This chapter covers AWS AppSync, a managed GraphQL service that enables real-time data synchronization and offline capabilities for applications. For the SAA-C03 exam, AppSync is a key service for building modern, data-driven applications, appearing in about 5-7% of questions related to application integration and high-performance architectures. You will learn how AppSync works, its core components, and how it integrates with other AWS services to build scalable, real-time APIs.
Imagine a luxury hotel with a concierge desk (AppSync) that handles guest requests (client queries) and communicates with various hotel departments (data sources like DynamoDB, Lambda, or HTTP endpoints). When a guest asks for restaurant recommendations, the concierge fills out a request form (GraphQL query) specifying exactly what they want: cuisine type, price range, and hours. The concierge then goes to the restaurant database (DynamoDB), retrieves the matching records, and returns only the requested fields to the guest—no extra info. For real-time updates, the concierge gives the guest a pager (subscription) that buzzes whenever a new restaurant opens or a reservation becomes available. The concierge also has a master list of all available services (schema) and can batch requests from multiple guests efficiently. If a guest wants to make a reservation, the concierge writes the booking into the hotel's reservation system via a mutation, which automatically triggers a page to all other guests who are waiting for that restaurant (subscription). The concierge handles authentication by checking each guest's keycard (API key or Cognito) before processing requests. This setup ensures guests get exactly the data they need, in real time, without overwhelming the hotel's departments or the guests with unnecessary information.
What is AWS AppSync?
AWS AppSync is a fully managed service that simplifies application development by letting you create a flexible GraphQL API to securely access, manipulate, and combine data from one or more data sources. GraphQL is a query language for APIs that allows clients to request exactly the data they need, making it more efficient than REST APIs, which often over- or under-fetch data. AppSync handles the heavy lifting of securely connecting to data sources like AWS DynamoDB, Lambda, RDS, HTTP APIs, and more, and it provides real-time data synchronization via subscriptions, offline data access for mobile and web apps, and fine-grained access control.
Why AppSync Exists
Traditional REST APIs often require multiple endpoints to fetch related data, leading to chatty communication and larger payloads. GraphQL solves this by allowing a single endpoint that returns exactly the requested data. AppSync extends GraphQL with real-time capabilities (subscriptions) and offline support, making it ideal for collaborative apps (e.g., chat, live dashboards), mobile apps with intermittent connectivity, and applications that need to synchronize data across devices. The exam tests your ability to choose AppSync for scenarios requiring real-time updates, offline sync, or a flexible API that aggregates multiple data sources.
How AppSync Works Internally
AppSync operates as a managed GraphQL server. When a client sends a GraphQL request (query, mutation, or subscription), AppSync processes it through the following steps:
Request Validation: AppSync validates the request against the defined GraphQL schema. The schema defines types, queries, mutations, and subscriptions. If the request doesn't match the schema, it's rejected.
Authorization: AppSync checks the request's authorization context. It supports multiple authorization modes: API keys, AWS IAM, Amazon Cognito User Pools, OpenID Connect (OIDC), and AWS Lambda authorizers. The authorization mode is set per API or per field.
Request Mapping: For each field in the request, AppSync uses a request mapping template (written in Apache Velocity Template Language - VTL) to translate the GraphQL request into a request to the underlying data source. For example, a GraphQL query for a user might be mapped to a DynamoDB GetItem call.
Data Source Execution: AppSync sends the mapped request to the configured data source. Supported data sources include:
- AWS Lambda: Invoke a Lambda function for custom business logic.
- Amazon DynamoDB: Directly read/write to DynamoDB tables.
- Amazon Elasticsearch Service: Execute search queries.
- AWS RDS: Interact with relational databases via Lambda or HTTP.
- HTTP endpoints: Call any REST API.
- None: For static data or custom resolvers.
Response Mapping: The response from the data source is processed by a response mapping template, which transforms it into the GraphQL response format. This can include filtering fields, renaming, or aggregating data from multiple sources.
Subscriptions: For subscription requests, AppSync maintains a persistent WebSocket connection with the client. When a mutation occurs that matches a subscription, AppSync pushes the updated data to all subscribed clients in real time. Subscriptions are triggered by mutations and use the same mapping templates to determine what data to push.
Key Components and Defaults
GraphQL Schema: Defined in SDL (Schema Definition Language). Must include types, queries, mutations, and subscriptions. The schema is the contract between client and server.
Resolvers: Attached to fields in the schema. Each resolver has a request and response mapping template. Resolvers can be unit resolvers (single data source) or pipeline resolvers (chain of functions).
Data Sources: Configured with a name, type, and connection details. For DynamoDB, you specify the table name and optional region; for Lambda, the function ARN.
API Key: Default authorization mode when creating an API. Keys have a default expiration of 7 days (can be up to 365 days). IAM roles and Cognito are more secure for production.
Real-time Endpoints: AppSync uses a WebSocket endpoint for subscriptions. The endpoint is wss://<api-id>.appsync-realtime-api.<region>.amazonaws.com/graphql.
Offline Sync: The AppSync SDK (for iOS, Android, JavaScript) provides a local store (SQLite) that caches data and syncs with the cloud when connectivity is restored. Conflicts are resolved using last writer wins or custom conflict resolution.
Caching: AppSync supports per-resolver caching with TTL from 1 second to 3600 seconds (default 60 seconds). Caching can reduce latency and cost for read-heavy workloads.
Logging: Integration with Amazon CloudWatch Logs. You can enable logging at the API level with a log level (NONE, ERROR, ALL).
Configuration and Verification
To create an AppSync API via AWS CLI:
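aws appsync create-graphql-api --name MyAPI --authentication-type API_KEY
To create a data source (the service role is the IAM role AppSync assumes to reach the table):
aws appsync create-data-source --api-id <api-id> --name MyDataSource --type AMAZON_DYNAMODB --service-role-arn <service-role-arn> --dynamodb-config tableName=MyTable,awsRegion=us-east-1
To create a resolver:
aws appsync create-resolver --api-id <api-id> --type-name Query --field-name getUser --data-source-name MyDataSource --request-mapping-template file://request.vtl --response-mapping-template file://response.vtl
To test a query, POST it to the API's GraphQL endpoint (the GRAPHQL URL under uris in the create-graphql-api output) with the API key in the x-api-key header. The aws appsync evaluate-code command evaluates resolver code against a mock context; it does not run GraphQL queries.
curl -s -X POST "<graphql-endpoint-url>" -H "Content-Type: application/json" -H "x-api-key: <api-key>" -d '{"query":"query { getUser(id: \"123\") { name email } }"}'
Interaction with Related AWS Services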
Amazon Cognito: Provides user authentication. AppSync can use Cognito User Pools as an authorizer. This is the recommended approach for user-facing apps.
AWS Lambda: Used for custom business logic, data transformation, or connecting to unsupported data sources. Lambda resolvers are flexible but add latency.
Amazon DynamoDB: The most common data source. AppSync supports single-table designs and can perform complex queries using DynamoDB's query and scan operations.
AWS WAF: Can be associated with an AppSync API to protect against common web exploits.
Amazon CloudFront: Can be placed in front of AppSync to provide CDN caching for static assets or to reduce latency.
AWS X-Ray: Can trace requests through AppSync to debug performance issues.
Security Considerations
Always use least-privilege IAM roles for data sources. For example, a DynamoDB data source should only have the necessary actions (GetItem, Query, PutItem, etc.).
Enable logging and monitor for suspicious activity.
Use API keys only for development or public data. For production, use IAM or Cognito.
Implement field-level authorization using resolver templates to restrict access based on user attributes.
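The checks above can be automated against exported configuration. The following is an added example, not code from AWS or from this guide: it audits a constructed API description shaped like the graphqlApi object in aws appsync get-graphql-api output, plus a constructed IAM policy for a DynamoDB data source role. The finding codes and function names are made up for the example.

```python
import json

# Constructed sample shaped like the "graphqlApi" object in
# `aws appsync get-graphql-api` output; every value is made up.
SAMPLE_API = json.loads("""
{
  "name": "MyAPI",
  "apiId": "EXAMPLEAPIID",
  "authenticationType": "AMAZON_COGNITO_USER_POOLS",
  "additionalAuthenticationProviders": [{"authenticationType": "API_KEY"}],
  "logConfig": {"fieldLogLevel": "NONE"},
  "xrayEnabled": false
}
""")

# Constructed IAM policy attached to the DynamoDB data source role.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["dynamodb:GetItem", "dynamodb:Query", "dynamodb:PutItem"],
         "Resource": "arn:aws:dynamodb:us-east-1:111122223333:table/MyTable"},
    ],
}


def _as_list(value):
    """IAM accepts either a string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def audit_api(api, production=True):
    """Return finding codes (names invented here) for one API description."""
    findings = []
    # API keys can be the primary mode or an additional provider.
    modes = [api.get("authenticationType")]
    modes += [p.get("authenticationType")
              for p in api.get("additionalAuthenticationProviders") or []]
    if production and "API_KEY" in modes:
        findings.append("API_KEY_IN_PRODUCTION")
    if (api.get("logConfig") or {}).get("fieldLogLevel", "NONE") == "NONE":
        findings.append("LOGGING_DISABLED")
    if not api.get("wafWebAclArn"):
        findings.append("NO_WAF_WEB_ACL")
    return findings


def audit_policy(policy):
    """Return (statement index, code) pairs for over-broad Allow statements."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append((index, "WILDCARD_ACTION"))
        if any(r == "*" for r in resources):
            findings.append((index, "WILDCARD_RESOURCE"))
    return findings


if __name__ == "__main__":
    print(audit_api(SAMPLE_API))
    print(audit_policy(SAMPLE_POLICY))
```

The second policy statement, scoped to named actions on one table ARN, is the least-privilege form and produces no finding.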
Performance and Limits
Default quota: 10 queries per second per API (can be increased to 1000s).
Maximum query depth: 10 levels by default (configurable).
Maximum payload size: 1 MB for requests and responses.
Subscription connection: Up to 1000 concurrent connections per API (soft limit).
Resolver timeout: 10 seconds for unit resolvers, 30 seconds for pipeline resolvers.
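A client-side pre-flight check for the query depth limit listed above, as an added example that is not part of the original guide. The limit of 10 is the figure this page gives; counting the operation's root selection set as level 1 is an assumption of this sketch, not AppSync's documented definition, and fragment spreads are not expanded.

```python
def selection_depth(query):
    """Deepest nesting of selection sets ({ ... }) in a GraphQL document.

    Braces inside strings, comments and argument lists (input objects)
    are ignored, so only field selections count toward the depth.
    """
    depth = deepest = parens = 0
    i, n = 0, len(query)
    while i < n:
        ch = query[i]
        if query.startswith('"""', i):           # block string
            end = query.find('"""', i + 3)
            i = n if end == -1 else end + 3
            continue
        if ch == '"':                             # ordinary string with escapes
            i += 1
            while i < n and query[i] != '"':
                i += 2 if query[i] == "\\" else 1
            i += 1
            continue
        if ch == "#":                             # comment runs to end of line
            end = query.find("\n", i)
            i = n if end == -1 else end
            continue
        if ch == "(":
            parens += 1
        elif ch == ")":
            parens -= 1
        elif parens == 0 and ch == "{":
            depth += 1
            deepest = max(deepest, depth)
        elif parens == 0 and ch == "}":
            depth -= 1
        i += 1
    if depth != 0 or parens != 0:
        raise ValueError("unbalanced braces or parentheses")
    return deepest


def within_limit(query, limit=10):
    """True when the query stays at or under the configured depth limit."""
    return selection_depth(query) <= limit


# Constructed sample queries; field names are made up.
SHALLOW = 'query { getUser(id: "123") { name email } }'
WITH_INPUT = 'query { listMessages(filter: {author: {eq: "a}b"}}) { items { id } } }'
DEEP = "query { " + "friends { " * 11 + "id" + " }" * 12

if __name__ == "__main__":
    for q in (SHALLOW, WITH_INPUT, DEEP):
        print(selection_depth(q), within_limit(q))
```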
Use Cases on the Exam
The SAA-C03 exam expects you to identify when to use AppSync versus other services like API Gateway or AWS IoT Core. Common scenarios:
Real-time collaboration (e.g., chat, live editing).
Mobile apps needing offline sync.
Aggregating data from multiple sources (e.g., DynamoDB, Lambda, HTTP).
Replacing REST APIs to reduce over-fetching.
Step-by-Step: Real-time Chat Application
Define Schema: Create a GraphQL schema with types for Message, User, and ChatRoom. Include queries, mutations (sendMessage), and subscriptions (onNewMessage).
Configure Data Sources: Set up DynamoDB tables for messages and users. Create Lambda functions for custom logic (e.g., message formatting).
Create Resolvers: Attach resolvers to fields. For sendMessage mutation, use a pipeline resolver that first validates the message, then writes to DynamoDB, and finally triggers a subscription.
Set Up Authentication: Use Cognito User Pools for user sign-in. Configure AppSync to use Cognito as the authorizer.
Client Integration: Use the AppSync SDK to connect. The SDK handles WebSocket connections for subscriptions and offline caching.
Test and Monitor: Use the AppSync console to run queries and mutations. Enable CloudWatch logs to monitor errors.
Common Pitfalls
Overly complex resolvers: Keep mapping templates simple. Use Lambda for complex logic.
Ignoring pagination: For list queries, implement pagination using DynamoDB's query with nextToken.
Not handling conflicts: For offline apps, configure conflict resolution (e.g., last writer wins).
Exceeding limits: Monitor subscription connections and query depth.
Define GraphQL Schema
Create a schema file using SDL that defines the types, queries, mutations, and subscriptions your API will support. For example, a chat app might have a Message type with fields id, content, author, and timestamp. Queries include getMessage and listMessages; mutations include createMessage; subscriptions include onMessageCreated. This schema is uploaded to AppSync and acts as the contract between client and server.
Configure Data Sources
In the AppSync console or via API, define data sources that point to your backend resources. For each data source, specify its type (e.g., AMAZON_DYNAMODB) and connection details (table name, region). You can also attach IAM roles that AppSync will assume to access these resources. For Lambda data sources, provide the function ARN. Multiple data sources can be combined in a single API.
Create Resolvers
Attach resolvers to each field in your schema that requires data fetching or mutation. A resolver consists of a request mapping template (transforms the GraphQL request into a data source request) and a response mapping template (transforms the data source response back into GraphQL format). For subscriptions, the resolver is attached to the mutation that triggers the subscription.
Set Up Authentication
Choose an authorization mode for your API. For production, use Amazon Cognito User Pools or IAM. Configure the authorizer in the AppSync API settings. For Cognito, you specify the user pool ID and optional app client ID. For IAM, you attach a policy to the API that allows specific actions. API keys are simpler but less secure; use them only for development.
Deploy and Test API
After configuring the schema, data sources, resolvers, and auth, deploy the API. AppSync provides a GraphQL endpoint (HTTPS for queries/mutations, WebSocket for subscriptions). Use the AppSync console's query editor or tools like Postman to test queries, mutations, and subscriptions. Monitor CloudWatch logs for any errors in resolver templates.
Integrate Client SDK
For client applications (web, iOS, Android), use the AWS AppSync SDK. The SDK handles WebSocket connections for real-time subscriptions, offline data caching using a local SQLite store, and automatic synchronization when connectivity is restored. Configure conflict resolution strategies (e.g., last writer wins, version-based) to handle concurrent edits.
Enterprise Scenario 1: Real-Time Collaboration Platform
A large enterprise deploys a project management tool used by thousands of employees worldwide. They need real-time updates when tasks are assigned, comments are added, or statuses change. Using AppSync, they define a GraphQL schema with types for Project, Task, Comment, and User. Data sources include DynamoDB for task storage and Lambda for notification logic. Subscriptions allow team members to see updates instantly without polling. The system handles 10,000+ concurrent WebSocket connections, with AppSync automatically scaling. Misconfiguration often occurs when resolver templates are too complex, leading to timeouts. They mitigate this by using pipeline resolvers to break down logic into smaller steps and by enabling caching for read-heavy queries.
Enterprise Scenario 2: Mobile App with Offline Sync
A retail company builds a mobile app for field sales representatives to manage inventory and orders. The app must work offline in areas with poor connectivity. AppSync's offline capabilities store data locally using the SDK's local store. When the device reconnects, changes are synced to the cloud via mutations. Conflicts are resolved using a custom conflict resolution handler that merges changes based on timestamps. The company uses Cognito for authentication, ensuring each sales rep only sees their assigned data. Common issues include not properly handling conflict resolution, leading to data loss. They implement version-based conflict detection and alert users when conflicts occur.
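The data-loss failure mode in this scenario, and the version-based detection that prevents it, shown as an added example that is not part of the original guide. The Backend class is a hypothetical in-memory stand-in for the cloud table, not AppSync's implementation, and the two queued mutations are constructed sample data.

```python
import copy


class Conflict(Exception):
    """Raised when a write is based on an outdated version of the item."""
    def __init__(self, key, server_item):
        super().__init__(f"stale write to {key}")
        self.key = key
        self.server_item = server_item


class Backend:
    """Hypothetical in-memory stand-in for the table behind the API."""
    def __init__(self, items):
        self.items = copy.deepcopy(items)

    def put_last_writer_wins(self, key, fields, _base_version=None):
        # Accepts every write; whichever arrives last overwrites the rest.
        item = self.items[key]
        item.update(fields)
        item["version"] += 1

    def put_versioned(self, key, fields, base_version):
        # Accepts the write only if the client edited the current version.
        item = self.items[key]
        if item["version"] != base_version:
            raise Conflict(key, dict(item))
        item.update(fields)
        item["version"] += 1


def sync(backend, queued, versioned):
    """Replay offline mutations in arrival order; return the rejected ones."""
    put = backend.put_versioned if versioned else backend.put_last_writer_wins
    rejected = []
    for m in queued:
        try:
            put(m["key"], m["fields"], m["base_version"])
        except Conflict as c:
            # Surface the conflict so the app can alert the user or merge.
            rejected.append({"client": m["client"], "wanted": m["fields"],
                             "server": c.server_item})
    return rejected


# Constructed scenario: both reps read version 1, edit offline, then reconnect.
INITIAL = {"sku-1": {"qty": 10, "version": 1}}
QUEUE = [
    {"client": "rep-a", "key": "sku-1", "fields": {"qty": 7}, "base_version": 1},
    {"client": "rep-b", "key": "sku-1", "fields": {"qty": 4}, "base_version": 1},
]


def run(versioned):
    """Return (final item, rejected writes) for the chosen strategy."""
    backend = Backend(INITIAL)
    rejected = sync(backend, QUEUE, versioned)
    return backend.items["sku-1"], rejected


if __name__ == "__main__":
    print("last writer wins:", run(versioned=False))
    print("version-based:   ", run(versioned=True))
```

With last writer wins, rep-a's change disappears and nothing is reported; with version checks, rep-b's stale write is rejected along with the current server copy.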
Enterprise Scenario 3: Aggregated Data API
A media company aggregates content from multiple sources: a DynamoDB database for articles, an Elasticsearch cluster for search, and a legacy REST API for user profiles. They use AppSync to create a single GraphQL endpoint that queries all these sources in one request. Pipeline resolvers allow them to chain calls: first fetch the article from DynamoDB, then fetch the author's profile from the REST API via an HTTP data source, and finally enrich with search results. This reduces client-side complexity and network calls. Performance considerations include resolver timeout limits (10 seconds per unit), so they optimize Lambda functions and use caching. Misconfiguration often involves not setting appropriate IAM permissions for data sources, causing 500 errors.
SAA-C03 Exam Focus on AWS AppSync
The SAA-C03 exam tests your ability to select AppSync for scenarios requiring real-time data synchronization, offline access, or flexible GraphQL APIs. The relevant objective is Domain 3: High-Performance Architecture, Objective 3.7: "Select appropriate application services." Key areas include:
Real-time vs. Polling: The exam will present scenarios where clients need immediate updates (e.g., live chat, dashboards). AppSync subscriptions are the correct choice over API Gateway with polling or WebSocket API.
Offline Sync: Questions about mobile apps that must work offline and sync later. AppSync's offline support is unique compared to API Gateway.
Data Aggregation: When a single API needs to fetch data from multiple sources (DynamoDB, Lambda, HTTP), AppSync's GraphQL resolvers are the solution.
Security: Know the authentication modes: API Key (dev only), IAM (server-to-server), Cognito (user pools), OIDC, Lambda authorizer. The exam often asks which to use for a user-facing app (Cognito).
Common Wrong Answers and Traps
API Gateway with Lambda: Candidates often choose this for real-time apps, but API Gateway does not natively support subscriptions or offline sync. API Gateway WebSocket API can do real-time but requires more custom code for subscriptions and lacks offline support.
AWS IoT Core: For IoT device communication, IoT Core is better. But for user-facing mobile/web apps, AppSync is more appropriate. The exam may try to confuse you by mentioning MQTT.
DynamoDB Streams + Lambda: This can push updates but requires building a custom WebSocket or polling mechanism. AppSync provides a managed solution.
Choosing REST over GraphQL: Scenarios where the client needs only specific fields, without over-fetching, point to GraphQL/AppSync.
Numbers and Values to Memorize
Default API key expiration: 7 days (max 365).
Resolver timeout: 10 seconds (unit), 30 seconds (pipeline).
Maximum query depth: 10 (configurable).
Maximum payload size: 1 MB.
Default caching TTL: 60 seconds.
Edge Cases
Multiple authorization modes: AppSync supports per-field authorization. The exam may ask about using different auth for different operations (e.g., public queries with API key, mutations with Cognito).
Conflict resolution: For offline apps, you must choose a strategy. The exam might ask about last writer wins vs. custom.
Pipeline resolvers: Used when you need to call multiple data sources in sequence. The exam may test understanding of when to use pipeline vs. unit resolvers.
Elimination Strategy
When you see a question about real-time updates or offline sync, eliminate options that don't provide these features natively (e.g., API Gateway REST, Lambda alone). If the question mentions a single endpoint that returns exactly the requested fields, lean toward AppSync. If it's about IoT devices, choose IoT Core. If it's about serverless REST API with minimal latency, API Gateway + Lambda is fine.
AppSync is a managed GraphQL service with real-time subscriptions and offline sync.
Use AppSync for mobile apps that need offline capabilities.
Subscriptions are triggered by mutations and use WebSocket connections.
Supported data sources: DynamoDB, Lambda, Elasticsearch, HTTP, RDS (via Lambda).
Authentication modes: API Key, IAM, Cognito User Pools, OIDC, Lambda authorizer.
Default resolver timeout: 10 seconds (unit), 30 seconds (pipeline).
Caching reduces latency with configurable TTL (default 60 seconds).
Conflict resolution strategies are required for offline sync apps.
Pipeline resolvers allow chaining multiple data sources in sequence.
AppSync integrates with CloudWatch, X-Ray, and WAF for monitoring and security.
These come up on the exam all the time. Here's how to tell them apart.
AWS AppSync
Supports GraphQL queries, mutations, subscriptions.
Built-in real-time data push via WebSocket.
Offline data sync with local store.
Resolvers can combine multiple data sources in one request.
Fine-grained field-level authorization.
Amazon API Gateway
Supports RESTful APIs and WebSocket APIs.
WebSocket requires custom code for real-time push.
No built-in offline sync (requires client-side logic).
Typically one endpoint per resource; aggregation requires multiple calls or Lambda.
Authorization at API level or via Lambda authorizer.
Mistake
AppSync is just a managed GraphQL server like Apollo.
Correct
AppSync is a fully managed GraphQL service that also provides real-time subscriptions, offline data synchronization, and fine-grained access control, which are not built into basic GraphQL servers like Apollo.
Mistake
AppSync can only connect to DynamoDB.
Correct
AppSync supports multiple data sources: DynamoDB, Lambda, Elasticsearch, RDS (via Lambda), HTTP endpoints, and none. You can combine them in a single API.
Mistake
AppSync subscriptions use long-polling.
Correct
AppSync subscriptions use persistent WebSocket connections, not polling. This enables real-time push of data with low latency.
Mistake
Offline sync is automatically handled without any configuration.
Correct
Offline sync requires client-side integration using the AppSync SDK, which caches data locally. You must also configure conflict resolution strategies to handle concurrent updates.
Mistake
API keys are secure for production use.
Correct
API keys are intended for development and public data. For production, use IAM roles or Amazon Cognito for authentication and fine-grained access control.
AppSync is designed for GraphQL APIs with real-time subscriptions and offline sync, while API Gateway is for REST/WebSocket APIs. AppSync provides a single endpoint that can query multiple data sources, whereas API Gateway typically requires multiple endpoints. For real-time updates, AppSync subscriptions are easier to set up than API Gateway WebSocket.
Yes, AppSync supports a 'None' data source type, which is useful for static data or for resolvers that don't need to call an external service. For example, you can return a hardcoded value from the mapping template.
You can use API keys (dev only), IAM roles, Amazon Cognito User Pools, OpenID Connect, or a Lambda authorizer. For user-facing apps, Cognito is recommended. For server-to-server, IAM is best. You can also implement field-level authorization in resolver templates.
A unit resolver connects to a single data source and executes one request. A pipeline resolver chains multiple functions (each can call a data source or perform logic) in sequence. Pipeline resolvers are useful for complex workflows like validation, enrichment, and storage.
AppSync supports three conflict resolution strategies: Optimistic Concurrency (last writer wins), Pessimistic Concurrency (version-based), and Custom (Lambda function). You configure this when setting up the data source. The client SDK handles conflict detection and resolution.
Yes, you can create an HTTP data source in AppSync that points to any REST API. The resolver templates transform GraphQL requests into HTTP requests and responses. This allows you to aggregate data from legacy systems.
By default, an AppSync API supports up to 1000 concurrent WebSocket connections. You can request a limit increase. Each subscription can have a filter to control which mutations trigger updates.