How to disable introspection queries with AWS AppSync (GraphQL)?

For compliance, we need to remove introspection queries in production for AppSync endpoints. What is the best way to disable introspection queries with AppSync?

I don't see any settings with AppSync.



Solution 1:[1]

I used AWS WAF with a rule that blocks any query containing the string __schema, that I then associated with my AppSync endpoint -- which uses OpenID for authentication (re this page: https://docs.aws.amazon.com/appsync/latest/devguide/WAF-Integration.html)

The rule if you want to just copy and paste into the console:

{
  "Name": "BodyRule",
  "Priority": 5,
  "Action": {
    "Block": {}
  },
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "BodyRule"
  },
  "Statement": {
    "ByteMatchStatement": {
      "FieldToMatch": {
        "Body": {}
      },
      "PositionalConstraint": "CONTAINS",
      "SearchString": "__schema",
      "TextTransformations": [
        {
          "Type": "LOWERCASE",
          "Priority": 0
        }
      ]
    }
  }
}

And the CloudFormation definitions:

  AppSyncIntrospectionWebACL:
    Type: AWS::WAFv2::WebACL
    Properties:
      Name: BlockIntrospectionWebACL
      DefaultAction:
        Allow: {}
      Description: Block GraphQL introspection queries
      Scope: REGIONAL
      VisibilityConfig:
        SampledRequestsEnabled: true
        CloudWatchMetricsEnabled: true
        MetricName: BlockIntrospectionMetric
      Rules:
        - Name: BlockIntrospectionQueries
          Priority: 0
          Action:
            Block: {}
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: BlockedIntrospection
          Statement:
            ByteMatchStatement:
              FieldToMatch:
                Body: {}
              PositionalConstraint: CONTAINS
              SearchString: __schema
              TextTransformations:
                - Type: LOWERCASE
                  Priority: 0

  AppSyncIntrospectionWebACLAssociation:
    Type: AWS::WAFv2::WebACLAssociation
    Properties:
      ResourceArn: !GetAtt AppSyncAPI.Arn
      WebACLArn: !GetAtt AppSyncIntrospectionWebACL.Arn
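
As an added illustration (not part of the answer above or of any AWS code), here is a small Python model of how the ByteMatchStatement in that rule evaluates a request body, run over constructed sample GraphQL POST bodies; it assumes WAF applies the LOWERCASE text transformation before the CONTAINS comparison, which is the documented order (transformations first, then the match).

```python
import json

# The rule from the answer above (same structure as the console JSON).
INTROSPECTION_RULE = {
    "Name": "BodyRule",
    "Action": {"Block": {}},
    "Statement": {
        "ByteMatchStatement": {
            "FieldToMatch": {"Body": {}},
            "PositionalConstraint": "CONTAINS",
            "SearchString": "__schema",
            "TextTransformations": [{"Type": "LOWERCASE", "Priority": 0}],
        }
    },
}

def apply_transformations(text, transformations):
    """Apply WAF text transformations in Priority order (subset: NONE, LOWERCASE)."""
    for t in sorted(transformations, key=lambda t: t["Priority"]):
        if t["Type"] == "LOWERCASE":
            text = text.lower()
        elif t["Type"] != "NONE":
            raise ValueError(f"unsupported transformation {t['Type']}")
    return text

def byte_match(stmt, body):
    """Evaluate a ByteMatchStatement against the raw request body."""
    haystack = apply_transformations(body, stmt["TextTransformations"])
    needle, constraint = stmt["SearchString"], stmt["PositionalConstraint"]
    checks = {
        "CONTAINS": lambda: needle in haystack,
        "STARTS_WITH": lambda: haystack.startswith(needle),
        "ENDS_WITH": lambda: haystack.endswith(needle),
        "EXACTLY": lambda: haystack == needle,
    }
    return checks[constraint]()

def rule_action(rule, body):
    """'BLOCK' if the rule matches, else 'ALLOW' (the web ACL's default action)."""
    return "BLOCK" if byte_match(rule["Statement"]["ByteMatchStatement"], body) else "ALLOW"

# Constructed sample POST bodies, as a GraphQL client would send them.
SAMPLES = {
    "introspection": json.dumps({"query": "{ __schema { types { name } } }"}),
    "mixed_case": json.dumps({"query": "{ __Schema { queryType { name } } }"}),
    "normal_query": json.dumps({"query": "{ listTodos { items { id title } } }"}),
    # false positive: the token appears inside a string argument, not as a field
    "string_arg": json.dumps({"query": 'mutation { addNote(text: "see __schema docs") { id } }'}),
}
```

The last sample shows the cost of substring matching: any body that carries the token inside a string argument is blocked as well, so review the sampled requests in CloudWatch before enforcing. The rule also covers only the `__schema` root field; the spec's `__type` field returns type metadata too and needs its own search string if the compliance requirement means all introspection.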

Solution 2:[2]

There is no way to disable introspection queries directly from AppSync at this time. You could place an API Gateway API in front of it, and intercept introspection query calls. GraphQL endpoints are inherently self-documenting though, so disabling the introspection query would make the API not a GraphQL-compliant endpoint.

Could you share the use case / compliance standard that requires disabling the introspection query? Trying to improve the security [of the API endpoint] by obscurity [of the types and fields] seems like a code smell and a recipe for an intrusion. Having strong fine-grained (i.e. per-field) authorization is the only safe way to prevent anyone from accessing data they shouldn't be privy to.

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution 1: Jan Papenbrock
Solution 2: Aaron_H