AWS AppSync GraphQL APIs should not be authenticated with API keys
Description
This control checks whether your application uses an API key to interact with an AWS AppSync GraphQL API. The control fails if an AWS AppSync GraphQL API is authenticated with an API key. An API key is a hard-coded value in your application that is generated by the AWS AppSync service when you create an unauthenticated GraphQL endpoint. If this API key is compromised, your endpoint is vulnerable to unauthorized access.
Remediation
Replace API key authentication with more secure authentication methods such as AWS IAM, Amazon Cognito User Pools, OpenID Connect, or AWS Lambda authorizers.
Steps
- Identify AppSync GraphQL APIs using API key authentication
- Choose an appropriate alternative authentication method (AWS IAM, Amazon Cognito User Pools, OpenID Connect, or an AWS Lambda authorizer)
- Update the API authentication configuration
- Update your application code to use the new authentication method
- Test the updated authentication flow
- Remove or disable the API key authentication
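For the first step, the following is an added example (not part of this control's documentation or any AWS tooling) of a checker that flags AppSync GraphQL APIs whose primary or additional authentication provider is API_KEY, using the field names that the `list_graphql_apis` response carries; the sample API descriptions are constructed, and the live `scan_account` helper is an assumption that needs boto3 and credentials.

```python
"""Added example: flag AppSync GraphQL APIs that accept API keys.

Evaluates API descriptions shaped like entries in
list_graphql_apis()['graphqlApis']; the sample data below is constructed.
"""
from typing import Iterable

API_KEY = "API_KEY"


def api_key_auth_findings(api: dict) -> list[str]:
    """Return where API_KEY auth is configured on one API (empty if clean)."""
    findings = []
    if api.get("authenticationType") == API_KEY:
        findings.append("primary")
    for provider in api.get("additionalAuthenticationProviders", []):
        if provider.get("authenticationType") == API_KEY:
            findings.append("additional")
    return findings


def evaluate(apis: Iterable[dict]) -> dict[str, str]:
    """Map apiId -> FAILED if API keys are accepted anywhere, else PASSED."""
    return {api["apiId"]: ("FAILED" if api_key_auth_findings(api) else "PASSED")
            for api in apis}


# Constructed sample: one key-only API, one IAM-only API, and one Cognito API
# that still accepts API keys through an additional provider.
SAMPLE_APIS = [
    {"apiId": "api-public", "name": "public-data", "authenticationType": "API_KEY"},
    {"apiId": "api-iam", "name": "internal", "authenticationType": "AWS_IAM"},
    {"apiId": "api-mixed", "name": "mobile",
     "authenticationType": "AMAZON_COGNITO_USER_POOLS",
     "additionalAuthenticationProviders": [{"authenticationType": "API_KEY"}]},
]


def scan_account(region: str) -> dict[str, str]:
    """Live variant (assumption): page through list_graphql_apis with boto3."""
    import boto3  # imported lazily so the offline sample runs without boto3
    client = boto3.client("appsync", region_name=region)
    apis = []
    for page in client.get_paginator("list_graphql_apis").paginate():
        apis.extend(page["graphqlApis"])
    return evaluate(apis)


if __name__ == "__main__":
    for api_id, status in evaluate(SAMPLE_APIS).items():
        print(f"{api_id}: {status}")
```

An API that lists API_KEY only as an additional provider still fails, since clients can present a key instead of the stronger credential.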