Multi-tenant applications often require strict isolation when processing tenant-specific code or data. Examples include software-as-a-service (SaaS) platforms for workflow automation or code execution where customers need to ensure that execution environments used for individual tenants or end users remain completely separate from one another. Traditionally, developers have addressed these requirements by deploying separate Lambda functions for each tenant or implementing custom isolation logic within shared functions which increased architectural and operational complexity.
Today, AWS Lambda introduces a new tenant isolation mode that extends the existing isolation capabilities in Lambda. Lambda already provides isolation at the function level, and this new mode extends isolation to the individual tenant or end-user level within a single function. This built-in capability processes function invocations in separate execution environments for each tenant, enabling you to meet strict isolation requirements without additional implementation effort to manage tenant-specific resources within function code.
Here’s how you can enable tenant isolation mode in the AWS Lambda console:
When using the new tenant isolation capability, Lambda associates function execution environments with customer-specified tenant identifiers. This means that execution environments for a particular tenant aren’t used to serve invocation requests from other tenants invoking the same Lambda function.
The feature addresses strict security requirements for SaaS providers processing sensitive data or running untrusted tenant code. You maintain the pay-per-use and performance characteristics of AWS Lambda while gaining execution environment isolation. Additionally, this approach delivers the security benefits of per-tenant infrastructure without the operational overhead of managing dedicated Lambda functions for individual tenants, which can quickly grow as customers adopt your application.
Getting started with AWS Lambda tenant isolation
Let me walk you through how to configure and use tenant isolation for a multi-tenant application.
First, on the Create function page in the AWS Lambda console, I choose Author from scratch option.
Then, under Additional configurations, I select Enable under Tenant isolation mode. Note that, tenant isolation mode can only be set during function creation and can’t be modified for existing Lambda functions.
Next, I write Python code to demonstrate this capability. I can access the tenant identifier in my function code through the context object. Here’s the full Python code:
import json
import os
from datetime import datetime
def lambda_handler(event, context):
tenant_id = context.tenant_id
file_path = '/tmp/tenant_data.json'
# Read existing data or initialize
if os.path.exists(file_path):
with open(file_path, 'r') as f:
data = json.load(f)
else:
data = {
'tenant_id': tenant_id,
'request_count': 0,
'first_request': datetime.utcnow().isoformat(),
'requests': []
}
# Increment counter and add request info
data['request_count'] += 1
data['requests'].append({
'request_number': data['request_count'],
'timestamp': datetime.utcnow().isoformat()
})
# Write updated data back to file
with open(file_path, 'w') as f:
json.dump(data, f, indent=2)
# Return file contents to show isolation
return {
'statusCode': 200,
'body': json.dumps({
'message': f'File contents for {tenant_id} (isolated per tenant)',
'file_data': data
})
}
When I’m finished, I choose Deploy. Now, I need to test this capability by choosing Test. I can see on the Create new test event panel that there’s a new setting called Tenant ID.
If I try to invoke this function without a tenant ID, I’ll get the following error “Add a valid tenant ID in your request and try again.”
Let me try to test this function with a tenant ID called tenant-A.
I can see the function ran successfully and returned request_count: 1. I’ll invoke this function again to get request_count: 2.
Now, let me try to test this function with a tenant ID called tenant-B.
The last invocation returned request_count: 1 because I never invoked this function with tenant-B. Each tenant’s invocations will use separate execution environments, isolating the cached data, global variables, and any files stored in /tmp.
This capability transforms how I approach multi-tenant serverless architecture. Instead of wrestling with complex isolation patterns or managing hundreds of tenant-specific Lambda functions, I let AWS Lambda automatically handle the isolation. This keeps tenant data isolated across tenants, giving me confidence in the security and separation of my multi-tenant application.
Additional things to know
Here’s a list of additional things you need to know:
- Performance — Same-tenant invocations can still benefit from warm execution environment reuse for optimal performance.
- Pricing — You’re charged when Lambda creates a new tenant-aware execution environment, with the price depending on the amount of memory you allocate to your function and the CPU architecture you use. For more details, view AWS Lambda pricing.
- Availability — Available now in all commercial AWS Regions except Asia Pacific (New Zealand), AWS GovCloud (US), and China Regions.
This launch simplifies building multi-tenant applications on AWS Lambda, such as SaaS platforms for workflow automation or code execution. Learn more about how to configure tenant isolation for your next multi-tenant Lambda function in the AWS Lambda Developer Guide.
Happy building!
— Donnie