Manage tenants across multiple SaaS products on a single control plane
Created by Ramanna Avancha (AWS), Jenifer Pascal (AWS), Kishan Kavala (AWS), and Anusha Mandava (AWS)
Environment: PoC or pilot | Technologies: Serverless | AWS services: Amazon API Gateway; Amazon Cognito; AWS Lambda; AWS Step Functions; Amazon DynamoDB |
Summary
This pattern shows how to manage tenant lifecycles across multiple software as a service (SaaS) products on a single control plane in the AWS Cloud. The reference architecture provided can help organizations reduce the implementation of redundant, shared features across their individual SaaS products and provide governance efficiencies at scale.
Large enterprises can have multiple SaaS products across various business units. These products often need to be provisioned for use by external tenants at different subscription levels. Without a common tenant solution, IT administrators must spend time managing undifferentiated features across multiple SaaS APIs, instead of focusing on core product feature development.
The common tenant solution provided in this pattern can help centralize the management of many of an organization's shared SaaS product features, including the following:
Security
Tenant provisioning
Tenant data storage
Tenant communications
Product management
Metrics logging and monitoring
Prerequisites and limitations
Prerequisites
An active AWS account
Knowledge of Amazon Cognito or a third-party identity provider (IdP)
Knowledge of Amazon API Gateway
Knowledge of AWS Lambda
Knowledge of Amazon DynamoDB
Knowledge of AWS Identity and Access Management (IAM)
Knowledge of AWS Step Functions
Knowledge of AWS CloudTrail and Amazon CloudWatch
Knowledge of Python libraries and code
Knowledge of SaaS APIs, including the different types of users (organizations, tenants, administrators, and application users), subscription models, and tenant isolation models
Knowledge of your organization's multi-product SaaS requirements and multi-tenant subscriptions
Limitations
Integrations between the common tenant solution and individual SaaS products aren’t covered in this pattern.
This pattern deploys the Amazon Cognito service in a single AWS Region only.
Architecture
Target technology stack
Amazon API Gateway
Amazon Cognito
AWS CloudTrail
Amazon CloudWatch
Amazon DynamoDB
IAM
AWS Lambda
Amazon Simple Storage Service (Amazon S3)
Amazon Simple Notification Service (Amazon SNS)
AWS Step functions
Target architecture
The following diagram shows an example workflow for managing tenant lifecycles across multiple SaaS products on a single control plane in the AWS Cloud.
The diagram shows the following workflow:
An AWS user initiates tenant provisioning, product provisioning, or administration-related actions by making a call to an API Gateway endpoint.
The user is authenticated by an access token that’s retrieved from an Amazon Cognito user pool, or another IdP.
Individual provisioning or administration tasks are run by Lambda functions that are integrated with API Gateway API endpoints.
Administration APIs for the common tenant solution (for tenants, products, and users) gather all of the required input parameters, headers, and tokens. Then, the administration APIs invoke the associated Lambda functions.
IAM permissions for both the administration APIs and the Lambda functions are validated by the IAM service.
Lambda functions store and retrieve data from the catalogs (for tenants, products, and users) in DynamoDB and Amazon S3.
After permissions are validated, an AWS Step Functions workflow is invoked to perform a specific task. The example in the diagram shows a tenant provisioning workflow.
Individual AWS Step Functions workflow tasks are run in a predetermined workflow (state machine).
Any essential data that’s needed to run the Lambda function associated with each workflow task is retrieved from either DynamoDB or Amazon S3. Other AWS resources might need to be provisioned by using an AWS CloudFormation template.
If needed, the workflow sends a request to provision additional AWS resources for a specific SaaS product to that product’s AWS account.
When the request succeeds or fails, the workflow publishes the status update as a message to an Amazon SNS topic.
Amazon SNS is subscribed to the Step Functions workflow’s Amazon SNS topic.
Amazon SNS then sends the workflow status update back to the AWS user.
Logs of each AWS service’s actions, including an audit trail of API calls, are sent to CloudWatch. Specific rules and alarms can be configured in CloudWatch for each use case.
Logs are archived in Amazon S3 buckets for auditing purposes.
Automation and scale
This pattern uses a CloudFormation template to help automate the deployment of the common tenant solution. The template can also help you quickly scale the associated resources up or down.
For more information, see Working with AWS CloudFormation templates in the AWS CloudFormation User Guide.
Tools
AWS services
Amazon API Gateway helps you create, publish, maintain, monitor, and secure REST, HTTP, and WebSocket APIs at any scale.
Amazon Cognito provides authentication, authorization, and user management for web and mobile apps.
AWS CloudTrail helps you audit the governance, compliance, and operational risk of your AWS account.
Amazon CloudWatch helps you monitor the metrics of your AWS resources and the applications you run on AWS in real time.
Amazon DynamoDB is a fully managed NoSQL database service that provides fast, predictable, and scalable performance.
AWS Identity and Access Management (IAM) helps you securely manage access to your AWS resources by controlling who is authenticated and authorized to use them.
AWS Lambda is a compute service that helps you run code without needing to provision or manage servers. It runs your code only when needed and scales automatically, so you pay only for the compute time that you use.
Amazon Simple Storage Service (Amazon S3) is a cloud-based object storage service that helps you store, protect, and retrieve any amount of data.
Amazon Simple Notification Service (Amazon SNS) helps you coordinate and manage the exchange of messages between publishers and clients, including web servers and email addresses.
AWS Step Functions is a serverless orchestration service that helps you combine AWS Lambda functions and other AWS services to build business-critical applications.
Best practices
The solution in this pattern uses a single control plane to manage the onboarding of multiple tenants and to provision access to multiple SaaS products. The control plane helps administrative users manage four other, feature-specific planes:
Security plane
Workflow plane
Communication plane
Logging and monitoring plane
Epics
Task | Description | Skills required |
---|---|---|
Establish the requirements for your multi-tenant SaaS platform. | Establish detailed requirements for the following:
| Cloud architect, AWS systems administrator |
Set up the Amazon Cognito service. | Follow the instructions in Getting started with Amazon Cognito in the Amazon Cognito Developer Guide. | Cloud architect |
Configure the required IAM policies. | Create the required IAM policies for your use case. Then, map the policies to IAM roles in Amazon Cognito. For more information, see Managing access using policies and Role-based access control in the Amazon Cognito Developer Guide. | Cloud administrator, Cloud architect, AWS IAM security |
Configure the required API permissions. | Set up API Gateway access permissions by using IAM roles and policies, and Lambda authorizers. For instructions, see the following sections of the Amazon API Gateway Developer Guide: | Cloud administrator, Cloud architect |
Task | Description | Skills required |
---|---|---|
Create the required data catalogs. |
For more information, see Setting up DynamoDB in the Amazon DynamoDB Developer Guide. | DBA |
Task | Description | Skills required |
---|---|---|
Create Lambda functions and API Gateway APIs to run required control plane tasks. | Create separate Lambda functions and API Gateway APIs to add, delete, and manage the following:
For more information, see Using AWS Lambda with Amazon API Gateway in the AWS Lambda Developer Guide. | App developer |
Task | Description | Skills required |
---|---|---|
Identify the tasks that AWS Step Functions workflows must run. | Identify and document the detailed AWS Step Functions workflow requirements for the following:
Important: Make sure that key stakeholders approve the requirements. | App owner |
Create the required AWS Step Functions workflows. |
| App developer, Build lead |
Task | Description | Skills required |
---|---|---|
Create Amazon SNS topics. | Create Amazon SNS topics to receive notifications about the following:
For more information, see Creating an SNS topic in the Amazon SNS Developer Guide. | App owner, Cloud architect |
Subscribe endpoints to each Amazon SNS topic. | To receive messages published to an Amazon SNS topic, you must subscribe an endpoint to each topic. For more information, see Subscribing to an Amazon SNS topic in the Amazon SNS Developer Guide. | App developer, Cloud architect |
Task | Description | Skills required |
---|---|---|
Activate logging for each component of the common tenant solution. | Activate logging at the component level for each resource in the common tenant solution that you created. For instructions, see the following:
Note: You can consolidate logs for each resource into a centralized logging account by using IAM policies. For more information, see Centralized logging and multiple-account security guardrails. | App developer, AWS systems administrator, Cloud administrator |
Task | Description | Skills required |
---|---|---|
Create CloudFormation templates. | Automate the deployment and maintenance of the full common tenant solution and all its components by using CloudFormation templates. For more information, see the AWS CloudFormation User Guide. | App developer, DevOps engineer, CloudFormation developer |
Related resources
Control access to a REST API using Amazon Cognito user pools as authorizer (Amazon API Gateway Developer Guide)
Use API Gateway Lambda authorizers (Amazon API Gateway Developer Guide)
Amazon Cognito user pools (Amazon Cognito Developer Guide)
Cross-account cross-Region CloudWatch console (Amazon CloudWatch User Guide)