EventBridge target -> AppSync mutation -> subscription multi-tenant application event authorization

0

I am building a multi-tenant application and would like to use EventBridge targets to trigger an AppSync mutation. My question is how do I allow a user to only see events they are authorized to see? Would that be a resolver on the subscription? EventBridge would be calling the mutation for all users and with the 2000 rule limit, I can't imagine that I'd need or want to set up a separate target for every user.

1 Answer
1
Accepted Answer

Hi,

You can use enhanced subscription filtering to define which events have to be sent to each connected user.

The Real-time data security documentation demonstrates how to use a subscription's toUser parameter for event filtering.

If you would like to avoid using subscription parameters for the filtering configuration, you can review the AppSync enhanced subscription filter pull request for a demonstration of using the username from the connected user's IAM identity context. Note that IAM identity information was used for the demo code's simplicity; you can certainly refactor the code to support other AppSync authorization schemas if needed.

All in all, your implementation can look like this:

  • The EventBridge event should carry some user-specific information that you can filter on, e.g. userId
  • The mutation will accept that field as one of its parameters and forward it to the mutation's response object
  • The subscription resolver will configure enhanced filtering for the subscription to match that user-information field from the mutation response object against a field that is available in the current security context

Kind regards,

AWS
answered 19 days ago
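The three steps in the accepted answer, put together as an added example that is not part of the original question or answer. It emulates, offline, the EventBridge event carrying a userId, the mutation echoing that field into its response, and the subscription resolver installing an enhanced filter keyed on the caller's identity rather than on anything the client sends. The mutation and subscription names, the custom:tenantId claim and the sample event are assumptions; the filter document shape is the one AppSync's util.transform.toSubscriptionFilter() produces, and the evaluation function is a local stand-in for what the AppSync service does when a mutation fires.

```javascript
// Added example (not code from the original post). Hypothetical names: a mutation
// publishTenantEvent invoked by the EventBridge target, a subscription onTenantEvent,
// and a Cognito custom claim "custom:tenantId".

// --- Subscription resolver (response handler) ---------------------------------------
// In the APPSYNC_JS runtime the last line would be
//   extensions.setSubscriptionFilter(util.transform.toSubscriptionFilter(filter));
// here the filter document is returned so the logic can be exercised locally.
function onTenantEventResponse(ctx) {
  const identity = ctx.identity || {};
  // Cognito User Pools: stable subject is identity.sub; IAM: identity.username.
  const callerId = identity.sub || identity.username;
  if (!callerId) throw new Error('Unauthorized: no identity on subscription');

  // If the schema keeps a client-supplied toUser argument, it must equal the caller's
  // own identity, otherwise a client could subscribe to another user's stream.
  // In AppSync this would be util.unauthorized().
  if (ctx.args && ctx.args.toUser !== undefined && ctx.args.toUser !== callerId) {
    throw new Error('Unauthorized: toUser does not match caller identity');
  }

  const filters = [{ fieldName: 'userId', operator: 'eq', value: callerId }];
  const tenantId = identity.claims && identity.claims['custom:tenantId'];
  if (tenantId) {
    // Filters inside one group are ANDed; several groups would be ORed.
    filters.push({ fieldName: 'tenantId', operator: 'eq', value: tenantId });
  }
  return { filterGroup: [{ filters }] };
}

// --- Local emulation of AppSync's enhanced-filter evaluation -------------------------
const OPERATORS = {
  eq: (field, value) => field === value,
  ne: (field, value) => field !== value,
  in: (field, value) => Array.isArray(value) && value.includes(field),
  // AppSync also has le/lt/ge/gt/contains/beginsWith/...; not needed for this example.
};

function filterMatches(filterDoc, payload) {
  return filterDoc.filterGroup.some((group) =>
    group.filters.every((f) => {
      const op = OPERATORS[f.operator];
      if (!op) throw new Error(`unsupported operator ${f.operator}`);
      return op(payload[f.fieldName], f.value);
    })
  );
}

// --- EventBridge event -> mutation response -------------------------------------------
// Filtering runs against the mutation's *response* object, so userId and tenantId must
// be echoed into the response type, not merely accepted as arguments.
function toMutationResponse(event) {
  return {
    userId: event.detail.userId,
    tenantId: event.detail.tenantId,
    type: event['detail-type'],
    detail: JSON.stringify(event.detail),
  };
}

// Deliver the mutation response to each connected subscriber whose filter matches.
function fanOut(payload, subscribers) {
  return subscribers.filter((s) => filterMatches(s.filter, payload)).map((s) => s.name);
}

// --- Constructed sample data (not real traffic) ---------------------------------------
const SAMPLE_EVENT = {
  'detail-type': 'OrderShipped',
  source: 'acme.orders',
  detail: { userId: 'user-a', tenantId: 'tenant-1', orderId: 'o-100' },
};

const SUBSCRIBERS = [
  { name: 'alice', filter: onTenantEventResponse({ identity: { sub: 'user-a', claims: { 'custom:tenantId': 'tenant-1' } }, args: {} }) },
  { name: 'bob', filter: onTenantEventResponse({ identity: { sub: 'user-b', claims: { 'custom:tenantId': 'tenant-1' } }, args: {} }) },
  // Same userId string but a different tenant claim: the ANDed tenantId filter excludes it.
  { name: 'alice@other-tenant', filter: onTenantEventResponse({ identity: { sub: 'user-a', claims: { 'custom:tenantId': 'tenant-2' } }, args: {} }) },
];

function deliverSample() {
  return fanOut(toMutationResponse(SAMPLE_EVENT), SUBSCRIBERS); // ['alice']
}

// A client whose identity is user-m asking for user-a's stream via toUser is refused.
function spoofAttemptRejected() {
  try {
    onTenantEventResponse({ identity: { sub: 'user-m' }, args: { toUser: 'user-a' } });
    return false;
  } catch (e) {
    return /Unauthorized/.test(e.message);
  }
}

console.log(deliverSample());
```

Two points the emulation makes visible: the filter value comes from ctx.identity, so a client cannot widen its own subscription by choosing arguments; and the mutation itself should be callable only by the principal EventBridge uses (for example IAM authorization on the mutation with the subscription exposed to Cognito users through multiple authorization modes), since any client allowed to call the mutation could otherwise publish events with an arbitrary userId.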
