Merge pull request #2895 from biswanathmukherjee/biswanathmukherjee-feature-apigw-lambda-tenant-isolation

AWS Lambda tenant isolation

Author: julianwood

apigw-lambda-tenant-isolation/README.md

@@ -0,0 +1,205 @@
+# Multi-tenant API with AWS Lambda tenant isolation
+
+This sample project demonstrates tenant isolation mode of AWS Lambda functions by comparing two Lambda functions - one with tenant isolation enabled and one without. The demonstration uses in-memory counters to visually show how tenant isolation provides separate execution environments for different tenants.
+
+## Requirements
+
+- [Create an AWS account](https://portal.aws.amazon.com/gp/aws/developer/registration/index.html) if you do not already have one and log in. The IAM user that you use must have sufficient permissions to make necessary AWS service calls and manage AWS resources.
+- [AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html) installed and configured
+- [Git Installed](https://git-scm.com/book/en/v2/Getting-Started-Installing-Git)
+- [AWS Serverless Application Model](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/serverless-sam-cli-install.html) (AWS SAM) installed
+- [Python 3.14 or above](https://www.python.org/downloads/) installed
+
+
+## Deployment Instructions
+
+1. Create a new directory, navigate to that directory in a terminal and clone the GitHub repository:
+
+   ```bash
+   git clone https://github.com/aws-samples/serverless-patterns
+   ```
+
+2. Change directory to the pattern directory:
+
+   ```bash
+   cd serverless-patterns/apigw-lambda-tenant-isolation
+   ```
+
+3. From the command line, run the following commands:
+
+   ```bash
+   sam build
+   sam deploy --guided --capabilities CAPABILITY_NAMED_IAM
+   ```
+
+4. During the prompts:
+
+   - Enter a stack name
+   - Enter the desired AWS Region e.g. `us-east-1`.
+   - Allow SAM CLI to create IAM roles with the required permissions.
+   - Keep default values to the rest of the parameters.
+
+   Once you have run `sam deploy --guided` mode once and saved arguments to a configuration file (samconfig.toml), you can use `sam deploy` in future to use these defaults.
+
+5. Note the outputs from the SAM deployment process. These contain the resource names and/or ARNs which are used for next step as well as testing.
+
+## How it works
+
+The SAM template deploys two Lambda functions - one with tenant isolation mode enabled, and another with tenant mode disabled.
+
+![End to End Architecture](diagram/architecture.png)
+
+Here's a breakdown of the steps:
+
+1. **Standard AWS Lambda Function**: Receives tenant headers (`x-tenant-id`) but shares execution environment across all tenants. The counter variable, when increased for one tenant, impacts the other tenants (demonstrates the limitation)
+
+2. **Tenant-Isolated AWS Lambda Function**: Maintains separate execution environments per tenant using AWS Lambda tenant isolation mode (demonstrates the solution)
+
+3. **Amazon API Gateway**: Provides REST endpoints for both functions with header mapping
+
+## Testing
+
+Use [curl](https://curl.se/) to send a HTTP POST request to the API. Make sure to replace `api-id` with the one from your `sam deploy --guided` output:
+
+### Standard Function (The limitation)
+
+The standard function receives tenant headers but cannot isolate tenants - all requests share the same counter:
+
+Replace with `StandardMultiTenantAPIEndpointUrl`:
+
+```bash
+STANDARD_URL="https://your-api-id.execute-api.region.amazonaws.com/dev/standard"
+```
+
+BlueTenant request:
+
+```bash
+curl -H "tenant-id: BlueTenant" "$STANDARD_URL"
+```
+
+Response:
+
+```bash
+{
+  "counter": 1,
+  "tenant_id": "BlueTenant",
+  "isolation_enabled": false,
+  "message": "Counter incremented successfully - SHARED across all tenants! (Received tenant: BlueTenant)",
+  "warning": "This function does NOT provide tenant isolation - all tenants share the same counter!"
+}
+```
+
+RedTenant request:
+
+```bash
+curl -H "x-tenant-id: RedTenant" "$STANDARD_URL"
+```
+
+Response:
+
+```bash
+{
+  "counter": 2,
+  "tenant_id": "RedTenant",
+  "isolation_enabled": false,
+  "message": "Counter incremented successfully - SHARED across all tenants! (Received tenant: RedTenant)",
+  "warning": "This function does NOT provide tenant isolation - all tenants share the same counter!"
+}
+```
+
+GreenTenant request:
+
+```bash
+curl -H "x-tenant-id: GreenTenant" "$STANDARD_URL"
+```
+
+Response:
+
+```bash
+{
+  "counter": 3,
+  "tenant_id": "GreenTenant",
+  "isolation_enabled": false,
+  "message": "Counter incremented successfully - SHARED across all tenants! (Received tenant: GreenTenant)",
+  "warning": "This function does NOT provide tenant isolation - all tenants share the same counter!"
+}
+```
+
+Continue to invoke the API for different tenants. Note the `counter` values. As all the three tenants are reusing the same Lambda execution environment, the counter variable is also shared and continuously increasing across tenants.
+
+### Isolated Function (The solution)
+
+The isolated function provides true tenant isolation - each tenant gets separate Lambda execution environments:
+
+Replace with `IsolatedTenantAPIEndpointUrl`:
+
+```bash
+
+ISOLATED_URL="https://your-api-id.execute-api.region.amazonaws.com/dev/isolated"
+```
+
+BlueTenant requests (independent counter):
+
+```bash
+curl -H "x-tenant-id: BlueTenant" "$ISOLATED_URL"
+```
+
+Response:
+
+```bash
+{
+  "counter": 1,
+  "tenant_id": "BlueTenant",
+  "isolation_enabled": true,
+  "message": "Counter incremented successfully for tenant BlueTenant"
+}
+```
+
+GreenTenant requests (separate independent counter):
+
+```bash
+curl -H "x-tenant-id: GreenTenant" "$ISOLATED_URL"
+```
+
+Response:
+
+```bash
+{
+  "counter": 1,
+  "tenant_id": "GreenTenant",
+  "isolation_enabled": true,
+  "message": "Counter incremented successfully for tenant GreenTenant"
+}
+```
+
+Continue to invoke the API for different tenants. Note the `counter` values. Each tenant maintains independent counters (BlueTenant: 1→2→3, GreenTenant: 1→2), showing true isolation.
+
+### Monitoring
+
+Check CloudWatch logs to see tenant isolation in action:
+
+```bash
+# View logs for standard function
+aws logs filter-log-events \
+  --log-group-name "/aws/lambda/your-stack-name-counter-standard" \
+  --start-time $(date -d '10 minutes ago' +%s)000
+
+# View logs for isolated function (notice tenantId in platform events)
+aws logs filter-log-events \
+  --log-group-name "/aws/lambda/your-stack-name-counter-isolated" \
+  --start-time $(date -d '10 minutes ago' +%s)000
+```
+
+## Cleanup
+
+1. To delete the resources deployed to your AWS account via AWS SAM, run the following command:
+
+```bash
+sam delete
+```
+
+---
+
+Copyright 2026 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+
+SPDX-License-Identifier: MIT-0

apigw-lambda-tenant-isolation/apigw-lambda-tenant-isolation.yaml

@@ -0,0 +1,78 @@
+{
+    "title": "Multi-tenant API with AWS Lambda tenant isolation",
+    "description": "This sample project demonstrates the tenant isolation mode of AWS Lambda functions.",
+    "language": "Python",
+    "level": "200",
+    "framework": "AWS SAM",
+    "introBox": {
+        "headline": "How it works",
+        "text": [
+            "Amazon API Gateway receives the HTTP GET request with tenant id in the header x-tenant-id.",
+            "The API Gateway triggers either the standard or the tenant isolated Lambda functions depending on the URI.",
+            "Observe the counter variable value between standard and tenant isolation mode enabled Lambda function as you invoke the APIs for different tenant."
+        ]
+    },
+    "gitHub": {
+        "template": {
+            "repoURL": "https://github.com/aws-samples/serverless-patterns/tree/main/apigw-lambda-tenant-isolation",
+            "templateURL": "serverless-patterns/apigw-lambda-tenant-isolation",
+            "projectFolder": "apigw-lambda-tenant-isolation",
+            "templateFile": "template.yaml"
+        }
+    },
+    "resources": {
+        "bullets": [
+            {
+                "text": "AWS Lambda tenant isolation",
+                "link": "https://docs.aws.amazon.com/lambda/latest/dg/tenant-isolation.html"
+            },
+            {
+                "text": "AWS Blog - Building multi-tenant SaaS applications with AWS Lambda’s new tenant isolation mode",
+                "link": "https://aws.amazon.com/blogs/compute/building-multi-tenant-saas-applications-with-aws-lambdas-new-tenant-isolation-mode/"
+            }
+        ]
+    },
+    "deploy": {
+        "text": [
+            "sam build",
+            "sam deploy --guided"
+        ]
+    },
+    "testing": {
+        "text": [
+            "See the GitHub repo for detailed testing instructions."
+        ]
+    },
+    "cleanup": {
+        "text": [
+            "Delete the stack: <code>sam delete</code>."
+        ]
+    },
+    "authors": [
+        {
+            "name": "Biswanath Mukherjee",
+            "image": "https://serverlessland.com/assets/images/resources/contributors/biswanath-mukherjee.jpg",
+            "bio": "I am a Sr. Solutions Architect working at AWS India. I help strategic global enterprise customer to architect their workload to run on AWS.",
+            "linkedin": "biswanathmukherjee"
+        }
+    ],
+    "patternArch": {
+        "icon1": {
+            "x": 20,
+            "y": 50,
+            "service": "apigw",
+            "label": "API Gateway REST API"
+        },
+        "icon2": {
+            "x": 80,
+            "y": 50,
+            "service": "lambda",
+            "label": "AWS Lambda"
+        },
+        "line1": {
+            "from": "icon1",
+            "to": "icon2",
+            "label": "Request by tenant"
+        }
+    }
+}

apigw-lambda-tenant-isolation/diagram/architecture.png

@@ -0,0 +1,59 @@
+{
+  "title": "Multi-tenant API with AWS Lambda functions tenant isolation",
+  "description": "This sample project demonstrates tenant isolation mode of AWS Lambda functions.",
+  "language": "Python",
+  "level": "200",
+  "framework": "AWS SAM",
+  "introBox": {
+    "headline": "How it works",
+    "text": [
+      "Amazon API Gateway receives the HTTP GET request with tenant id in the header x-tenant-id.",
+      "The API Gateway triggers either the standard or the tenant isolated Lambda functions depending on the URI.",
+      "Observe the counter variable value between standard and tenant isolation mode enabled Lambda functions are you invoke the APIs for different tenant."
+    ]
+  },
+  "gitHub": {
+    "template": {
+      "repoURL": "https://github.com/aws-samples/serverless-patterns/tree/main/apigw-lambda-tenant-isolation",
+      "templateURL": "serverless-patterns/apigw-lambda-tenant-isolation",
+      "projectFolder": "apigw-lambda-tenant-isolation",
+      "templateFile": "template.yaml"
+    }
+  },
+  "resources": {
+    "bullets": [
+      {
+        "text": "AWS Lambda tenant isolation",
+        "link": "https://docs.aws.amazon.com/lambda/latest/dg/tenant-isolation.html"
+      },
+      {
+        "text": "AWS Blog - Building multi-tenant SaaS applications with AWS Lambda’s new tenant isolation mode",
+        "link": "https://aws.amazon.com/blogs/compute/building-multi-tenant-saas-applications-with-aws-lambdas-new-tenant-isolation-mode/"
+      }      
+    ]
+  },
+  "deploy": {
+    "text": [
+      "sam build",
+      "sam deploy --guided"
+    ]
+  },
+  "testing": {
+    "text": [
+      "See the GitHub repo for detailed testing instructions."
+    ]
+  },
+  "cleanup": {
+    "text": [
+      "Delete the stack: <code>sam delete</code>."
+    ]
+  },
+  "authors": [
+    {
+      "name": "Biswanath Mukherjee",
+      "image": "https://serverlessland.com/assets/images/resources/contributors/biswanath-mukherjee.jpg",
+      "bio": "I am a Sr. Solutions Architect working at AWS India. I help strategic global enterprise customer to architect their workload to run on AWS.",
+      "linkedin": "biswanathmukherjee"
+    }   
+  ]
+}