If I understand correctly, AWS + GraphQL for a mobile app is quite similar to Firebase Realtime Database. According to the Firebase blog, certificate pinning is supported behind the scenes. My question is: does GraphQL support certificate pinning?
Certificate pinning allows you to bypass standard certificate authority chains to mitigate the risk of a valid certificate being issued to a criminal. It is now deprecated. What Firebase has implemented, and what you probably mean, is Certificate Transparency (CT).
https://www.certificate-transparency.org/
Google's Certificate Transparency project fixes several structural flaws in the SSL certificate system, which is the main cryptographic system that underlies all HTTPS connections. These flaws weaken the reliability and effectiveness of encrypted Internet connections and can compromise critical TLS/SSL mechanisms, including domain validation, end-to-end encryption, and the chains of trust set up by certificate authorities.
Beginning April 24, 2018, AWS Certificate Manager (ACM) supports Certificate Transparency. See the following blog post for more details:
Preparing for AWS Certificate Manager (ACM) Support of Certificate Transparency