
AWS re:Invent 2025 - Secure Multi-tenant SaaS with AWS Lambda: A Tenant Isolation Deep Dive (CNS381)

Secure Multi-tenant SaaS with AWS Lambda: A Tenant Isolation Deep Dive

Overview

  • This presentation covers the challenges of building secure multi-tenant SaaS applications using AWS Lambda, and introduces a new "Tenant Isolation Mode" feature to address these challenges.
  • The presenters, Anton and Bill, walk through the journey of a fictional character named Joe, a cloud engineer tasked with building a multi-tenant SaaS application on AWS.

The Multi-tenant Challenge

  • In a multi-tenant environment, multiple customers/tenants share the same compute resources, which can lead to "noisy neighbor" problems where one tenant's activity affects others.
  • Traditional solutions include:
    • Function-per-tenant model: Highest isolation but operationally complex at scale
    • Custom tenant isolation framework: Provides isolation but requires additional development effort

Tenant Isolation with AWS Lambda

  • AWS Lambda now offers a "Tenant Isolation Mode" that automatically provides separate execution environments for each tenant, ensuring complete isolation.
  • To use this feature:
    1. Enable "Tenant Isolation" when creating a new Lambda function
    2. Pass a unique "Tenant ID" when invoking the function
  • Lambda will then create separate execution environments for each unique Tenant ID, ensuring complete isolation of compute resources, memory, disk, and more.

Technical Deep Dive

  • Under the hood, Lambda uses Firecracker micro-VMs to provide strong isolation between execution environments.
  • Each Tenant ID is mapped to a separate execution environment, ensuring no sharing of resources, environment variables, permissions, or code between tenants.
  • Observability features:
    • Tenant-specific logs are automatically captured and can be queried in CloudWatch
    • Custom tenant-specific metrics can be emitted using the AWS X-Ray SDK
  • Integration with API Gateway:
    • API Gateway can pass the Tenant ID to Lambda using the X-Amazon-Tenant-ID header
    • Tenant-specific authorization and usage plans can be implemented in API Gateway
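Handler-side view of the two steps above (pass a Tenant ID, let Lambda isolate the environment) and of the API Gateway header, as an added Python example that is not code from the talk: it validates the Tenant ID taken from the X-Amazon-Tenant-ID header, cross-checks it against the tenant the API Gateway authorizer established, and keys all cached state and storage paths by tenant so the handler stays safe whether or not the execution environment is shared. The `requestContext.authorizer.tenantId` key, the tenant-id format and the sample event are assumptions constructed for the example.

```python
import json
import re

# Header name as given in the talk; matched case-insensitively because API
# Gateway lower-cases header names in the proxy event.
TENANT_HEADER = "x-amazon-tenant-id"
# Assumed tenant-id format (constructed): no path or separator characters,
# so a validated id is safe to embed in storage keys.
TENANT_ID_RE = re.compile(r"^[a-z0-9][a-z0-9-]{1,62}$")

# Module-level state outlives one invocation. Under Tenant Isolation Mode each
# tenant has its own execution environment, so this holds one tenant at most;
# in a shared environment the tenant-id key stops cached state crossing tenants.
_cache: dict[str, dict] = {}

def extract_tenant_id(event: dict):
    # Validated tenant id from the request header, or None.
    headers = {k.lower(): v for k, v in (event.get("headers") or {}).items()}
    tenant = headers.get(TENANT_HEADER)
    return tenant if tenant and TENANT_ID_RE.match(tenant) else None

def authorized_tenant(event: dict):
    # Tenant id the API Gateway authorizer established (assumed context key).
    return ((event.get("requestContext") or {}).get("authorizer") or {}).get("tenantId")

def tenant_scoped_key(tenant_id: str, resource: str) -> str:
    # Every storage key carries the tenant prefix, so a bug elsewhere cannot
    # address another tenant's objects.
    return f"tenants/{tenant_id}/{resource}"

def handler(event: dict, context=None) -> dict:
    tenant_id = extract_tenant_id(event)
    if tenant_id is None:
        return _response(400, {"error": "missing or malformed tenant id"})
    # The header is caller-controlled; it must match the authenticated tenant.
    if authorized_tenant(event) != tenant_id:
        return _response(403, {"error": "tenant id does not match caller"})
    state = _cache.setdefault(tenant_id, {"hits": 0})
    state["hits"] += 1
    return _response(200, {"tenant": tenant_id, "hits": state["hits"],
                           "key": tenant_scoped_key(tenant_id, "settings.json")})

def _response(status: int, body: dict) -> dict:
    return {"statusCode": status, "body": json.dumps(body)}

def body_of(response: dict) -> dict:
    return json.loads(response["body"])

def make_event(header_tenant, auth_tenant) -> dict:
    # Constructed API Gateway proxy event for local testing.
    headers = {} if header_tenant is None else {"X-Amazon-Tenant-ID": header_tenant}
    return {"headers": headers, "requestContext": {"authorizer": {"tenantId": auth_tenant}}}
```

The hit counter makes the isolation boundary visible: in a shared environment it climbs per tenant key, while under Tenant Isolation Mode a second tenant always starts a fresh environment at 1.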

Business Impact

  • Tenant Isolation Mode addresses key challenges in building secure multi-tenant SaaS applications:
    • Eliminates "noisy neighbor" problems by ensuring complete isolation of compute resources
    • Simplifies development by offloading tenant isolation concerns to the platform
    • Provides stronger observability and security controls at the tenant level
  • Enables SaaS providers to innovate faster and focus on delivering business value, rather than managing complex tenant isolation mechanisms.

Real-world Examples and Use Cases

  • The presenters showcase a demo application that demonstrates the Tenant Isolation Mode in action, including:
    • Invoking the same Lambda function with different Tenant IDs
    • Observing separate execution environments and resource usage for each tenant
    • Integrating with API Gateway to pass Tenant ID and implement tenant-specific authorization

Key Takeaways

  • AWS Lambda's new Tenant Isolation Mode provides a vendor-provided solution for achieving strong compute isolation in multi-tenant SaaS applications.
  • This feature simplifies development, improves observability, and enhances security by offloading tenant isolation concerns to the AWS platform.
  • SaaS providers can leverage this capability to innovate faster, focus on business value, and deliver a more secure and reliable multi-tenant experience for their customers.
