AWS Security Hub · AppSync
AppSync.5: An AppSync GraphQL API is authenticated with API keys
Written and reviewed by Emnode
What does AWS Security Hub AppSync.5 check?
AppSync.5 fails when an AppSync GraphQL API accepts API_KEY as one of its authorization modes. The control flags any API still relying on API keys rather than an identity-backed mode (Cognito user pools, IAM, OIDC or a Lambda authorizer).
Why does AppSync.5 matter?
An AppSync API key is a shared static secret, not real authentication: it identifies no caller, and it expires after 7 days by default but can be extended to 365 days. Keys leak from places people forget are public. Hard-coded into a published mobile binary, a key is trivially pulled out with strings, handing an attacker up to a year of backend access. Revoking the key is instant, but it cuts off every legitimate client at the same time, so replacing it means an emergency app-store update. Identity-backed auth ties every call to a real principal.
How do I fix AppSync.5?
- Inventory which GraphQL APIs still list API_KEY among their auth modes.
- Pick an identity-backed mode: Cognito user pools, IAM, OIDC, or a Lambda authorizer, per client type.
- Use AppSync's additional-auth (multi-auth) support to add the new mode alongside the key and migrate clients gracefully.
- Remove API_KEY once every client has cut over.
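The four steps above, worked end to end as an added example (not code from this page or from AWS): inventory the APIs that still accept API_KEY, plan the multi-auth migration step that adds Cognito alongside the key, plan the cut-over step that drops API_KEY, and check how long the remaining keys live. The input and output shapes are those of boto3's appsync.list_graphql_apis(), list_api_keys() and update_graphql_api(); the two sample responses, the user pool ID us-east-1_EXAMPLE and the second and third API IDs are constructed for the example.

```python
"""Inventory AppSync GraphQL APIs that still accept API_KEY and plan the cut-over.

Added example, not code from the Security Hub page or from AWS. The input is the
JSON that boto3's appsync.list_graphql_apis() / list_api_keys() return; the
sample responses below are constructed: one API with API_KEY as its primary
mode, one that only carries API_KEY as an additional mode, and one clean API.
"""
import json
import time

# Modes AppSync.5 accepts; everything else (API_KEY) fails the control.
IDENTITY_MODES = {"AMAZON_COGNITO_USER_POOLS", "AWS_IAM", "OPENID_CONNECT", "AWS_LAMBDA"}

NOW = 1_700_000_000  # fixed "now" so the key-expiry output is deterministic

SAMPLE_APIS = {"graphqlApis": [  # constructed list_graphql_apis() response
    {"apiId": "abcd1234efgh5678ijkl", "name": "orders-api",
     "authenticationType": "API_KEY",
     "additionalAuthenticationProviders": [{"authenticationType": "AWS_IAM"}]},
    {"apiId": "example-api-2", "name": "reports-api",
     "authenticationType": "AWS_IAM",
     "additionalAuthenticationProviders": [{"authenticationType": "API_KEY"}]},
    {"apiId": "example-api-3", "name": "admin-api",
     "authenticationType": "AMAZON_COGNITO_USER_POOLS",
     "userPoolConfig": {"userPoolId": "us-east-1_EXAMPLE", "awsRegion": "us-east-1",
                        "defaultAction": "ALLOW"},
     "additionalAuthenticationProviders": []},
]}

SAMPLE_KEYS = {"apiKeys": [  # constructed list_api_keys() response; times are epoch seconds
    {"id": "da2-examplekeyid12345", "expires": NOW + 300 * 86400, "deletes": NOW + 360 * 86400},
    {"id": "da2-examplekeyid67890", "expires": NOW - 2 * 86400, "deletes": NOW + 58 * 86400},
]}


def auth_modes(api):
    """Every authorization mode an API accepts, primary first."""
    modes = [api["authenticationType"]]
    for provider in api.get("additionalAuthenticationProviders", []):
        modes.append(provider["authenticationType"])
    return modes


def apis_using_api_key(list_response):
    """Step 1: APIs that fail AppSync.5 (API_KEY as primary or additional mode)."""
    return [api for api in list_response["graphqlApis"] if "API_KEY" in auth_modes(api)]


def plan_migration(api, user_pool_id, region):
    """Step 2/3: keep the current primary mode so existing clients keep working and
    add Cognito as an additional mode. Returns kwargs for update_graphql_api()."""
    extra = [p for p in api.get("additionalAuthenticationProviders", [])
             if p["authenticationType"] != "AMAZON_COGNITO_USER_POOLS"]
    extra.append({"authenticationType": "AMAZON_COGNITO_USER_POOLS",
                  "userPoolConfig": {"userPoolId": user_pool_id, "awsRegion": region}})
    return {"apiId": api["apiId"], "name": api["name"],
            "authenticationType": api["authenticationType"],
            "additionalAuthenticationProviders": extra}


def plan_cutover(api, user_pool_id, region):
    """Step 4: remove API_KEY from every mode. An identity-backed primary is kept;
    if API_KEY was primary, Cognito (added in the migration step) becomes primary."""
    extra = [p for p in api.get("additionalAuthenticationProviders", [])
             if p["authenticationType"] != "API_KEY"]
    if api["authenticationType"] != "API_KEY":
        return {"apiId": api["apiId"], "name": api["name"],
                "authenticationType": api["authenticationType"],
                "additionalAuthenticationProviders": extra}
    # Cognito moves from additional provider to primary; only the primary carries defaultAction.
    extra = [p for p in extra if p["authenticationType"] != "AMAZON_COGNITO_USER_POOLS"]
    return {"apiId": api["apiId"], "name": api["name"],
            "authenticationType": "AMAZON_COGNITO_USER_POOLS",
            "userPoolConfig": {"userPoolId": user_pool_id, "awsRegion": region,
                               "defaultAction": "ALLOW"},
            "additionalAuthenticationProviders": extra}


def key_days_left(keys_response, now=None):
    """Key id -> whole days until expiry (negative = already expired)."""
    now = time.time() if now is None else now
    return {k["id"]: int((k["expires"] - now) // 86400) for k in keys_response["apiKeys"]}


def fetch_live_apis():
    """Against a real account: page through list_graphql_apis via nextToken (needs boto3)."""
    import boto3  # imported here so the offline example has no dependency on it
    client = boto3.client("appsync")
    apis, token = [], None
    while True:
        resp = client.list_graphql_apis(**({"nextToken": token} if token else {}))
        apis.extend(resp["graphqlApis"])
        token = resp.get("nextToken")
        if not token:
            return {"graphqlApis": apis}


if __name__ == "__main__":
    for api in apis_using_api_key(SAMPLE_APIS):
        print(f"{api['name']} ({api['apiId']}): modes {auth_modes(api)} -> fails AppSync.5")
        print("  migration:", json.dumps(plan_migration(api, "us-east-1_EXAMPLE", "us-east-1")))
        print("  cut-over: ", json.dumps(plan_cutover(api, "us-east-1_EXAMPLE", "us-east-1")))
    print("days until key expiry:", key_days_left(SAMPLE_KEYS, now=NOW))
```

Each plan dict is meant to be passed as `client.update_graphql_api(**plan)`; run the migration plan first, wait until every client authenticates with Cognito, then run the cut-over plan and only afterwards delete the key objects. The reports-api case shows why the cut-over keeps the existing primary: its IAM callers must not be disturbed just because API_KEY was tucked into the additional providers.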
Remediation script · bash
# AppSync.5 is evaluated against the API's configured authorization modes, not its key objects,
# so first move the API off API_KEY (here to a Cognito user pool; <api-name> and <user-pool-id> are placeholders), then delete the leftover keys.
aws appsync update-graphql-api --api-id abcd1234efgh5678ijkl --name '<api-name>' \
  --authentication-type AMAZON_COGNITO_USER_POOLS \
  --user-pool-config userPoolId='<user-pool-id>',awsRegion=us-east-1,defaultAction=ALLOW \
  --additional-authentication-providers '[]'
# Once every client sends the new credential, remove the AppSync API key(s); list-api-keys shows any others.
aws appsync list-api-keys --api-id abcd1234efgh5678ijkl
aws appsync delete-api-key --api-id abcd1234efgh5678ijkl --id da2-examplekeyid12345
# The commands below come from the same lesson script and remediate other services (API Gateway v2, MSK); they do not affect the AppSync.5 finding.
# Attach a JWT authorizer to an open API route, then redeploy the stage to enforce it.
aws apigatewayv2 update-route --api-id a1b2c3d4e5 \
  --route-id r7h8j9 --authorization-type JWT --authorizer-id auth9z8y
aws apigatewayv2 create-deployment --api-id a1b2c3d4e5 --stage-name '$default'
# Disable the unauthenticated listener on an MSK cluster while keeping IAM auth.
ARN=arn:aws:kafka:us-east-1:111122223333:cluster/orders-stream-prod/abc123
VERSION=$(aws kafka describe-cluster-v2 --cluster-arn "$ARN" \
  --query 'ClusterInfo.CurrentVersion' --output text)
aws kafka update-security --cluster-arn "$ARN" --current-version "$VERSION" \
  --client-authentication '{"Sasl":{"Iam":{"Enabled":true}},"Unauthenticated":{"Enabled":false}}'
Full walkthrough (console steps, edge cases and verification) in the lesson Require authentication on data and API services.
More AppSync controls
- AppSync.2 AppSync should have field-level logging