Multi-Tenant SaaS on Serverless Architecture
EFS DevOps built an enterprise-grade multi-tenant SaaS platform on AWS Serverless with per-tenant isolation, reference-based secrets, an extension system, and audit-ready compliance — running 8 active tenants at ~$2.63/tenant/month.
The Challenge
- One database, shared secrets across all tenants — no isolation
- Tenant traffic spikes affecting other tenants
- Shared secrets making auditing impossible
- Feature deployment conflicts risking all tenants simultaneously
- Needed: separate fault domains, secret rotation without redeployment, modular extensions, compliance artifacts on demand
Architecture (Serverless Framework v4)
Orchestrator (Control Plane)
Manages tenant lifecycle, billing webhooks, and telemetry. Does not execute tenant workloads — strict separation of control and data planes.
Tenant Stacks (Execution Plane)
Each tenant gets dedicated Lambda, API Gateway, and DynamoDB with full IAM, data, and secret isolation. Cross-tenant data access is architecturally impossible.
Reference-Based Secrets
Pointers in SSM Parameter Store / Secrets Manager resolved at runtime with TTL caching and webhook-driven rotation. Eliminates redeployments for credential changes. Tenant-specific IAM prevents cross-tenant access. Webhook rotation updates secrets in <1 second.
Extension System
Modular handlers, services, and models auto-loaded per tenant at startup. Example: the Avalara–Cetec tax integration was added as three extensions with zero core modifications.
Tenant-Aware Observability
Tenant-scoped logs, metrics, and health endpoints. Audit trails exportable in minutes for compliance review.
Results
| Metric | Result |
|---|---|
| Active Tenants | 8 |
| Monthly API Calls | ~12,000 |
| API Keys Rotated | 16 via webhook with zero downtime |
| Deployment Frequency | 2–3 times/week (extensions only) |
| AWS Cost | ~$21/month (~$2.63/tenant) |
| Peak Throughput | 2,000 requests/second/tenant without affecting others |
Lessons Learned
- Validate secret references on write to avoid downstream cache errors
- Cap caches with LRU eviction to prevent Lambda memory bloat
- Treat pagination as first-class — external APIs may return 50,000+ records
- Match local development to production environments for accurate testing
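The reference-based secrets design and the first two lessons above (validate references on write, cap caches with LRU eviction) can be combined in one resolver. The sketch below is an added example, not EFS DevOps' code. The `ssm:/tenants/<tenant_id>/<name>` reference format, the class and function names, and the injected `fetch` callable are assumptions made for illustration.

```python
import re
import time
from collections import OrderedDict

# Assumed reference format (not from the page): ssm:/tenants/<tenant_id>/<name>
REF_RE = re.compile(r"ssm:/tenants/(?P<tenant>[a-z0-9-]{1,32})/(?P<name>[A-Za-z0-9_-]{1,64})")

class SecretRefError(ValueError):
    """Raised for a malformed reference or one outside the tenant's namespace."""

def validate_ref(tenant_id, ref):
    """Run when a reference is written, and again before every resolve."""
    m = REF_RE.fullmatch(ref)
    if m is None:
        raise SecretRefError(f"malformed secret reference: {ref!r}")
    if m.group("tenant") != tenant_id:
        raise SecretRefError("reference is outside the tenant's namespace")
    return ref

class SecretResolver:
    """Resolves references at runtime through a TTL cache capped with LRU eviction."""

    def __init__(self, fetch, ttl=300.0, max_entries=64, clock=time.monotonic):
        # fetch(ref) -> str is injected; in Lambda it would wrap the SSM or
        # Secrets Manager client call. Here it is a stub so the code runs offline.
        self._fetch, self._ttl, self._max, self._clock = fetch, ttl, max_entries, clock
        self.cache = OrderedDict()  # ref -> (expires_at, value), oldest first

    def resolve(self, tenant_id, ref):
        validate_ref(tenant_id, ref)
        hit = self.cache.get(ref)
        if hit is not None and hit[0] > self._clock():
            self.cache.move_to_end(ref)  # mark as most recently used
            return hit[1]
        value = self._fetch(ref)  # miss or expired: go to the backing store
        self.cache[ref] = (self._clock() + self._ttl, value)
        self.cache.move_to_end(ref)
        while len(self.cache) > self._max:
            self.cache.popitem(last=False)  # evict least recently used
        return value

    def on_rotation(self, ref):
        """Called by the rotation webhook: drop the entry so the next resolve refetches."""
        return self.cache.pop(ref, None) is not None

if __name__ == "__main__":
    store = {"ssm:/tenants/acme/api-key": "constructed-value"}  # constructed sample data
    resolver = SecretResolver(store.__getitem__, ttl=60)
    print(resolver.resolve("acme", "ssm:/tenants/acme/api-key"))
```

A rotation webhook reaches only the execution environment that handles it; other warm environments keep the old value until the TTL expires, so the TTL is the upper bound on staleness.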
AWS Services
AWS Lambda, Amazon API Gateway, Amazon DynamoDB, AWS SSM Parameter Store, AWS Secrets Manager, IAM, Serverless Framework v4.