Findings
AppSync Graphql API is missing WAF
Updated: June 19, 2025
Description
The AWS AppSync GraphQL API has no AWS WAF web ACL associated with it.
Without a web ACL, every request that reaches the endpoint is evaluated only by the API's authorization mode and its resolvers. Nothing in front of the API filters request bodies for known attack signatures (SQL injection or cross-site scripting payloads passed as GraphQL arguments and forwarded by resolvers to a data source, for example) or throttles a source that floods the endpoint. AppSync is billed per request and per resolver invocation, so an HTTP flood against an unprotected API raises cost as well as degrading availability. AWS WAF is a defense-in-depth layer: it does not replace authentication, authorization, or input validation in resolvers, but it rejects the bulk of low-effort malicious traffic before it consumes resolver and data-source capacity, and its logging gives visibility into request patterns that AppSync alone does not provide.
Example Attack
Without a web ACL, an attacker can send arbitrary GraphQL operations straight to the endpoint. If a resolver builds a statement for a relational data source by interpolating a query argument, a SQL injection payload in that argument reaches the database unfiltered and can be used to read or modify data the caller is not entitled to. If a mutation stores attacker-controlled strings that a client later renders without escaping, a cross-site scripting payload is persisted through the API and executes in other users' browsers, where it can steal session material or alter the interface. An attacker holding a valid API key or token can also flood the endpoint with requests, including expensive nested or batched queries; each one is resolved against the data sources before anything rejects it, which exhausts backend capacity and drives up per-request cost. With a web ACL attached, managed rule groups reject recognisable injection payloads and a rate-based rule cuts off a flooding source before the resolvers run.
Remediation
Create an AWS WAF web ACL with REGIONAL scope in the same region as the API and associate it with the AppSync API's ARN (through the WAF console, `aws wafv2 associate-web-acl`, or the web ACL setting in the AppSync console). Start from the AWS managed rule groups (for example AWSManagedRulesCommonRuleSet and AWSManagedRulesSQLiRuleSet) and add a rate-based rule to throttle HTTP floods. Run new rules in count mode first and review the sampled requests before switching them to block, so legitimate GraphQL traffic is not dropped, and enable web ACL logging so blocked and counted requests can be reviewed. Two caveats: AWS WAF inspects only a limited prefix of the request body by default, so the body size and oversize-handling settings should be set deliberately for an API that accepts large mutations; and the web ACL complements rather than replaces the API's authorization mode and input validation in resolvers.
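The detection and remediation described above, as an added example that is not part of the original finding text or of any AWS tooling. It assumes the `wafWebAclArn` field that AppSync's ListGraphqlApis returns for each API (absent or empty when no web ACL is attached), builds the CreateWebACL parameters for a baseline regional web ACL, and, only when boto3 and credentials are available, associates that ACL with each unprotected API. The API entries, ARNs and account number are constructed sample data; `appsync-baseline` and the 2000-request limit are illustrative choices.

```python
"""Find AppSync GraphQL APIs with no AWS WAF web ACL and build the remediation.

Hypothetical example: the sample APIs below are constructed, and the
remediate() function is the only part that talks to AWS.
"""
from typing import Dict, List

# Constructed sample shaped like the `graphqlApis` entries returned by
# AppSync ListGraphqlApis. AppSync reports the attached web ACL in
# `wafWebAclArn`; the key is missing (or empty) when none is attached.
SAMPLE_APIS: List[Dict] = [
    {"apiId": "abc123", "name": "orders-api",
     "arn": "arn:aws:appsync:us-east-1:111122223333:apis/abc123",
     "authenticationType": "AMAZON_COGNITO_USER_POOLS",
     "wafWebAclArn": "arn:aws:wafv2:us-east-1:111122223333:regional/webacl/orders-acl/0000-1111"},
    {"apiId": "def456", "name": "public-catalog",
     "arn": "arn:aws:appsync:us-east-1:111122223333:apis/def456",
     "authenticationType": "API_KEY"},
    {"apiId": "ghi789", "name": "internal-admin",
     "arn": "arn:aws:appsync:eu-west-1:111122223333:apis/ghi789",
     "authenticationType": "AWS_IAM", "wafWebAclArn": ""},
]


def apis_missing_waf(apis: List[Dict]) -> List[Dict]:
    """The finding's check: APIs whose wafWebAclArn is absent or empty."""
    return [api for api in apis if not api.get("wafWebAclArn")]


def group_by_region(apis: List[Dict]) -> Dict[str, List[str]]:
    """Map region -> API ARNs. A REGIONAL web ACL only covers its own region,
    so one ACL per region is needed. ARN layout: arn:aws:appsync:REGION:ACCT:apis/ID."""
    grouped: Dict[str, List[str]] = {}
    for api in apis:
        grouped.setdefault(api["arn"].split(":")[3], []).append(api["arn"])
    return grouped


def build_web_acl_request(name: str, rate_limit: int = 2000) -> Dict:
    """Parameters for wafv2.create_web_acl(): AWS managed rule groups for
    common exploits and SQLi, plus a rate-based rule for HTTP floods.
    AppSync is a regional resource, hence Scope=REGIONAL."""
    def vis(metric: str) -> Dict:
        return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True,
                "MetricName": metric}

    def managed(rule_name: str, group: str, priority: int) -> Dict:
        return {"Name": rule_name, "Priority": priority,
                "Statement": {"ManagedRuleGroupStatement": {"VendorName": "AWS", "Name": group}},
                "OverrideAction": {"None": {}},  # use the group's own block/count actions
                "VisibilityConfig": vis(f"{name}-{rule_name}")}

    return {
        "Name": name,
        "Scope": "REGIONAL",
        "DefaultAction": {"Allow": {}},
        "Rules": [
            managed("aws-common", "AWSManagedRulesCommonRuleSet", 0),  # includes XSS signatures
            managed("aws-sqli", "AWSManagedRulesSQLiRuleSet", 1),
            {   # Block any source IP exceeding rate_limit requests per 5-minute window
                "Name": "rate-limit", "Priority": 2,
                "Statement": {"RateBasedStatement": {"Limit": rate_limit, "AggregateKeyType": "IP"}},
                "Action": {"Block": {}},
                "VisibilityConfig": vis(f"{name}-rate-limit"),
            },
        ],
        "VisibilityConfig": vis(name),
    }


def remediate(region: str, acl_name: str = "appsync-baseline") -> List[str]:
    """Create the baseline web ACL in `region` and associate it with every
    unprotected AppSync API there. Needs boto3 and credentials; returns the
    ARNs that were associated. Not exercised by the offline sample."""
    import boto3  # lazy import so the pure functions above run without the SDK
    appsync = boto3.client("appsync", region_name=region)
    wafv2 = boto3.client("wafv2", region_name=region)

    apis, token = [], None
    while True:  # ListGraphqlApis is paginated via nextToken
        page = appsync.list_graphql_apis(**({"nextToken": token} if token else {}))
        apis.extend(page["graphqlApis"])
        token = page.get("nextToken")
        if not token:
            break

    targets = apis_missing_waf(apis)
    if not targets:
        return []
    acl_arn = wafv2.create_web_acl(**build_web_acl_request(acl_name))["Summary"]["ARN"]
    for api in targets:
        wafv2.associate_web_acl(WebACLArn=acl_arn, ResourceArn=api["arn"])
    return [api["arn"] for api in targets]


if __name__ == "__main__":
    for region, arns in group_by_region(apis_missing_waf(SAMPLE_APIS)).items():
        print(f"{region}: {len(arns)} API(s) without a web ACL -> {arns}")
```

Run it as-is to see the check against the sample data; calling `remediate("us-east-1")` performs the real association and should be done after the managed rules have been reviewed in count mode against production traffic.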
Security Frameworks
Related NIST SP 800-53 Rev. 5 control statements:
AC-4(21): Separate information flows logically or physically using [Assignment: organization-defined mechanisms and/or techniques] to accomplish [Assignment: organization-defined required separations by types of information].
CA-9(1): Perform security and privacy compliance checks on constituent system components prior to the establishment of the internal connection.
CM-2:
- Develop, document, and maintain under configuration control, a current baseline configuration of the system; and
- Review and update the baseline configuration of the system:
- [Assignment: organization-defined frequency];
- When required due to [Assignment: organization-defined circumstances]; and
- When system components are installed or upgraded.