AppSync APIs Should Have Authorization Configuration
More Info:
This rule evaluates the authorization configuration of AWS AppSync APIs to ensure that appropriate access controls are in place. It verifies whether authentication modes such as API key, IAM, or Cognito user pools are properly configured and whether authorization mechanisms such as fine-grained resolver permissions or GraphQL field-level security are implemented to restrict access to sensitive data.Risk Level
MediumAddress
SecurityCompliance Standards
CBPTriage and Remediation
Check Cause
Using Console
Using Console
- Sign in to the AWS Management Console.
- Navigate to the AWS AppSync service by typing ‘AppSync’ into the search bar and selecting it from the dropdown menu.
- Once in the AppSync dashboard, you will see a list of your APIs. Click on the name of the API you want to check.
- In the settings of the selected API, look for the ‘Authorization’ section. Here, you should see the authorization type and additional authorization providers if any have been configured. If there is no authorization configuration, it indicates a misconfiguration.
Using CLI
Using CLI
- First, you need to list all the available AppSync APIs. You can do this by using the AWS CLI command
list-graphql-apis. The command is as follows:
<region-name> with the name of the AWS region where the APIs are hosted.- The output of the above command will give you a list of all the AppSync APIs in the specified region. Each API will have an ‘arn’ and ‘name’. You can use the ‘arn’ to get more details about each API.
-
Now, for each API, you need to check the authorization configuration. You can do this by using the AWS CLI command
get-graphql-api. The command is as follows:
<api-id> with the ‘arn’ of the API you want to check and <region-name> with the name of the AWS region where the API is hosted.- The output of the above command will give you details about the specified API. Look for the ‘authorizationConfig’ field in the output. If this field is missing or not properly configured, then the API does not have proper authorization configuration.
Using Python
Using Python
-
Install and configure AWS SDK for Python (Boto3): Before you can start writing Python scripts to check AppSync APIs, you need to install and configure Boto3. You can install it using pip:
Then, configure your AWS credentials either by setting the following environment variables: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_SESSION_TOKEN (optional), or by using the AWS CLI command
aws configure. -
Import the necessary modules and create an AppSync client: In your Python script, you need to import Boto3 and create an AppSync client. Here’s how you can do it:
-
List all AppSync APIs and check their authorization configuration: You can use the
list_graphql_apismethod to get a list of all AppSync APIs. Then, for each API, you can use theget_graphql_apimethod to get its details and check its authorization configuration. Here’s a sample script: -
Handle pagination: The
list_graphql_apismethod returns a maximum of 25 APIs at a time. If you have more APIs, you need to handle pagination by using thenextTokenparameter. Here’s how you can modify the above script to handle pagination: