Security Best Practices with GraphQL and AWS AppSync
AWS AppSync is a managed GraphQL service. This talk covers the security best practices you can apply to raise the security posture of any GraphQL endpoint built on AWS AppSync: authorisation modes, field-level access control, AWS WAF, and IP-based access restriction.
AWS AppSync
• Managed serverless GraphQL service
• Connect to data sources in your account
• Add data sync, real-time, and offline capabilities for any data source or API
• GraphQL facade for any AWS service
• Conflict detection and resolution in the cloud
• Enterprise security features: AWS WAF, AuthZ modes, access controls, monitoring
Production-ready GraphQL requirements
• Protect access
  • Only authorised access
  • Support multiple access patterns
• Protect availability
  • Maintain service uptime
  • Limit availability to trusted sources
  • Block bad actors
• Protect performance
  • Monitor constantly
  • Analyse in real time
  • Improve over time
• Deploy reliably
  • Infrastructure as code
  • Repeatable
AWS AppSync: Authorisation modes – API key
• Sent in the HTTP header x-api-key
• Typically hardcoded in the client application, so treat it as a shared secret, not as a user identity: anyone holding the key can call the API
• Keys have an expiry (configurable up to 365 days), so plan for rotation
• When to use
  • Getting started
  • Public APIs
  • No specific AuthZ requirements
  • B2B, machine to machine
AWS AppSync: Authorisation modes – Amazon Cognito User Pools
• Sign in with Amazon Cognito User Pools
• Uses JSON web tokens (JWTs) issued by the user pool
• When to use
  • Authenticating users in app
  • Connecting social identities
  • Interacting with other AWS services
Access control with AppSync directives: restrict a field to members of named user pool groups

    type Query {
      posts: [Post!]! @aws_auth(cognito_groups: ["Bloggers", "Readers"])
    }

Note: @aws_auth applies when Cognito User Pools is the API's default authorisation mode; when it is an additional mode, use @aws_cognito_user_pools(cognito_groups: [...]) instead.
AWS AppSync: Authorisation modes – OpenID Connect
• Sign in with an OIDC identity provider
• Uses JWTs issued by that provider
• When to use
  • Existing user directory
  • Authenticating users in app
  • Not interacting with other AWS services
Access control based on claims: there is no group directive for OIDC, so the resolver mapping template reads the group claim from the token and rejects callers who are not in an allowed group

    #set( $userGroups = $ctx.identity.claims.get("oidc:groups") )
    #set( $allowedGroups = ["Bloggers", "Readers"] )
    #foreach( $userGroup in $userGroups )
      #if( $allowedGroups.contains($userGroup) )
        #set( $isStaticGroupAuthorized = true )
        #break
      #end
    #end
    #if( !($isStaticGroupAuthorized == true) )
      $util.unauthorized()
    #end

If the token carries no "oidc:groups" claim, $userGroups is null, the loop runs zero times and the request is rejected, which is the safe default.
AWS AppSync: Authorisation modes – AWS Identity and Access Management (IAM)
• Systems with AWS credentials; requests are signed with AWS Signature Version 4
• When to use
  • IoT systems
  • Amazon EC2 instances
  • AWS Lambda functions
Granular access control with an IAM policy: the appsync:GraphQL action can be scoped down to individual fields of individual types

    {
      "Version": "2012-10-17",
      "Statement": [{
        "Effect": "Allow",
        "Action": ["appsync:GraphQL"],
        "Resource": [
          "arn:*:apis/GraphQLApiId/types/Query/fields/<field>",
          "arn:*:apis/GraphQLApiId/types/Mutation/fields/<field>",
          "arn:*:apis/GraphQLApiId/types/Post/fields/<field>"
        ]
      }]
    }

The slide abbreviates the ARNs; the full form is arn:aws:appsync:<region>:<account-id>:apis/<api-id>/types/<type>/fields/<field>.
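The IAM mode above only works if the caller signs its request. As an added example (not code from the webinar or from AWS), here is a standard-library SigV4 signer for a GraphQL POST to an AppSync endpoint, the kind of thing a Lambda function or EC2 instance would run with its role credentials. The endpoint, region and credentials are constructed placeholders, and the caller supplies the x-amz-date timestamp so the output is reproducible.

```python
"""Sign a GraphQL request to AWS AppSync with IAM credentials (SigV4).

Added example, standard library only. Endpoint, region and credentials used
in the demo are constructed placeholders, not real values.
"""
import datetime as dt
import hashlib
import hmac
import json
from urllib.parse import urlparse

SERVICE = "appsync"  # service name used in the SigV4 credential scope


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def derive_signing_key(secret_key: str, date_stamp: str, region: str) -> bytes:
    """kSigning = HMAC(HMAC(HMAC(HMAC("AWS4"+secret, date), region), service), "aws4_request")."""
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, SERVICE)
    return _hmac_sha256(k_service, "aws4_request")


def sign_graphql_request(endpoint, region, access_key, secret_key, query,
                         variables=None, session_token=None, amz_date=None):
    """Return (headers, body) for a signed POST of `query` to the AppSync endpoint.

    amz_date is the x-amz-date value (YYYYMMDDTHHMMSSZ); defaults to now (UTC).
    """
    if amz_date is None:
        amz_date = dt.datetime.now(dt.timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    date_stamp = amz_date[:8]
    url = urlparse(endpoint)
    path = url.path or "/"
    body = json.dumps({"query": query, "variables": variables or {}}, separators=(",", ":"))
    payload_hash = hashlib.sha256(body.encode("utf-8")).hexdigest()

    # Every header listed here is covered by the signature; AppSync recomputes it
    # server-side, so the client must send exactly these values.
    headers = {"content-type": "application/json", "host": url.netloc, "x-amz-date": amz_date}
    if session_token:  # temporary credentials (Lambda / instance role) carry a session token
        headers["x-amz-security-token"] = session_token

    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k].strip()}\n" for k in sorted(headers))
    # method, path, query string (empty for /graphql), headers, signed header list, body hash
    canonical_request = "\n".join(["POST", path, "", canonical_headers, signed_headers, payload_hash])
    scope = f"{date_stamp}/{region}/{SERVICE}/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])
    signature = hmac.new(derive_signing_key(secret_key, date_stamp, region),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    headers["authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
        f"SignedHeaders={signed_headers}, Signature={signature}"
    )
    return headers, body


if __name__ == "__main__":
    # Placeholder endpoint and credentials (constructed for the demo; no network call is made).
    hdrs, payload = sign_graphql_request(
        "https://abcdefghijklmnopqrstuvwxyz.appsync-api.ap-southeast-2.amazonaws.com/graphql",
        "ap-southeast-2", "AKIAIOSFODNN7EXAMPLE", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
        "query { posts { id title } }",
    )
    print(hdrs["authorization"])
    print(payload)
```

Send `body` as the POST payload with every entry of `headers` set verbatim; most HTTP clients set `host` themselves, which is fine as long as the value matches the one signed. The IAM policy on the slide then decides, per field, whether the signed caller is allowed.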
AWS WAF: Web Application Firewall
Attaches in front of Amazon CloudFront, AWS Application Load Balancer, Amazon API Gateway and AWS AppSync
• Frictionless setup – deploy without changing your existing architecture, and no need to configure TLS / SSL or DNS
• Low operational overhead – managed rules from AWS and AWS Marketplace, ready-to-use AWS CloudFormation templates, and built-in SQLi / XSS detection
• Customisable security – highly flexible rule engine that can inspect any part of an incoming request at single-millisecond latency
• Simply pull in third-party rules – from the WAF console you can pivot to AWS Marketplace and select industry-leading security vendor rules to pull into AWS WAF
AWS WAF: Use cases with AWS AppSync
• Protect against flooding – a rate-based rule blocks a source IP that exceeds a request count in a five-minute window
• Turn off introspection – block request bodies that carry the __schema meta-field so the schema cannot be enumerated from the public endpoint
• Support B2B APIs using API key – keep the API key mode but add WAF rules so the key alone is not the only barrier
• Limit access to Amazon VPC resources only – allow only the egress IP of the VPC (the NAT gateway) and block everything else
Limit access: greenlist the NAT gateway IP
Diagram: workloads in a private subnet of a VPC reach the internet through a NAT gateway in a public subnet (via the internet gateway). AWS WAF in front of the AppSync API evaluates one rule, "allow if the source IP is on the green list", with the default action set to Block, so traffic from the NAT gateway is accepted and traffic from any other source on the internet is rejected.
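The three WAF use cases above (flood protection, blocking introspection, NAT gateway greenlist) map onto three wafv2 rules. As an added example, not code from the webinar or from AWS, the block below builds those rule definitions in the shape the wafv2 CreateWebACL API expects and runs a simplified local model of WAF's first-match evaluation over a few constructed GraphQL requests. The IP set ARN, the NAT gateway address (TEST-NET-3) and the request bodies are all constructed placeholders, and the evaluator only implements the three statement types used here.

```python
"""AWS WAF rules for an AppSync API plus a local evaluator (added example).

Rule dicts follow the wafv2 CreateWebACL request shape (boto3 takes SearchString
as bytes). `evaluate` is a simplified model of WAF matching, used only to show
how constructed requests are classified; it is not the WAF engine.
"""
import ipaddress

# Placeholder IP set ARN and constructed NAT gateway Elastic IP (TEST-NET-3 range).
GREENLIST_IPSET_ARN = ("arn:aws:wafv2:ap-southeast-2:123456789012:regional/ipset/"
                       "nat-greenlist/00000000-0000-0000-0000-000000000000")
GREENLIST_CIDRS = ["203.0.113.10/32"]


def visibility(name):
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True, "MetricName": name}


WEB_ACL_RULES = [
    {   # Protect against flooding: block a source IP above 1000 requests per 5 minutes.
        "Name": "RateLimitPerIp", "Priority": 0,
        "Statement": {"RateBasedStatement": {"Limit": 1000, "AggregateKeyType": "IP"}},
        "Action": {"Block": {}}, "VisibilityConfig": visibility("RateLimitPerIp"),
    },
    {   # Turn off introspection: block any body that contains the __schema meta-field.
        # WAF inspects only the first part of the body (8 KB by default for regional
        # resources); CONTINUE inspects that prefix for oversized bodies.
        "Name": "BlockIntrospection", "Priority": 1,
        "Statement": {"ByteMatchStatement": {
            "SearchString": b"__schema",
            "FieldToMatch": {"Body": {"OversizeHandling": "CONTINUE"}},
            "TextTransformations": [{"Priority": 0, "Type": "NONE"}],
            "PositionalConstraint": "CONTAINS"}},
        "Action": {"Block": {}}, "VisibilityConfig": visibility("BlockIntrospection"),
    },
    {   # Limit access to VPC resources: allow the NAT gateway IP; the default action blocks the rest.
        "Name": "AllowNatGreenlist", "Priority": 2,
        "Statement": {"IPSetReferenceStatement": {"ARN": GREENLIST_IPSET_ARN}},
        "Action": {"Allow": {}}, "VisibilityConfig": visibility("AllowNatGreenlist"),
    },
]
DEFAULT_ACTION = {"Block": {}}


def web_acl_kwargs(name="appsync-protection"):
    """Keyword arguments for boto3 wafv2.create_web_acl (AppSync APIs use the REGIONAL scope)."""
    return {"Name": name, "Scope": "REGIONAL", "DefaultAction": DEFAULT_ACTION,
            "Rules": WEB_ACL_RULES, "VisibilityConfig": visibility(name)}


def _matches(statement, request, ip_sets, rate_counts):
    """Simplified match logic for the three statement types used above."""
    if "RateBasedStatement" in statement:
        return rate_counts.get(request["ip"], 0) > statement["RateBasedStatement"]["Limit"]
    if "ByteMatchStatement" in statement:
        s = statement["ByteMatchStatement"]
        assert s["PositionalConstraint"] == "CONTAINS"  # only constraint modelled here
        return s["SearchString"] in request["body"]
    if "IPSetReferenceStatement" in statement:
        addr = ipaddress.ip_address(request["ip"])
        cidrs = ip_sets.get(statement["IPSetReferenceStatement"]["ARN"], [])
        return any(addr in ipaddress.ip_network(c) for c in cidrs)
    raise ValueError("unsupported statement type")


def evaluate(request, rules=WEB_ACL_RULES, default_action=DEFAULT_ACTION,
             ip_sets=None, rate_counts=None):
    """Return (action, rule name): first rule by priority whose statement matches wins,
    otherwise the web ACL default action applies. rate_counts models the per-IP count
    WAF keeps over its trailing five-minute window."""
    ip_sets = {GREENLIST_IPSET_ARN: GREENLIST_CIDRS} if ip_sets is None else ip_sets
    rate_counts = rate_counts or {}
    for rule in sorted(rules, key=lambda r: r["Priority"]):
        if _matches(rule["Statement"], request, ip_sets, rate_counts):
            return next(iter(rule["Action"])), rule["Name"]
    return next(iter(default_action)), "Default"


# Constructed sample requests: an introspection query, a normal query from the NAT
# gateway, and the same normal query from an unlisted internet address.
SAMPLE_REQUESTS = {
    "introspection": {"ip": "203.0.113.10",
                      "body": b'{"query":"query IntrospectionQuery { __schema { types { name } } }"}'},
    "normal_from_nat": {"ip": "203.0.113.10", "body": b'{"query":"query { posts { id title } }"}'},
    "normal_from_internet": {"ip": "198.51.100.7", "body": b'{"query":"query { posts { id title } }"}'},
}

if __name__ == "__main__":
    for name, req in SAMPLE_REQUESTS.items():
        print(name, evaluate(req))
    print("flood from NAT", evaluate(SAMPLE_REQUESTS["normal_from_nat"],
                                     rate_counts={"203.0.113.10": 5000}))
```

To deploy, create the IP set first (wafv2 create_ip_set with the NAT gateway's Elastic IP), substitute its ARN, call create_web_acl with `web_acl_kwargs()`, then associate_web_acl with the AppSync API's ARN. Rule order matters: the rate limit and introspection block sit before the greenlist so that a flooding or introspecting client is blocked even when it comes from the trusted NAT gateway. The __schema byte match is a coarse filter (a body can split the string across an alias or a variable), so treat it as defence in depth rather than the only control.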
Join our next webinar in the developer series: Improve your existing applications with serverless principles
Inject new functionality into your existing application and reduce code complexity with serverless. In this webinar, we augment an existing, traditional, serverful application with serverless events, orchestration and integrations. We demonstrate how to ingest objects and data to trigger events, remove orchestration complexity with code, and integrate natively with AWS and third-party services. Following the webinar, we get hands-on with two workshops, allowing you to dive deep into event-driven architectures and AWS Step Functions.
Learn more here: https://aws.amazon.com/webinars/anz-webinar-series/
AWS Innovate - Modern Applications Dev Edition
Save the date: October 28, 2021. Register now: https://amz.run/4s4U
• Keynote – Learn the tools, frameworks, and processes that can help you rapidly and securely deliver new features to customers.
• Advance your technical skills – Get hands-on and step-by-step architectural best practices to design, build, and deploy resilient and highly available applications.
• Experiential showcase – Dive deep into technical stacks, try out demos with step-by-step guides and walk away with the ability to implement these projects in your organisation.
• Live Q&A – Get your questions answered by AWS experts on the live day and participate in the panel discussion on Twitch.
© 2021, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Please complete the survey to let us know what you thought of today's webinar.
twitter.com/awsdevelopers | facebook.com/AmazonWebServices | youtube.com/user/AmazonWebServices | twitch.tv/aws