# Architecting SaaS Applications on AWS

These are our notes from the SaaS Factory Bootcamp at Hilton Anaheim on Wed. Aug 22, 2018.

Instructor: Tod Golding, Partner Solutions Architect, SaaS Factory Team at AWS, todg at amazon.com.

For more info, see SaaS Factory website.

Table of Contents:

# Goals

• Introduce SaaS architecture fundamentals
• Build working SaaS environment
• Strategies for multi-tenancy
• Foundation for creation of your own SaaS solutions

# SaaS Motive

• Before: siloed per-customer environments where everyone has their own in-house stack
• After: multi-tenant with shared infrastructure

# Key Concepts

• Onboarding: set up env, identity
• Auth: associate user to specific tenant
• App Services: how they interact with data, metering, logging, etc. and apply tenant context
• Data Partitioning: how to separate tenants' data
• Tenant Isolation: across everything, ensure one tenant can't access another tenant's data

# Labs Covered Today

• Lab 1: Tenant Onboarding
• Lab 2: Multi-Tenant Services
• Lab 3: Tenant Isolation

# Lab 1: Onboarding

• Configure an identity provider
• Create a user mgmt service
• Provision a new user
• Review tenant mgmt service
• Provision new tenants via REST API

# Arch

• Angular web app
• API Gateway
  • Tenant Registration
  • Tenant Manager
  • Authentication Manager

# Configuring Cognito

• Set up user pool for for every tenant in system
  • Attributes, policies, validation
• Identity pool binds to user pool for federated identity

# Tenant Management

• 1 tenant can have many users

# Onboarding Flow

• Register a tenant
• Authenticate

# Lab 2: Multi-Tenant

• Single tenant
• Multi-tenant:
  • pooled table in DynamoDB
  • TenantID as partition key
  • Tenant supplied via REST

# Building App Services

• Write service like any other service
• Managed outside your service:
  • Identity & tenant context
  • Multi-tenant data partitioning
  • Tenant-aware logging, metering, analytics

# Data Partitioning Model

• Tenant as partition key

# Injecting tenant context

• Product Manager receives JWT Token
• GetTenantId(Token) to retrieve TenantId from Token Manager

# Lab 3: Tenant Isolation

• Goal: prevent cross-tenant access
• We'll cross boundary by manually injecting tenant ID
• Then use policies and roles to prevent it
• Then go from simple token to IAM scoped credentials

# Cross tenant access

• What happens when you inject TenantId, then access someone else's data?

# Tenant-scoped policies

• Use condition dynamodb:LeadingKeys

# Mapping tenant roles to policies

• Use Cognito Role Mapping to map identity attribute to
  • Role with set of policies
  • Token to access data

# Temp credentials

• App service gets idToken, returns role scoped credentials
• SecretKey and AccessKeyId connected to IAM role policies retrieved via Cognito

# Today's Lab

github.com/aws-samples/aws-saas-factory-bootcamp (use "accelerated" branch)

Follow the instructions for Lab 1, 2, and 3:

• github.com/aws-samples/aws-saas-factory-bootcamp/blob/accelerated/Lab1.md
• github.com/aws-samples/aws-saas-factory-bootcamp/blob/accelerated/Lab2.md
• github.com/aws-samples/aws-saas-factory-bootcamp/blob/accelerated/Lab3.md