AWS AppSync (IAM)
Provides a managed GraphQL service that enables applications to securely access, manipulate, and combine data from multiple sources.
Common permissions
- appsync:GetApi
- appsync:ListApis
- appsync:GetGraphqlApi
- appsync:ListGraphqlApis
- appsync:GetDataSource
- appsync:ListDataSources
- appsync:GetFunction
- appsync:ListFunctions
Least-privilege example
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "appsync:GetApi",
        "appsync:ListApis",
        "appsync:GetGraphqlApi",
        "appsync:ListGraphqlApis",
        "appsync:GetDataSource",
        "appsync:ListDataSources",
        "appsync:GetFunction",
        "appsync:ListFunctions"
      ],
      "Resource": "*"
    }
  ]
}
Warnings
- Avoid appsync:* — grants full control including creating, updating, and deleting APIs and their resources.
- Avoid appsync:DeleteApi — allows deletion of APIs, causing service disruption.
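
A lint for the two warnings above, added here as an example and not part of the original page: it flags Allow statements whose action patterns (wildcards and NotAction included) cover all of AppSync or appsync:DeleteApi. It checks each statement on its own and does not evaluate Deny statements or conditions; the function names, the probe action name and RISKY_POLICY are constructed for illustration.

```python
import re

DELETE_API = "appsync:DeleteApi"   # action the page warns about
PROBE = "appsync:AnyActionAtAll"   # made-up name: only a service-wide wildcard matches it

def _as_list(value):
    """IAM allows a single string/object where a list is expected."""
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple)) else [value]

def _matches(pattern, action):
    """IAM action matching: case-insensitive, '*' = any run, '?' = one char."""
    rx = re.escape(pattern.lower()).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, action.lower()) is not None

def audit_policy(policy):
    """Return (statement index, pattern, reason) for each risky Allow grant."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:  # Allow + NotAction grants everything not listed
            if not any(_matches(p, DELETE_API) for p in _as_list(stmt["NotAction"])):
                findings.append((i, "NotAction", "delete"))
            continue
        for pattern in _as_list(stmt.get("Action")):
            if _matches(pattern, PROBE):
                findings.append((i, pattern, "full-control"))
            elif _matches(pattern, DELETE_API):
                findings.append((i, pattern, "delete"))
    return findings

# The read-only policy from this page: expected to produce no findings.
PAGE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Resource": "*",
    "Action": ["appsync:GetApi", "appsync:ListApis", "appsync:GetGraphqlApi",
               "appsync:ListGraphqlApis", "appsync:GetDataSource",
               "appsync:ListDataSources", "appsync:GetFunction",
               "appsync:ListFunctions"]}]}

# Constructed sample containing the grants the warnings describe.
RISKY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "appsync:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["AppSync:Delete*"], "Resource": "*"},
    {"Effect": "Allow", "NotAction": "appsync:Get*", "Resource": "*"}]}

if __name__ == "__main__":
    for name, doc in (("page", PAGE_POLICY), ("risky", RISKY_POLICY)):
        print(name, audit_policy(doc))
```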
Resources
API
full doc /v1/iam/appsync