Building a Multi-tenant SaaS solution on AWS

00:00

foreign

00:03

[Music]

00:08

first of all for inviting me here and um

00:12

you know I'm really excited to to

00:13

present this topic it's something very

00:16

near and dear to me

00:18

um in general just you know having you

00:20

know building software for about 20

00:21

years now

00:23

um so today I'll be talking about how to

00:25

build a SAS Solution on AWS using

00:28

serverless

00:29

so the idea here is to you know give you

00:32

some best practices and how to use

00:35

various AWS Services inside a reference

00:37

solution

00:39

um so if you are trying to build a SAS

00:41

if you're trying to build a multi-tenant

00:43

solution using AWS server services

00:45

this is something you really want to you

00:48

know maybe leverage as a starting point

00:50

so before I begin just maybe a quick

00:53

introduction about myself I am one of

00:55

the solution Architects here at AWS I

00:58

work for a team called SAS Factory and

01:00

by the name maybe you can imagine that

01:03

we help customers who are building SAS

01:05

based Solutions on AWS right I have been

01:08

writing code like for about 20 years now

01:10

I started my career as a Visual Basic

01:13

developer back then

01:15

um and then I three years ago I joined

01:17

AWS and and since then I've been working

01:19

as part of this stream uh I'm outside

01:22

work I have a family I have a wife and

01:25

two boys 15 and 10

01:27

um we live in Massachusetts and and

01:29

recently we also got a dog and she keeps

01:32

me busy sometimes all right so let me

01:35

begin

01:36

so I thought maybe it probably makes

01:38

sense you know before I jump into the

01:40

technical details to Define what

01:43

software as a service really means

01:45

um so if if you just you know look at

01:47

this definition which we have here is

01:50

it's more of a business delivery model

01:52

right so SAS is a way of doing business

01:55

where you centrally host your

01:59

application and your customers come and

02:02

they subscribe to that application right

02:04

some examples if I have to give think of

02:07

Dropbox slack Salesforce these are some

02:11

of the examples pretty popular SAS

02:13

platforms which you just go and

02:15

subscribe so as an example for Dropbox

02:17

you just you know buy some sort of

02:19

storage and you just pay on monthly

02:21

basis for the storage you don't have to

02:24

like buy a hard disk or install anything

02:26

on your machine right it's just some

02:28

sort of consumption based model you're

02:30

following right so today's discussion

02:34

is relevant for both d2c or business to

02:37

consumer or B2B or business to business

02:39

uh SAS models although I would say that

02:42

it's um it will be more beneficial it

02:45

will be more beneficial if you are

02:47

working on a B2B kind of SAS but you can

02:49

apply the principles and best practices

02:51

in both the cases

02:54

so I thought it is relevant

02:57

um to show this code from Jeff bizas

03:00

which he wrote in his 2016 letter to

03:03

shareholders and if you just pay

03:05

attention to this one line which he says

03:08

right that customers are always

03:10

beautifully wonderfully dissatisfied I

03:13

thought this was very relevant in this

03:14

context because if you're a SAS provider

03:17

you'll have hundreds and maybe millions

03:19

of customers and tenants in your system

03:21

and and it becomes really important for

03:24

you to raise the bar in terms of agility

03:27

and operational excellence uh just

03:29

imagine like even like a small down time

03:32

of 10 to 15 minutes can have a severe

03:34

impact on your on your business right

03:38

um so it's very important to to work

03:40

backwards and be customer obsessed and I

03:43

thought this quote is very much relevant

03:44

for today's discussion

03:46

all right so now what it means to be SAS

03:49

right so

03:51

you know before I jump into the

03:53

serverless and how to use serverless

03:54

services

03:55

I'll probably have a couple of slides

03:58

which talks about the high level

03:59

architecture patterns or design

04:01

principles that I need to understand

04:03

while building a SAS application

04:05

and the first thing you need to

04:06

understand is

04:08

broadly you can Define your SAS

04:10

application or design your SAS

04:11

application into high level components

04:13

an application plane and a control plane

04:16

so application plan is basically it's

04:20

actually your IP it's the service that

04:22

you're providing to your customers so in

04:25

this case in the examples I gave storage

04:28

as a service or a CRM platform or a

04:31

messaging service it's basically your IP

04:34

and that's pretty much your offering to

04:36

your customers and this is an a platform

04:39

that obviously is multi-tenant by

04:42

default and what does it mean what it

04:44

really means is you'll have multiple

04:45

businesses multiple customers multiple

04:48

users within those businesses who will

04:50

be subscribed to your SAS platform and

04:53

be leveraging all at same time

04:56

on the other hand what we have is a

04:58

control plane and the controller plane

05:00

is pretty much what is managing this

05:03

entire application plane right

05:05

um this is basically your platform or

05:08

set of micro Services which are

05:10

responsible for onboarding a new tenant

05:12

as an example right managing the

05:14

security aspects of a SAS solution

05:16

you'll have some sort of identity

05:19

management system

05:20

you will have some sort of micro

05:22

Services which will collect the logs and

05:25

Mattress metrics from a SAS platform and

05:27

consolidate them together and and then

05:29

be able to visualize them right and then

05:32

you'll have some sort of microservices

05:35

which will allow you to provision a new

05:37

tenant or maybe provision the resources

05:40

of a new tenant inside your SAS platform

05:42

so this control plane are basically set

05:44

of services which do not need to be

05:47

multi-tenant I mean they are just to

05:49

control the application plane or the

05:51

deployment and and operational aspects

05:54

of a SAS solution

05:58

now within the application plane there

06:01

are two typical deployment models that

06:04

we see customers follow when they deploy

06:06

inside AWS

06:08

the first one which is pretty common is

06:10

you have dedicated resources for each

06:12

tenant so take an example where you have

06:16

tenant one who is trying to onboard into

06:18

your system and you provision may be a

06:20

separate eqs cluster or an RDS database

06:23

instance for them all together right and

06:26

this model is what we call it a silo

06:29

model

06:30

basically you are just provisioning

06:32

separate infrastructure resources for

06:34

all of your tenants

06:36

now the other model is what we call it

06:38

as pool model and in this case as you

06:41

can imagine you have your existing or

06:45

your services or your resources shared

06:48

across all these tenants so imagine an

06:52

RDS cluster or maybe a eks cluster you

06:56

know being accessed by and shared by all

06:58

the tenants and as you can imagine right

07:01

it's probably pretty evident that each

07:04

model has their pros and cons right so

07:07

in case of a silo model on the left side

07:10

you see you have little bit of better

07:13

compliance alignment so if you have

07:15

customers who are little bit concerned

07:17

about the compliance and security

07:19

aspects or maybe you have Tighter slas

07:22

and you want to tune the resources

07:25

according to those tenants The Silo

07:27

model will be more suitable in those

07:29

cases whereas if you are trying to

07:32

maximize your resource utilization if

07:34

you're trying to make sure that you have

07:36

resources which are shared by multiple

07:39

users and customers and tenants which

07:42

gives you obviously better cost

07:43

efficiency you probably go for for us

07:46

for a pool model

07:47

now having said that it is important as

07:50

a SAS provider that you make sure that

07:52

proper tenant isolation and security

07:54

requirements are followed regardless of

07:57

what model you choose

07:59

in fact today the reference solution

08:01

that we will talk about I have a hybrid

08:04

model in place where we will provision

08:06

some resources or some tenants in a silo

08:09

model and some tenants in a pool model

08:12

and we will actually see how you can

08:14

enforce the tenant isolation

08:16

authentication authorization in in both

08:19

both ways

08:22

so let me just you know jump on to the

08:24

reference solution that I was talking

08:26

about which we have built which kind of

08:28

uses all these design patterns

08:31

um and it kind of applies them together

08:33

to build a working solution

08:37

um I'm going to first talk about the AWS

08:40

services and features that we leverage

08:42

as part of this reference solution

08:44

um so what we did we we first leveraged

08:46

what we call it as AWS serverless

08:48

application model or Sam and we we

08:51

deployed our resources using Sam so Sam

08:54

is basically an open source framework to

08:57

deploy your serverless resources on AWS

09:00

and then alongside we also leverage cdk

09:03

to deploy some more components mainly

09:06

for the devops footprint of our SAS

09:09

application now the difference between

09:12

Sam and cdk Sam is more like markup you

09:15

you probably use yaml or Json ctk is

09:18

more programming language so basically

09:20

you can actually write a typescript and

09:23

deploy your resources the idea was to

09:25

show that they both can work in parallel

09:27

and hand in hand

09:29

um but in your case you might just do

09:31

cdk to deploy your resources but we

09:33

intentionally use both just to show how

09:36

the kind of work hand in hand

09:39

so then our API layer was built using

09:44

Amazon API Gateway and we specifically

09:47

leveraged the rest API capabilities of

09:51

API Gateway to build our API layer so

09:54

all our apis are restful apis

09:56

um they follow that get put post kind of

09:59

methods

10:01

then for the authentication and

10:03

authorization purposes we leverage a

10:05

feature we called as Lambda authorizer

10:08

within API Gateway and I'll talk about a

10:10

little bit more detail on how that works

10:12

in subsequent slides

10:15

another feature that we use was usage

10:18

plans and API keys so typically in a SAS

10:22

portal if you have multiple tenants who

10:25

are trying to access the system

10:26

you need to be really careful about

10:29

enabling some sort of throttling

10:31

mechanisms in your application right so

10:33

think about it that you're trying to

10:35

open up your apis to hundreds of

10:37

customers what if one customer just run

10:40

accidentally maybe run a script and just

10:42

trying to bombard your apis right so

10:44

there are chances that your resources

10:46

might get exhausted so in order to

10:49

enforce some sort of throttling

10:50

mechanisms we leverage this feature and

10:54

I'll show you how that works exactly as

10:56

well

10:57

then we leverage Amazon Cognito as our

11:01

identity management platform and we we

11:04

specifically leverage what we call it as

11:07

user pools as a feature with Incognito

11:09

to store our users

11:12

um so your users can come and register

11:13

themselves and then later can

11:15

authenticate themselves using a username

11:18

password based workflow

11:21

then for the compute layer we leveraged

11:24

AWS Lambda and specifically I will also

11:27

talk about how we leverage the fine grid

11:30

Access Control using AWS SDS service

11:33

this is more relevant when you are

11:36

working in that pool model where a

11:38

single Lambda function is shared across

11:40

multiple tenants and users like how does

11:42

that find that access control work

11:44

and then we leverage Lambda layers which

11:48

is another functionality a feature

11:50

inside Lambda service which basically

11:53

let you create reusable libraries and

11:56

share those reusable libraries across

11:58

multiple Lambda functions so in our case

12:01

specifically we we leverage metrics and

12:04

logging and authentication authorization

12:06

which was more like a reusable pattern

12:09

and build them using Lambda layers and

12:11

we then you know we basically then

12:15

leverage those layers across multiple

12:16

Lambda functions

12:18

and then finally I'm not going to talk

12:21

about this in more detail today but um

12:23

obviously at the end of this slide I'll

12:25

give you some links of of the reference

12:28

solution in which is inside GitHub which

12:31

you can go and refer yourself but there

12:33

are more features like code Pipeline and

12:35

Canary deployments like how to do

12:37

traffic traffic shifting uh between your

12:39

version of Lambda so let's say you're

12:41

trying to deploy a new version of Lambda

12:44

function you might want to you know

12:46

slowly shift traffic towards that new

12:48

function

12:49

um just a way to you know automate the

12:50

canary deployment so that's another

12:52

feature that we implemented within this

12:55

reference solution

12:56

and then finally uh we use dynamodb as

12:59

our layer of storage and um dynamodb

13:03

again is a key Value Store provides you

13:06

a great way to you know store your data

13:08

in a serverless fashion

13:12

one more thing I wanted to mention at

13:15

this point is that the application plane

13:18

as I mentioned to you is deployed in a

13:20

hybrid model

13:22

so I'll show you how you actually

13:25

onboard your tenants into the system but

13:27

you will see that when you once you

13:29

onboard the tenant into the system the

13:32

basic and the standard ta tenants are

13:34

deployed in a pool model so basically

13:37

these standards will be sharing the same

13:40

set of API Gateway Lambda functions and

13:42

dynamodb table

13:44

whereas when we create a new tenant as a

13:48

platinum tier tenant um we actually

13:50

deploy separate resources for those

13:52

tenants uh again you know the whole

13:55

concept of tiering not sure if you if

13:58

you are aware of that or not but

13:59

typically when you're building a SAS

14:01

model you try to create different sort

14:03

of tiers for your for your tenants and

14:06

you kind of maybe sometimes provide more

14:10

um as you know maybe more functionality

14:12

to certain tenants provide better slas

14:14

to certain tenants so the idea here was

14:17

to show like how you can leverage those

14:18

steering based strategies to you know

14:20

even influence your architecture in this

14:22

case

14:23

and then the control plane has been

14:26

built using four different microservices

14:28

all using Lambda functions

14:32

um registration is for registering a new

14:34

tenant tenant management

14:37

is for managing the tenants and user

14:39

management is basically a facade in

14:42

front of your Cognito so if if if you

14:45

need to you know use a different IDP

14:47

instead of Cognito you can you just need

14:48

to change and set this user Management

14:50

Service

14:51

um and and you and the rest of your

14:53

application doesn't really get impacted

14:54

a lot and then finally we have a

14:57

microservice for provisioning resources

15:00

for this Platinum tier tenants

15:02

um and as you onboard

15:04

okay so let's now dive a little deep

15:07

um and and see you know how what you

15:10

really get when you deploy this Baseline

15:13

architecture right

15:14

so when you get the code from GitHub

15:17

you will see in the instructions that

15:20

you will be asked to deploy the the the

15:23

architecture using some sort of

15:25

deployment Scripts and when you deploy

15:27

that the first thing that you will see

15:29

you will get a you will probably get

15:30

three different web applications

15:33

so the first web application that you

15:35

will see here is um is the landing

15:37

signup application which we built using

15:40

angular 2 and the idea here was to

15:43

automate that whole onboarding

15:45

experience so your tenants can come and

15:47

register themselves into this

15:49

application

15:50

then at the center right here you see a

15:54

sample SAS application and this is just

15:56

a example SAS application we we just

15:59

took like a very basic e-commerce use

16:02

case

16:03

um basically it's it's very simple use

16:06

case of a order and a product service

16:09

um this will change depending upon your

16:11

needs right so you might have a totally

16:13

different use case but the sample SAS

16:16

application will give you like an idea

16:17

of how to implement multi-tenancy within

16:19

your micro services

16:21

and then we also built a admin console

16:24

for SAS providers again built using

16:27

angular 2. and in this case

16:30

um we basically you know allowed SAS

16:33

providers to manage tenants or onboard

16:35

tenants

16:36

um and you know just be able to add more

16:39

users into the system

16:40

the the authentication as I mentioned is

16:43

being managed through a cognito

16:45

then the next thing that that gets

16:47

deployed inside your AWS account is the

16:49

API Gateway and as I mentioned you will

16:53

get a Lambda authorizer which will be

16:55

responsible for the authentication and

16:56

authorization of your application

17:00

um you will get API keys and usage plans

17:03

feature built into this authorizer now

17:07

one thing you might notice which is

17:08

little different and you know sometimes

17:10

can get it confusing as well that we are

17:13

not really passing the API key from the

17:15

UI right normally typically the way

17:19

developers think that they need to pass

17:21

an API key to the API from the client

17:23

which is obviously one way to do it but

17:26

in our case what we actually did we were

17:29

generating the API key and mapping to

17:32

the tenant as part of the onboarding

17:34

process

17:35

and our Lambda authorizer is basically

17:38

trying to map the API key depending upon

17:40

the tenant so I'll show you how that

17:43

works in little bit more detail but we

17:45

are not really passing API key from the

17:47

UI but rather just mapping the API key

17:50

inside the Lambda authorizer itself

17:52

and what that really allows us to do is

17:54

it allows us to throttle all this

17:57

incoming requests so just keep in mind

18:00

that this API key is by tenant and the

18:03

way is typical SAS solution works you'll

18:05

have like a hierarchy right you'll have

18:07

a tenant like a like a business who buy

18:10

your SAS solution and you will have

18:12

multiple users within those tenants

18:13

right now the the whole concept of usage

18:18

plans and API key in our case is at the

18:20

tenant level so if you have a user who

18:23

is trying to abuse the system what that

18:27

basically means is that that abuse is

18:30

limited within that tenant because now

18:32

what you're saying is that hey

18:34

this tenant can only access the API

18:37

let's say 100 times in a day just an

18:40

example or maybe a million times in a

18:43

day right uh and if it tries to go

18:45

beyond that this usage plan will not let

18:48

you do so

18:50

then the next thing that gets deployed

18:52

as part of the architecture is those

18:54

four microservices as I mentioned for

18:57

registration tenant management

18:59

provisioning a user management

19:02

and then we are also deploying The Pool

19:05

services for the application plane so in

19:08

this case as I mentioned we took a very

19:11

basic example of an order and a product

19:14

service so we are deploying this order

19:17

and product service which will be

19:19

leveraged by all the basic and standard

19:21

tier tenants so this is something that's

19:23

that's getting deployed up front and

19:26

then we are deploying some Lambda layers

19:28

for authentication metrics logging Etc

19:32

so this is the basic architecture that

19:34

gets deployed initially

19:37

um obviously there are some things that

19:39

get added or provisioned as you onboard

19:41

and more tenants um so that's kind of

19:43

that's something I'm going to you know

19:44

talk about next at how that really works

19:47

all right so let's maybe dive a little

19:50

deeper now so you know so far I've

19:52

talked about some basic concepts I've

19:53

talked about the high level architecture

19:55

now I'll probably talk about some more

19:58

deep Concepts and also maybe show you

20:01

some code as we go along and how those

20:03

things really work

20:04

so the first thing I wanted to talk

20:06

about is registering new tenants or

20:09

onboarding new tenants right so if you

20:11

remember

20:12

we had two different user interfaces

20:15

that we talked about that could be

20:17

leveraged to onboard your tenants right

20:19

now this could be

20:21

in your case you might only have one or

20:24

both so what we have seen is that if

20:27

you're trying to operate a B2B kind of

20:29

SAS application sometimes you don't

20:31

expose your Landing or sign up

20:33

application publicly you just have an

20:35

admin console and you just use that to

20:37

to register your tenants so what you

20:41

will do is when you register a tenant

20:42

the first thing that happens is you

20:45

invoke the registration micro service

20:47

and in this case

20:49

um and this is by the way an open

20:50

endpoint right

20:52

um resistance microservice because this

20:54

is something you're exposing to your

20:55

public to your customers

20:56

and depending upon the tenant tier so if

21:00

it's a basic or a standard tier then you

21:02

follow a different workflow and if you

21:04

are like a platinum tier you follow a

21:06

different workflow right and the

21:08

workflow in this case is as I showed to

21:10

you like in couple of slides back for

21:12

for platinum tier tenants we are

21:14

deploying a whole set of AWS resources

21:17

separately in Asylum model foreign

21:20

so this service kind of orchestrates

21:23

some sort of workflow on how to

21:26

provision a new tenant and the first

21:27

thing that happens in this workflow it

21:30

it's basically creating a new

21:32

um user a new tenant admin user and this

21:35

new tenant admin user is then

21:37

responsible for onboarding more tenant

21:40

users later on

21:42

and as I mentioned depending upon the

21:44

tier of the tenant this user management

21:47

decides if I need to create a whole

21:49

separate user pools pool Incognito or

21:52

should I just kind of group

21:54

all the users within a single user pool

21:56

and for those who are not who don't know

21:59

how I'm cognitive user pools work they

22:02

are basically a way to kind of group

22:04

your users right so so if you have a

22:06

tenant who wants some sort of settings

22:09

like multi-factor authentication

22:11

different password policies it makes

22:14

sense to have a silo user pool for them

22:16

right but if you have tenants who don't

22:20

really have any unique requirements you

22:21

can just pull them into a single user

22:23

pool so again based up in our case based

22:26

upon the tenant tier we are making that

22:27

decision at this point

22:30

the second thing that happens is

22:32

actually the creation of Canon inside a

22:34

dynamodb table and this is we're used to

22:36

attendant configurations like Canon name

22:39

address billing information etc etc

22:42

and then finally if it is a silo tenant

22:45

if it is a platinum tier tenant that

22:47

requires separate AWS resources we

22:51

conditionally invoke this tenant

22:52

provisioning service to onboard those

22:55

tenants in Asylum model and I'll

22:57

actually talk about a devops pipeline as

22:59

well later I hope we'll get enough time

23:02

to talk about that which which will show

23:04

you how you can you know automate that

23:06

whole onboarding process across

23:08

different tenets as well

23:11

so I I have some code here in the slides

23:14

itself

23:15

um you know instead of Shifting screens

23:17

I thought it would be easier if you just

23:19

you know look at some of the code

23:20

obviously you can go to the GitHub

23:22

repository and do a deep dive but um so

23:25

if you look at here this code snippet is

23:28

from the user Management Service and one

23:31

thing I wanted to highlight here is that

23:33

so obviously you're getting you know in

23:35

the even body you're getting the user

23:37

details you get the tenant ID as well

23:40

and by the way this tenant ID is being

23:42

generated by the registration service

23:44

which then invokes this service right so

23:47

you get all this information and then

23:49

you have this

23:52

Cognito client and you basically are

23:55

creating a user inside Cognito at this

23:57

point and this is where we are providing

24:00

all the user attributes and these two

24:03

attributes if I just you know may pull

24:05

your attention here these are two

24:07

attributes we call as custom attributes

24:10

um so for those who who understand how

24:12

oauth and what custom attributes really

24:14

means within um within the IDP

24:17

um this is a way to add some sort of

24:19

metadata to this user right um so in

24:22

this case we are saying that okay this

24:24

user has a user role let's say tenant

24:27

admin or tenant read-only user and

24:30

belongs to this particular tenant which

24:32

is being registered which was being

24:33

registered or or what tenant this user

24:36

really belongs to right so this is our

24:38

way of telling inside the RDP which user

24:43

the standard belong to and the way we

24:45

are enforcing this is by using custom

24:47

attributes right

24:49

and on the right side

24:51

um this small code snippet is from the

24:53

create tenant from the tenant Management

24:55

Service

24:56

and this is where you have all those

25:00

um Talent attributes like name address

25:02

email etc etc

25:04

um but I am also saving an attribute

25:08

called as API key here as well so what I

25:11

do is you know I'm generating this API

25:13

key as part of the registration process

25:15

itself and mapping that API key to the

25:18

Tanner inside the standard management

25:19

table and then you know we are also

25:22

saving what user pool and app client

25:25

this um

25:26

this this tenant is supposed to

25:29

authenticate against so in this case you

25:31

know if you are generating a new user

25:33

pool per tenant for the for for The Silo

25:36

tenants

25:37

um this is where we are kind of saving

25:39

all the information so basically all the

25:40

internet information

25:41

[Music]

25:43

um is being saved inside this dynamodb

25:44

table

25:47

so at this point um you know you have

25:50

onboarded a a tenant into the system

25:53

right

25:54

um now you have a tenant admin who who

25:58

has access to your sample SAS

26:00

application

26:01

and the next thing your tenant admin or

26:04

your tenant user will do it will try to

26:06

you know login into your application

26:08

into your SAS application so this is

26:10

actually your application which they

26:12

will be using in long term like it could

26:13

be like a storage as a service or some

26:15

sort of e-commerce platform right so

26:18

it's important to understand how the

26:21

authentication and authorization really

26:23

works in this whole multi-tenant

26:25

um complex system right

26:28

so let's say a tenant user is trying to

26:31

access the system the first thing

26:33

obviously you will do is you will ask

26:35

them to provide a their username and

26:37

password credentials right

26:39

um and and basically in our case since

26:41

we are using Cognito we are just

26:42

redirecting that tenant to the Cognito

26:45

hosted UI which provides this nice

26:48

username password

26:49

um it's it's something which is already

26:51

built in you don't have to build this

26:53

username password UI right so they will

26:55

authenticate so once the authentication

26:58

is successful Cognito will send back a

27:00

jar token and in this dot token as I

27:04

showed to you you'll have tenant ID and

27:06

use the role as as custom attributes

27:08

right

27:08

so now what you will do is you will try

27:12

to access the API Gateway or your UI

27:15

your sample SAS application will try to

27:17

access the API Gateway

27:20

and the first thing that happens in this

27:22

whole workflow ad you will hit that

27:23

authorizer which will first of all make

27:26

sure that your jaw token is valid it

27:29

will go back to the Cognito endpoint and

27:32

make sure that your jaw token has an

27:34

expired it's a valid token and then it

27:38

will build something called as an

27:40

authorizer policy and this authorizer

27:42

policy

27:43

will do at least two things for now

27:46

right first of all based upon this user

27:50

role it will say that okay you know what

27:52

is this user even authorized to access

27:54

this endpoint right so let's let's say

27:57

you have a read-only user

27:59

you don't want a read-only user to

28:01

access your post and put endpoints it

28:03

probably you only want them to access

28:05

get right so in that case

28:08

um this authorization policy will

28:10

prevent you based upon the user role and

28:13

then the second thing it will do it will

28:15

basically you know provide that API key

28:18

which is stored inside the tenant

28:19

management table and enable the

28:22

throttling

28:23

um so or in other words it will say that

28:25

hey this user or this tenant is only

28:28

authorized to access your apis let's say

28:31

100 times in a minute or 100 times in an

28:33

hour and so on and so forth

28:36

so and then you know once this whole

28:38

authorization process completes once the

28:40

jaw token is validated once you make

28:42

sure that your your quotas are well

28:44

within the limits once you make sure

28:46

that the authorization is is valid then

28:49

you actually go ahead and actually call

28:51

that relevant Lambda function which is

28:53

basically your compute layer right so

28:55

this is like a typical workflow that you

28:58

follow

28:59

um and and I think the important things

29:01

to highlight here was the whole concept

29:04

around multi-tenancy in terms of how you

29:07

match manage API keys and how you

29:09

validate jaw tokens here

29:12

now

29:14

just kind of diving deep into the code

29:16

again a little right so this is again a

29:18

small code snippet I took from the from

29:20

the GitHub repository

29:22

and if you see this auth manager is

29:26

basically a python module it's slammed

29:28

earlier actually so what we have is we

29:31

have some methods inside the Lambda

29:33

layer which take the user role and tells

29:36

you whether you should allow method or

29:39

whether you should deny methods right so

29:41

in this case I'm denying

29:43

certain endpoints based upon certain

29:45

user roles and I'm allowing certain

29:47

endpoints based upon certain user roles

29:49

and basically you just you know build

29:51

that policy and pass to the uh

29:53

authorization policy as I was mentioning

29:55

previously

29:58

now

30:00

the whole tenant isolation

30:02

um is a separate so so I so I just

30:04

talked about the whole authentication

30:05

authorization how that works right um

30:07

the next next thing I want to talk about

30:09

was how do you actually enforce tenant

30:12

isolation into the system and what I

30:15

really mean by that is like let's say

30:17

you have data from multiple tenants

30:19

multiple users inside your dynamodb or

30:23

whatever data store of your choice right

30:25

how do you make sure that one tenant is

30:29

not able to access other tenants data

30:31

typically like you know going back maybe

30:34

15 years back you know I would say that

30:37

I will just write a rear class right

30:38

where customer ID is equal to one where

30:41

tenant ID is equal to ABC and that will

30:44

that's probably sufficient right but but

30:46

but then we are kind of handing over the

30:49

whole security aspects of our system in

30:52

the hands of developers right so what we

30:54

are saying that hey it's supposed to be

30:56

developers to write a code and make sure

30:58

you have beer Clause everywhere and then

31:00

you test them and then you test them

31:01

against all those security measures so

31:04

typically that that way of isolating

31:07

tenants is prone to lot of errors and a

31:10

lot of you know issues in general

31:12

so in AWS you have a concept of IAM and

31:16

I'll show you how you can apply that

31:18

um typically to enforce tenant isolation

31:21

so first of all in a silo model assume

31:24

that there is a tenant now who is trying

31:26

to access the system

31:28

it has gone through all those

31:30

authentication and authorization checks

31:32

we just talked about it's all good and

31:34

now it's time to access your Lambda

31:36

function

31:37

so now in case of a silo model we

31:40

deployed separate Lambda functions and

31:42

Separate dynamodb Tables per tenant

31:45

so our isolation story is very simple in

31:48

our case right so in our case all we are

31:51

saying is that we will associate this um

31:53

this Lambda function with an execution

31:55

role and this execution role have access

31:58

to only this dynamodb table right so

32:01

this makes the whole tenant isolation

32:04

story much more simpler

32:06

but in case of a pool model you can

32:08

imagine you could just when you have

32:10

like a single Lambda function when you

32:12

have a single dynamodb table shared

32:14

across all the tenants

32:16

this way of isolating may not be

32:18

sufficient right so how do we solve that

32:21

challenge so in order to solve that

32:22

challenge we we introduce a concept of

32:25

dynamic policies and the way it works is

32:27

you are able to at runtime

32:31

can inject a tenant ID into a dynamic

32:35

policy so this policy by the way is

32:37

stored in some sort of configuration

32:38

right so what you are doing is you are

32:40

saying that hey this policy allows you

32:42

to

32:43

make these five actions on a dynamodb

32:45

table on this particular table but only

32:49

allow an action to those rows which

32:52

start with the primary key of tenant ID

32:54

right and in this case the standard ID

32:56

is is basically a placeholder which gets

32:59

injected at runtime

33:01

so let's let's look at the code and how

33:03

that actually works right so

33:06

imagine this this is one of my code

33:08

which I have in my in my Lambda

33:10

authorizer and this method get policy

33:13

for user basically takes two arguments

33:15

right user role and tenant ID and by the

33:18

way these two arguments are already

33:20

available to us as part of the jaw token

33:22

right so what we typically do is we

33:25

decide that for this user role what kind

33:28

of policy I need to implement do I need

33:30

to you know provide like get or just or

33:33

or maybe maybe write as well and then

33:35

this tenant ID which which I get from

33:37

the Jaw token gets dynamically injected

33:40

into that policy and then I'm leveraging

33:43

this service which we call it as AWS STS

33:46

and passing that policy to get back

33:49

credentials which are now scoped to the

33:51

tenant in short what we are trying to do

33:54

is we are trying to enforce row level

33:56

security inside dynamodb right

33:59

um so basically this is a way of

34:00

implementing row level security inside a

34:03

dynamodb table by leveraging am AWS IM

34:07

policies and that and these credentials

34:11

um which are now only scope to their

34:13

tenant are passed onto the Lambda

34:15

function and when the Lambda function is

34:18

now trying to access the dynamodb table

34:21

it will Leverage

34:23

and that these credentials to access the

34:25

table right so in the typical uh

34:27

database relational database you can

34:30

think of it as a database user right so

34:32

database users normally have access to

34:34

let's say only database one database two

34:36

so you create separate users to give

34:38

access to different databases and and

34:41

you basically make sure that that that's

34:43

how you enforce some sort of security in

34:46

this case we are we are basically

34:48

leveraging the scope Dynamic policies to

34:51

to implement that kind of isolation in a

34:54

pool model

34:55

so as I mentioned this this context or

34:59

these credentials are passed as to your

35:02

Lambda function as part of the context

35:04

from the Lambda authorizer so this code

35:06

I actually took from the Lambda

35:08

authorizer and this is basically the

35:09

entire policy I was talking about the

35:11

authorization policy right

35:13

um and and there are a bunch of things

35:14

that I'm doing here so I'm passing those

35:16

success secret key I'm also passing the

35:19

API key which actually enforces the

35:21

whole

35:22

actually this is this is where you

35:23

actually enforce that whole usage plan

35:27

as well right so so you basically pass

35:29

all these information to your authorizer

35:31

output

35:33

um and and now when you are into that

35:36

whole authentication authorization

35:37

workflow right so again

35:39

you're trying to access a system this

35:42

isn't this is a example where you're

35:43

trying to access in a pool model

35:45

your authorizer is now able to access

35:48

that IAM STS service I was talking about

35:50

to get that runtime acquired tenant

35:53

scope

35:54

and pass those credentials to a Lambda

35:57

function and when now this Lambda

36:00

function is trying to access your

36:02

dynamodb table

36:04

you have to make sure to pass you know

36:06

these um so as long as you you have that

36:08

reusable date access layer which you

36:11

know passes the access secret key

36:13

um you can be assured that

36:16

that row level security is implemented

36:18

because of the IM Dynamic policy that we

36:20

talked about

36:21

now

36:23

one more thing I wanted to highlight at

36:25

this point is how would you you know

36:28

partition your dynamodb table right so

36:30

if you remember the condition of the

36:33

dynamic policy I was referring to

36:35

had a concept that okay only allow

36:39

where can where where your shot ID

36:42

starts with or where your primary key

36:43

starts with a tenant uh ID

36:46

Etc right whatever tenant ID in your

36:48

case

36:48

so now in this case I have one two three

36:51

four different rows for the tenant and a

36:55

random

36:56

suffix right so the reason I'm I'm not

36:58

really just putting

37:00

tenant ID as the primary key is just to

37:01

avoid that hotkey issue right so I'm

37:04

kind of Distributing the workload uh or

37:08

just Distributing the data across

37:09

multiple partitions but still be able to

37:13

apply that condition by using a string

37:16

like kind of fashion so basically all

37:19

I'm all I'm saying is that hey this

37:21

policy is basically applicable where

37:25

your primary key starts with tenant ID

37:27

right if you want to think of that way I

37:29

mean I I totally understand this is a

37:31

bit of a complex

37:32

um thing to understand if you're not

37:34

really used to these kind of terminology

37:37

so I will highly recommend that you go

37:39

back and look at the GitHub repositive

37:41

which I'll just show you in a minute

37:43

and then just one more thing I wanted to

37:46

cover

37:46

um and then we'll yes you know see if