How to disable introspection queries with AWS appsync (GraphQL)?

For compliance, we need to remove introspection queries in production for AppSync endpoints. What is the best way to disable introspection queries with AppSync?

I don't see any settings with AppSync.

Wraparound answered 27/12, 2019 at 17:16 Comment(2)
Were you able to get this working with IAM, and can you provide that answer here? - Provocative
Any updates on this? We use only an API Key, no IAM/Cognito, and we want to disable introspection for our production graph. - Amity

I used AWS WAF with a rule that blocks any query containing the string __schema, that I then associated with my AppSync endpoint -- which uses OpenID for authentication (re this page: https://docs.aws.amazon.com/appsync/latest/devguide/WAF-Integration.html)

The rule if you want to just copy and paste into the console:

{
  "Name": "BodyRule",
  "Priority": 5,
  "Action": {
    "Block": {}
  },
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "BodyRule"
  },
  "Statement": {
    "ByteMatchStatement": {
      "FieldToMatch": {
        "Body": {}
      },
      "PositionalConstraint": "CONTAINS",
      "SearchString": "__schema",
      "TextTransformations": [
        {
          "Type": "LOWERCASE",
          "Priority": 0
        }
      ]
    }
  }
}

And the CloudFormation definitions:

  AppSyncIntrospectionWebACL:
    Type: AWS::WAFv2::WebACL
    Properties:
      Name: BlockIntrospectionWebACL
      DefaultAction:
        Allow: {}
      Description: Block GraphQL introspection queries
      Scope: REGIONAL
      VisibilityConfig:
        SampledRequestsEnabled: true
        CloudWatchMetricsEnabled: true
        MetricName: BlockIntrospectionMetric
      Rules:
        - Name: BlockIntrospectionQueries
          Priority: 0
          Action:
            Block: {}
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: BlockedIntrospection
          Statement:
            ByteMatchStatement:
              FieldToMatch:
                Body: {}
              PositionalConstraint: CONTAINS
              SearchString: __schema
              TextTransformations:
                - Type: LOWERCASE
                  Priority: 0

  AppSyncIntrospectionWebACLAssociation:
    Type: AWS::WAFv2::WebACLAssociation
    Properties:
      ResourceArn: !GetAtt AppSyncAPI.Arn
      WebACLArn: !GetAtt AppSyncIntrospectionWebACL.Arn
Hydric answered 3/8, 2021 at 22:37 Comment(0)
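To check what the ByteMatchStatement above does and does not match, here is an added example (my own code, not from the original answer or from AWS) that re-implements the rule's LOWERCASE transformation and CONTAINS check in Python and runs it over constructed request bodies. The sample bodies and the evaluate_rule helper are assumptions for illustration; the third body shows the rule also blocking a legitimate mutation whose variable value merely contains the search string.

```python
import json

# The WAF rule from the answer above, reduced to the parts that decide a match.
INTROSPECTION_RULE = {
    "Name": "BodyRule",
    "Action": {"Block": {}},
    "Statement": {"ByteMatchStatement": {
        "FieldToMatch": {"Body": {}},
        "PositionalConstraint": "CONTAINS",
        "SearchString": "__schema",
        "TextTransformations": [{"Type": "LOWERCASE", "Priority": 0}],
    }},
}

# Constructed request bodies (sample data, not captured traffic) in the JSON
# shape a GraphQL client POSTs to an AppSync endpoint.
SAMPLE_BODIES = {
    "introspection": json.dumps({"query": "query { __Schema { types { name } } }"}),
    "todos": json.dumps({"query": "query { listTodos { items { id title } } }"}),
    # A legitimate mutation whose variable value happens to contain the search string.
    "todo_with_note": json.dumps({
        "query": "mutation($t: String!) { createTodo(input: {title: $t}) { id } }",
        "variables": {"t": "Read the __schema docs"},
    }),
}

def apply_text_transformations(text, transformations):
    """Apply WAF text transformations in ascending Priority order (only LOWERCASE is modelled)."""
    for t in sorted(transformations, key=lambda x: x["Priority"]):
        if t["Type"] == "LOWERCASE":
            text = text.lower()
    return text

def byte_match(text, statement):
    """Evaluate a ByteMatchStatement (CONTAINS / STARTS_WITH / ENDS_WITH / EXACTLY)."""
    haystack = apply_text_transformations(text, statement["TextTransformations"])
    needle = statement["SearchString"]  # SearchString itself is not transformed
    return {
        "CONTAINS": needle in haystack,
        "STARTS_WITH": haystack.startswith(needle),
        "ENDS_WITH": haystack.endswith(needle),
        "EXACTLY": haystack == needle,
    }[statement["PositionalConstraint"]]

def evaluate_rule(body, rule=INTROSPECTION_RULE):
    """Return 'Block' when the rule's statement matches the body, else 'Allow' (web ACL DefaultAction)."""
    if byte_match(body, rule["Statement"]["ByteMatchStatement"]):
        return next(iter(rule["Action"]))  # the action's single key, "Block" here
    return "Allow"
```

Because WAF matches on the raw body bytes, the rule cannot tell a query selection from a string value, so expect occasional false positives on user-supplied text and watch the BodyRule metric in CloudWatch after deploying.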

AppSync added support for disabling introspection queries in December 2023.

Docs: Configuring GraphQL run complexity, query depth, and introspection with AWS AppSync: API configurations > Introspection queries > Enable introspection queries

In CloudFormation, set IntrospectionConfig: DISABLED on the AWS::AppSync::GraphQLApi resource.

Introspection queries are enabled by default.

Leidaleiden answered 3/1 at 11:30 Comment(0)

There is no way to disable introspection queries directly from AppSync at this time. You could place an API Gateway api in front of it, and intercept introspection query calls. GraphQL endpoints are inherently self-documenting though, so disabling the introspection query would make the API not a GraphQL-compliant endpoint.

Could you share the use case / compliance standard that requires disabling the introspection query? Trying to improve the security [of the API endpoint] by obscurity [of the types and fields] seems like a code smell and a recipe for an intrusion. Having strong fine-grained (i.e. per-field) authorization is the only safe way to prevent anyone from accessing data they shouldn't be privy to.

Mildew answered 29/12, 2019 at 7:7 Comment(3)
Reading more on it. There is a possibility with IAM policies. - Wraparound
@Wraparound was it possible to be integrated with Cognito User pool? - Lechner
Yes, you can configure it for Cognito. - Wraparound
