- Newest
- Most votes
- Most comments
For your particular use case, the most straightforward option would be to use AWS_IAM authorization:
- create a role, allowing
appsync:GraphQLaction on the GraphQL API resource (or subset of operations) - associate backend service with that role, so that it can sign all GraphQL requests with SigV4
- configure GraphQL API to use AWS_IAM security
This will require all clients to attach a valid SigV4 signature to all client requests.
If you want to lockdown API endpoint access even further and reject connection requests from unauthorized ip ranges, you might want to consider adding WAF integration and building WAF rules to allow connections from a predefined ip address range only.
Great question!
Check out https://docs.aws.amazon.com/appsync/latest/devguide/security-authz.html on how to secure AWS AppSync.
Specifically, you can configure 5 different types of authorization (API Key, AWS Lambda, AWS IAM, OpenID Connect, or Amazon Cognito User Pools).
You could also use WAF to protect your AppSync API: https://docs.aws.amazon.com/appsync/latest/devguide/WAF-Integration.html
More information about AppSync Security here: https://docs.aws.amazon.com/appsync/latest/devguide/security.html
You can use Private APIs for AppSync https://aws.amazon.com/blogs/mobile/introducing-private-apis-on-aws-appsync/
Relevant content
- Accepted Answerasked 10 months ago
AWS OFFICIALUpdated 9 months ago- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated a year ago
