Architecting SaaS Applications on AWS

Tags: aws saas cognito multi-tenancy awssummit

These are our notes from the SaaS Factory Bootcamp at Hilton Anaheim on Wed. Aug 22, 2018.

Instructor: Tod Golding, Partner Solutions Architect, SaaS Factory Team at AWS, todg at

For more info, see SaaS Factory website.

  • Introduce SaaS architecture fundamentals
  • Build working SaaS environment
  • Strategies for multi-tenancy
  • Foundation for creation of your own SaaS solutions

SaaS Motive

  • Before: siloed per-customer environments where everyone has their own in-house stack
  • After: multi-tenant with shared infrastructure

Key Concepts

  • Onboarding: set up env, identity
  • Auth: associate user to specific tenant
  • App Services: how they interact with data, metering, logging, etc. and apply tenant context
  • Data Partitioning: how to separate tenants' data
  • Tenant Isolation: across everything, ensure one tenant can't access another tenant's data

Labs Covered Today

  • Lab 1: Tenant Onboarding
  • Lab 2: Multi-Tenant Services
  • Lab 3: Tenant Isolation

Lab 1: Onboarding

  • Configure an identity provider
  • Create a user mgmt service
  • Provision a new user
  • Review tenant mgmt service
  • Provision new tenants via REST API

  • Angular web app
  • API Gateway
    • Tenant Registration
    • Tenant Manager
    • Authentication Manager

Configuring Cognito

  • Set up user pool for for every tenant in system
    • Attributes, policies, validation
  • Identity pool binds to user pool for federated identity

Tenant Management

  • 1 tenant can have many users

Onboarding Flow

  • Register a tenant
  • Authenticate

Lab 2: Multi-Tenant

  • Single tenant
  • Multi-tenant:
    • pooled table in DynamoDB
    • TenantID as partition key
    • Tenant supplied via REST

Building App Services

  • Write service like any other service
  • Managed outside your service:
    • Identity & tenant context
    • Multi-tenant data partitioning
    • Tenant-aware logging, metering, analytics

Data Partitioning Model

  • Tenant as partition key

Injecting tenant context

  • Product Manager receives JWT Token
  • GetTenantId(Token) to retrieve TenantId from Token Manager

Lab 3: Tenant Isolation

  • Goal: prevent cross-tenant access
  • We'll cross boundary by manually injecting tenant ID
  • Then use policies and roles to prevent it
  • Then go from simple token to IAM scoped credentials

Cross tenant access

  • What happens when you inject TenantId, then access someone else's data?

Tenant-scoped policies

  • Use the dynamodb:LeadingKeys condition key so a role can only touch items whose partition key is its own TenantID
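Added example (not from the bootcamp's own lab code): builds the tenant-scoped policy described above for a pooled table keyed by TenantID, and models how the ForAllValues:StringEquals condition decides a request, so the Lab 3 "inject another tenant's ID" case can be checked offline. The table ARN, tenant IDs and the local evaluator are assumptions for illustration, not the real IAM engine.

```python
"""Tenant-scoped DynamoDB access via the dynamodb:LeadingKeys condition key.

The policy shape follows the documented fine-grained access pattern; the
table ARN and tenant IDs are constructed sample values for this example.
"""
import json

# Constructed sample table; the bootcamp's pooled table uses TenantID as partition key.
TABLE_ARN = "arn:aws:dynamodb:us-west-2:123456789012:table/Products"


def build_tenant_policy(table_arn: str, tenant_id: str) -> dict:
    """Return an IAM policy allowing item access only when every partition-key
    value in the request equals this tenant's ID. dynamodb:Scan is deliberately
    not granted: Scan carries no LeadingKeys context, and ForAllValues matches
    vacuously when the key is absent, which would open the whole table."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["dynamodb:GetItem", "dynamodb:PutItem",
                       "dynamodb:Query", "dynamodb:UpdateItem"],
            "Resource": table_arn,
            "Condition": {
                "ForAllValues:StringEquals": {"dynamodb:LeadingKeys": [tenant_id]}
            },
        }],
    }


def leading_keys_allowed(policy: dict, requested_keys: list) -> bool:
    """Local model (an assumption, not IAM itself) of the documented semantics:
    ForAllValues:StringEquals passes only if every partition-key value the
    request touches is in the allowed set. Mixed or foreign keys are denied."""
    for stmt in policy["Statement"]:
        cond = stmt.get("Condition", {}).get("ForAllValues:StringEquals", {})
        allowed = set(cond.get("dynamodb:LeadingKeys", []))
        if stmt["Effect"] == "Allow" and set(requested_keys) <= allowed:
            return True
    return False


if __name__ == "__main__":
    policy = build_tenant_policy(TABLE_ARN, "tenant-a")
    print(json.dumps(policy, indent=2))
    # Own tenant: allowed. Injected tenant-b, or a mix: denied.
    for keys in (["tenant-a"], ["tenant-b"], ["tenant-a", "tenant-b"]):
        print(keys, "->", "ALLOW" if leading_keys_allowed(policy, keys) else "DENY")
```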

Mapping tenant roles to policies

  • Use Cognito Role Mapping to map identity attribute to
    • Role with set of policies
    • Token to access data

Temp credentials

  • App service gets idToken, returns role scoped credentials
  • SecretKey and AccessKeyId connected to IAM role policies retrieved via Cognito

Today's Lab (use "accelerated" branch)

Follow the instructions for Lab 1, 2, and 3:

Copyright © 2018 Daniel and Audrey Roy Greenfeld.

Last Updated: 8/31/2018, 11:57:19 PM