Hitmands

Reputation: 14199

AppSync - Protecting API for non-authenticated users

We're building an application using AWS AppSync; we're still at a very early stage.

Our application has a restricted area, behind user sign-in, which is being managed via an AWS Cognito User Pool. And this is fine.

We're having issues on the public area which doesn't require any authentication.

How can we protect these public endpoints?

We have some doubts about hard-coding the API key (which we know can be rotated): is it good practice (the documentation page says that it isn't ideal for production)?

Is there any way to authorise the origin (i.e. any request coming from www.foobar.baz is OK)?

Upvotes: 4

Views: 680

Answers (2)

chrisco512

Reputation: 629

Under your AppSync app's Settings menu, where you set the User Pool Configuration, there is an option to set a default action. You can change this to DENY and all unauthenticated requests will be rejected. The alternative approach is to ALLOW everything, and manually add @aws_auth directives to every query/mutation/subscription field that you care about restricting.

Upvotes: 0

Karthik

Reputation: 932

I would suggest using Amazon Cognito Federated Identity to control authenticated and unauthenticated access to the API. In order to use Amazon Cognito Federated Identity with AWS AppSync, you need to use AWS IAM based authorization.

For authenticated access you can use Amazon Cognito User Pools federated to Amazon Cognito Federated Identity, and since the federated identity can also allow unauthenticated users, it will allow you to control some APIs which can be made public via an IAM policy.

For more information please read the AWS IAM section of our security guide here.

Upvotes: 2
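As an added illustration of the IAM-based setup described in this answer (this is an example written for this page, not code from the answer or from AWS), here is a permissions policy for the identity pool's unauthenticated role that opens only two read-only Query fields to anonymous callers and leaves every other field, including all mutations, denied by IAM's default. REGION, ACCOUNT_ID, API_ID and the field names listPublicPosts and getPublicPost are placeholders for your own values.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AnonymousReadOnlyPublicFields",
      "Effect": "Allow",
      "Action": "appsync:GraphQL",
      "Resource": [
        "arn:aws:appsync:REGION:ACCOUNT_ID:apis/API_ID/types/Query/fields/listPublicPosts",
        "arn:aws:appsync:REGION:ACCOUNT_ID:apis/API_ID/types/Query/fields/getPublicPost"
      ]
    }
  ]
}
```

Attach this to the unauthenticated role and a broader policy to the authenticated role; because the resource ARNs are field-level, adding a new public field later means adding a new ARN here rather than relaxing the policy. Check that the unauthenticated role's trust policy still requires `cognito-identity.amazonaws.com:amr` to be `unauthenticated`, so the two roles cannot be swapped by the caller.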
