
We're building an application using AWS AppSync; we're still at a very early stage.

Our application has a restricted area, behind user sign-in, which is being managed via an AWS Cognito User Pool. And this is fine.

We're having issues with the public area, which doesn't require any authentication.

How can we protect these public endpoints?

We're having some doubts about hard-coding the API key (which we know can be rotated). Is it good practice? (The documentation page says it isn't ideal for production.)

Is there any way to authorise the origin? (i.e., any request coming from www.foobar.baz is OK.)

Hitmands

2 Answers


I would suggest using Amazon Cognito Federated Identity to control authenticated and unauthenticated access to the API. In order to use Amazon Cognito Federated Identity with AWS AppSync, you need to use AWS IAM-based authorization.

For authenticated access you can use Amazon Cognito User Pools federated to Amazon Cognito Federated Identity, and since the federated identity can also allow unauthenticated users, it will allow you to control which APIs are made public via an IAM policy.

For more information, please read the AWS IAM section of our security guide here.

Karthik
  • I am looking for a way to authenticate a client without having to ask the user to be authenticated. I am not looking to block or allow any request... – Hitmands Aug 01 '18 at 06:08
  • You should be able to do that with Amazon Cognito Federated Identity and allowing unauthenticated access. – Karthik Aug 01 '18 at 18:35
  • could you please elaborate some more? How Federated Identity could help in a public website? Do you think our users should sign-in through third-party providers? – Hitmands Aug 02 '18 at 07:04
  • Amazon Cognito Federated Identity supports two modes of authentication: authenticated and unauthenticated. Authenticated access means that you federate using Google, Facebook or Amazon Cognito User Pools, while unauthenticated means that you don't federate. You can then use a separate IAM policy for authenticated and unauthenticated access to mark an API as public vs. private. Refer to this answer https://stackoverflow.com/questions/48174927/public-queries-and-mutations-no-authentication/48332514#48332514 and the documentation linked for more information. – Karthik Aug 03 '18 at 18:35
  • I went through the other answer and it looks very similar to what I need; by the way, it is still not clear to me. That public endpoint should only be public for `www.foobar.com` and not for everyone. Could you please elaborate some more? – Hitmands Aug 05 '18 at 06:43
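As an added illustration of the split Karthik describes (this is example code, not taken from the answer or from AWS documentation), here is what the IAM policy attached to the identity pool's unauthenticated role could look like. The region, account ID, API ID (`EXAMPLEAPIID`), and the field and type names (`listPublicPosts`, `getPublicPost`, `PublicPost`) are placeholders; JSON has no comments, so the `Sid` strings carry the labels. The resource ARN shape is AppSync's `apis/<apiId>/types/<Type>/fields/<field>`, which lets the policy allow only the listed top-level query fields plus the fields of the type they return.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ExampleUnauthenticatedRoleMayCallOnlyPublicQueries",
      "Effect": "Allow",
      "Action": "appsync:GraphQL",
      "Resource": [
        "arn:aws:appsync:eu-west-1:123456789012:apis/EXAMPLEAPIID/types/Query/fields/listPublicPosts",
        "arn:aws:appsync:eu-west-1:123456789012:apis/EXAMPLEAPIID/types/Query/fields/getPublicPost",
        "arn:aws:appsync:eu-west-1:123456789012:apis/EXAMPLEAPIID/types/PublicPost/fields/*"
      ]
    }
  ]
}
```

The authenticated role gets a second, broader policy (for example `Resource: "arn:aws:appsync:eu-west-1:123456789012:apis/EXAMPLEAPIID/*"`), so mutations and private queries are callable only with credentials obtained after signing in. Two caveats a practitioner should keep in mind: anything not listed under `Resource` is denied for the unauthenticated role, so every public query and every type it returns must appear explicitly; and the identity pool hands unauthenticated credentials to any client that asks for them, so this controls which operations the public can call, not which website calls them, much like the API key the question mentions.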

Under your AppSync app's Settings menu, where you set the User Pool Configuration, there is an option to set a default action. You can change this to DENY and all unauthenticated requests will be rejected. The alternative approach is to ALLOW everything, and manually add @aws_auth directives to every query/mutation/subscription field that you care about restricting.

chrisco512