You can use a combination of multiple auth schemes for coarse grained authorization. But, you can also implement your own fine-grained checks at the resolver level. See the AppSync Security documentation at https://docs.aws.amazon.com/appsync/latest/devguide/security...

(I led the team that built AWS AppSync).