TalksAWS re:Invent 2025 - Building multi-tenant SaaS agents with Amazon Bedrock AgentCore (SAS407)

AWS re:Invent 2025 - Building multi-tenant SaaS agents with Amazon Bedrock AgentCore (SAS407)

Building Multi-Tenant SaaS Agents with Amazon Bedrock AgentCore

Overview

  • This presentation discusses the key architectural challenges and best practices for building multi-tenant SaaS applications using Amazon Bedrock AgentCore.
  • The speakers cover topics such as tenant onboarding, identity management, data partitioning, tenant isolation, and observability.
  • They also walk through a sample architecture and demonstrate how to apply these principles in a real-world SaaS agent-based solution.

Architectural Challenges in SaaS

The speakers outline five key SaaS architectural challenges that need to be addressed:

1. Tenant Onboarding

  • Quickly onboarding new customers and getting them to realize value from the product is critical for SaaS success.
  • Poorly designed onboarding experiences can lead to high customer churn.

2. SaaS Identity

  • Properly authorizing and authenticating users, while injecting tenant context, is essential.
  • Propagating tenant identity throughout the solution is important.

3. Data Partitioning

  • Segregating tenant data, either logically or physically, is necessary to ensure data safety and isolation.

4. Tenant Isolation

  • Defining and enforcing policies around what resources and services each tenant can access is key.
  • Tenant resources should be explicitly defined and isolated.

5. SaaS Observability

  • Monitoring tenant health and usage is crucial for understanding the business impact and cost of operating the solution.

Introducing Amazon Bedrock AgentCore

  • Amazon Bedrock AgentCore is a platform that helps address these SaaS architectural challenges when building agent-based solutions.
  • It provides primitives for securely deploying and managing agents (AgentCore Runtime), tools (AgentCore Gateway), identity management (AgentCore Identity), memory management (AgentCore Memory), and observability (AgentCore Observability).

Implementing Multi-Tenant Agents

The speakers discuss two main approaches for building multi-tenant agents:

Silo or Dedicated Model

  • Each tenant has their own dedicated agent runtime, gateway, memory, and resources.
  • This is a simpler architecture but less efficient at scale.

Pooled or Shared Model

  • Agents, tools, and resources are shared across multiple tenants.
  • This introduces more complexity around tenant isolation and authorization.
  • The speakers demonstrate how to leverage AgentCore Identity and access control policies to implement tenant isolation in a pooled model.

Tenant Onboarding

  • The speakers describe how to use a SaaS control plane to provision either silo or pooled tenant architectures during the onboarding process.
  • This allows for flexible deployment models based on customer requirements and tiers.

Identity Management

  • AgentCore Identity is used to authorize both inbound calls from users and outbound calls from agents to external resources.
  • JWT tokens are leveraged to propagate tenant context, which is then used to enforce authorization policies.
  • The speakers demonstrate how to use pre-token generation Lambda triggers to copy custom claims into the access token for use within AgentCore.

Data Partitioning

  • For the AgentCore Memory (short-term and long-term), data is partitioned by tenant and user using conventions around namespaces and IDs.
  • For external AWS resources like DynamoDB and Amazon Athena, the speakers show how to leverage IAM policies and metadata filtering to isolate tenant data.

Tenant Isolation

  • In the silo model, tenant isolation is achieved through IAM execution roles attached to the dedicated resources.
  • In the pooled model, Attribute-Based Access Control (ABAC) roles are used to restrict access to shared resources based on the tenant context.

Observability

  • Observability is a critical aspect of multi-tenant SaaS solutions, especially for agent-based architectures.
  • AgentCore Observability provides built-in integrations with tools like CloudWatch, but the speakers emphasize the need for custom metrics and dashboards to track tenant-specific usage and costs.
  • They demonstrate how to instrument agent code to capture metrics like input and output tokens, and then correlate that data with actual costs to understand the unit economics of operating each tenant.

Sample Architecture Walkthrough

  • The speakers revisit the sample architecture introduced at the beginning, highlighting how the various AgentCore components and multi-tenant principles are applied.
  • The architecture uses a pooled model with shared agents, tools, and resources, demonstrating the use of AgentCore Identity, data partitioning, and tenant isolation techniques.

Key Takeaways

  • Building multi-tenant SaaS solutions, especially with agent-based architectures, requires careful consideration of architectural challenges around onboarding, identity, data, isolation, and observability.
  • Amazon Bedrock AgentCore provides a set of primitives and features to help address these challenges, including runtime, gateway, identity, memory, and observability components.
  • Implementing multi-tenant agents can follow either a silo or pooled model, each with their own trade-offs in terms of complexity and efficiency.
  • Proper tenant isolation, data partitioning, and observability are critical for understanding and managing the operational costs of a multi-tenant SaaS solution.

Your Digital Journey deserves a great story.

Build one with us.

Talk to us
Cookies Icon

This website stores cookies on your computer.

These cookies are used to collect information about how you interact with this website and allow us to remember you. We use this information to improve and customize your browsing experience, as well as for analytics.

If you decline, your information won’t be tracked when you visit this website. A single cookie will be used in your browser to remember your preference.