SEC 2: How are you ensuring that tenant resources are protected from cross-tenant access?
Create isolation boundaries between the tenants of your system, ensuring that tenants are not able to access the resources of another tenant. Use AWS accounts, network constructs, microservice decomposition, and policies to define and enforce these boundaries.
Resources
- SaaS Tenant Isolation Strategies: Isolating Resources in a Multi-Tenant Environment (whitepaper)
- Isolating SaaS Tenants with Dynamically Generated IAM Policies
- SaaS Tenant Isolation Patterns (ARC372-P)
- Modeling SaaS Tenant Profiles on AWS
- SaaS Storage Strategies (whitepaper)
Best Practices:
- Use coarse-grained constructs, application-enforced policies, or both: Some applications might use more coarse-grained constructs, such as accounts or VPCs, to isolate tenant resources. Access to more fine-grained or shared infrastructure resources is controlled through application-enforced policies.
- Apply a combination of IAM and application-enforced policies: AWS Identity and Access Management (IAM) policies are used to restrict access to those tenant resources that can be isolated by IAM roles and policies. Application-enforced policies protect resources whose isolation cannot be expressed by IAM policies.
Improvement Plan
Use coarse-grained constructs, application-enforced policies, or both
- For whole-stack isolation, each tenant can be placed in separate AWS constructs that fully isolate tenant resources to prevent cross-tenant access. This model trades some cost and operational efficiency for an isolation model that can meet specific domain or regulatory requirements.
- Isolate tenant resources by placing each tenant in a separate AWS account. Use cross-account access to enable management and operational control of each tenant's resources.
- Isolate tenant resources by placing each tenant in a separate VPC. Use AWS PrivateLink or VPC peering to enable management and operational control of each tenant's resources.
See the SaaS Tenant Isolation Strategies: Isolating Resources in a Multi-Tenant Environment whitepaper.
See the SaaS Storage Strategies whitepaper.
- For pooled compute resources, each attempt to access a tenant resource is challenged by policy that validates that the request does not cross a tenant boundary.
- Policies are applied to all flavors of isolation, ensuring that access to pooled or siloed resources is applied and enforced in any scenario where there may be an attempt to cross a tenant boundary.
- The policy description, management, and enforcement are all managed outside of IAM. This can be addressed through a variety of mechanisms, including language-specific security frameworks and third-party access control libraries.
See the section "Application-Enforced Pool Isolation" in the SaaS Tenant Isolation Strategies: Isolating Resources in a Multi-Tenant Environment whitepaper.
Apply a combination of IAM and application-enforced policies
- Policies are associated (dynamically or statically) with each tenant, expressing how tenant isolation is defined for each resource that can be accessed by that tenant.
- Each request is accompanied by tenant context that is used to acquire tenant-scoped credentials, which are then used to access the resources associated with that tenant.
AWS re:Invent 2019: SaaS tenant isolation patterns (ARC372-P)
- For siloed partitioning models, a policy might simply describe whether an entire resource (VPC, database, queue, etc.) is accessible to a given tenant. For pooled (shared) tenant resources, fine-grained policies describe which portions of a resource are accessible to a given tenant (DynamoDB leading keys, for example).
- Example: Partitioning Pooled Multi-Tenant SaaS Data with Amazon DynamoDB
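As an added illustration (not code from the SaaS Lens or the referenced whitepapers), the following Python builds the kind of tenant-scoped session policy described above for a pooled DynamoDB table, using the dynamodb:LeadingKeys condition key so that credentials derived from it can only touch items whose partition key is the tenant's own ID, and then checks a few requests against that policy with a small local evaluator. The table ARN, tenant IDs and the evaluator are assumptions for illustration; in a real service the JSON document is passed as the session policy when assuming a role to obtain tenant-scoped credentials.

```python
import json
from typing import Any, Dict, Iterable, List

# Placeholder ARN constructed for this example (not a real table).
TABLE_ARN = "arn:aws:dynamodb:us-east-1:123456789012:table/PooledTenantTable"

# Scan is deliberately absent: it reads the whole table, and LeadingKeys
# cannot confine it to one tenant's partition, so it is never granted.
TENANT_ACTIONS = ["dynamodb:GetItem", "dynamodb:Query", "dynamodb:PutItem"]


def build_tenant_policy(tenant_id: str, table_arn: str = TABLE_ARN) -> Dict[str, Any]:
    """Build a session policy that confines DynamoDB access to items whose
    partition key equals tenant_id (the tenant context of the request)."""
    if not tenant_id or any(c in tenant_id for c in '*?"\\'):
        # A wildcard or empty tenant ID would widen the condition instead of scoping it.
        raise ValueError("tenant_id must be a concrete, non-empty identifier")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": list(TENANT_ACTIONS),
            "Resource": table_arn,
            "Condition": {
                "ForAllValues:StringEquals": {"dynamodb:LeadingKeys": [tenant_id]}
            },
        }],
    }


def session_policy_json(tenant_id: str) -> str:
    """Serialised form, as it would be supplied when assuming a role."""
    return json.dumps(build_tenant_policy(tenant_id))


def is_access_allowed(policy: Dict[str, Any], action: str, table_arn: str,
                      leading_keys: Iterable[str]) -> bool:
    """Minimal local evaluator for the policy shape built above (an assumption
    for illustration, not IAM's full evaluation logic): the request is allowed
    only if the action and resource match and every partition key it touches
    is in the statement's allowed set (ForAllValues semantics)."""
    requested: List[str] = list(leading_keys)
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or action not in stmt["Action"]:
            continue
        if stmt["Resource"] != table_arn:
            continue
        allowed = set(stmt["Condition"]["ForAllValues:StringEquals"]["dynamodb:LeadingKeys"])
        if set(requested) <= allowed:
            return True
    return False
```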
- Application-enforced policies are used to supplement IAM policies when IAM policies are not granular enough to support the isolation requirements of a given resource.
See the section "Application-Enforced Pool Isolation" in the SaaS Tenant Isolation Strategies: Isolating Resources in a Multi-Tenant Environment whitepaper.
- Example: Multi-tenant data isolation with PostgreSQL Row Level Security