Findings

AppSync GraphQL API authentication using API keys

Updated: June 19, 2025

findings cloud based findings api finding

Description

The AWS AppSync GraphQL API is using API keys for authentication.

Remediation

Use a more secure authentication method for the AppSync GraphQL API like AWS_IAM, Cognito User Pools or an OAuth implementation.

Security Frameworks

NIST 800-53.r5

NIST-AC-2(1): Account Management | Automated System Account Management

Support the management of system accounts using [Assignment: organization-defined automated mechanisms].

NIST-AC-3: Access Enforcement

Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.

NIST-AC-3(7): Access Enforcement | Role-based Access Control

Enforce a role-based access control policy over defined subjects and objects and control access based upon [Assignment: organization-defined roles and users authorized to assume such roles].

NIST-AC-3(15): Access Enforcement | Discretionary and Mandatory Access Control

(a) Enforce [Assignment: organization-defined mandatory access control policy] over the set of covered subjects and objects specified in the policy; and
(b) Enforce [Assignment: organization-defined discretionary access control policy] over the set of covered subjects and objects specified in the policy.

NIST-AC-6: Least Privilege

Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks.

Need help?

Contact FireTail support

Previous (Findings - Cloud based findings)
AppSync field-level logging is not enabled
Next (Findings - Cloud based findings)
AppSync Graphql API is missing WAF