AWS AppSync DDoS protection. What are the alternatives?

Problem description

I have not seen a definitive answer over the internet related to how AppSync can deflect DDoS attacks. I am a newbie with regards to this, so please have patience.

Our context: We will be using AppSync with AWS Cognito for authentication, and it will only be used by us and a certain set of clients (so no public access). We will probably not need a custom domain, so no need to use CloudFront for the distribution, but if this is better for us from a protection point of view, we could also do that. And on another note, I am aware that the endpoint address of AppSync is autogenerated and probably hard to guess by someone external, but I am still worried about it being accessible by the public, especially since at some point we might want to be using the AppSync endpoint directly from our site and not from the backend.

I have seen two things mentioned:

  1. There is no throttling like on API Gateway (I am a bit unclear on how throttling works and how it protects you; I am assuming that there is a hard cap imposed on certain IPs that are requesting your endpoint excessively?)

  2. Since AppSync is pay per request, I saw that API Gateway charges no fee if it is protected by AWS Cognito and the requests have failed authentication ( https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-pricing.html ). I am wondering if the same applies to AppSync, since we will be using AWS Cognito as well.

  3. Since we are talking about AWS Cognito, we would like to restrict access to our endpoint to only a few select IP addresses. I've read that AWS Cognito can whitelist an IP range, but can it also whitelist specific IP addresses? (I think by putting /32 at the end of the IP range?)

  4. What is AppSync's interaction with AWS Shield and AWS WAF ?

Thank you, and sorry for any stupid-looking questions.

Tags: amazon-web-services, amazon-cognito, aws-appsync

Solution


I just answered your question on the forums: https://forums.aws.amazon.com/thread.jspa?messageID=907577&#907577

I'll copy/paste here, but any follow-up you might have would be most visible to the team there.

A quick note before I get into your questions - CloudFront is currently a mandatory piece of AppSync. It's there for everyone. It does provide you with some caching and DDoS protection, so as you guessed, it does have some security value for all.

  1. AppSync doesn’t expose custom, customer-controlled throttling mechanisms, however it does have multiple layers of internal throttling that protect it against many forms of abusive traffic. That said, providing customers with throttling limits is a popular customer ask. Can you help us understand the business requirements you plan to address with throttling?

  2. AppSync charges for requests that were successfully processed by AppSync. An authentication/authorization error is not considered to be a scenario where AppSync failed to process the request.

  3. I believe that should be possible. With Cognito federated identities (via IAM): https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_aws_deny-ip.html With Cognito user pools: https://aws.amazon.com/blogs/security/how-to-use-new-advanced-security-features-for-amazon-cognito-user-pools/

  4. We can’t comment on the integrations AppSync has with other AWS services. Can you help us understand the business requirements you plan to address with this question?

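Point 3 of the answer links to the IAM "deny by source IP" policy example. The block below is an added illustration of that approach and is not code from the AWS thread or from AWS: it builds an IAM policy for the Cognito-federated (identity pool) role that allows `appsync:GraphQL` on one API and then explicitly denies it unless `aws:SourceIp` falls inside an allow-list, and it includes a small local emulation of the `IpAddress` / `NotIpAddress` operators so you can see that a `/32` entry admits exactly one address while a `/24` admits a range. The region, account ID and API ID are placeholders, the policy assumes the client calls AppSync directly with IAM (SigV4) authorization so that `aws:SourceIp` is the caller's address, and the emulator only models these two condition operators plus IAM's "explicit Deny wins" rule, not the full IAM evaluation logic.

```python
import ipaddress
import json

# Placeholder identifiers (constructed for this example, not from the thread).
REGION = "us-east-1"
ACCOUNT_ID = "123456789012"
API_ID = "abcdefghijklmnopqrstuvwxyz"


def build_source_ip_policy(allowed_cidrs):
    """Return an IAM policy document (dict) for the Cognito authenticated role.

    Statement 1 grants appsync:GraphQL on every field of the API.
    Statement 2 explicitly denies the same action whenever aws:SourceIp is
    NOT inside one of allowed_cidrs. An explicit Deny always wins in IAM, so
    callers outside the list are refused even though statement 1 allows them.
    """
    for cidr in allowed_cidrs:
        # strict=True rejects entries with host bits set (e.g. "203.0.113.11/31"),
        # which IAM would also reject when the policy is saved.
        ipaddress.ip_network(cidr, strict=True)
    api_arn = f"arn:aws:appsync:{REGION}:{ACCOUNT_ID}:apis/{API_ID}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowGraphQLOnThisApi",
                "Effect": "Allow",
                "Action": "appsync:GraphQL",
                "Resource": api_arn,
            },
            {
                "Sid": "DenyWhenNotFromAllowlist",
                "Effect": "Deny",
                "Action": "appsync:GraphQL",
                "Resource": api_arn,
                "Condition": {"NotIpAddress": {"aws:SourceIp": list(allowed_cidrs)}},
            },
        ],
    }


def _condition_matches(condition, source_ip):
    """Local emulation of the IpAddress / NotIpAddress operators on aws:SourceIp."""
    addr = ipaddress.ip_address(source_ip)
    for operator, keys in condition.items():
        cidrs = keys.get("aws:SourceIp", [])
        in_any = any(addr in ipaddress.ip_network(c, strict=True) for c in cidrs)
        if operator == "IpAddress" and not in_any:
            return False
        if operator == "NotIpAddress" and in_any:
            return False
    return True


def evaluate(policy, source_ip, action="appsync:GraphQL"):
    """Approximate IAM evaluation for one action: explicit Deny beats Allow,
    and with no matching Allow the default is to refuse."""
    allowed = False
    for stmt in policy["Statement"]:
        if stmt["Action"] != action:
            continue
        if not _condition_matches(stmt.get("Condition", {}), source_ip):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    # Constructed allow-list: one exact host (/32) and one /24 range.
    allow = ["203.0.113.10/32", "198.51.100.0/24"]
    policy = build_source_ip_policy(allow)
    print(json.dumps(policy, indent=2))
    for ip in ["203.0.113.10", "203.0.113.11", "198.51.100.77", "192.0.2.5"]:
        print(ip, "->", "allowed" if evaluate(policy, ip) else "denied")
```

Attach the generated document as an inline policy on the identity pool's authenticated role; the `/32` question is answered by the first allow-list entry, which only ever matches `203.0.113.10`. Keep in mind that this gates the IAM authorization mode only: if the API also has a Cognito user pool or API key authorization mode enabled, requests using those modes are not subject to this role policy.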
