Security Best Pratices with GraphQL and AWS AppSync

© 2021, Amazon Web Services, Inc. or its Affiliates. Derek
Bingham AWS Developer Advocate Implementing GraphQL API security best practices with AWS AppSync

© 2021, Amazon Web Services, Inc. or its Affiliates. Today’s
agenda • Quick refresher on GraphQL • AuthN & AuthZ • Network security • Observability best practices • Other recommendations

© 2021, Amazon Web Services, Inc. or its Affiliates. AWS
AppSync Managed serverless GraphQL service Connect to data sources in your account Add data sync, real-time, and offline capabilities for any data source or API GraphQL facade for any AWS service Conflict detection and resolution in the cloud Enterprise security features: AWS WAF, AuthZ modes, access controls, monitoring

© 2021, Amazon Web Services, Inc. or its Affiliates. •
Protect access • Only authorised access • Support multiple access patterns • Protect availability • Maintain service uptime • Limit availability to trusted sources • Block bad actors • Protect performance • Monitor constantly • Analyse in real time • Improve over time • Deploy reliably • Infrastructure as code • Repeatable Production-ready GraphQL requirements

AppSync: Secure and protected endpoints AWS AppSync AWS Cloud Data sources

AppSync: Authorisation modes

AppSync: Authorisation modes API key Use HTTP header x-api-key Hardcoded in application When to use Getting started With public APIs No specific AuthZ requirements B2B, machine to machine

© 2021, Amazon Web Services, Inc. or its Affiliates. Granular
access control with AppSync directives Sign in with Amazon Cognito User Pools Use JSON web tokens (JWTs) When to use Authenticating users in app Connecting social identities Interacting with other AWS services AWS AppSync: Authorisation modes A M A Z O N C O G N I T O U S E R P O O L S type Query { posts:[Post!]! @aws_auth(cognito_groups: ["Bloggers", "Readers"]) }

© 2021, Amazon Web Services, Inc. or its Affiliates. Granular
access control based on claims Sign in with OIDC idP Use JWTs When to use Existing user directory Authenticating users in app Not interacting with other AWS services AWS AppSync: Authorisation modes O P E N I D C O N N E C T #set( $userGroups = ctx.identity.claims.get("oidc:groups”)) #set( $allowedGroups = ["Bloggers", "Readers"] ) #foreach( $userGroup in $userGroups ) #if( $allowedGroups.contains($userGroup) ) #set( $isStaticGroupAuthorized = true ) #break #end #end #if( !($isStaticGroupAuthorized == true ) ) $util.unauthorized() #end

© 2021, Amazon Web Services, Inc. or its Affiliates. Backend
systems AWS credentials IoT systems When to use Amazon EC2 instances AWS Lambda functions AWS AppSync: Authorisation modes A W S I D E N T I T Y A N D A C C E S S M A N A G E M E N T ( I A M ) { "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": ["appsync:GraphQL"], "Resource": [ "arn:*:apis/GraphQLApiId/types/Query/fields/<field>", "arn:*:apis/GraphQLApiId/types/Mutation/fields/<field>", "arn:*:apis/GraphQLApiId/types/Post/fields/<field>" ] }] } Granular access control with IAM policy

Do authorisation on • Type • Operation • Field • Select default auth mode • Specify additional providers Multi-auth AWS AppSync AWS Cloud Data sources

AppSync: Secure and protected endpoints AWS AppSync AWS Cloud Data sources AWS WAF

WAF: Web Application Firewall AWS WAF Amazon CloudFront AWS ALB API Gateway Frictionless setup – deploy without changing your existing architecture, and no need to configure TLS / SSL or DNS Low operation overhead – managed rules from AWS and AWS Marketplace, ready to use AWS CloudFormation templates, and built-in SQLi / XSS detection Customisable security – highly flexible rule engine that can inspect any part of incoming request under single- millisecond latency Simply pull in third-party rules – within the WAF console, you can pivot to AWS Marketplace to select industry- leading security vendor rules to pull into AWS WAF AWS AppSync

Protect against flooding • Turn off introspection • Support B2B APIs using API key • Limit access to Amazon VPC resources only AWS WAF: Use cases with AWS AppSync

© 2021, Amazon Web Services, Inc. or its Affiliates. Protect
against flooding AWS Cloud Rule: throttle each IP if rate > x

© 2021, Amazon Web Services, Inc. or its Affiliates. Turn
off introspection: Schema not discoverable AWS Cloud Rule: block if body contains ”__schema” { __schema { types { name } } }

© 2021, Amazon Web Services, Inc. or its Affiliates. Support
B2B APIs using API key AWS Cloud Rule: throttle if rate > x and x-api-key is y Rule: throttle if rate > a and x-api-key is b

© 2021, Amazon Web Services, Inc. or its Affiliates. VPC-only
access: Greenlist NAT gateway IP VPC AWS Cloud Internet gateway Availability Zone Private subnet Public subnet AWS Cloud AWS Cloud ❌ NAT gateway ✓ Rule: allow if IP is on green list ACL Default: Block

AWS X-RAY • E2E tracing • Near real time • Request visibility • Identify performance bottlenecks Trace AWS x-ray

Managed server-side caching • Full API caching • Per resolver caching • Encryption Optimise A W S A P P S Y N C C A C H E

© 2021, Amazon Web Services, Inc. or its Affiliates. Production-ready
GraphQL with AWS AppSync Deployed with AWS CDK AWS AppSync AWS Cloud AWS WAF Amazon DynamoDB AWS Lambda Amazon CloudWatch Amazon Cognito • No introspection • Rate limited API key JWT • Flood protection AWS X-Ray AppSync Cache Logs Latency alarm

© 2021, Amazon Web Services, Inc. or its Affiliates. AppSync
resources Website aws.amazon.com/appsync Docs docs.aws.amazon.com/appsync Github github.com/aws/aws-appsync-community Blog aws.amazon.com/appsync/blog/ More resources aws.amazon.com/appsync/resources/

© 2021, Amazon Web Services, Inc. or its Affiliates. Join
our next webinar in the developer series: Learn more here: Improve your existing applications with serverless principles Inject new functionality into your existing application and reduce code complexity with serverless. In this webinar, we augment an existing, traditional, serverful application with serverless events, orchestration and integrations. We demonstrate how to ingest objects and data to trigger events, remove orchestration complexity with code, and integrate natively with AWS and third party services. Following the webinar, we get hands on with two workshops, allowing you to dive deep into event driven architectures and AWS StepFunctions. https://aws.amazon.com/ webinars/anz-webinar-series/

Take your applications to the next level. Manage less. Build
fast. Innovate more. Keynote Learn the tools, frameworks, and processes that can help you rapidly and securely deliver new features to customers. Advance your technical skills Get hands-on and step-by-step architectural best practices to design, build, and deploy resilient and highly-available applications. Experiential showcase Dive deep into technical stacks, try out demos with step by step guides and walk away with the ability to implement these projects in your organization. Live Q&A Get your questions answered by AWS experts on the live day and participate in the panel discussion on Twitch AWS Innovate - Modern Applications Dev Edition Save the date: October 28, 2021 Register now: https://amz.run/4s4U

2021, Amazon Web Services, Inc. or its affiliates. All rights reserved. Please complete the survey to let us know what you thought of today’s webinar. [email protected] twitter.com/awsdevelopers facebook.com/AmazonWebServices youtube.com/user/AmazonWebServices twitch.tv/aws

Security Best Pratices with GraphQL and AWS AppSync

Security Best Pratices with GraphQL and AWS AppSync

More Decks by Derek Bingham

Other Decks in Technology

Featured

Transcript