AppSync GraphQL API resolver count limit high

Updated: July 4, 2025

Description

Severity: Medium

The AppSync GraphQL API has a high resolver count limit.

This allows a large number of resolvers to be executed in a single query. While resolvers are essential for fetching and returning data, a high resolver count can lead to performance degradation and increased resource consumption. When multiple resolvers are executed simultaneously, they can consume significant system resources, which can result in slower response times, increased latency, and potential denial-of-service (DoS) vulnerabilities, especially under heavy load or in the event of an attack.

Remediation

Set a resolver count limit on the AppSync GraphQL API to less than 10.

A high resolver count limit increases the risk of overloading the API with complex queries that trigger many resolvers. This can lead to performance bottlenecks, impacting the overall responsiveness and availability of the API. In scenarios where attackers send crafted queries designed to hit the maximum resolver count, the API could experience significant strain, potentially causing service outages and degrading user experience.
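As an added example (not part of this finding's text), a small Python check that applies the remediation threshold above to the JSON shape returned by `aws appsync list-graphql-apis` and builds the `update-graphql-api` call that lowers the limit. The sample response, its API ids and names are constructed placeholders; the check also flags the related not-set case (field absent or 0), which AppSync treats as its default.

```python
"""Check AppSync GraphQL APIs against the resolver count limit finding."""
from typing import Any, Dict, List

# Threshold from the remediation: the configured limit must be below 10.
MAX_ALLOWED_RESOLVER_COUNT_LIMIT = 9

# Constructed sample shaped like the JSON that `aws appsync list-graphql-apis`
# returns. The ids, names and auth types are placeholders, not real resources.
SAMPLE_LIST_GRAPHQL_APIS: Dict[str, Any] = {
    "graphqlApis": [
        {"apiId": "api-placeholder-1", "name": "orders-api",
         "authenticationType": "API_KEY", "resolverCountLimit": 5},
        {"apiId": "api-placeholder-2", "name": "catalog-api",
         "authenticationType": "AWS_IAM", "resolverCountLimit": 500},
        # Field absent: AppSync applies its default, so no limit is set.
        {"apiId": "api-placeholder-3", "name": "legacy-api",
         "authenticationType": "API_KEY"},
        # Explicit 0 behaves like "unspecified" and also means no limit is set.
        {"apiId": "api-placeholder-4", "name": "reports-api",
         "authenticationType": "AWS_IAM", "resolverCountLimit": 0},
    ]
}

def classify(api: Dict[str, Any]) -> str:
    """Return 'ok', 'high' (limit of 10 or more) or 'not_set' (absent or 0)."""
    limit = api.get("resolverCountLimit", 0)
    if limit == 0:
        return "not_set"
    return "high" if limit > MAX_ALLOWED_RESOLVER_COUNT_LIMIT else "ok"

def remediation_command(api: Dict[str, Any], new_limit: int = MAX_ALLOWED_RESOLVER_COUNT_LIMIT) -> str:
    """CLI call that lowers the limit; update-graphql-api also needs the API's current name and auth type."""
    return (
        f"aws appsync update-graphql-api --api-id {api['apiId']} "
        f"--name {api['name']} --authentication-type {api['authenticationType']} "
        f"--resolver-count-limit {new_limit}"
    )

def audit(response: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Return one finding per API whose resolver count limit is high or not set."""
    findings = []
    for api in response.get("graphqlApis", []):
        status = classify(api)
        if status != "ok":
            findings.append({"apiId": api["apiId"], "status": status,
                             "resolverCountLimit": api.get("resolverCountLimit"),
                             "remediation": remediation_command(api)})
    return findings
```

Feed `audit()` the parsed output of `aws appsync list-graphql-apis` for a real account; each returned finding carries the exact command that brings that API below the threshold.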
