[{"data":1,"prerenderedAt":454},["ShallowReactive",2],{"blog-guides/aws-amplify":3},{"id":4,"title":5,"body":6,"category":430,"date":431,"dateModified":431,"description":432,"draft":433,"extension":434,"faq":435,"featured":433,"headerVariant":439,"image":440,"keywords":440,"meta":441,"navigation":442,"ogDescription":443,"ogTitle":440,"path":444,"readTime":445,"schemaOrg":446,"schemaType":447,"seo":448,"sitemap":449,"stem":450,"tags":451,"twitterCard":452,"__hash__":453},"blog/blog/guides/aws-amplify.md","AWS Amplify Security Guide: Securing Your Full-Stack App",{"type":7,"value":8,"toc":410},"minimark",[9,19,22,27,30,65,68,72,75,86,91,94,104,107,112,116,119,124,127,132,136,139,144,147,151,155,158,163,166,171,174,179,182,187,191,194,199,202,207,210,215,218,223,227,230,235,238,243,246,251,255,258,262,265,270,274,277,282,286,289,294,304,308,311,316,320,323,349,377,381,384,387],[10,11,12,16],"tldr",{},[13,14,15],"p",{},"TL;DR",[13,17,18],{},"AWS Amplify provides solid security infrastructure but requires careful configuration. The most common issues are overly permissive GraphQL authorization rules, public S3 buckets, and missing @auth directives. Use the checklist in this guide to secure your Amplify app before launch.",[13,20,21],{},"AWS Amplify is a full-stack development platform that lets you build apps with authentication, APIs, storage, and hosting all integrated. While AWS handles infrastructure security, you're responsible for configuring access controls properly. This guide covers the security considerations specific to Amplify apps.",[23,24,26],"h2",{"id":25},"how-amplify-security-works","How Amplify Security Works",[13,28,29],{},"Amplify uses several AWS services under the hood:",[31,32,33,41,47,53,59],"ul",{},[34,35,36,40],"li",{},[37,38,39],"strong",{},"Amazon Cognito"," for authentication and user management",[34,42,43,46],{},[37,44,45],{},"AWS AppSync"," for GraphQL APIs with real-time subscriptions",[34,48,49,52],{},[37,50,51],{},"Amazon S3"," for file storage",[34,54,55,58],{},[37,56,57],{},"AWS Lambda"," for serverless functions",[34,60,61,64],{},[37,62,63],{},"Amazon CloudFront"," for hosting and CDN",[13,66,67],{},"Each of these services has its own security model. Amplify provides a unified configuration through the CLI, but you need to understand what's happening underneath to configure it securely.",[23,69,71],{"id":70},"common-security-issues-in-amplify-apps","Common Security Issues in Amplify Apps",[13,73,74],{},"Based on security scans of Amplify applications, here are the most frequent problems:",[76,77,78,83],"warning-box",{},[79,80,82],"h4",{"id":81},"critical-missing-auth-directives","Critical: Missing @auth Directives",[13,84,85],{},"If your GraphQL models don't have @auth directives, the API may be publicly accessible. Always specify who can read, create, update, and delete each model.",[87,88,90],"h3",{"id":89},"_1-overly-permissive-authorization-rules","1. Overly Permissive Authorization Rules",[13,92,93],{},"Amplify's default authorization is often too open. This schema allows anyone to read all posts:",[95,96,101],"pre",{"className":97,"code":99,"language":100},[98],"language-text","","text",[102,103,99],"code",{"__ignoreMap":99},[13,105,106],{},"Here's the secure version:",[95,108,110],{"className":109,"code":99,"language":100},[98],[102,111,99],{"__ignoreMap":99},[87,113,115],{"id":114},"_2-public-s3-buckets","2. Public S3 Buckets",[13,117,118],{},"When configuring storage, Amplify can create public buckets by default. This code makes all uploads publicly readable:",[95,120,122],{"className":121,"code":99,"language":100},[98],[102,123,99],{"__ignoreMap":99},[13,125,126],{},"Use protected or private access instead:",[95,128,130],{"className":129,"code":99,"language":100},[98],[102,131,99],{"__ignoreMap":99},[87,133,135],{"id":134},"_3-exposed-aws-credentials","3. Exposed AWS Credentials",[13,137,138],{},"Never put AWS credentials in your frontend code. This is always wrong:",[95,140,142],{"className":141,"code":99,"language":100},[98],[102,143,99],{"__ignoreMap":99},[13,145,146],{},"Amplify handles authentication automatically through Cognito. Use Amplify's Auth module instead.",[23,148,150],{"id":149},"aws-amplify-security-checklist","AWS Amplify Security Checklist",[79,152,154],{"id":153},"authentication-cognito","Authentication (Cognito)",[13,156,157],{},"Enable MFA",[31,159,160],{},[34,161,162],{},"Require multi-factor authentication for user accounts",[13,164,165],{},"Configure password policy",[31,167,168],{},[34,169,170],{},"Require strong passwords with minimum length and complexity",[13,172,173],{},"Verify email/phone",[31,175,176],{},[34,177,178],{},"Require verification before account access",[13,180,181],{},"Review sign-up settings",[31,183,184],{},[34,185,186],{},"Disable self-registration if not needed",[79,188,190],{"id":189},"api-security-appsync","API Security (AppSync)",[13,192,193],{},"Add @auth to all models",[31,195,196],{},[34,197,198],{},"Every type should have explicit authorization rules",[13,200,201],{},"Use owner authorization",[31,203,204],{},[34,205,206],{},"Users should only access their own data by default",[13,208,209],{},"Test authorization",[31,211,212],{},[34,213,214],{},"Try accessing data as different users and unauthenticated",[13,216,217],{},"Review field-level access",[31,219,220],{},[34,221,222],{},"Sensitive fields should have restricted access",[79,224,226],{"id":225},"storage-security-s3","Storage Security (S3)",[13,228,229],{},"Use private/protected levels",[31,231,232],{},[34,233,234],{},"Avoid public access unless truly needed",[13,236,237],{},"Validate file types",[31,239,240],{},[34,241,242],{},"Only accept expected file types on upload",[13,244,245],{},"Limit file sizes",[31,247,248],{},[34,249,250],{},"Prevent abuse by setting maximum upload sizes",[23,252,254],{"id":253},"securing-your-graphql-schema","Securing Your GraphQL Schema",[13,256,257],{},"Here are common authorization patterns for Amplify GraphQL:",[87,259,261],{"id":260},"owner-based-authorization","Owner-Based Authorization",[13,263,264],{},"Users can only access their own data:",[95,266,268],{"className":267,"code":99,"language":100},[98],[102,269,99],{"__ignoreMap":99},[87,271,273],{"id":272},"group-based-authorization","Group-Based Authorization",[13,275,276],{},"Only admins can access certain data:",[95,278,280],{"className":279,"code":99,"language":100},[98],[102,281,99],{"__ignoreMap":99},[87,283,285],{"id":284},"mixed-authorization","Mixed Authorization",[13,287,288],{},"Public read, authenticated write:",[95,290,292],{"className":291,"code":99,"language":100},[98],[102,293,99],{"__ignoreMap":99},[295,296,297,301],"tip-box",{},[79,298,300],{"id":299},"test-your-authorization","Test Your Authorization",[13,302,303],{},"Use the AppSync console to test queries as different users. Try accessing data you shouldn't be able to see. If it works, your authorization is broken.",[23,305,307],{"id":306},"cognito-security-configuration","Cognito Security Configuration",[13,309,310],{},"Configure strong authentication in your amplify/backend/auth settings:",[95,312,314],{"className":313,"code":99,"language":100},[98],[102,315,99],{"__ignoreMap":99},[23,317,319],{"id":318},"lambda-function-security","Lambda Function Security",[13,321,322],{},"If you use Lambda functions with Amplify:",[31,324,325,331,337,343],{},[34,326,327,330],{},[37,328,329],{},"Validate all input"," - Never trust data passed to your function",[34,332,333,336],{},[37,334,335],{},"Use environment variables"," - Store secrets in Lambda environment, not in code",[34,338,339,342],{},[37,340,341],{},"Apply least privilege"," - Give functions only the IAM permissions they need",[34,344,345,348],{},[37,346,347],{},"Set timeouts"," - Prevent runaway functions with appropriate timeouts",[350,351,352,359,365,371],"faq-section",{},[353,354,356],"faq-item",{"question":355},"Is AWS Amplify secure?",[13,357,358],{},"AWS Amplify provides a solid security foundation with Cognito for authentication and IAM for authorization. However, the default configurations may be too permissive for production use. You need to properly configure authorization rules, enable MFA, and review your GraphQL schema's @auth directives.",[353,360,362],{"question":361},"What are the biggest security risks with AWS Amplify apps?",[13,363,364],{},"The biggest risks are overly permissive authorization rules in GraphQL schemas, missing @auth directives on resolvers, exposed AWS credentials in frontend code, and S3 buckets with public access enabled. These issues often occur because Amplify's defaults prioritize development speed.",[353,366,368],{"question":367},"How do I secure my AWS Amplify API?",[13,369,370],{},"Add @auth directives to every model and field in your GraphQL schema. Use owner-based authorization for user data, group-based authorization for admin features, and never allow public access unless the data is truly meant to be public. Test your API by trying to access data you shouldn't be able to reach.",[353,372,374],{"question":373},"Should I use Amplify for apps handling sensitive data?",[13,375,376],{},"Yes, but with careful configuration. AWS services are compliant with many security standards (SOC, HIPAA, etc.), but you're responsible for configuring access controls correctly. Enable MFA, use private storage access levels, add comprehensive @auth rules, and conduct regular security reviews.",[87,378,380],{"id":379},"scan-your-amplify-app","Scan Your Amplify App",[13,382,383],{},"Find authorization issues and security misconfigurations before they become problems.",[13,385,386],{},"Start Free Scan",[388,389,390,396,401,406,408],"related-articles",{},[391,392],"related-card",{"description":393,"href":394,"title":395},"Security guide for Aider CLI users. Learn about API key protection, code review practices, and secure development with t","/blog/guides/aider","Aider Security Guide: Terminal AI Pair Programming",[391,397],{"description":398,"href":399,"title":400},"Secure your Auth0 authentication when vibe coding. Learn token validation, RBAC configuration, secure callback handling,","/blog/guides/auth0","Auth0 Security Guide for Vibe Coders",[391,402],{"description":403,"href":404,"title":405},"Security guide for Bolt.new apps. Learn how to secure your Bolt-generated app, especially Supabase database connections,","/blog/guides/bolt-new-security-guide","Bolt.new Security Best Practices",[391,407],{"description":398,"href":399,"title":400},[391,409],{"description":403,"href":404,"title":405},{"title":99,"searchDepth":411,"depth":411,"links":412},2,[413,414,420,421,426,427],{"id":25,"depth":411,"text":26},{"id":70,"depth":411,"text":71,"children":415},[416,418,419],{"id":89,"depth":417,"text":90},3,{"id":114,"depth":417,"text":115},{"id":134,"depth":417,"text":135},{"id":149,"depth":411,"text":150},{"id":253,"depth":411,"text":254,"children":422},[423,424,425],{"id":260,"depth":417,"text":261},{"id":272,"depth":417,"text":273},{"id":284,"depth":417,"text":285},{"id":306,"depth":411,"text":307},{"id":318,"depth":411,"text":319,"children":428},[429],{"id":379,"depth":417,"text":380},"guides","2026-01-14","Complete security guide for AWS Amplify apps. Learn to secure authentication, APIs, storage, and hosting for your vibe-coded application.",false,"md",[436,437,438],{"question":355,"answer":358},{"question":361,"answer":364},{"question":367,"answer":370},"blue",null,{},true,"How to secure AWS Amplify apps with proper authentication, API protection, and storage security.","/blog/guides/aws-amplify","14 min read","[object Object]","Article",{"title":5,"description":432},{"loc":444},"blog/guides/aws-amplify",[],"summary_large_image","6VnrnVGCTkj7jYdlGUieiwc3aLkMOnTItl1uDcGMWmw",1775843930338]