TL;DR
AWS Amplify provides solid security infrastructure but requires careful configuration. The most common issues are overly permissive GraphQL authorization rules, public S3 buckets, and missing @auth directives. Use the checklist in this guide to secure your Amplify app before launch.
AWS Amplify is a full-stack development platform that lets you build apps with authentication, APIs, storage, and hosting all integrated. While AWS handles infrastructure security, you're responsible for configuring access controls properly. This guide covers the security considerations specific to Amplify apps.
How Amplify Security Works
Amplify uses several AWS services under the hood:
- Amazon Cognito for authentication and user management
- AWS AppSync for GraphQL APIs with real-time subscriptions
- Amazon S3 for file storage
- AWS Lambda for serverless functions
- Amazon CloudFront for hosting and CDN
Each of these services has its own security model. Amplify provides a unified configuration through the CLI, but you need to understand what's happening underneath to configure it securely.
Common Security Issues in Amplify Apps
Based on security scans of Amplify applications, here are the most frequent problems:
Critical: Missing @auth Directives
If your GraphQL models don't have @auth directives, the API may be publicly accessible. Always specify who can read, create, update, and delete each model.
1. Overly Permissive Authorization Rules
Amplify's default authorization is often too open. This schema allows anyone to read all posts:
Here's the secure version:
2. Public S3 Buckets
When configuring storage, Amplify can create public buckets by default. This code makes all uploads publicly readable:
Use protected or private access instead:
3. Exposed AWS Credentials
Never put AWS credentials in your frontend code. This is always wrong:
Amplify handles authentication automatically through Cognito. Use Amplify's Auth module instead.
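A check for the credential problem above, written as an added example (not code from the original post): it scans a constructed frontend source file for hard-coded AWS access keys so the build or a pre-commit hook can fail before the bundle ships. The key values in the sample are the fake example credentials published in AWS's own documentation, and the secret-key pattern is keyed on the property name to keep false positives down.

```javascript
// Constructed sample of a frontend source file (not from the original post).
// The key values are the fake example credentials from AWS's documentation.
const SAMPLE_SOURCE = `import { Auth } from 'aws-amplify';
const s3 = new AWS.S3({
  accessKeyId: 'AKIAIOSFODNN7EXAMPLE',
  secretAccessKey: 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY',
});
const session = await Auth.currentSession();
`;

// Long-lived credentials that never belong in shipped frontend code.
// Access key IDs follow the documented "AKIA" + 16 uppercase alphanumerics
// format; secrets are 40 base64-like characters, so that check is anchored
// on the property name rather than matching any 40-character string.
const CREDENTIAL_PATTERNS = [
  { id: 'aws-access-key-id', re: /\bAKIA[0-9A-Z]{16}\b/ },
  { id: 'aws-secret-access-key', re: /secret_?access_?key\s*[:=]\s*['"][A-Za-z0-9/+=]{40}['"]/i },
];

// Scan source text line by line; returns { line, id, text } for every hit so
// the caller can fail the build and point at the offending line.
function findHardcodedCredentials(source) {
  const hits = [];
  source.split('\n').forEach((text, index) => {
    for (const { id, re } of CREDENTIAL_PATTERNS) {
      if (re.test(text)) hits.push({ line: index + 1, id, text: text.trim() });
    }
  });
  return hits;
}
```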
AWS Amplify Security Checklist
Authentication (Cognito)
Enable MFA
- Require multi-factor authentication for user accounts
Configure password policy
- Require strong passwords with minimum length and complexity
Verify email/phone
- Require verification before account access
Review sign-up settings
- Disable self-registration if not needed
API Security (AppSync)
Add @auth to all models
- Every type should have explicit authorization rules
Use owner authorization
- Users should only access their own data by default
Test authorization
- Try accessing data as different users and as an unauthenticated client
Review field-level access
- Sensitive fields should have restricted access
Storage Security (S3)
Use private/protected levels
- Avoid public access unless truly needed
Validate file types
- Only accept expected file types on upload
Limit file sizes
- Prevent abuse by setting maximum upload sizes
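The three storage checks above (private/protected levels, file type validation, size limits) applied in one place, as an added example that is not code from the original post. It assumes the Amplify v5 call shape `Storage.put(key, blob, { level, contentType })`; the policy object, the `prepareUpload` helper and the file objects are constructed for the example, and the same checks belong in a server-side function too because anything enforced only in the browser can be bypassed.

```javascript
// Upload policy enforced before Storage.put (assumed Amplify v5 signature:
// Storage.put(key, blob, { level, contentType })). "public" is left out of
// allowedLevels on purpose: a public upload path has to be added explicitly.
const UPLOAD_POLICY = {
  allowedLevels: ['private', 'protected'],
  allowedTypes: { 'image/png': '.png', 'image/jpeg': '.jpg', 'application/pdf': '.pdf' },
  maxBytes: 5 * 1024 * 1024,
};

// Check a file ({ name, type, size }) against the policy. Returns the key and
// options to hand to Storage.put, or the reasons the upload is refused.
function prepareUpload(file, level, policy = UPLOAD_POLICY) {
  const errors = [];
  if (!policy.allowedLevels.includes(level)) errors.push(`access level "${level}" is not allowed`);
  const ext = policy.allowedTypes[file.type];
  if (!ext) errors.push(`content type "${file.type}" is not accepted`);
  else if (!file.name.toLowerCase().endsWith(ext)) errors.push('file extension does not match content type');
  if (!(file.size > 0 && file.size <= policy.maxBytes)) errors.push(`size ${file.size} is outside 1..${policy.maxBytes} bytes`);
  if (errors.length) return { ok: false, errors };
  // Build the S3 key from a sanitised base name plus the vetted extension, so a
  // client-supplied name such as "../../x.png" cannot steer the object path.
  const base = file.name.split(/[\\/]/).pop().replace(/\.[^.]*$/, '').replace(/[^a-z0-9_-]/gi, '').toLowerCase() || 'file';
  return { ok: true, key: `uploads/${base}${ext}`, options: { level, contentType: file.type } };
}
```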
Securing Your GraphQL Schema
Here are common authorization patterns for Amplify GraphQL:
Owner-Based Authorization
Users can only access their own data:
Group-Based Authorization
Only admins can access certain data:
Mixed Authorization
Public read, authenticated write:
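An added example (not code from the original post) that turns the "add @auth to all models" rule from the checklist and the open-versus-secure schema contrast earlier into a check you can run in CI: a dependency-free lint over an Amplify GraphQL schema that flags every @model with no @auth directive and every public rule that grants more than read. The sample schema is constructed and contains the owner, group and mixed patterns above plus two models that should fail; the lint is regex-based and assumes the `type Name @model ... {` layout the Amplify CLI generates, so it is a gate, not a replacement for the full compiler.

```javascript
// Constructed sample schema (not from the original post): the owner, group and
// mixed patterns described above, plus two models that should fail the checklist.
const SAMPLE_SCHEMA = `
type Post @model { id: ID! title: String! }
type Comment @model @auth(rules: [{ allow: public }]) { id: ID! body: String! }
type Note @model @auth(rules: [{ allow: owner }]) { id: ID! text: String! }
type AuditLog @model @auth(rules: [{ allow: groups, groups: ["Admins"] }]) { id: ID! entry: String! }
type Article @model @auth(rules: [{ allow: public, operations: [read] }, { allow: owner }]) { id: ID! body: String! }
`;

// Each @model type with the directive text between "@model" and the "{" that
// opens its field list; braces inside @auth(...) sit inside ( ) and [ ], so a
// depth counter tells them apart from the field-list brace.
function modelHeaders(sdl) {
  const out = [];
  const re = /type\s+(\w+)\s+@model/g;
  let m;
  while ((m = re.exec(sdl)) !== null) {
    let depth = 0, i = re.lastIndex;
    for (; i < sdl.length; i++) {
      const c = sdl[i];
      if (c === '(' || c === '[') depth++;
      else if (c === ')' || c === ']') depth--;
      else if (c === '{' && depth === 0) break;
    }
    out.push({ name: m[1], header: sdl.slice(re.lastIndex, i) });
  }
  return out;
}

// Flag models with no @auth at all, and public rules that grant more than read.
// A public rule with no "operations" list defaults to create, update, delete and read.
function lintSchema(sdl) {
  const findings = [];
  for (const { name, header } of modelHeaders(sdl)) {
    if (!/@auth\s*\(/.test(header)) {
      findings.push({ model: name, level: 'critical', issue: 'no @auth directive' });
      continue;
    }
    for (const rule of header.match(/\{[^}]*\}/g) || []) {
      if (!/allow:\s*public\b/.test(rule)) continue;
      const ops = rule.match(/operations:\s*\[([^\]]*)\]/);
      const granted = ops ? ops[1].split(',').map((s) => s.trim()) : ['create', 'update', 'delete', 'read'];
      const writes = granted.filter((op) => op !== 'read');
      findings.push(writes.length
        ? { model: name, level: 'critical', issue: `public ${writes.join('/')}` }
        : { model: name, level: 'warning', issue: 'public read' });
    }
  }
  return findings;
}
```

Running `lintSchema(SAMPLE_SCHEMA)` reports Post (no @auth) and Comment (public create/update/delete) as critical and Article as a public-read warning to confirm, while Note and AuditLog pass.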
Test Your Authorization
Use the AppSync console to test queries as different users. Try accessing data you shouldn't be able to see. If it works, your authorization is broken.
Cognito Security Configuration
Configure strong authentication in your amplify/backend/auth settings:
Lambda Function Security
If you use Lambda functions with Amplify:
- Validate all input - Never trust data passed to your function
- Use environment variables - Store secrets in Lambda environment, not in code
- Apply least privilege - Give functions only the IAM permissions they need
- Set timeouts - Prevent runaway functions with appropriate timeouts
Is AWS Amplify secure?
AWS Amplify provides a solid security foundation with Cognito for authentication and IAM for authorization. However, the default configurations may be too permissive for production use. You need to properly configure authorization rules, enable MFA, and review your GraphQL schema's @auth directives.
What are the biggest security risks with AWS Amplify apps?
The biggest risks are overly permissive authorization rules in GraphQL schemas, missing @auth directives on resolvers, exposed AWS credentials in frontend code, and S3 buckets with public access enabled. These issues often occur because Amplify's defaults prioritize development speed.
How do I secure my AWS Amplify API?
Add @auth directives to every model and field in your GraphQL schema. Use owner-based authorization for user data, group-based authorization for admin features, and never allow public access unless the data is truly meant to be public. Test your API by trying to access data you shouldn't be able to reach.
Should I use Amplify for apps handling sensitive data?
Yes, but with careful configuration. AWS services are compliant with many security standards (SOC, HIPAA, etc.), but you're responsible for configuring access controls correctly. Enable MFA, use private storage access levels, add comprehensive @auth rules, and conduct regular security reviews.