AppSync GraphQL API resolver count limit high

firetail:aws-appsync-resolver-count-limit-high

Type:

CSPM

Rule Severity:

Medium

The AppSync GraphQL API has a high resolver count limit, or no explicit limit at all.

The resolver count limit (the resolverCountLimit setting on the API) caps how many resolvers AppSync will invoke while serving a single request. AWS treats a value of 0, or an unset value, as no explicit limit, in which case AppSync falls back to its own ceiling of 10000 resolvers per request. A high or missing limit therefore lets one crafted query fan out into hundreds or thousands of resolver invocations. Resolvers are essential for fetching and returning data, but each invocation consumes compute, data-source connections and request quota, so a query that triggers many of them at once causes slower responses, higher latency and, under heavy load or a deliberate flood of such queries, a denial-of-service (DoS) condition. The companion queryDepthLimit setting bounds nesting depth; this finding covers only the resolver count.

Remediation

Set an explicit resolver count limit on the AppSync GraphQL API below 10.
A high resolver count limit increases the risk of overloading the API with complex queries that trigger many resolvers, creating performance bottlenecks that degrade the responsiveness and availability of the API. An attacker who sends queries crafted to reach the maximum resolver count can put the backend under significant strain and cause outages. Before lowering the limit, measure the largest number of resolvers that legitimate client queries need: AppSync rejects any request that would exceed the configured limit, so a value set below real usage breaks the application rather than protecting it. The setting can be changed in the AppSync console, with aws appsync update-graphql-api --resolver-count-limit, with the ResolverCountLimit property of AWS::AppSync::GraphQLApi in CloudFormation, or with resolver_count_limit on the aws_appsync_graphql_api Terraform resource.


How to Identify with Example Scenario

Inspect the API's configuration rather than an API specification: the resolverCountLimit field returned by aws appsync get-graphql-api shows the setting. A value of 0, or a missing field, means no explicit limit is configured (AppSync then allows up to 10000 resolvers per request), and any configured value of 10 or more also triggers this finding.

How to Resolve with Example Scenario

Update the API so that resolverCountLimit is an explicit value below 10 that still covers the largest legitimate query, then re-run aws appsync get-graphql-api to confirm the new value was applied.
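As an added example (not FireTail's rule implementation and not AWS tooling), the following Python applies the check described above and builds the remediation call against the dictionary shape that boto3's get_graphql_api and list_graphql_apis return for an AppSync API. The three sample API records and their IDs are constructed for the example. The threshold of 10 is this rule's; the accepted range of 1 to 10000 and the treatment of 0 or unset as "no explicit limit, effective ceiling 10000" are AppSync's documented behaviour. The audit_live helper performs the same check against a real account and needs boto3 and credentials, so it is not used by the offline part.

```python
"""Check and remediate the AppSync resolverCountLimit setting.

Added example: evaluates get_graphql_api()-shaped records offline and builds
the update_graphql_api() parameters that fix a flagged API.
"""
from __future__ import annotations

from typing import Any

# Threshold of this rule (firetail:aws-appsync-resolver-count-limit-high):
# a limit of 10 or more is reported.
RULE_MAX_RESOLVER_COUNT = 10

# AppSync treats 0/unset as "no explicit limit" and then applies its own
# ceiling, so an unset value is the worst case for this rule.
APPSYNC_UNSET_EFFECTIVE_LIMIT = 10000
APPSYNC_MIN_LIMIT, APPSYNC_MAX_LIMIT = 1, 10000


def effective_resolver_count_limit(api: dict[str, Any]) -> int:
    """Return the limit that actually applies to the API."""
    configured = int(api.get("resolverCountLimit") or 0)
    return configured if configured > 0 else APPSYNC_UNSET_EFFECTIVE_LIMIT


def evaluate(api: dict[str, Any],
             max_allowed: int = RULE_MAX_RESOLVER_COUNT) -> dict[str, Any]:
    """Apply the rule to one API record and describe the result."""
    effective = effective_resolver_count_limit(api)
    return {
        "apiId": api.get("apiId"),
        "name": api.get("name"),
        "configured": api.get("resolverCountLimit"),  # None when unset
        "effective": effective,
        "finding": effective >= max_allowed,
    }


def remediation_params(api: dict[str, Any],
                       new_limit: int = RULE_MAX_RESOLVER_COUNT - 1) -> dict[str, Any]:
    """Build keyword arguments for appsync.update_graphql_api().

    name and authenticationType are carried over unchanged because
    UpdateGraphqlApi requires them; only resolverCountLimit changes.
    """
    if not APPSYNC_MIN_LIMIT <= new_limit <= APPSYNC_MAX_LIMIT:
        raise ValueError(
            f"resolverCountLimit must be between {APPSYNC_MIN_LIMIT} "
            f"and {APPSYNC_MAX_LIMIT}, got {new_limit}")
    return {
        "apiId": api["apiId"],
        "name": api["name"],
        "authenticationType": api["authenticationType"],
        "resolverCountLimit": new_limit,
    }


# Constructed sample records in the shape of get_graphql_api()["graphqlApi"].
SAMPLE_APIS = [
    # No limit configured: effectively 10000, so flagged.
    {"apiId": "api-unset-example", "name": "orders",
     "authenticationType": "API_KEY"},
    # Explicit but high limit: flagged.
    {"apiId": "api-high-example", "name": "inventory",
     "authenticationType": "AWS_IAM", "resolverCountLimit": 500},
    # Explicit limit below the rule threshold: compliant.
    {"apiId": "api-ok-example", "name": "catalog",
     "authenticationType": "AMAZON_COGNITO_USER_POOLS",
     "resolverCountLimit": 8},
]


def audit_live(region: str) -> list[dict[str, Any]]:
    """Run the same check against every API in one region (needs boto3)."""
    import boto3  # imported here so the offline code runs without it
    client = boto3.client("appsync", region_name=region)
    results: list[dict[str, Any]] = []
    for page in client.get_paginator("list_graphql_apis").paginate():
        results.extend(evaluate(api) for api in page["graphqlApis"])
    return results


if __name__ == "__main__":
    for record in SAMPLE_APIS:
        result = evaluate(record)
        print(result)
        if result["finding"]:
            # Parameters you would pass to boto3's update_graphql_api().
            print("  fix:", remediation_params(record))
```

The same fix from the CLI is aws appsync update-graphql-api --api-id <id> --name <name> --authentication-type <type> --resolver-count-limit 9; pick the value from measured legitimate usage rather than the lowest number that satisfies the rule.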