
We plan a multi-tenant application using the AWS Timestream database. Unfortunately the database does not support any resource-based policy. To get the isolation we need to somehow proxy the query through a Lambda Function where we can control the query (see below). We put that behind an Appsync API. Ultimately we want to run queries from a user-frontend by a user who is associated with a certain tenant.

User -> Webapp -> Appsync -> Lambda -> Timestream

The query will need to have a certain condition like:

SELECT * FROM <database>.<table> WHERE tenantId = <tenantId>

Ideally we could model the query on the Webapp and send it to the backend. But as we need to protect against SQL injection attacks, I wonder if there is any possibility (like a global SQL scope, or proper validation, etc.) to make calls to the database in a secure (isolated) manner?

Otherwise we would have to model each query on the backend or specify some parameters of the query as input to a fixed query on the backend, which is doable but not as flexible as I would like.

pfried
  • Unable to understand the need for proxying the query to a Lambda function. The application can identify the tenant that is making the query for the data, which can be translated to the query filters, and use the AWS SDK or the AWS API for getting the data. – Saravanan Feb 23 '21 at 02:43
  • @Saravanan You sure can, but from the client side (customer webapp) I cannot assure you access only your own data (tenant isolation). Therefore I need extra logic which I need to run on the backend. – pfried Feb 24 '21 at 06:11
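The Lambda proxy sketched in the question, as an added example (not code from the question or its answer): the tenant is read from the identity AppSync attaches to the resolver event rather than from client input, and the client only picks allow-listed parts of a fixed query template, so no raw SQL from the Webapp ever reaches Timestream. The database, table and column names and the `custom:tenantId` claim are assumptions.

```python
import re
# Assumed for this example (not from the question): the database, the tables a
# tenant may read, the selectable columns and the Cognito claim naming the tenant.
DATABASE = "multitenant_db"
ALLOWED_TABLES = {"metrics", "events"}
ALLOWED_COLUMNS = {"time", "measure_name", "measure_value::double", "deviceId"}
TENANT_CLAIM = "custom:tenantId"
TENANT_ID_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")
MAX_HOURS, ROW_LIMIT = 24 * 30, 1000

class QueryRejected(ValueError):
    """Request does not fit the fixed template; nothing is sent to Timestream."""

def tenant_from_identity(identity: dict) -> str:
    """Tenant comes from the identity AppSync attaches, never from client args."""
    tenant = (identity.get("claims") or {}).get(TENANT_CLAIM, "")
    # Charset check means the value can sit inside a quoted literal unescaped.
    if not isinstance(tenant, str) or not TENANT_ID_RE.fullmatch(tenant):
        raise QueryRejected("identity has no valid tenant claim")
    return tenant

def build_query(identity: dict, args: dict) -> str:
    """Fill a fixed template from allow-listed parts: the tenant predicate is
    always present and the client never supplies raw SQL fragments."""
    tenant = tenant_from_identity(identity)
    table = args.get("table")
    if table not in ALLOWED_TABLES:
        raise QueryRejected(f"table not allowed: {table!r}")
    columns = args.get("columns") or sorted(ALLOWED_COLUMNS)
    if any(c not in ALLOWED_COLUMNS for c in columns):
        raise QueryRejected(f"columns not allowed: {columns}")
    hours = args.get("hours", 1)
    if type(hours) is not int or not 1 <= hours <= MAX_HOURS:
        raise QueryRejected(f"hours must be an int between 1 and {MAX_HOURS}")
    select = ", ".join(f'"{c}"' for c in columns)
    return (f'SELECT {select} FROM "{DATABASE}"."{table}" '
            f"WHERE \"tenantId\" = '{tenant}' AND time > ago({hours}h) "
            f"ORDER BY time DESC LIMIT {ROW_LIMIT}")

def rejects(identity: dict, args: dict) -> bool:
    """True when build_query refuses the request."""
    try:
        build_query(identity, args)
    except QueryRejected:
        return True
    return False

def handler(event: dict, _context=None) -> list:
    """AppSync Lambda resolver: event["identity"] is set by AppSync from the token."""
    query = build_query(event["identity"], event.get("arguments") or {})
    import boto3  # imported here so build_query can be exercised offline
    return boto3.client("timestream-query").query(QueryString=query)["Rows"]
```

The Timestream query API pages large results through NextToken; the single call in handler is enough for the bounded window and LIMIT used here.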

1 Answer

@pfried What about each tenant having their own Timestream table? Then different tenants can be assigned different IAM execution roles to ensure that they can only access their own table. Once you have this layer of protection, you can model your query on the client webapp without worrying about cross-tenant data access.

Notes:

  1. The maximum number of tables for Timestream is 50,000 per AWS account.
  2. Each tenant can have their own database, while the maximum number of databases for Timestream is 500 per AWS account.

See service quotas at: https://docs.aws.amazon.com/general/latest/gr/timestream.html

Yuci
  • I will accept it as an answer since there seems to be no other solution. We are now using a Lambda to do the separation (actually it's a TimescaleDB now) and isolating the context. Also I would worry a bit over having to manage 50k tables, as normally there is some data altering / migration (not for schemaless of course) work to do during the lifetime of an application. – pfried Aug 04 '22 at 12:43