AWS AppSync + WAF is here! Now let's CDK + CF it!

At the start of this month AWS announced support for AWS WAF with AppSync! If you're a fan of AppSync you might be keen on this, as the WAF will give you an easy way to add an extra layer of security to your app.


As a high-level intro, AppSync is a managed GraphQL API service and is gaining popularity in the app dev space. There are some pretty good built-in security features out of the box like DDoS protection, SOC and ISO compliance, plus others.

Demo stack

For this demo I've thrown in a bunch of services just to show the folks reading what a CDK stack or full app stack in AppSync might be like. I haven't seen any demos which show this type of setup so hopefully it's of interest.

You'll get the following:

  • AppSync API
  • Cognito authentication
  • DynamoDB as a datasource
  • WAF

On top of the above I've configured the services to integrate together and applied a few options, like prohibiting guest sign-up for Cognito.
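
To make the WAF part of that list concrete, here is a CloudFormation fragment added as an illustration; it is not taken from the post's repository and is narrowed to the WAF, AppSync and Cognito pieces. All logical IDs, names and the rate-limit rule are assumptions, and admin-only user creation is used as one way to prevent self sign-up.

```yaml
# Added example, not the stack from the post's repository.
# Logical IDs, resource names and the rate limit are assumed values.
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  UserPool:
    Type: AWS::Cognito::UserPool
    Properties:
      UserPoolName: demo-appsync-users
      AdminCreateUserConfig:
        AllowAdminCreateUserOnly: true   # no self-service sign-up
  Api:
    Type: AWS::AppSync::GraphQLApi
    Properties:
      Name: demo-appsync-api
      AuthenticationType: AMAZON_COGNITO_USER_POOLS
      UserPoolConfig:
        UserPoolId: !Ref UserPool
        AwsRegion: !Ref AWS::Region
        DefaultAction: ALLOW
  ApiWebAcl:
    Type: AWS::WAFv2::WebACL
    Properties:
      Scope: REGIONAL                    # AppSync APIs use a regional web ACL
      DefaultAction:
        Allow: {}
      VisibilityConfig:
        SampledRequestsEnabled: true
        CloudWatchMetricsEnabled: true
        MetricName: demoAppSyncWebAcl
      Rules:
        - Name: RateLimitPerIp
          Priority: 0
          Action:
            Block: {}
          Statement:
            RateBasedStatement:
              Limit: 1000                # per source IP, default 5-minute window
              AggregateKeyType: IP
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: demoRateLimitPerIp
  ApiWebAclAssociation:
    Type: AWS::WAFv2::WebACLAssociation
    Properties:
      ResourceArn: !GetAtt Api.Arn       # attaches the web ACL to the GraphQL API
      WebACLArn: !GetAtt ApiWebAcl.Arn
```

The association resource is what actually puts the web ACL in front of the API; without it the web ACL exists but inspects no AppSync traffic.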


I've generated the CloudFormation stack and supplied a deploy stack button which is available in the open source GitHub repo:

All that is needed to deploy the stack is to click the button and log in to your Amazon account. Everything happens in your account and you can review the code if that helps.


The CDK repo is in the same place; simply run cdk deploy and you're good to go.

Clean up

A note on clean up: when you delete the stack the DynamoDB table will be left behind, so be sure to remove it when you're done.

More info

If you are deploying WAF to an existing AppSync deployment, check out my detailed post below. If you apply the core ruleset to AppSync, requests will be blocked, but there is a workaround in the post:


I am keen to hear from others about their AppSync setup and how you're managing your deployment. Other than CDK & CF there are some cool accelerators out there, so I'm interested to see if others are using them.
