Which solution will meet these requirements with the LEAST operational overhead?

By:
In: SAP-C01
Tagged:
With: 1 Comment
A company has a serverless multi-tenant content management system on AWS.The architecture contains a web-based front end that interacts with an AmazonAPI Gateway API that uses a custom AWS Lambda authorizer.The authorizer authenticates a user to its tenant ID and encodes the information in a JSON WebToken (JWT) token.After authentication, each API call through API Gateway targets a Lambda function that interacts with a single Amazon DynamoDB table to fulfill requests.To comply with security standards, the company needs a stronger isolation between tenants.The company will have hundreds of customers within the first year.

Which solution will meet these requirements with the LEAST operational overhead?

Create a DynamoDB table for each tenant by using the tenant ID in the table name. Create a service that uses the JWT token to retrieve the appropriate Lambda execution role that is tenant-specific. Attach IAM policies to the execution role to allow access only to the DynamoDB table for the tenant.

Add tenant ID information to the partition key of the DynamoDB table. Create a service that uses the JWT token to retrieve the appropriate Lambda execution role that is tenant-specific. Attach IAM policies to the execution role to allow access to items in the table only when the key matches the tenant ID.

Create a separate AWS account for each tenant of the application. Use dedicated infrastructure for each tenant. Ensure that no cross-account network connectivity exists.

Add tenant ID as a sort key in every DynamoDB table. Add logic to each Lambda function to use the tenant ID that comes from the JWT token as the sort key in every operation on the DynamoDB table.

Explanations:

Creating a separate DynamoDB table for each tenant would result in high operational overhead as the number of tenants grows, and managing individual IAM roles per tenant is complex and difficult to scale.

Adding tenant ID information to the partition key and creating tenant-specific IAM policies provides strong data isolation while minimizing operational overhead. This approach scales well as it centralizes data in a single table.

Creating separate AWS accounts per tenant provides isolation but incurs significant operational overhead for account management, billing, and resource handling, which is not feasible for hundreds of tenants.

Adding tenant ID as a sort key does not isolate tenants at the access policy level and relies solely on application logic, which is insufficient for strict data isolation and does not comply with security standards effectively.

2025-10-10

1 Comment

  1. Michael
    Author

    I calculate that the answer is:
    Add tenant ID information to the partition key of the DynamoDB table. Create a service that uses the JWT token to retrieve the appropriate Lambda execution role that is tenant-specific. Attach IAM policies to the execution role to allow access to items in the table only when the key matches the tenant ID.

Leave a Reply

Your email address will not be published. Required fields are marked *

eleven + 9 =