Amazon Cognito Multi-Tenant Best Approach

I'm working on a multi-tenant application on AWS. I am struggling to implement multi-tenancy on Cognito. My first approach was to use one Cognito User Pool and one Identity Pool for the whole application.

For the moment we have two kinds of users per tenant (administrators and regular users), so I want to assign them different IAM Roles.

The idea was to create a Cognito Group for each user role and to associate each with its respective IAM Role. It works OK. When using groups for role assignment, I configured the identity pool's authenticated role selection to 'Choose role from token'.

However, with 20 tenants, 40 groups will be needed, and the limit for Cognito Groups is 25 per User Pool.

Using a Cognito User Pool per tenant has the same inconvenience, since the limit for Cognito User Pools is 50 (and we expect more than 25 tenants).

These are soft limits, so I know that it is possible to ask for an increase. In fact, I requested an increase of the Cognito Groups limit, but the answer is taking too long.

As an alternative to Cognito Groups, I could configure the identity pool's authenticated role selection to 'Choose role with rules'.

In this way I added a Cognito User Pool custom attribute (custom:role) and configured the Identity Pool's Cognito authentication provider with rules like the following:

if custom:role equals 'tenant1_admin' then assign TENANT_1_ADMIN_IAM_ROLE

if custom:role equals 'tenant1_regular' then assign TENANT_1_REGULAR_IAM_ROLE

...

if custom:role equals 'tenant20_admin' then assign TENANT_20_ADMIN_IAM_ROLE

if custom:role equals 'tenant20_regular' then assign TENANT_20_REGULAR_IAM_ROLE

Is this the correct way to implement multi-tenancy on Cognito? As far as I know, there is no limit on the number of Identity Pool authentication provider rules.

bertie asked Dec 05 '17 10:12
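The rules-based mapping described in the question, worked through as an added example (this is not code from the question or from AWS). It builds the `RoleMappings` value that `SetIdentityPoolRoles` / `aws cognito-identity set-identity-pool-roles --role-mappings` takes, generates the 2N `Equals` rules for N tenants, and re-implements the evaluation locally so you can see which IAM role a given decoded ID token would be mapped to, including the no-match case controlled by `AmbiguousRoleResolution`. It also includes the check I would want before trusting `custom:role` at all: if the app client lists `custom:role` in its writable attributes, any signed-in user can change it through `UpdateUserAttributes` with their own access token and get mapped to another tenant's admin role. Region, pool and client ids, account id, role names and the sample claims are placeholders I made up. Two caveats: rules per provider are themselves quota-limited (25 per provider, to my knowledge; check the Cognito Identity quotas page before relying on 40 rules), and the local evaluator is a model of the documented first-match behaviour, not the service itself.

```python
"""Rules-based role mapping for a Cognito identity pool, with a local
evaluator for "which IAM role would this ID token get?" and a check that
the role claim cannot be rewritten by the end user.

Added example, not code from the question. Region, pool/client ids,
account id and role names are placeholders (assumptions)."""

import json
from typing import Optional

REGION = "eu-west-1"                  # placeholder
USER_POOL_ID = "eu-west-1_EXAMPLE"    # placeholder
APP_CLIENT_ID = "exampleappclientid"  # placeholder
ACCOUNT_ID = "123456789012"           # placeholder

# RoleMappings is keyed by the provider name of the user pool app client.
PROVIDER_KEY = f"cognito-idp.{REGION}.amazonaws.com/{USER_POOL_ID}:{APP_CLIENT_ID}"
ROLE_CLAIM = "custom:role"
KINDS = ("admin", "regular")
# Default authenticated role of the identity pool (placeholder name).
AUTHENTICATED_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/Cognito_AppAuth_Role"


def role_arn(tenant: int, kind: str) -> str:
    """Naming scheme assumed to match the question's TENANT_n_<KIND>_IAM_ROLE."""
    return f"arn:aws:iam::{ACCOUNT_ID}:role/TENANT_{tenant}_{kind.upper()}_IAM_ROLE"


def build_rules(tenant_count: int) -> list:
    """One rule per (tenant, kind): 2 * tenant_count rules, in the shape
    SetIdentityPoolRoles expects under RulesConfiguration.Rules."""
    return [
        {
            "Claim": ROLE_CLAIM,
            "MatchType": "Equals",  # exact match; StartsWith/Contains would over-match
            "Value": f"tenant{tenant}_{kind}",
            "RoleARN": role_arn(tenant, kind),
        }
        for tenant in range(1, tenant_count + 1)
        for kind in KINDS
    ]


def build_role_mappings(tenant_count: int, on_no_match: str = "Deny") -> dict:
    """Value for the RoleMappings parameter of SetIdentityPoolRoles.
    on_no_match is AmbiguousRoleResolution: "Deny" refuses credentials when
    no rule matches; "AuthenticatedRole" falls back to the pool's default
    authenticated role, which silently hands an unmapped user that role."""
    return {
        PROVIDER_KEY: {
            "Type": "Rules",
            "AmbiguousRoleResolution": on_no_match,
            "RulesConfiguration": {"Rules": build_rules(tenant_count)},
        }
    }


_MATCHERS = {
    "Equals": lambda claim, value: claim == value,
    "NotEqual": lambda claim, value: claim != value,
    "StartsWith": lambda claim, value: claim.startswith(value),
    "Contains": lambda claim, value: value in claim,
}


def resolve_role(claims: dict, mappings: dict, provider: str = PROVIDER_KEY) -> Optional[str]:
    """Local model of Cognito Identity's rule evaluation: rules are tried in
    order and the first match wins. Returns the role ARN, or None when the
    mapping denies the request. `claims` is the decoded ID token payload."""
    cfg = mappings[provider]
    for rule in cfg["RulesConfiguration"]["Rules"]:
        claim = claims.get(rule["Claim"])
        if isinstance(claim, str) and _MATCHERS[rule["MatchType"]](claim, rule["Value"]):
            return rule["RoleARN"]
    if cfg["AmbiguousRoleResolution"] == "AuthenticatedRole":
        return AUTHENTICATED_ROLE_ARN
    return None


def role_claim_is_user_writable(app_client: dict) -> bool:
    """Given the UserPoolClient element of a DescribeUserPoolClient response,
    report whether the signed-in user can change custom:role with their own
    access token (UpdateUserAttributes). If this returns True, any user can
    rewrite the claim and be mapped to another tenant's admin role, so the
    whole scheme collapses. An absent WriteAttributes list is treated as
    writable (the conservative reading); set the claim server-side only."""
    write = app_client.get("WriteAttributes")
    return write is None or ROLE_CLAIM in write


def cli_role_mappings_json(tenant_count: int) -> str:
    """JSON for `aws cognito-identity set-identity-pool-roles --role-mappings`."""
    return json.dumps(build_role_mappings(tenant_count))


if __name__ == "__main__":
    mappings = build_role_mappings(20)
    print(f"{len(mappings[PROVIDER_KEY]['RulesConfiguration']['Rules'])} rules")
    # Constructed ID-token payloads, not real tokens.
    for sample in ({"custom:role": "tenant1_admin"}, {"custom:role": "tenant1_admin_x"}, {}):
        print(sample, "->", resolve_role(sample, mappings))
    print(cli_role_mappings_json(2))
```

Run `role_claim_is_user_writable` against the output of `describe-user-pool-client` for every app client on the pool, not just the one you configured by hand, and keep `AmbiguousRoleResolution` at `Deny` so a user whose `custom:role` was never set (or was set to a typo) gets no AWS credentials rather than the pool's default authenticated role.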


2 Answers

As you mentioned before, you can contact AWS support to ask for an increase of your groups limit. Clearly stating your use case will make the limit increase easier. Are you using SAML or Cognito login for your user pool?

Summer Guo answered Oct 12 '22 00:10


I know the question has already been answered and is a bit old, but I thought this might be useful for other people who come across this question. AWS has actually produced a White Paper and Quick Start guide for creating multi-tenant SaaS applications on AWS, available at https://aws-quickstart.s3.amazonaws.com/saas-identity-cognito/doc/saas-identity-and-isolation-with-cognito-on-the-aws-cloud.pdf

It's got a basic web front-end (AngularJS on S3), Cognito (with one pool per tenant), logic to handle user-tenant lookup, and ECS config for hosting services. It's pretty detailed and should help answer a bunch of questions for people starting out or wondering about these types of questions.

Neutral Penguin answered Oct 11 '22 23:10