AWS appsync medium security documentation change
Summary
Added details about Lambda authorizer response size impacting caching behavior and clarified JWT issuer validation differences between multi-auth and OPENID_CONNECT-only configurations.
Security assessment
The OPENID_CONNECT issuer validation clarification reveals a security behavior where validation is skipped in single-auth scenarios, which could impact security posture if misunderstood. The caching details are operational but not security-critical.
Diff
diff --git a/appsync/latest/devguide/security-authz.md b/appsync/latest/devguide/security-authz.md index 8ebf0269f..625397829 100644 --- a//appsync/latest/devguide/security-authz.md +++ b//appsync/latest/devguide/security-authz.md @@ -160 +160 @@ For example, if your authorization token is `'ABC123'`, you can send a GraphQL q -Lambda functions are called before each query or mutation. The return value can be cached based on the API ID and the authentication token. By default, caching is not turned on, but this can be enabled at the API level or by setting the `ttlOverride` value in a function's return value. +Lambda functions are called before each query or mutation. The return value can be cached based on the API ID and the authentication token. When a Lambda authorizer response is less than 1,048,576 bytes, AWS AppSync caches the response for subsequent requests. If the Lambda authorizer response is equal to or greater than 1,048,576 bytes, AWS AppSync doesn't cache the response and invokes the Lambda authorizer for each incoming request. To optimize performance and minimize Lambda invocation costs, we recommend that you limit your Lambda authorizer responses to 1,048,576 bytes. By default, caching is not turned on, but this can be enabled at the API level or by setting the `ttlOverride` value in a function's return value. @@ -452,0 +453,2 @@ To validate multiple client IDs use the pipeline operator (“|”) which is an +If an API is configured with multiple authorization types, AWS AppSync validates the issuer (iss claim) present in the JWT token from request headers by comparing it against the issuer URL specified in the API configuration. However, when an API is configured with only OPENID_CONNECT authorization, AWS AppSync skips this issuer URL validation step. +