2

My Dynamo Tables have tenant_id as the partition key in my multi-tenant application but my partition key also has other types of entities in it in addition to tenant_id.

For example: (This is a small example, we are using this pattern throughout)

PK                       SK          Att
Customer-4312a674-54a    user-abc    672453782
user-abc                 user-abc    672453782

I would like to use dynamodb:LeadingKeys to ensure data of one tenant can never be accessed by another tenant. How can I go about that in this case, when the PK is overloaded and has other entities in it as well?

systemdebt
  • 1
    Just to clarify: The tenants need access to both types of information (i.e. those that have the tenant-id-prefix and those that don't)? My general suggestion would be to use the tenant-id as a prefix for all tenant-specific data. For data that is shared between tenants you could add a separate policy statement with an allow. – Maurice Dec 25 '20 at 12:12
  • 1
    I don't see how it does, if it is the prefix for _every_ item belonging to that tenant, but I guess that depends on the access patterns you have. My assumption is that you have the tenant-id present when you do any query, since it appears to be a user-facing system and that may be part of the session info and thus can construct the correct key. – Maurice Dec 26 '20 at 20:36
  • That answers my question. Thank you – systemdebt Dec 26 '20 at 22:03
  • Happy to hear that, I'll add it as an answer. – Maurice Dec 28 '20 at 10:37

1 Answer

4

In a multi-tenant system my recommendation would be to add the tenant-id as a prefix to the partition key of all items belonging to the tenant. That way you can use the dynamodb:LeadingKeys condition for access control.

The tenant-id should be known at query time for every query anyway; my guess is that it's probably stored in the session information. This means you can add the tenant-id to every Key and still do partition key overloading.

Maurice
  • Do I need to use identity pool in addition to user pool to accomplish this? For example: https://stackoverflow.com/questions/43515393/cognito-user-pool-custom-attribute-in-iam-policy-conditions-with-dynamodb-fine-g – systemdebt Jan 08 '21 at 04:29
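
An illustration of the prefix approach from the answer above, added here and not part of the original thread: it builds tenant-prefixed partition keys, generates the matching dynamodb:LeadingKeys policy, and checks keys against it locally. The "#" separator, the table ARN and all function names are assumptions; the separator is what keeps one tenant's prefix pattern from also matching a longer tenant id.

```python
import fnmatch
import json

# Assumptions (not from the thread): "#" as separator, the placeholder table ARN,
# and the helper names. The tenant id is the sample PK value from the question.
SEP = "#"
TABLE_ARN = "arn:aws:dynamodb:us-east-1:111122223333:table/ExampleTable"

def tenant_pk(tenant_id, entity_key):
    """Overloaded partition key with the tenant id as a delimited prefix."""
    if not tenant_id or any(c in tenant_id for c in (SEP, "*", "?")):
        raise ValueError("tenant_id must be non-empty, without separator or wildcards")
    return f"{tenant_id}{SEP}{entity_key}"

def tenant_policy(tenant_id):
    """IAM policy allowing item access only under this tenant's key prefix."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            # Scan is omitted: it is not scoped to a partition key.
            "Action": ["dynamodb:GetItem", "dynamodb:Query", "dynamodb:PutItem",
                       "dynamodb:UpdateItem", "dynamodb:DeleteItem"],
            "Resource": TABLE_ARN,
            "Condition": {"ForAllValues:StringLike": {
                "dynamodb:LeadingKeys": [tenant_pk(tenant_id, "*")]}},
        }],
    }

def allowed(policy, partition_keys):
    """Local approximation of ForAllValues:StringLike over the requested keys."""
    cond = policy["Statement"][0]["Condition"]["ForAllValues:StringLike"]
    patterns = cond["dynamodb:LeadingKeys"]
    return all(any(fnmatch.fnmatchcase(pk, p) for p in patterns)
               for pk in partition_keys)

if __name__ == "__main__":
    policy = tenant_policy("Customer-4312a674-54a")
    print(json.dumps(policy, indent=2))
    # Constructed keys: own item, un-prefixed item, tenant with a longer id.
    for pk in ("Customer-4312a674-54a#user-abc", "user-abc",
               "Customer-4312a674-54ab#user-abc"):
        print(pk, allowed(policy, [pk]))
```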