That would cover about half of the whole. Here is the scenario. I have to open port 8080 to expose the GraphQL endpoint. There needs to be some built-in security service besides enterprise ACL to block ANYONE from just firing up Ratel and pointing it at my :8080/ endpoint and having full access, bypassing the GraphQL endpoint entirely. This needs to be built in and not require setting up another layer or service.
What I have to do in the meantime before I can import any more data and actually get back to work is to figure out AWS API Gateway and put it in front of my EC2 port 8080 to only allow access to the :8080/graphql endpoint.
I understand that I am responsible for securing the GraphQL endpoint with auth rules, but there is no way to ONLY expose the GraphQL endpoint without also exposing the :8080/ endpoint natively.
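
The "only :8080/graphql" rule described in the post above, written as a default-deny check that a fronting proxy or gateway could apply. This is an added example, not code from the post or from Dgraph; `is_allowed`, `blocked`, the method list and the sample requests are assumptions, and `/query`, `/mutate`, `/alter` and `/admin` stand in for the other paths served on port 8080.

```python
# Added example: default-deny request filter for a proxy in front of port 8080.
# Names and sample data are hypothetical; nothing here is Dgraph's own code.

ALLOWED_PATH = "/graphql"            # the only path the post wants reachable
ALLOWED_METHODS = {"GET", "POST"}    # assumption: methods GraphQL clients use


def is_allowed(method: str, target: str) -> bool:
    """Return True only for requests that may be forwarded to :8080."""
    if method.upper() not in ALLOWED_METHODS:
        return False
    # Accept origin-form targets only ("/path?query"), never absolute URLs.
    if not target.startswith("/"):
        return False
    # Compare the path alone; the query string carries the GraphQL query.
    path = target.split("?", 1)[0].split("#", 1)[0]
    # Exact, case-sensitive match on the raw path. No decoding and no
    # normalisation, so "/graphql/", "//graphql", "/graphql/../alter" and
    # "/%67raphql" are all denied instead of being "cleaned" into a match.
    return path == ALLOWED_PATH


# Constructed sample requests (method, request target).
SAMPLE_REQUESTS = [
    ("POST", "/graphql"),
    ("GET", "/graphql?query=%7B__typename%7D"),
    ("GET", "/"),
    ("POST", "/query"),
    ("POST", "/mutate"),
    ("POST", "/alter"),
    ("POST", "/admin"),
    ("POST", "/graphql/../alter"),
    ("POST", "//graphql"),
    ("DELETE", "/graphql"),
]


def blocked(requests):
    """Return the requests the filter refuses, in input order."""
    return [(m, t) for m, t in requests if not is_allowed(m, t)]


if __name__ == "__main__":
    for method, target in SAMPLE_REQUESTS:
        verdict = "ALLOW" if is_allowed(method, target) else "DENY "
        print(verdict, method, target)
```

The exact-match comparison is deliberate: a prefix rule such as "starts with /graphql" would pass targets that the backend may resolve to a different handler.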