Findings
AppSync GraphQL API authentication using API keys
Updated: June 19, 2025
Description
The AWS AppSync GraphQL API accepts API keys (the API_KEY authentication mode) as its default authentication method or as an additional authentication provider.
An API key is a single shared, static secret: every caller that presents it in the x-api-key header gets identical access, and resolvers receive no caller identity, so no per-user or per-role authorization can be enforced behind it. That makes keys a convenient option for public, unauthenticated use cases but a significant risk in production. Because the key must be embedded in whatever calls the API, it is easily exposed in client-side bundles, mobile apps, log files or other insecure storage, and it cannot be tied to the client that leaked it. Once compromised, a key grants the attacker everything the key can reach until it is deleted or expires (AppSync keys live at most 365 days), leading to potential data breaches, resource exhaustion and service disruptions.
Example Attack
A developer ships the API key inside public-facing client-side code (for example a web bundle or mobile app). An attacker extracts the key from the bundle, sends it in the x-api-key header, and uses it to:
- Query sensitive data from the API, since every operation the key is allowed to reach is available to anyone holding it.
- Exceed usage limits, causing service disruptions and increased costs, while the traffic is indistinguishable from the legitimate client's.
- Use the key as a foothold to probe the schema and resolvers for further weaknesses that could lead to backend compromise.
Remediation
Use an identity-based authentication mode for the AppSync GraphQL API: AWS_IAM, Amazon Cognito user pools (AMAZON_COGNITO_USER_POOLS), an OpenID Connect provider (OPENID_CONNECT) or a Lambda authorizer (AWS_LAMBDA). Remove API_KEY from the default mode and from the additional authentication providers, then revoke the existing keys once clients have migrated. If a key must remain for a narrowly scoped public, read-only use case, restrict the types and fields it can reach with the @aws_api_key directive and keep its expiry short.
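The following is an added example, not part of this finding page or of any AWS tooling, showing how to check an account for this finding from the output of `aws appsync list-graphql-apis` and how to derive the remediation step. The field names it reads (`authenticationType`, `additionalAuthenticationProviders`) are those of the AppSync GraphqlApi structure; the sample JSON, API IDs and API names are constructed, and the helper names (`audit`, `evaluate`, `remediation`) are this example's own. It fails any API that accepts API keys at all, whether as the default mode or only as an additional provider, because a key grants identical access to every holder either way.

```python
import json
import sys

API_KEY = "API_KEY"
# Identity-bearing modes AppSync supports, named as the AppSync API names them.
IDENTITY_MODES = {"AWS_IAM", "AMAZON_COGNITO_USER_POOLS", "OPENID_CONNECT", "AWS_LAMBDA"}

# Constructed sample of `aws appsync list-graphql-apis --output json` (not real APIs).
SAMPLE_LIST_OUTPUT = json.dumps({
    "graphqlApis": [
        {"apiId": "aaaaaaaaaa", "name": "orders-api",
         "authenticationType": "API_KEY",
         "additionalAuthenticationProviders": []},
        {"apiId": "bbbbbbbbbb", "name": "catalog-api",
         "authenticationType": "AMAZON_COGNITO_USER_POOLS",
         "additionalAuthenticationProviders": [{"authenticationType": "API_KEY"}]},
        {"apiId": "cccccccccc", "name": "internal-api",
         "authenticationType": "AWS_IAM",
         "additionalAuthenticationProviders": []},
    ]
})


def auth_modes(api):
    """Every mode the API accepts: the default plus any additional providers."""
    modes = [api.get("authenticationType", "UNKNOWN")]
    for provider in api.get("additionalAuthenticationProviders") or []:
        modes.append(provider.get("authenticationType", "UNKNOWN"))
    return modes


def evaluate(api):
    """Grade one GraphqlApi entry. Any accepted API_KEY mode fails, default or
    additional: a shared key gives every holder identical access and resolvers
    see no caller identity, so nothing downstream can compensate."""
    modes = auth_modes(api)
    unknown = [m for m in modes if m != API_KEY and m not in IDENTITY_MODES]
    if API_KEY in modes:
        status = "FAIL"
        reason = "accepts API key authentication (modes: %s)" % ", ".join(modes)
    elif unknown:
        status = "MANUAL"
        reason = "unrecognised authentication mode(s): %s" % ", ".join(unknown)
    else:
        status = "PASS"
        reason = "identity-based authentication only (%s)" % ", ".join(modes)
    return {"apiId": api.get("apiId"), "name": api.get("name"),
            "authModes": modes, "status": status, "reason": reason}


def audit(list_output_json):
    """Evaluate every API in the JSON document printed by list-graphql-apis."""
    apis = json.loads(list_output_json).get("graphqlApis", [])
    return [evaluate(api) for api in apis]


def remediation(finding):
    """Suggested next step for a failing API.

    update-graphql-api replaces the whole authentication configuration, so the
    exact command is only generated for the key-only case (AWS_IAM needs no
    extra config block). Mixed APIs keep their identity providers and must be
    re-issued without the API_KEY provider, alongside the existing
    userPoolConfig / openIDConnectConfig / lambdaAuthorizerConfig blocks.
    """
    if finding["status"] != "FAIL":
        return None
    if finding["authModes"] == [API_KEY]:
        return ("aws appsync update-graphql-api --api-id %s --name %s "
                "--authentication-type AWS_IAM"
                % (finding["apiId"], finding["name"]))
    return ("re-run update-graphql-api for %s with --additional-authentication-providers "
            "omitting the API_KEY entry (keep the existing provider configs)"
            % finding["apiId"])


if __name__ == "__main__":
    # Usage: aws appsync list-graphql-apis --output json | python audit_appsync_auth.py
    for f in audit(sys.stdin.read()):
        print("%-6s %s (%s): %s" % (f["status"], f["name"], f["apiId"], f["reason"]))
        fix = remediation(f)
        if fix:
            print("       fix: " + fix)
```

Run it per region (list-graphql-apis is regional) and only switch the default mode once clients authenticate with the new method; update-graphql-api takes effect immediately, so existing key-based clients start failing at that point. Delete the old keys with delete-api-key afterwards rather than waiting for them to expire.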
Security Frameworks
Support the management of system accounts using [Assignment: organization-defined automated mechanisms].
Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
Enforce a role-based access control policy over defined subjects and objects and control access based upon [Assignment: organization-defined roles and users authorized to assume such roles].
(a) Enforce [Assignment: organization-defined mandatory access control policy] over the set of covered subjects and objects specified in the policy; and
(b) Enforce [Assignment: organization-defined discretionary access control policy] over the set of covered subjects and objects specified in the policy.
Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks.