Every company wants an app these days, and creating one is getting easier every day. Amazon has specific solutions for this, advertising that you can “Build full-stack web and mobile apps in hours.” And it’s “Easy to start, easy to scale.”

I spent a few weeks toying with Amplify. I wanted to learn how easy it was to build a mobile app. I’m not a front-end developer; I’ve spent the last ten years doing systems and infrastructure engineering. My programming experience is limited to scripting or side projects with no audience beyond myself.

In this write-up, I present my thoughts on Amplify as a platform for building mobile apps.

The Project

I chose to create a water consumption tracking app, for no real reason besides that it was something I could require authentication for, I needed data persistence, and I could get away with a minimal GUI.

I chose React Native somewhat on a whim. Some of my friends in the industry feel that it’s a good solution, and I didn’t have experience; plus, it is cross-platform, so I could theoretically build an iOS or Android app if I was going to release this to the public.


In my opinion, the Amplify docs are a cut above the rest of the AWS documentation. They have a modern feel and are easy to consume, with panels for important callouts, code blocks with highlighting, and up-to-date UI screenshots.

The Development Process

When creating an Amplify project, I was impressed with the CLI that the Amplify team maintains. You can add storage, APIs, databases, and more using amplify add. After creating your project, you start a new Amplify project with amplify init, which walks you through several options for your app. The CLI does its best to figure out some values. For example, it knew I was building a React Native app and selected the appropriate framework.

First, I added authentication to the app. Using amplify add auth, I am given a short questionnaire to follow. An excellent quality-of-life feature in the Amplify CLI is the option offered on many of the wizard questions: "I want to learn more." This gives the user a brief explanation of the question and the possibilities.

Speaking of authentication, the Amplify library makes connecting Cognito super easy. Include the library and wrap App in my App.tsx:

    export default withAuthenticator(App);

After adding various components using the add command, you deploy them with amplify push. This pushes your configuration to AWS, which deploys via CloudFormation. It's generally a smooth process and simplifies the Cloud infrastructure components so an app developer can focus on building their app using their language of choice.

I am not generally impressed with the AWS Console experience. It’s inconsistent, dated, and buggy. My go-to solution is usually infrastructure as code or the AWS CLI. However! The Amplify Studio is an outstanding example of what the console could be. It raises the bar in how an AWS service team can construct and manage the console. In a lot of ways, it feels like a completely different experience. This makes sense, given the target audience that Amplify has.

The Infrastructure

So what about the infrastructure that’s created? Does it follow best practices and well-architected pillars? Using the Amplify CLI, I made a Cognito user pool, S3 buckets, a DynamoDB table, and a GraphQL API with AppSync.

The S3 bucket is created to hold user-uploaded content, public or private. It manages this separation using an IAM policy that allows access to a specific set of app users using the cognito-identity.amazonaws.com:sub IAM condition key. The bucket doesn't have versioning or logging enabled and still uses the default S3 KMS key. This is fine but should be a consideration depending on what the app's intention is.

When creating the DynamoDB table, the Amplify CLI allows you to select your columns and partition key, but also any sort keys, global secondary indexes, and Lambda triggers, which is a nice touch when creating it in the first place. It’s made using the AWS-owned KMS key for DynamoDB, which, like S3, may not be an issue. A nice thing about the table that’s created is that it is created with the “On-Demand” capacity mode, which is excellent for unknown loads.

AppSync is deployed with a simple configuration. No logging, WAF, or X-Ray enabled. However, when creating the API, you can have Amplify create all of the operations for the API. This was great for speeding up development time.


Looking at the infrastructure created with a more security-minded lens, I used one of my favorite tools, Prowler, along with SecurityHub, for a second opinion. They both generally found the same problems.

Regarding S3, a lot of what you’d expect alerted: MFA delete was missing, versioning was disabled, SSE-KMS was not used, and access logging was not enabled, to name a few. None of these are deal breakers, and they are easy enough to enable, and to understand, with little to no experience. I’d argue that KMS is the most complicated to get right, and as stated above, the use case would need to be right for it to be a required facet to enable.

Beyond this, Prowler and SecurityHub caught some misconfigurations with CloudWatch logging and IAM. This last one has no relation to Amplify, but if I created an account for an app, I’d still have some security work here to do.
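Since amplify push deploys through CloudFormation, the S3 and AppSync gaps described above can be checked against a template before it is deployed. The following is an added example, not code from the original post or from Amplify; the template, its logical IDs, the log bucket name and the key alias are constructed sample input.

```python
# Added example: audit a CloudFormation template (loaded as a dict) for the
# S3 and AppSync gaps named in the post. SAMPLE is constructed input, not
# Amplify's generated output.

def audit_template(template):
    """Return sorted (logical_id, finding) pairs for S3 buckets and AppSync APIs."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::S3::Bucket":
            if props.get("VersioningConfiguration", {}).get("Status") != "Enabled":
                findings.append((name, "versioning disabled"))
            if "LoggingConfiguration" not in props:
                findings.append((name, "access logging disabled"))
            rules = props.get("BucketEncryption", {}).get(
                "ServerSideEncryptionConfiguration", [])
            algos = {r.get("ServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
                     for r in rules}
            if "aws:kms" not in algos:  # absent or AES256 both count as a finding
                findings.append((name, "SSE-KMS not used"))
        elif res.get("Type") == "AWS::AppSync::GraphQLApi":
            if "LogConfig" not in props:
                findings.append((name, "logging disabled"))
            if props.get("XrayEnabled") is not True:
                findings.append((name, "X-Ray disabled"))
    return sorted(findings)

# Constructed sample: a default bucket and API next to a hardened bucket.
SAMPLE = {"Resources": {
    "UploadsBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
    "HardenedBucket": {"Type": "AWS::S3::Bucket", "Properties": {
        "VersioningConfiguration": {"Status": "Enabled"},
        "LoggingConfiguration": {"DestinationBucketName": "example-log-bucket"},
        "BucketEncryption": {"ServerSideEncryptionConfiguration": [
            {"ServerSideEncryptionByDefault": {
                "SSEAlgorithm": "aws:kms",
                "KMSMasterKeyID": "alias/example-key"}}]},
    }},
    "WaterApi": {"Type": "AWS::AppSync::GraphQLApi", "Properties": {
        "Name": "water", "AuthenticationType": "AMAZON_COGNITO_USER_POOLS"}},
}}

if __name__ == "__main__":
    for logical_id, finding in audit_template(SAMPLE):
        print(f"{logical_id}: {finding}")
```

MFA delete and WAF are left out of this check: MFA delete is not set through the bucket's CloudFormation properties, and a WAF is attached through a separate association resource rather than a property of the API.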

What I’d Like To See More Of


Security is paramount in today’s Internet. Some intelligent defaults are in place, but there’s no easy CLI way to enable features such as the WAF or better IAM and account-level practices with a single click. Amazon knows what these practices are since they alert in SecurityHub. Allowing an easy adoption of these via Amplify makes a lot of sense in protecting the app and the developers from potential compromises.

That’s not to say Amazon should be more responsible, but it’s clear that Amplify is aimed at audiences that may not have a robust Cloud or Security background.

More Service Tie-Ins

Amplify has a rich tie-in with multiple standard services, including AppSync, DynamoDB, and Cognito. It can also hook up to some of Amazon’s ML offerings, including Rekognition, Textract, Translate, and Pinpoint. I would love to see Amplify expand to connect to more services. What if I need to connect to my legacy API using the API Gateway or to an ElastiCache cluster? Sure, nothing stops me from doing that, but Amplify loses some of its charm this way.


Amplify is an excellent platform for single or small teams of app developers. It’s a novel app development approach that breaks down many barriers and allows you to get started very fast. I’d be curious to find some case studies of large, million-user apps that leverage Amplify just to see how they approach development, security, and operations.

If you are a developer with an idea or even someone who has never touched a line of code in their lives, you could get started reasonably quickly, which is impressive.