3

I have not seen a definitive answer over the internet related to how AppSync can deflect DDoS attacks. I am a newbie with regards to this, so please have patience

Our context: We will be using AppSync with AWS Cognito for authentication, and it will only be used by us and a certain set of clients (so no public access). We will probably not need a custom domain, so no need to use CloudFront for the distribution, but if this is better for us from a protection point of view, we could also do that. And on another note, I am aware that the endpoint address of AppSync is autogenerated and probably hard to guess by an someone external, but I am still worried about it being accessible by the public, especially since maybe at some point we might want to be using the AppSync endpoint directly from our site and not from the backend.

I have seen two things mentioned:

  1. There is no throttling like on API gateway (I am a bit unclear on how throttling works and how it protects you, I am assuming that there is a hard cap imposed to certain IPs that are requesting your endpoint excessively?)

  2. Since AppSync is pay per request, I saw that API gateway charges no fee if it is protected by AWS Cognito and the requests have failed authentication ( https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-pricing.html ). I am wondering if the same case applied to AppSync, since we will be using AWS Cognito as well.

  3. Since we are talking about AWS Cognito, we would like to restrict access to our endpoint to only a few select IP addresses. I've read that AWS Cognito can whitelist an IP range, but can it also whitelist specific IP addresses ? (I think by putting /32 at the end of the IP range?)

  4. What is AppSync's interaction with AWS Shield and AWS WAF ?

Thank you, and sorry for any stupidly looking questions.

ImmoralWombat
  • 395
  • 2
  • 11

1 Answers1

3

I just answered your question on the forums: https://forums.aws.amazon.com/thread.jspa?messageID=907577&#907577

I'll copy/paste here, but any follow-up you might have would be most visible to the team there.

A quick note before I get into your questions - CloudFront is currently a mandatory piece of AppSync. It's there for everyone. It does provide you with some caching and DDOS protection, so as you guessed, it does have some security value for all.

  1. AppSync doesn’t expose custom, customer-controlled throttling mechanisms, however it does have multiple layers of internal throttling that protect it against many forms of abusive traffic. That said, providing customers with throttling limits is a popular customer ask. Can you help us understand the business requirements you plan to address with throttling?

  2. AppSync charges for requests that were successfully processed by AppSync. An authentication/authorization error is not considered to be a scenario where AppSync failed to process the request.

  3. I believe that should be possible. With Cognito federated identities (via IAM): https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_aws_deny-ip.html With Cognito user pools: https://aws.amazon.com/blogs/security/how-to-use-new-advanced-security-features-for-amazon-cognito-user-pools/

  4. We can’t comment on the integrations AppSync has with other AWS services. Can you help us understand the business requirements you plan to address with this question?

Jeff Bailey
  • 5,655
  • 1
  • 22
  • 30
  • CloudFront can be a configurable option for appsync, appsync endpoint can de defined as an origin to cloudfront, lambda@edge can be used to add paths such as graphql https://aws.amazon.com/blogs/mobile/use-a-custom-domain-with-aws-appsync-amazon-cloudfront-and-amazon-route-53/ – James Dean Jul 10 '19 at 03:31
  • Poor wording on my part - I meant on/off, not changed. – Jeff Bailey Jul 10 '19 at 14:11