WebACL/WAF rules for multi-tenant SaaS application

0

Our HIPAA-compliant SaaS application is implemented on AWS using Cognito and AppSync. A web client is deployed via Amplify and we have mobile applications for iOS and Android.

Our enterprise customers often ask us to lock down application access to an allow-list of IP addresses and CIDR ranges. We're evaluating the best architecture for honoring this request.

Both AppSync and Cognito have WAF integrations. Our application is multi-tenant and today we have a single user pool and single domains for AppSync API calls and subscriptions. Typically enterprise customers are using SSO, which we've implemented with Cognito. We've considered injecting tenant information as a custom Cognito attribute and injecting a custom HTTP tenant header. In theory, this would allow us to write a WebACL of the basic form

(tenant === 'enterprise-1' and IP address in allowlist-enterprise-1) or
(tenant === 'enterprise-2' and IP address in allowlist-enterprise-2) or
...

There are several issues with this approach, and we're hoping there are better alternatives:

  • Maintaining the rules would be ad-hoc and manual. We currently have a highly automated devops environment and don't want to deviate from our current approach.
  • We could generate WebACLs via the API, but then we would essentially have to rewrite a subset of the WAF interface. This isn't a place where we want to invest product resources.
  • In our current model, traffic from all tenants would be processed by a single set of WAF rules.
  • The enterprise tenant header is obviously easily spoofed, so we also need to add a custom Cognito authenticator to ensure the header is present for tenants that have opted into this behavior.

This seems like it would be a common problem for SaaS vendors and we're hoping there are more elegant solutions. Note that we're great developers, average cloud architects. As such, we're comfortable with Cognito triggers, the CDK, custom lambdas, etc. We are open, but not thrilled, to deploying a dedicated AppSync instance via the CDK for each enterprise customer. In this case we would like to be able to route traffic based on the URL pattern. For example, enterprise1.api.serenityconnect.com routes to the AppSync instance for enterprise 1, etc. (using AppSync custom domains).

(Also note: we've considered VPN-to-VPN tunneling, but it adds a lot of deployment friction. We're completely serverless, i.e., no containers or EC2, so we don't currently have any gateways in our architecture.)

What architectural approaches are recommended for addressing this issue? Are we better off attacking this from Cognito, AppSync, or do we need to do both? Should we be operating at the network layer and placing a network gateway in front, which routes to serverless AppSync?
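The per-tenant rule shape sketched in the question, worked through as an added example (this is not code from the question or from AWS): it generates WAFv2 rule dictionaries in the shape the `wafv2` `CreateWebACL`/`UpdateWebACL` API expects, with one `AndStatement` of a `ByteMatchStatement` on the tenant header and an `IPSetReferenceStatement` per tenant, and then simulates the ACL locally so the behavior can be checked offline. The tenant IDs, CIDRs, header name `x-tenant-id` and IPSet ARNs are constructed placeholders; the simulation is a local model of the generated rules, not the WAF engine. The last case shows the bypass the question raises in its fourth bullet: if the default action has to be Allow (so tenants that did not opt in still get through), a request that simply omits the header matches no rule and is allowed, which is why header presence must be enforced in the authorizer and not in the ACL.

```python
import ipaddress
from typing import Dict, List

# Constructed tenant configuration (placeholder values, not from the question):
# tenant id -> allow-listed CIDR ranges.
TENANT_ALLOWLISTS: Dict[str, List[str]] = {
    "enterprise-1": ["203.0.113.0/24", "198.51.100.10/32"],
    "enterprise-2": ["192.0.2.0/25"],
}

# Assumed name of the custom header injected by the client/authorizer.
TENANT_HEADER = "x-tenant-id"


def ip_set_arn(tenant: str) -> str:
    """Placeholder ARN for the tenant's WAFv2 IPSet; a real one comes from CreateIPSet."""
    return f"arn:aws:wafv2:REGION:ACCOUNT:regional/ipset/allowlist-{tenant}/PLACEHOLDER"


def build_tenant_rule(tenant: str, priority: int) -> dict:
    """One WAFv2 rule: tenant header == tenant AND source IP in the tenant's IPSet -> Allow."""
    return {
        "Name": f"allow-{tenant}",
        "Priority": priority,
        "Statement": {
            "AndStatement": {
                "Statements": [
                    {
                        "ByteMatchStatement": {
                            "SearchString": tenant.encode(),  # boto3 expects bytes here
                            "FieldToMatch": {"SingleHeader": {"Name": TENANT_HEADER}},
                            "TextTransformations": [{"Priority": 0, "Type": "NONE"}],
                            "PositionalConstraint": "EXACTLY",
                        }
                    },
                    {"IPSetReferenceStatement": {"ARN": ip_set_arn(tenant)}},
                ]
            }
        },
        "Action": {"Allow": {}},
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": f"allow-{tenant}",
        },
    }


def build_web_acl_rules(allowlists: Dict[str, List[str]]) -> List[dict]:
    """Generate the full rule list from the tenant config; priorities must be unique."""
    return [build_tenant_rule(t, i) for i, t in enumerate(sorted(allowlists))]


def evaluate(rules: List[dict], allowlists: Dict[str, List[str]],
             headers: Dict[str, str], source_ip: str, default_action: str = "Block") -> str:
    """Local simulation of the generated ACL: first matching rule wins, else default action.

    The IPSet lookup is simulated from the same allowlist config the rules were built from.
    """
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    tenant_hdr = lowered.get(TENANT_HEADER)
    ip = ipaddress.ip_address(source_ip)
    for rule in sorted(rules, key=lambda r: r["Priority"]):
        stmts = rule["Statement"]["AndStatement"]["Statements"]
        wanted = stmts[0]["ByteMatchStatement"]["SearchString"].decode()
        header_ok = tenant_hdr == wanted  # EXACTLY with no text transformation
        ip_ok = any(ip in ipaddress.ip_network(c) for c in allowlists[wanted])
        if header_ok and ip_ok:
            return next(iter(rule["Action"]))  # "Allow"
    return default_action


if __name__ == "__main__":
    rules = build_web_acl_rules(TENANT_ALLOWLISTS)
    print(evaluate(rules, TENANT_ALLOWLISTS, {TENANT_HEADER: "enterprise-1"}, "203.0.113.7"))
    # Header omitted with a permissive default: nothing matches, request goes through.
    print(evaluate(rules, TENANT_ALLOWLISTS, {}, "192.0.2.200", default_action="Allow"))
```

Generating the rules from a config file keeps the allowlists under version control and out of the console, which addresses the first two bullets; the simulation is the unit test you would run in CI before pushing an updated ACL. Note that WAF only sees the header value, so the rule cannot tell a legitimate `enterprise-1` user from anyone who sends that string; the rule is only sound if the authorizer guarantees the header is present and correct for every opted-in tenant.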

1 Answer
0

Hi, you seem extremely precise on what you need. So, I would suggest you read in detail this recent whitepaper, "SaaS Lens - AWS Well-Architected Framework", which applies the Well-Architected Framework specifically to SaaS.

See https://docs.aws.amazon.com/pdfs/wellarchitected/latest/saas-lens/wellarchitected-saas-lens.pdf#saas-lens

On your particular questions, the sections about Silo, Pool & Bridge models and the corresponding isolation levels will provide good guidance.

Best,

Didier

AWS EXPERT
answered 9 months ago
