I'm trying to protect my AWS AppSync API with IAM. All is fine at the query level, but is it also possible to restrict a client at the type level (fields of the return type)?
This is the schema:
type Query {
  getUserById(id: String): User
}

type User {
  id: String!
  email: String
  firstName: String
  lastName: String
}
And the desired IAM permission:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "appsync:GraphQL",
      "Resource": [
        "arn:aws:appsync:REG:ACCNO:apis/APIID/types/Query/fields/getUserById",
        "arn:aws:appsync:REG:ACCNO:apis/APIID/types/User/fields/id",
        "arn:aws:appsync:REG:ACCNO:apis/APIID/types/User/fields/email"
      ],
      "Effect": "Allow"
    }
  ]
}
I want a client to be able to get only the user ID and email, not firstName or lastName. How can I do it?
Only top-level fields, i.e. everything defined inside the Query, Mutation and Subscription types, can be restricted using AWS IAM policies.
So id and email cannot be restricted using AWS IAM policies.
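To make the answer concrete, here is an added example (not code from the question, the answer, or AWS) that models how the posted policy is evaluated against a GraphQL operation under the rule the answer states: only top-level fields of Query, Mutation and Subscription are authorization targets, so the User/fields/id and User/fields/email resource entries never influence the decision. The policy and the REG/ACCNO/APIID placeholders are copied from the question; the IAM evaluation logic, the GraphQL parsing and the sample operations are simplified assumptions constructed for the demonstration.

```python
"""Constructed model of AppSync IAM evaluation as described in the answer:
authorization is decided per top-level field of the root types only; resource
ARNs naming fields of other types (User/fields/id, User/fields/email) are inert.
Evaluation rules and GraphQL parsing are simplified assumptions."""
import re
from fnmatch import fnmatchcase

ROOT_TYPES = ("Query", "Mutation", "Subscription")
# Field ARN shape used in the question: .../apis/<id>/types/<Type>/fields/<field>
ARN_RE = re.compile(r"^arn:aws:appsync:[^:]*:[^:]*:apis/[^/]+/types/([^/]+)/fields/([^/]+)$")

API_ARN = "arn:aws:appsync:REG:ACCNO:apis/APIID"  # placeholder values from the question

# The policy exactly as posted in the question
POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Action": "appsync:GraphQL",
        "Resource": [
            f"{API_ARN}/types/Query/fields/getUserById",
            f"{API_ARN}/types/User/fields/id",
            f"{API_ARN}/types/User/fields/email",
        ],
        "Effect": "Allow",
    }],
}

# Constructed sample operations
QUERY = 'query { getUserById(id: "42") { id email firstName lastName } }'
MUTATION = 'mutation { updateUser(id: "42", firstName: "x") { id } }'


def _as_list(v):
    return v if isinstance(v, list) else [v]


def field_arn(api_arn, type_name, field):
    return f"{api_arn}/types/{type_name}/fields/{field}"


def evaluate(policy, arn):
    """Simplified IAM decision for one ARN: an explicit Deny wins, otherwise any
    matching Allow grants, otherwise implicit deny. '*' wildcards are honoured."""
    allowed = False
    for st in policy["Statement"]:
        if not any(fnmatchcase("appsync:GraphQL", a) for a in _as_list(st.get("Action", []))):
            continue
        if not any(fnmatchcase(arn, r) for r in _as_list(st["Resource"])):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def parse_operation(doc):
    """Return (root type, top-level field names) for one simple operation.
    Handles arguments and aliases; fragments and multiple operations are not."""
    doc = re.sub(r'"(?:\\.|[^"\\])*"', '""', doc)  # blank out string literals
    tokens = re.findall(r"[A-Za-z_][A-Za-z0-9_]*|[{}():]", doc)
    root, fields, depth, paren, i = "Query", [], 0, 0, 0
    while i < len(tokens):
        t = tokens[i]
        if t == "{":
            depth += 1
        elif t == "}":
            depth -= 1
        elif t == "(":
            paren += 1
        elif t == ")":
            paren -= 1
        elif depth == 0 and t in ("mutation", "subscription"):
            root = t.capitalize()
        elif depth == 1 and paren == 0 and t != ":":
            # 'alias: field': authorization is on the real field name, not the alias
            if i + 2 < len(tokens) and tokens[i + 1] == ":":
                t, i = tokens[i + 2], i + 2
            fields.append(t)
        i += 1
    return root, fields


def authorize(policy, api_arn, doc):
    """Return (allowed, denied top-level fields, inert resource ARNs)."""
    root, fields = parse_operation(doc)
    denied = [f for f in fields if not evaluate(policy, field_arn(api_arn, root, f))]
    inert = []
    for st in policy["Statement"]:
        for r in _as_list(st["Resource"]):
            m = ARN_RE.match(r)
            if m and "*" not in m.group(1) and m.group(1) not in ROOT_TYPES:
                inert.append(r)  # names a field of a non-root type: never checked
    return not denied, denied, inert


if __name__ == "__main__":
    for op in (QUERY, MUTATION):
        ok, denied, inert = authorize(POLICY, API_ARN, op)
        print(op, "->", "ALLOWED" if ok else f"DENIED on {denied}")
    print("inert resource entries:", authorize(POLICY, API_ARN, QUERY)[2])
```

Running it shows the point of the answer: the query selecting firstName and lastName is allowed as a whole because getUserById is granted, while the two User/fields entries are reported as inert. Restricting the nested fields therefore has to happen elsewhere (for example in the resolver), not in the IAM policy.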