AppSync GraphQL API Authentication using API keys

firetail:aws-appsync-api-key-auth-only

Type:

CSPM

Rule Severity:

High

The AWS AppSync GraphQL API is using API keys for authentication.

While API keys can be a simple way to grant access to the API, they pose significant security risks, especially in production environments. API keys can be easily exposed in client-side code, log files, or other insecure storage, making them susceptible to unauthorized access and abuse. If an API key is compromised, malicious actors could gain unrestricted access to the API, leading to potential data breaches, resource exhaustion, and service disruptions.

Remediation

Use a more secure authentication method for the AppSync GraphQL API, such as AWS_IAM, Cognito User Pools or an OAuth implementation.

Example Attack Scenario

A developer accidentally includes an API key in public-facing client-side code. An attacker extracts the key and uses it to:

  1. Query sensitive data from the API.
  2. Exceed usage limits, causing service disruptions and increased costs.
  3. Exploit vulnerabilities in API queries, leading to potential backend compromise.

How to Identify with Example Scenario

Find the text in bold to identify issues such as these in API specifications.
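As an added example that is not FireTail's own rule code, the following Python applies the same check to the response of AppSync's `list_graphql_apis` call: an API is flagged when `API_KEY` is its default authentication mode and no additional authentication provider supplies another mode. Field names follow the boto3 response shape; the sample APIs at the bottom are constructed.

```python
"""Flag AppSync GraphQL APIs whose only authentication mode is API_KEY."""
from typing import Dict, List


def auth_modes(api: Dict) -> List[str]:
    """Every authentication mode configured on one API: the default mode
    plus the mode of each additional authentication provider."""
    modes = [api.get("authenticationType", "")]
    for provider in api.get("additionalAuthenticationProviders", []):
        modes.append(provider.get("authenticationType", ""))
    return [m for m in modes if m]


def is_api_key_only(api: Dict) -> bool:
    """True when API_KEY is the sole way to authenticate to this API."""
    return set(auth_modes(api)) == {"API_KEY"}


def find_api_key_only_apis(apis: List[Dict]) -> List[str]:
    """Return the apiId of every API that fails the check."""
    return [api["apiId"] for api in apis if is_api_key_only(api)]


def list_apis_with_boto3(region: str) -> List[Dict]:
    """Live path: page through appsync.list_graphql_apis (needs AWS credentials)."""
    import boto3
    client = boto3.client("appsync", region_name=region)
    apis, token = [], None
    while True:
        page = client.list_graphql_apis(**({"nextToken": token} if token else {}))
        apis.extend(page.get("graphqlApis", []))
        token = page.get("nextToken")
        if not token:
            return apis


# Constructed sample mirroring the shape of a list_graphql_apis response.
SAMPLE_APIS = [
    {"apiId": "orders-api", "authenticationType": "API_KEY"},
    {"apiId": "public-catalog", "authenticationType": "API_KEY",
     "additionalAuthenticationProviders": [{"authenticationType": "AWS_IAM"}]},
    {"apiId": "internal-api", "authenticationType": "AMAZON_COGNITO_USER_POOLS"},
]

if __name__ == "__main__":
    # Replace SAMPLE_APIS with list_apis_with_boto3("us-east-1") for a live scan.
    for api_id in find_api_key_only_apis(SAMPLE_APIS):
        print(f"HIGH: {api_id} authenticates with API keys only")
```

An API that keeps API_KEY as its default mode but adds AWS_IAM or a Cognito user pool as an additional provider passes this check, which matches the rule's "API key auth only" scope rather than flagging every API key.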

How to Resolve with Example Scenario

Modify the text in bold to resolve issues such as these in API specifications.