Building a SaaS

solution on AWS
using Serverless
Anubhav Sharma
Principal Solutions Architect
AWS SaaS Factory

© 2022, Amazon Web

© 2022,
Services,
Amazon
Inc. or
Webits Services,
affiliates.Inc.
All or
rights
its affiliates.
reserved.All
Amazon
rights Confidential
reserved. Amazon
and Trademark.
Confidential and Trademark.
Software-as-a-Service (SaaS) is a
business and software delivery model
that enables organizations to offer
their solution in a low-friction,
service-centric approach.

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. Amazon Confidential and Trademark. 2
 There are many advantages to a customer-centric
approach, but here’s the big one: Customers are
always beautifully, wonderfully dissatisfied, even
when they report being happy and business is great.
Even when they don’t yet know it, customers want
something better, and your desire to delight
customers will drive you to invent on their behalf.

Jeff Bezos
Founder and Executive Chair, Amazon.com, Inc.
2016 letter to shareholders

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. Amazon Confidential and Trademark.
What it means to be SaaS
Application plane Control plane

Web tier Admin console

Onboarding Provisioning
Multi-tenant Multi-tenant
microservice microservice

Identity Tenant

Metrics Admin user

Multi-tenant Multi-tenant
microservice microservice

Billing Tenant user

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. Amazon Confidential and Trademark.
Application plane deployment models

Tenant 1 Tenant 2 Tenant 1 Tenant 2

Service Service Service Service Service Service

Service Service Service Service Service Service

Dedicated resources for each tenant Shared resources for all tenants
(silo model) (pool model)
© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. Amazon Confidential and Trademark.
Serverless SaaS reference
architecture

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. Amazon Confidential and Trademark.
AWS Services & Features Used
• AWS Serverless Application Model (SAM)
• AWS Cloud Development Kit (CDK)
• Amazon API Gateway
§ REST APIs
§ Lambda Authorizer
§ Usage plans & API keys

• Amazon Cognito
§ User Pools

• AWS Lambda
§ Fine-grained access control (AWS STS)
§ Lambda Layers

• Code Pipeline
§ Canary deployments

• Amazon DynamoDB

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. Amazon Confidential and Trademark.
Tiered based deployment model

Application plane Control plane

Basic & Standard tier Platinum tier Platinum tier Registration
Pooled services Siloed services Siloed services

Microservice Microservice Microservice

Tenant management

User management

Tenant provisioning
Tenant 3..N Tenant 1 Tenant 2

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. Amazon Confidential and Trademark.
Baseline Architecture
Web application

Landing/sign- Sample SaaS SaaS provider

up application application admin console
SaaS
Tenant Amazon Cognito provider

Amazon API Gateway

Lambda API Keys &
Authorizer Usage Plans

Application services Shared services Layers

Pooled services Registration Tenant management

Auth Manager
Order Product

Tenant provisioning User management Metrics Manager

Log Manager

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. Amazon Confidential and Trademark.
 Registering new tenants

Landing/sign- User management • Create user pool (silo)

up application • Create user pool group (pool)
Tenant • Create tenant admin user
2

1 Registration 3 Tenant management

• Create tenant
• Store tenant configuration

• Provision tenant
• Configure tenant settings
(silo/pool) 4
Tenant Provisioning
• Create stack for siloed
SaaS Admin
tenants
Console
Administrator

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. Amazon Confidential and Trademark.
Tenant registration

Create user Create tenant

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. Amazon Confidential and Trademark.
 Authentication and authorization
Cognito Hosted UI

{
1 2
JWT
tenantId: “abc”
userRole: “Admin” Evaluate usage based
} upon API key

GET

Sample SaaS 3 4
Authorizer
5
policy
Tenant commerce
JWT
application Authorizer POST
Lambda
Allow/disallow routes functions

API Gateway

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. Amazon Confidential and Trademark.
Routes based on user roles

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. Amazon Confidential and Trademark.
Tenant isolation: Silo model

JWT
Tenant
API Gateway Lambda function Order_Tenant1

Lambda execution role

{
"Sid": ”Tenant1Role",
"Effect": "Allow",
"Action": [
"dynamodb:GetItem",
],
Authorizer "Resource": [
”arn:aws:dynamodb:us-east-1:xxx:table/Tenant1-Order"
]
}

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. Amazon Confidential and Trademark.
Dynamic policy
{
"Effect": "Allow",
"Action": [
"dynamodb:UpdateItem",
"dynamodb:GetItem",
"dynamodb:PutItem",
"dynamodb:DeleteItem",
"dynamodb:Query"
],
"Resource": [
"arn:aws:dynamodb:{0}:{1}:table/Product-*".format(region, aws_account_id),
],
"Condition": {
"ForAllValues:StringLike": {
"dynamodb:LeadingKeys": [
"{0}-*".format(tenant_id)
]
}
}
}

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. Amazon Confidential and Trademark.
Code snippet: STS credentials

#get IAM policy

iam_policy = getPolicyForUser(user_role, tenant_id)

#use STS client to generate the credentials

assumed_role = sts_client.assume_role(
RoleArn=role_arn,
RoleSessionName="tenant-aware-session",
Policy=iam_policy,
)
credentials = assumed_role["Credentials"]

#pass sts credentials to lambda

context = {
'accesskey': credentials['AccessKeyId'], # $context.authorizer.key -> value
'secretkey' : credentials['SecretAccessKey’],
'sessiontoken' : credentials["SessionToken"],
}

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. Amazon Confidential and Trademark.
Authorizer output

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. Amazon Confidential and Trademark.
Tenant isolation: Pooled model

Tenant Id, user role,

access key, secret key

Tenant JWT Scoped access using short-lived credentials

Pooled DynamoDB
API Gateway Lambda functions (basic, standard,
{tenantId: 1}
premium)
dynamodb = boto3.resource('dynamodb’,
aws_access_key_id=accesskey,
aws_secret_access_key=secretkey,
aws_session_token=sessiontoken
)
Authorizer

Runtime-acquired
tenant scope

IAM
AWS STS

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. Amazon Confidential and Trademark.
 Pool-based partition with DynamoDB

• Tenant data in the same table

• TenantID used as ShardID
• Isolation policies applied by
ShardID

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. Amazon Confidential and Trademark.
Multi-tier, multi-account, multi-region CI/CD
Deployment
pipelines

Pooled
Build pipeline

Prod

Source Build Artifacts Test Start Deployments

(S3)
Tenant 1

Prod

tenantId stackName accountId region status commitId

Tenant 2
pooled pooled 1234569890 us-east-1 deploying ddddd
Tenant1 tenant1 5678901245 us-west-2 deployed eeeeee
Tenant2 tenant2 1111112222 us-east1 deployed eeeeee
Prod

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. Amazon Confidential and Trademark.
Tenant routing
Pooled

Hosted UI redirect
3
Sample SaaS application
1 Platinum 1
Login à Tenant Name JWT token
Tenant 1 4
Platinum 2
5
JWT token 2
Tenant identity
settings
Pooled Platinum 1 Platinum 2

Tenant
management

Product Product Product • Tenant name → tenantName

• User pool mapping
• API Gateway URL

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. Amazon Confidential and Trademark.
Final View of Architecture
Source Sign-up SaaS Admin
application application console
Tenant Amazon Cognito Tenant SaaS provider

Build

Deploy API keys/

usage plans Amazon API Gateway Lambda authorizer AWS STS Amazon CloudFront S3

Application services Shared services

Pooled Tenant 1 Tenant 2 Layers
Tenant Tenant
registration management
Order Product Order Product Order Product

Logging &
metrics
Tenant User
provisioning management

Auth

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. Amazon Confidential and Trademark.
Serverless SaaS reference links
• https://catalog.us-east-1.prod.workshops.aws/workshops/b0c6ad36-0a4b-45d8-856b-
8a64f0ac76bb/en-US
• https://github.com/aws-samples/aws-serverless-saas-workshop
• https://aws.amazon.com/blogs/apn/building-a-multi-tenant-saas-solution-using-aws-
serverless-services/
• https://github.com/aws-samples/aws-saas-factory-ref-solution-serverless-saas
• https://aws.amazon.com/blogs/devops/parallel-and-dynamic-saas-deployments-with-cdk-
pipelines/

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. Amazon Confidential and Trademark.