In this hands-on session, we crack open the IDE and transform a SaaS web app comprised of several monolithic single-tenant environments into an efficient, scalable, and secure multi-tenant SaaS platform using ReactJS and NodeJS serverless microservices. We use Amazon API Gateway and Amazon Cognito to simplify the operation and security of the service’s API and identity functionality. We enforce tenant isolation and data partitioning with OIDC’s JWT tokens. We leverage AWS SAM and AWS Amplify to simplify authoring, testing, debugging, and deploying serverless microservices, keeping operational burden to a minimum, maximizing developer productivity, and maintaining a great developer experience.

2. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Optimize Your SaaS Offering
with Serverless Microservices
Gerardo Estaba
Solutions Architect
Amazon Web Services
G P S T E C 4 0 5

3. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Pixabay / Free-Photos
https://creativecommons.or
g/publicdomain/zero/1.0/

4. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Meet DoCaaS
Deck of Cards as a Service!
 Create decks
 Get decks
 Shuffle decks
 Deal game

5. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

6. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Current state: Codebase/application
 1:1 customer:codebase mapping
 100s ReactJS codebases
 100s NodeJS codebases
 Bespoke functionality per customer
 Manual sign-up

7. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Current state: Infrastructure
EC2
DynamoDB
Dedicated infrastructure 1 Dedicated infrastructure 2 100s Dedicated infrastructure
Customer 1 Customer 2 100s Customers…
…
…
 1:1 customer:infra mapping
 Bespoke configuration per customer
 100s single-tenant monoliths
 Hard to scale
 Underutilized infra
 Disruptive releases
 Manual provisioning for new users
EC2
DynamoDB
EC2
DynamoDB

8. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
What we want: Speed
1. Self-service sign-up
2. Consolidate customer codebases
3. Centralized multi-tenant infrastructure
4. Break the monoliths into serverless microservices

9. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
API
End goal
Authentication
(User Pools)
All customers
S3
Authorization
(Identity Pools)

10. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Current state: Identity
HTTP request header
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9,es;q=0.8,pt;q=0.7
Authorization: Basic Z2VyYXJkbzphc2Q=
Connection: keep-alive
DNT: 1
Host: customer1.estaba.net
If-None-Match: W/"11e-XXgiz47lFqcMcRw6gu7QC8B5BzA"
Referer: https://customer1.estaba.net/app/index.html
id username password
user customer1 asd
… … …
Front-end: Basic Auth Back-end: Stored in DB

11. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
User flows
☐ Optionally customizable flows
☐ Registration
☐ Verify email/phone
☐ Secure sign-in
☐ Forgot password
☐ Change password
☐ Sign-out
Security requirements
☐ Secure password handling (SRP)
☐ Scalable to 100s of millions of users
☐ MFA and password policies
☐ Encrypt all data server-side
☐ HIPAA, PCI-DSS, ISO, SOC
☐ OAuth 2.0, SAML 2.0, OpenID Connect
☐ Built-in, customizable web UI
Identity
Amazon Cognito
User Pools

12. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon Cognito
Sign-up
Successful registration
Confirm registration
Verification SMS / Email
Register
Front
end
Back
end

13. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Sign-up, sign-in
JWT Tokens
Authenticate (via SRP)
Successful registration
Confirm registration
Verification SMS / Email
Register
Front
end
Back
end
Amazon Cognito

14. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Sign-up, sign-in, validation
JWT Tokens
Authenticate (via SRP)
Successful registration
Confirm registration
Verification SMS / Email
Register
Request with JWT Tokens
Front
end
JWTTokensvalid?
Y/N
Back
end
Amazon Cognito

15. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
JWT token: jwt.io
eyJraWQiOiI5ZXJydERLbHRxOFl3YUp5MkdadE9ieWtSREVBO
VNCNGlEVDZ2V21UZVFFPSIsImFsZyI6IlJTMjU2In0.eyJzdW
IiOiI2ZjU1NzM2OC1hODg0LTQ4NGUtYjY2Mi05ZmM2OWYzYzM
4MDIiLCJhdWQiOiI2bGtmczcwcm92a3ViaXJoMXF0bnR2ajAx
MiIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJ0b2tlbl91c2UiO
iJpZCIsImF1dGhfdGltZSI6MTQ3ODQ0OTA2MCwiaXNzIjoiaH
R0cHM6XC9cL2NvZ25pdG8taWRwLnVzLWVhc3QtMS5hbWF6b25
hd3MuY29tXC91cy1lYXN0LTFfWE1sVVc5c1V5IiwiY29nbml0
bzp1c2VybmFtZSI6InRlc3QxMjMiLCJleHAiOjE0Nzg0NTI2N
jAsImdpdmVuX25hbWUiOiJUZXN0IiwiaWF0IjoxNDc4NDQ5MD
YwLCJmYW1pbHlfbmFtZSI6IlRlc3QiLCJlbWFpbCI6InRyYW5
qaW1AYW1hem9uLmNvbSJ9.atQO0SJg9V97d6t
YonHNx0q7Zuof8-d-q0u69zNnuSJtmzGvOAW97tP2e3GydY9
K8q_2kG2IzkpEMUEdaeWjz2qG5dS328Scm6pRDPpC5pOkU8ym
jH7DBPfVXhtgS3iOhyleFhtmaTaYb_lYLpaaV10m8sVFOMHtj
dfrAm26Fq7zyjWYTSfzhqud29Ti4zn9PhcE7aL3s7BB8CJ18_
yFXSoG5CYCpLszvHazx1cbmPoXFrlFlPvZ07Oy8EbOaGs4Cuk
moYiV-5RnZsA9JXj405Kp50k-v8HCL6ZACDw3OYMV87P
e6PuEqbzQLlc8BufKThm0xBiO6NJtvI7iC2sEIQ
{
"kid":"9errtDKltq8YwaJy2GZtObykRDEA9SB4iDT6vWmTeQE=",
"alg":"RS256”
}
Header
{
"sub":"6f557368-a884-484e-b662-9fc69f3c3802",
"aud":"6lkfs70rovkubirh1qtntvj012",
"email_verified":true,
"token_use":"id",
"auth_time":1478449060,
"iss":"https://cognito-idp.us-east-1.amazonaws.com
/us-west-2_XMlUW9sUy",
"cognito:username":"test123",
"exp":1478452660,
"given_name”:"Test",
"iat":1478449060,
"family_name":"Test",
"email":”test@example.com"
}
Payload
Signature
HMACSHA256(base64UrlEncode(header) + "." +
base64UrlEncode(payload), {secret});Identity token -> OIDC Claims

16. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Demo 1
API
Authentication
(User Pools)
Customers
S3
Authorization
(Identity Pools)

17. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Amplify
Easy-to-use library
aws-amplify.github.io
Powerful toolchain Beautiful UI components

18. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Demo 1 summary
Amazon Cognito
User Pools
1. Self-service sign-up + sign-in
2. Secure flows (SRP, OAuth 2.0, OIDC)
3. AWS Amplify = Libraries + Toolchain + UI

19. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
What we want: Speed
1. Self-service sign up
2. Consolidate customer codebases
3. Centralized multi-tenant infrastructure
4. Break the monolith into serverless microservices

20. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
API
Demo 2
Authentication
(User Pools)
Customers
S3
Authorization
(Identity Pools)

21. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Bronze Silver
Create Yes Yes
Get Yes Yes
Game Yes Yes
Shuffle Yes
Standardize service offerings
Create “plan” custom attribute

22. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Access control to API Gateway with Lambda Authorizer
Bronze Silver
Create Yes Yes
Get Yes Yes
Deal Yes Yes
Shuffle Yes
Amazon
API Gateway
AWS
Lambda
Authorizer
function
Client
Request with tokens
Policy evaluated
Policy cached
Allowed Back
end
Denied
Tokens + Context
"plan": ”...”
"sub": ”...”
"accessKeyId": ”...”
"secretAccessKey": ”...”
"sessionToken": ”...”
"identityId": ”...”

23. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Data partitioning with IAM policy
{
"Sid": ”DecksTable",
"Effect": "Allow",
"Action": [
"dynamodb:GetItem",
"dynamodb:BatchGetItem",
"dynamodb:Query",
"dynamodb:PutItem"
],
"Resource": "arn:aws:dynamodb:us-west-2:*:table/decks”,
"Condition": {
"ForAllValues:StringLike": {
"dynamodb:LeadingKeys":
”${cognito-identity.amazonaws.com:sub}-*"
}
}
}
<userid>-<deckid>

24. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Serverless Application Model (SAM)
AWS CloudFormation extension optimized for
serverless
Serverless resource types: Functions, APIs, and tables
and any resource AWS CloudFormation supports
Supports parameters, mappings, outputs, global
variables, intrinsic functions, and some ImportValues
github.com/awslabs/serverless-application-model

25. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
CLI tool for local test, debug, and deploy serverless apps
Author Test Debug
Author/Test/Debug
CI/CD
Deploy
 No waiting
 No interruptions
SAM CLI

26. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Create sample app
Invoke Lambda functions locally
Mock AWS Lambda endpoint
Mock API Gateway endpoint
Generate sample event sources
Live debugging
pip install aws-sam-cli
github.com/awslabs/aws-sam-cli
SAM CLI

27. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Demo 2 summary
1. OIDC + SaaS
2. = less code + less process = speed
3. Simplified dev experience
4. Dev Speed with
Author Test Debug
Author/Test/Debug

28. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

29. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
API
Demo 3
Authentication
(User Pools)
Customers
S3
Authorization
(Identity Pools)

30. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
From hundreds of datastores to three
All users
…
All decks
All games
id username password cards score
user gerardo asd
deck-<deckid> […] […]
deck-<deckid> […] […]
deck-<deckid> […] […]
… … … … …
id cards
<userid>-<deckid> […]
<userid>-<deckid> […]
<userid>-<deckid> […]
… …
id score
<userid>-<deckid> […]
<userid>-<deckid> […]
<userid>-<deckid> […]
… …

31. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
1. Microservices make apps easier to scale and faster to develop
2. Independent datastores FTW!
3. Join the serverless revolution
Demo 3 summary

32. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
What we want have: Speed
 Self-service sign-up
 Consolidate customer codebases
 Centralized multi-tenant infrastructure
 Break the monolith into serverless microservices

33. “Customers want to cut the deck!”
Respectable CEO,
Deck of Cards as a Service
Demo 4

34. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Bronze Silver Gold
Create Yes Yes Yes
Get Yes Yes Yes
Game Yes Yes Yes
Shuffle Yes Yes
Cut Yes
New service offering

35. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
API
Authentication
(User Pools)
Customers
S3
Authorization
(Identity Pools)
Demo 4

36. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Takeaways
 Simplify operations: Multi-tenant SaaS
 OIDC + SaaS
 Dev experience: Abstract security complexity
 Serverless microservices = Scale + Speed
 AWS Amplify + AWS SAM + SAM CLI

37. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Resources
Repo: github.com/ge8/DoCaaS
AWS SaaS Factory: aws.amazon.com/partners/saas-factory
SaaS identity and isolation with Amazon Cognito AWS Quick Start
aws.amazon.com/quickstart/saas/identity-with-cognito
AWS Amplify: aws-amplify.github.io
AWS Serverless Application Model (SAM):
github.com/awslabs/serverless-application-model
AWS SAM CLI: github.com/awslabs/aws-sam-cli

38. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

39. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Pixabay / Free-Photos
https://creativecommons.or
g/publicdomain/zero/1.0/

40. Thank you!
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Gerardo Estaba
Solutions Architect
Amazon Web Services
linkedin.com/in/estaba