The multi-tenant nature of SaaS solutions requires a heightened focus on ensuring that every effort is made to isolate tenant resources. The multi-architecture model you choose, the AWS services that you're employing, the nature of your domain—they all can shape and influence your approach to isolation. Understanding which strategies to employ and which AWS services can help is essential to constructing secure SaaS solutions on AWS.
SaaS Tenant Isolation Architectures
This paper covers the different SaaS deployment models and the combination of AWS services and AWS Partner Network (APN) Partner solutions that can be used to achieve a scalable, available, secure, performant, and cost-effective SaaS offering. AWS now offers a structured AWS SaaS Partner Program to help you build, launch, and grow SaaS solutions on AWS. As your business evolves, AWS will be there to provide the business and technical enablement support you need.
Modeling SaaS Tenant Profiles on AWS
This blog post examines some of the considerations that go into capturing data on your tenants with an emphasis on identifying some of the key areas that could shape your system’s architecture. The landscape of possibilities here is broad, with the goal of providing a glimpse of some of the factors that you may include in a broader assessment of your tenant profile.
AWS SaaS Factory Architecture Track: Tenant Isolation
The goal of this course is to examine the competing forces that influence different isolation strategies, weighing the pros and cons of each approach. It highlights how each of these models is realized on AWS and outlines mechanisms that can be used to prevent cross-tenant access.
SaaS Multi-Tenant Isolation Architectures with Amazon Elastic Kubernetes Service
Kubernetes represents a very compelling model for SaaS providers. However, it also presents new challenges when it comes to isolating the compute resources of your SaaS environment. In this session, we review the general challenges associated with building a multi-tenant environment with the Amazon Elastic Kubernetes Service (Amazon EKS). We examine the fundamentals of SaaS Amazon EKS architecture, evaluating the design considerations, architectural patterns, and best practices that will shape the isolation model of an Amazon EKS SaaS environment.
Beyond the SQL WHERE Clause: Isolating SaaS Multi-Tenant Data in Shared Relational Databases
SaaS providers leverage shared resources to maximize agility and minimize costs. As you move toward a more shared model, you must consider how you will still ensure that tenant resources remain isolated. This can be especially challenging when working with a shared relational database where tenant data sits side-by-side in the same tables. In these environments, you must find more creative ways to enforce the isolation of tenant data. In this session, we explore the challenges and approaches to this problem, digging into specific mechanisms and strategies that can be used to realize your tenant isolation goals. This will allow you to move beyond the use of SQL WHERE clauses and focus on less invasive, more systemic models for enforcing isolation. More specifically, we’ll look at how you can leverage Row Level Security (RLS) policies in Amazon Aurora and Amazon RDS to implement a more robust isolation scheme.
SaaS Tenant Isolation Patterns
Tenant isolation is one of the most fundamental aspects of SaaS architecture. Every SaaS provider must consider how to ensure that their tenant resources are isolated and secure. The challenge is that each resource type (compute, storage, etc.) requires different isolation approaches. In this session, we build a clear roadmap for navigating the landscape of isolation options, highlighting the strategies for achieving isolation spanning the different multi-tenancy models and AWS services. Our goal is to create a comprehensive view of the considerations that impact your approach to introducing isolation into your SaaS solution.