Release Notes: Security Enhancement - Fine-Grained GraphQL Authorization

Security Vulnerability Fixed

• Patched security vulnerability in request approval workflow that allowed a requester or member of an approver group to self-approve their access request
• Implemented field-level authorization controls in GraphQL schema
• Prevented unauthorized manipulation of approver fields during request creation
• Fixed potential privilege escalation through approval parameter injection

Technical Implementation

GraphQL Schema Enhancements

• Added granular @auth directives at both type and field levels
• Implemented strict field-level permissions for sensitive fields:
  • approval status
  • approver information
  • request metadata
• Restricted owner permissions to appropriate operations
• Added separate authorization rules for approvers using ownerField

Authorization Rules

• Created distinct permission sets for:
  • Request owners (create, read own requests)
  • Approvers (read, update approval fields)
  • Auditors (read-only access)
  • IAM-authenticated services
• Enforced separation of duties through schema-level controls
• Prevented unauthorized modification of approval-related fields

Security Impact

• Ensures requesters cannot modify approval fields
• Enforces proper segregation between requesters and approvers
• Prevents authorization bypass through parameter manipulation
• Maintains audit trail integrity
• Protects against unauthorized privilege escalation

Required Actions

• Follow instructions in updating TEAM documentation for updating process
• No configuration changes needed

Technical Notes

• Implementation uses AWS AppSync @auth directives
• Leverages multiple authorization rules per field
• Combines owner-based and group-based access control
• Maintains IAM-based access for system operations