsync/latest/devguide/security.html

answered 5 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions