
Multi-Tenant SaaS — Tenant Isolation

A healthcare SaaS serves 500+ clinics. Each clinic's data must be fully isolated; a data leak between tenants would trigger HIPAA liability. Design the isolation model that's still cost-efficient.

Key Constraints

Strict tenant isolation (HIPAA)
500+ tenants — must be cost-efficient
Per-tenant key revocation required
Premium tenants may need dedicated infrastructure

Reference Architecture

Silo-Pool Hybrid with IAM-Scoped Pool

  1. Pool tier: shared Lambda + DynamoDB + S3, with IAM condition keys scoped to tenantId.
  2. DynamoDB partition key = `tenantId#entityId`; IAM uses `dynamodb:LeadingKeys` to enforce.
  3. S3: per-tenant prefix `s3://bucket/tenant-{id}/...` with IAM `Resource` scoping.
  4. KMS Customer-Managed Key per tenant — granular audit + instant revocation = legal kill-switch.
  5. API Gateway JWT authorizer extracts tenantId; Lambda assumes a tenant-scoped IAM role via STS before touching data.
  6. Premium tenants needing extra isolation get a silo deployment (own VPC, dedicated DB).
  7. Audit: CloudTrail + GuardDuty + Macie for PHI exposure detection.
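Steps 2 to 5 in code, as an added example that is not part of the original scenario: the Lambda builds a session policy scoped to the tenantId from the JWT and hands it to STS AssumeRole, so the shared role's permissions shrink to that tenant's partition-key prefix, S3 prefix and KMS key before any data call is made. Table, bucket, key and role ARNs are assumed placeholders, and `sts` is whatever boto3 STS client the caller passes in.

```python
import json
import re

# Added example (not the page's code). Resource names below are assumptions.
_TENANT_ID = re.compile(r"[a-z0-9-]{1,64}")


def tenant_session_policy(tenant_id: str, table_arn: str, bucket: str, cmk_arn: str) -> dict:
    """Session policy that narrows the shared role to one tenant.

    A session policy can only shrink the role's own permissions, so even a
    Lambda bug that queries the wrong key is refused by IAM, not by app code.
    """
    # Reject anything that could act as a wildcard inside StringLike patterns.
    if not _TENANT_ID.fullmatch(tenant_id):
        raise ValueError(f"invalid tenantId: {tenant_id!r}")
    prefix = f"tenant-{tenant_id}/"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # DynamoDB: only items whose partition key starts with "<tenantId>#"
                "Effect": "Allow",
                "Action": ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Query"],
                "Resource": table_arn,
                "Condition": {"ForAllValues:StringLike": {"dynamodb:LeadingKeys": [f"{tenant_id}#*"]}},
            },
            {   # S3 objects: only under the tenant's prefix
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:PutObject"],
                "Resource": f"arn:aws:s3:::{bucket}/{prefix}*",
            },
            {   # S3 listing: only the tenant's prefix may be enumerated
                "Effect": "Allow",
                "Action": "s3:ListBucket",
                "Resource": f"arn:aws:s3:::{bucket}",
                "Condition": {"StringLike": {"s3:prefix": [f"{prefix}*"]}},
            },
            {   # KMS: only this tenant's CMK; disabling that key revokes the tenant
                "Effect": "Allow",
                "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
                "Resource": cmk_arn,
            },
        ],
    }


def assume_tenant_role(sts, role_arn: str, tenant_id: str, table_arn: str, bucket: str, cmk_arn: str) -> dict:
    """Assume the shared data role with the tenant-scoped session policy; returns temporary credentials."""
    policy = tenant_session_policy(tenant_id, table_arn, bucket, cmk_arn)
    resp = sts.assume_role(
        RoleArn=role_arn,
        RoleSessionName=f"tenant-{tenant_id}",   # shows up in CloudTrail per tenant
        Policy=json.dumps(policy),
        DurationSeconds=900,
    )
    return resp["Credentials"]
```

The session name ties every CloudTrail record for the call chain to the tenant, which is what the audit trap below about logging tenantId on every DB call is asking for.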

Common Traps (Wrong Answers)

  • Trusting Lambda code to filter by tenantId (one bug = full cross-tenant data leak)
  • Single KMS key for all tenants (can't revoke one tenant's access independently)
  • Database-per-tenant for 500+ tenants (RDS sprawl, unaffordable, ops nightmare)
  • Shared S3 bucket without prefix-scoped IAM (`Resource: arn:.../bucket/*` allows any tenant)
  • Logging tenantId only at API edge — log it on every DB call too for auditability
