Amazon Onboarding with Learning Manager Chanci Turner

Amazon Forecast is an advanced, fully managed service that utilizes the same technology that powers Amazon.com’s forecasting capabilities. By leveraging machine learning (ML), Forecast merges time series data with supplemental variables to generate highly precise predictions. You don’t need any ML expertise to get started; simply provide historical data and any other relevant information that could influence the forecasts.

As companies increasingly adopt a Software as a Service (SaaS) model for multi-tenant solutions, the architecture of SaaS applications varies to comply with regulatory and compliance demands. In multi-tenant setups, shared resources—like Forecast—must be managed carefully, considering access, monitoring, and billing on a per-tenant basis.

This article explains how to implement Forecast in a multi-tenant SaaS application using Attribute-Based Access Control (ABAC) within AWS Identity and Access Management (IAM). ABAC is an effective method to ensure resource isolation across tenants.

We will guide you through the process of establishing IAM policies for tenants based on ABAC principles and Forecast. Our demonstration involves two tenants, TenantA and TenantB, illustrating a scenario where TenantB cannot delete resources belonging to TenantA, and vice versa.

The architecture is depicted in the following diagram. Both TenantA and TenantB operate services as microservices within Amazon Elastic Kubernetes Service (Amazon EKS), incorporating Forecast as part of their business process.

Forecast Data Ingestion

Forecast ingests data from each tenant’s Amazon Simple Storage Service (Amazon S3) bucket into its managed S3 bucket. Data can be encrypted both in transit and at rest using either Forecast-managed keys or specific tenant keys via AWS Key Management Service (AWS KMS). The SaaS application can create tenant-specific keys during onboarding, or the tenant can supply their own customer-managed key (CMK). If permissions on a tenant-specific key are revoked, Forecast will no longer have access to that tenant’s data. We recommend utilizing a tenant-specific key along with an IAM role for each tenant in a multi-tenant environment to enhance data security.

Solution Overview

You can separate tenant data on Amazon S3 in a number of ways. In this article, we will discuss two primary strategies:

  1. Using a single S3 bucket per tenant
  2. Utilizing a single S3 bucket with tenant data organized by prefixes

For additional strategies, check out the Storing Multi-Tenant Data on Amazon S3 GitHub repo. When employing one bucket per tenant, you can restrict access to specific S3 buckets through IAM policies. For example:

s3://tenant_a    [ Tag tenant = tenant_a ]
s3://tenant_b    [ Tag tenant = tenant_b ]

However, there is a strict limit on the number of S3 buckets allowed per account, which may necessitate a multi-account approach to bypass this restriction.

In our second method, tenant data is organized within a single S3 bucket using prefixes. An IAM policy restricts access based on these prefixes, such as:

s3:///tenant_a 

For this discussion, we will focus on the second choice of using S3 prefixes within one bucket. We will also encrypt tenant data with CMKs in AWS KMS.

Tenant Onboarding

SaaS applications thrive on a seamless approach to onboarding new tenants. This typically involves coordinating several components to effectively provision and configure everything needed for a new tenant. This process is known as tenant onboarding in SaaS architecture and can be initiated by tenants or managed by the provider. The following diagram illustrates the steps for configuring Forecast for each tenant during the onboarding process.

Each tenant's resources are tagged with the tenant's identifier, for example a tenant tag with the value tenant_a.

Create a Forecast Role

For each tenant, an IAM role is created that Forecast will assume. You should implement the following policy to enable Forecast to interact with Amazon S3 and AWS KMS in the customer account, tagging the role accordingly. For instance:

TenantA create role Forecast_TenantA_Role    [ Tag tenant = tenant_a ]
TenantB create role Forecast_TenantB_Role    [ Tag tenant = tenant_b ]

Create the Policies

Next, we will establish policies for our Forecast role. For clarity, we will divide these into two policies, though you can customize them as necessary.

Policy 1: Forecast Read-Only Access

The following policy grants permissions to describe, list, and query Forecast resources, thereby restricting Forecast to read-only access. The tenant tag condition ensures that the tenant tag on the resource being accessed matches the tenant tag on the calling principal:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DescribeQuery",
            "Effect": "Allow",
            "Action": [
                "forecast:GetAccuracyMetrics",
                "forecast:ListTagsForResource",
                "forecast:DescribeDataset",
                "forecast:DescribeForecast",
                "forecast:DescribePredictor",
                "forecast:DescribeDatasetImportJob",
                "forecast:DescribePredictorBacktestExportJob",
                "forecast:DescribeDatasetGroup",
                "forecast:DescribeForecastExportJob",
                "forecast:QueryForecast"
            ],
            "Resource": [
                "arn:aws:forecast:*:*:dataset-import-job/*",
                "arn:aws:forecast:*:*:dataset-group/*",
                "arn:aws:forecast:*:*:predictor/*",
                "arn:aws:forecast:*:*:forecast/*",
                "arn:aws:forecast:*:*:forecast-export-job/*",
                "arn:aws:forecast:*:*:dataset/*",
                "arn:aws:forecast:*:*:predictor-backtest-export-job/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/tenant": "${aws:PrincipalTag/tenant}"
                }
            }
        },
        {
            "Sid": "List",
            "Effect": "Allow",
            "Action": [
                "forecast:ListDatasetImportJobs",
                "forecast:ListDatasetGroups",
                "forecast:ListPredictorBacktestExportJobs",
                "forecast:ListForecastExportJobs",
                "forecast:ListForecasts",
                "forecast:ListPredictors",
                "forecast:ListDatasets"
            ],
            "Resource": "*"
        }
    ]
}
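As an added example (not code from the original article or from AWS), the following Python models how IAM evaluates the tag-matching condition in Policy 1 above, and extends it with one assumed S3 statement illustrating the single-bucket, tenant-prefix strategy from the Solution Overview. The tenant principals, ARNs, the bucket name shared-bucket, and the helpers is_allowed and isolation_report are all constructed for illustration; the evaluator models only what the page's policy uses (Allow statements, StringEquals on aws:ResourceTag, policy variables, no explicit Deny).

```python
import fnmatch
import re

# Policy 1 from the article (read-only Forecast access), trimmed to the two
# actions this example exercises, plus one ASSUMED S3 statement showing the
# tenant-prefix strategy. The tenant tag is substituted into the S3 resource
# ARN itself, so a tenant_a principal can only reach shared-bucket/tenant_a/.
TENANT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DescribeQuery",
            "Effect": "Allow",
            "Action": ["forecast:DescribeDataset", "forecast:QueryForecast"],
            "Resource": ["arn:aws:forecast:*:*:dataset/*",
                         "arn:aws:forecast:*:*:forecast/*"],
            "Condition": {"StringEquals": {
                "aws:ResourceTag/tenant": "${aws:PrincipalTag/tenant}"}},
        },
        {"Sid": "List", "Effect": "Allow",
         "Action": ["forecast:ListDatasets"], "Resource": "*"},
        {   # assumed, not from the page
            "Sid": "TenantPrefix",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::shared-bucket/${aws:PrincipalTag/tenant}/*",
        },
    ],
}

VAR = re.compile(r"\$\{aws:PrincipalTag/([^}]+)\}")


def substitute(value, principal_tags):
    """Expand ${aws:PrincipalTag/key}. A principal without that tag yields "",
    which never equals a real tag value, so an untagged principal gets nothing."""
    return VAR.sub(lambda m: principal_tags.get(m.group(1), ""), value)


def condition_holds(condition, principal_tags, resource_tags):
    """StringEquals on aws:ResourceTag/<key> is the only operator modelled
    (it is the only one the article's policy uses); anything else fails."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            return False
        for key, expected in pairs.items():
            if not key.startswith("aws:ResourceTag/"):
                return False
            actual = resource_tags.get(key[len("aws:ResourceTag/"):])  # None if untagged
            if actual is None or actual != substitute(expected, principal_tags):
                return False
    return True


def as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource_arn, principal_tags, resource_tags):
    """True if any Allow statement matches action, resource and condition;
    otherwise IAM's implicit default deny applies."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in as_list(stmt["Action"])):
            continue
        patterns = [substitute(r, principal_tags) for r in as_list(stmt["Resource"])]
        if not any(fnmatch.fnmatchcase(resource_arn, p) for p in patterns):
            continue
        if condition_holds(stmt.get("Condition", {}), principal_tags, resource_tags):
            return True
    return False


# Constructed sample data: two tenant principals and their tagged resources.
TENANT_A = {"tenant": "tenant_a"}
TENANT_B = {"tenant": "tenant_b"}
DATASET_A = ("arn:aws:forecast:us-east-1:111111111111:dataset/sales_a", {"tenant": "tenant_a"})
DATASET_B = ("arn:aws:forecast:us-east-1:111111111111:dataset/sales_b", {"tenant": "tenant_b"})
UNTAGGED = ("arn:aws:forecast:us-east-1:111111111111:dataset/orphan", {})
OBJECT_A = "arn:aws:s3:::shared-bucket/tenant_a/train.csv"
OBJECT_B = "arn:aws:s3:::shared-bucket/tenant_b/train.csv"


def isolation_report():
    """Evaluate the cross-tenant cases the article describes."""
    def describe(principal, res):
        return is_allowed(TENANT_POLICY, "forecast:DescribeDataset", res[0], principal, res[1])
    return {
        "a_reads_own_dataset": describe(TENANT_A, DATASET_A),
        "a_reads_b_dataset": describe(TENANT_A, DATASET_B),
        "b_reads_a_dataset": describe(TENANT_B, DATASET_A),
        "a_reads_untagged": describe(TENANT_A, UNTAGGED),
        "untagged_principal": describe({}, DATASET_A),
        # List has Resource "*" and no tag condition, so it is not tenant-scoped.
        "a_lists_datasets": is_allowed(TENANT_POLICY, "forecast:ListDatasets", "*", TENANT_A, {}),
        "a_reads_own_prefix": is_allowed(TENANT_POLICY, "s3:GetObject", OBJECT_A, TENANT_A, {}),
        "a_reads_b_prefix": is_allowed(TENANT_POLICY, "s3:GetObject", OBJECT_B, TENANT_A, {}),
        # No statement grants Delete*, so the role stays read-only.
        "a_deletes_own_dataset": is_allowed(TENANT_POLICY, "forecast:DeleteDataset",
                                            DATASET_A[0], TENANT_A, DATASET_A[1]),
    }


if __name__ == "__main__":
    for case, allowed in isolation_report().items():
        print(f"{case:24} {'ALLOW' if allowed else 'DENY'}")
```

Two points the report makes visible: a resource that was never tagged, or a principal whose role lost its tenant tag, falls through to the default deny rather than becoming shared, which is why tagging must be part of onboarding rather than an afterthought; and the List statement in Policy 1 carries no tag condition, so listing is account-wide while the per-resource Describe and Query calls are the ones that enforce isolation.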

Policy 2: Amazon S3 and AWS KMS Access Policy

This policy provides access to AWS KMS and the S3 tenant prefix. Similar to the previous policy, the tenant tag validation condition ensures that the tenant tag aligns with the principal’s tenant tag.
