This pattern demonstrate AWS Lambda's tenant isolation feature in Multi-tenant application. It uses single SQS for multi-tenant applucation and isolating messages using messagegroupid and invoking isolated lambda enviornments.
- Tenant isolation at infrastructure level (no custom routing logic)
- Execution environments never shared between tenants
- Asynchronous invocation pattern
- Automatic tenant context propagation
Learn more about this pattern at Serverless Land Patterns
Important: this application uses various AWS services and there are costs associated with these services after the Free Tier usage - please see the AWS Pricing page for details. You are responsible for any AWS costs incurred. No warranty is implied in this example.
- Create an AWS account if you do not already have one and log in. The IAM user that you use must have sufficient permissions to make necessary AWS service calls and manage AWS resources.
- AWS CLI installed and configured
- Git Installed
- AWS Serverless Application Model (AWS SAM) installed
- Triggered by SQS queue messages
- Extracts
customer-idfrom message payload - Invokes tenant-isolated Lambda asynchronously with
TenantIdparameter
- Configured with tenant isolation mode enabled
- Processes requests in isolated execution environments per tenant
- Accesses tenant ID via
context.identity.tenant_id
{
"data": "your payload here"
}sam build
sam deploy --guidedSQS Queue → SQS Processor Lambda → Tenant-Isolated Lambda
(reads customer-id) (processes with tenant isolation)
Send a message to the SQS queue:
aws sqs send-message \
--queue-url <QUEUE_URL> \
--message-body '{"data": "test payload"}'After dropping the message, review cloudwatch log for Tenant-Isolated Lambda. Different log streams should be created for each tenant.