SaaS offers developers a unique blend of architectural challenges. Supporting a multi-tenant model often means rethinking your approach to almost every layer of your architecture. Onboarding, security, data partitioning, tenant isolation, identity—these areas must be factored into how you design, build, and deploy a SaaS solution. The best way to understand these SaaS architectural principles is to dig into an example. In this workshop, we expose you to the core concepts of SaaS architecture then dive into a reference SaaS architecture, where we show you the moving parts of a SaaS solution.

1. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Hands-on SaaS: Constructing multi-
tenant solutions with AWS
Tod Golding
Principal Partner Solutions Architect
AWS
S V C 3 0 7
Judah Bernstein
Partner Solutions Architect
AWS

2. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Workshop goals
• Introduce SaaS architecture fundamentals
• Build the working elements of a SaaS environment
• Introduce real-world strategies for addressing common multi-
tenant practices
• Provide a foundation that can inform the creation of your own
SaaS solutions

3. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
The SaaS motive
Web
App
Customer
Web
App
Customer
Web
App
Tenant Tenant Tenant

4. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Key concepts
On-boarding
Data partitioningApplication
services
Authentication
Service
Tenant isolation

5. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Not here, but key to SaaS
• Management and monitoring
• Analytics
• Operations
• Billing
• SaaS DevOps

6. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
High-level flow
Lab 1: Tenant onboarding
Lab 2: Multi-tenant services
Lab 3: Tenant isolation

7. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Architecting SaaS applications on AWS

8. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Lab 1: Onboarding
• Configure an identity provider
• Review user management service
• Provision a new user via REST API
• Review tenant management service
• Provision a new tenant via REST API
• Register a tenant via web app
• Authenticate as the new user
• Inspect the JWT token
Identity
management
Tenant
management
Tenant registration &
authentication

9. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Onboarding architecture
User manager
Tenant
manager
Tenant registration
Authentication
manager
Web application
Amazon API Gateway

10. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Configuring Amazon Cognito
User pool
User
management
POST / user
Validation
Attributes
Policies
Identity pool

11. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Tenant management
Tenant
manager
Generated tenant identifier
492c83ba-d565-47a8-a987-634bd01189db
Status
Active / inactive
Tier
Basic, advanced
• UserID
• TenantID
• Name
• Status
• Role
1: Many

12. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Onboarding flow
Amazon S3
Web
application
Authenticate
Register
Tenant
registration
Authentication
manager
APIGateway

13. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Architecting SaaS applications on AWS

14. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Lab 2: A multi-tenant progression
Single tenant
product manager
Multi-tenant product
manager
Add tenant security
context
• Single tenant table in Amazon DynamoDB
• Use ProductId as partition key
• No awareness of tenant identity
• Multi-tenant, pooled table in DynamoDB
• Use TenantId as partition key
• Tenant supplied as REST parameter
• Add security token to HTTP headers
• Load products for two tenants
• Verify tenant partitioning in DynamoDB

15. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Building application services
Application service
Identity & tenant context
Multi-tenant data partitioning
Tenantawarelogging,
metering,andanalytics

16. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Data partitioning model
Partition Key Product ID Title
Tenant-1 ECHO-123 Echo Dot
Tenant-3 ECHO-456 Echo Show
Tenant-1 ECHO-456 Echo Show
Tenant-4 ECHO-910 Echo Spot
Pooled multi-tenant table
Product ID Title
ECHO-123 Echo Dot
ECHO-456 Echo Show
ECHO-456 Echo Show
ECHO-910 Echo Spot
Single tenant table
Product manager Product manager
/product/id=TenantId/product

17. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Injecting tenant context
Product manager
JWT token
1
GetTenantId(Token)
Token manager
2
TenantId
3
4

18. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Architecting SaaS applications on AWS

19. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Isolating tenant data
• Alter the product manager service
• Manually inject a tenant identifier
• Verify cross tenant access enable
• Leverage policies to restrict tenant access
• Edit existing policies
• Introduce leading key conditions
• Examine roles emitted by provisioning
• Examine Amazon Cognito’s role mapping
• View the tenant admin/user mapping
• Deploy the web application
• Register a tenant
• Authenticate the new user
Cross tenant
access
Configure
policies
Map role to
policies
Get scoped
credentials

20. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Cross tenant access
Tenant 1
Tenant 2
Tenant-11943
Tenant-9492 Product table
Tenant identifier
Partition Key Sort Key
Tenant-9492 14019
Tenant-11943 49104
Tenant-11943 91044
Tenant-9492 85145
Tenant identifier

21. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Tenant-scoped policies
{
"Sid": "TenantReadOnlyOrderTable",
"Effect": "Allow",
"Action": [
"dynamodb:GetItem",
"dynamodb:BatchGetItem",
"dynamodb:Query",
"dynamodb:DescribeTable"
],
"Resource": [
"arn:aws:dynamodb:us-east-1:000000000000:table/Order"
],
"Condition": {
"ForAllValues:StringEquals": {
"dynamodb:LeadingKeys": [
"3aecf790-7dfd-4aef-a95a-b63fc413bdc9"
]
}
}
}

22. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Mapping tenant roles to policies
IAM policiesAmazon Cognito
role mapping
Tenant
admin role
Tenant user
role

23. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Temporary credentials (the payoff)
getCredentialsForIdentity(idToken)
Application
service
Cognito
IAM role
polices
{
”custom:tenantId” : ”8391-9393-9933”
“custom:role” : “TenantAdmin”
}
Cognito ID Token (JWT)
Match role
Return role scoped credentials
Credentials": {
"SecretKey":"2gZ8QJQqkAHBzebQmghavFAfgmYpKWRqexample",
"AccessKeyId":"ASIAJIOA37R6EXAMPLE"
}

24. https://dashboard.eventengine.run
Launch your environment (with hash key):
https://github.com/aws-samples/aws-saas-factory-bootcamp
GitHub repository (start here):

25. Thank you!
S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.