How to disable introspection queries with AWS appsync (GraphQL)?

For compliance reasons we need to remove introspection queries in production for AppSync endpoints. What is the best way to disable introspection queries with AppSync?

I don't see any settings with AppSync.

Kannaiyan Avatar asked Dec 27 '19 17:12




1 Answer

I used AWS WAF with a rule that blocks any query containing the string __schema, that I then associated with my AppSync endpoint -- which uses OpenID for authentication (re this page: https://docs.aws.amazon.com/appsync/latest/devguide/WAF-Integration.html)

The rule if you want to just copy and paste into the console:

{
  "Name": "BodyRule",
  "Priority": 5,
  "Action": {
    "Block": {}
  },
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "BodyRule"
  },
  "Statement": {
    "ByteMatchStatement": {
      "FieldToMatch": {
        "Body": {}
      },
      "PositionalConstraint": "CONTAINS",
      "SearchString": "__schema",
      "TextTransformations": [
        {
          "Type": "LOWERCASE",
          "Priority": 0
        }
      ]
    }
  }
}

And the CloudFormation definitions:

  AppSyncIntrospectionWebACL:
    Type: AWS::WAFv2::WebACL
    Properties:
      Name: BlockIntrospectionWebACL
      DefaultAction:
        Allow: {}
      Description: Block GraphQL introspection queries
      Scope: REGIONAL
      VisibilityConfig:
        SampledRequestsEnabled: true
        CloudWatchMetricsEnabled: true
        MetricName: BlockIntrospectionMetric
      Rules:
        - Name: BlockIntrospectionQueries
          Priority: 0
          Action:
            Block: {}
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: BlockedIntrospection
          Statement:
            ByteMatchStatement:
              FieldToMatch:
                Body: {}
              PositionalConstraint: CONTAINS
              SearchString: __schema
              TextTransformations:
                - Type: LOWERCASE
                  Priority: 0

  AppSyncIntrospectionWebACLAssociation:
    Type: AWS::WAFv2::WebACLAssociation
    Properties:
      ResourceArn: !GetAtt AppSyncAPI.Arn
      WebACLArn: !GetAtt AppSyncIntrospectionWebACL.Arn
smth Avatar answered Oct 20 '22 22:10
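Added example (not part of the answer above): a small Python emulation of the ByteMatchStatement semantics the WAF rule relies on (LOWERCASE transform, then CONTAINS over the request body), run over constructed GraphQL request bodies. It shows what the `__schema` rule blocks, that a `__type` introspection lookup passes through it, that a legitimate string literal containing `__schema` is a false positive, and a widened rule list that also covers `__type` (in a real WebACL that would be two ByteMatchStatements under an OrStatement; the rule dictionaries here are an assumption for the simulation).

```python
import json

# The answer's WAF rule, reduced to the parameters that decide a match.
BLOCK_RULE = {"search_strings": ["__schema"], "text_transformations": ["LOWERCASE"]}

# Constructed variant: same rule widened to also catch __type lookups.
WIDER_RULE = {"search_strings": ["__schema", "__type"], "text_transformations": ["LOWERCASE"]}


def apply_transformations(body: str, transformations) -> str:
    """Apply WAF TextTransformations in order; only LOWERCASE is modelled here."""
    out = body
    for t in transformations:
        if t == "LOWERCASE":
            out = out.lower()
        else:
            raise ValueError(f"unsupported transformation: {t}")
    return out


def waf_decision(body: str, rule) -> str:
    """Emulate ByteMatchStatement with PositionalConstraint CONTAINS over FieldToMatch Body."""
    haystack = apply_transformations(body, rule["text_transformations"])
    return "BLOCK" if any(s in haystack for s in rule["search_strings"]) else "ALLOW"


def graphql_body(query: str) -> str:
    """Serialise a query the way a GraphQL client POSTs it (constructed sample input)."""
    return json.dumps({"query": query})


# Constructed request bodies covering the cases a defender should check.
SAMPLE_REQUESTS = {
    "normal": graphql_body("query { listTodos { items { id name } } }"),
    "schema_introspection": graphql_body("{ __schema { types { name } } }"),
    # GraphQL field names are case-sensitive, so this query is invalid anyway;
    # the LOWERCASE transform is harmless but adds no real coverage.
    "uppercase_schema": graphql_body("{ __SCHEMA { types { name } } }"),
    # Not caught by the __schema rule: __type still leaks type/field information.
    "type_introspection": graphql_body('{ __type(name: "Todo") { fields { name } } }'),
    # False positive: the match is on the raw body, so user data containing the
    # string is blocked too.
    "string_literal": graphql_body('mutation { addNote(text: "see __schema docs") { id } }'),
}


def evaluate(rule):
    """Return the WAF decision for every sample request under the given rule."""
    return {name: waf_decision(body, rule) for name, body in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, decision in evaluate(BLOCK_RULE).items():
        print(f"{name:22s} __schema rule: {decision:5s} widened: {waf_decision(SAMPLE_REQUESTS[name], WIDER_RULE)}")
```

The WAF metrics (`BlockedIntrospection` in the CloudFormation above) are where to watch for the false-positive case before rolling the rule out with Action Block rather than Count.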