Close Menu
    DevStackTipsDevStackTips
    • Home
    • News & Updates
      1. Tech & Work
      2. View All

      Full-Stack Techies vs Toptal: Which Is Better for React.js Outsourcing?

      July 3, 2025

      The AI productivity paradox in software engineering: Balancing efficiency and human skill retention

      July 2, 2025

      The impact of gray work on software development

      July 2, 2025

      CSS Intelligence: Speculating On The Future Of A Smarter Language

      July 2, 2025

      Your Roku has secret menus and screens – here’s how to unlock them

      July 3, 2025

      Add Paramount+, STARZ, and more to your Prime Video account for $0.99 a month – here’s how

      July 3, 2025

      My new favorite keychain accessory gives me 2TB of SSD storage instantly

      July 3, 2025

      HP’s latest OmniBook finally sold me on the 2-in-1 form factor (and it’s on sale)

      July 3, 2025
    • Development
      1. Algorithms & Data Structures
      2. Artificial Intelligence
      3. Back-End Development
      4. Databases
      5. Front-End Development
      6. Libraries & Frameworks
      7. Machine Learning
      8. Security
      9. Software Engineering
      10. Tools & IDEs
      11. Web Design
      12. Web Development
      13. Web Security
      14. Programming Languages
        • PHP
        • JavaScript
      Featured

      Simplifying Stream Handling with Laravel’s resource Method

      July 3, 2025
      Recent

      Simplifying Stream Handling with Laravel’s resource Method

      July 3, 2025

      Intelligent Parsing and Formatting of Names in PHP Applications

      July 3, 2025

      This Week in Laravel: Cursor Rules, Nightwatch Review, and Race Conditions

      July 3, 2025
    • Operating Systems
      1. Windows
      2. Linux
      3. macOS
      Featured

      Microsoft confirms Windows 11 KB5060829 issues, but you can safely ignore it

      July 3, 2025
      Recent

      Microsoft confirms Windows 11 KB5060829 issues, but you can safely ignore it

      July 3, 2025

      Hash Calculator – calculates around 50 cryptographic hashes of strings and files

      July 3, 2025

      Rilasciato Thunderbird 140 ESR: Un’attenzione alle esigenze aziendali

      July 3, 2025
    • Learning Resources
      • Books
      • Cheatsheets
      • Tutorials & Guides
    Home»Development»Databases»Amazon DynamoDB data modeling for Multi-tenancy – Part 3

    Amazon DynamoDB data modeling for Multi-tenancy – Part 3

    May 17, 2025

    This is the third post in a series where we walk through the process of creating an Amazon DynamoDB data model for an example multi-tenant issue tracking application.

    In Part 1, we defined our access patterns. We then selected a partition key design and created our data schema in Part 2.

    In this last part of the series, we explore how to validate the chosen data model from both a performance and a security perspective. Additionally, we cover how to extend the data model as new access patterns and requirements arise.

    Validating your data model

    Your application depends on your data model being performant and secure. You want to observe the scaling patterns of your data model as it reacts to load while maintaining tenant isolation.

    You will need tooling to perform your validation. A distributed load testing approach lets you simultaneously issue requests against your DynamoDB table using parallel test clients. For more details, see Distributed Load Testing on AWS.

    Start by introducing a baseline scenario with many active tenants in your application. You then introduce noisy neighbor scenarios to see how your data model reacts. Are you able to scale effectively without affecting the tenant service experience?

    Introduce scenarios in series and parallel, and observe your data model. They will represent your operations, such as

    • Tenant onboarding and offboarding.
    • Backup and restore. Is it possible to restore a single XXL tenant within an SLA?
    • Tenant portability between service tiers. Bulk export and import of tenant data.
    • Noisy neighbor tenants. Can heavy usage tenants affect others?

    Monitoring your data model

    Metrics are key to data model validation. You want to validate that the provisioned DynamoDB capacity sustains an unpredictable usage pattern.

    Data validation monitoring forms the basis of your operational monitoring. The validation provides data to build a set of alarms which indicate impact to tenant performance. If throttling occurs, that shows insufficient capacity or potentially inefficient data access patterns that need revisiting. Your operations team will want to be aware of these events.

    You should enable Amazon CloudWatch Contributor Insights on the DynamoDB table to capture detailed tenant-level operational metrics. Other tools include Amazon CloudWatch, and AWS X-Ray.

    The following are key metrics to watch for any anomalies:

    • Most accessed keys
    • Most throttled keys

    For example, consider the following Contributor Insights dashboard.

    Contributor Insights

    Tenant#3 is creating a large volume of requests compared to other tenants. This can have a negative performance impact for other tenants by causing table or partition-level throttling. A DynamoDB partition sustains 3,000 reads and 1,000 writes per second. When visualized in CloudWatch this metric is aggregated per minute. To detect outliers using Contributor Insights, you can create alarms at defined thresholds using the MaxContributorValue metric.

    When you turn on Contributor Insights, several rules are automatically created. Alarms can be created on these rules. An example is shown below that sends a notification when a single partition key receives more than 2000 requests per second. The same logic can be used to detect when a key has any throttled requests:

    aws cloudwatch put-metric-alarm --alarm-name TenantNoisyNeighborAlarm 
    --alarm-description "Alarm when a single tenant exceeds 2000 RPS" 
    --evaluation-periods 1 
    --datapoints-to-alarm 1 
    --threshold 2000 
    --comparison-operator 'GreaterThanThreshold' 
    --treat-missing-data 'missing' 
    --metrics '[{"Id":"e0","Label":"DynamoDBContributorInsights-PKC-SupportTicket-1730474921779 MaxContributorValue","ReturnData":true,"Expression":"INSIGHT_RULE_METRIC('''DynamoDBContributorInsights-PKC-SupportTicket-1730474921779''', '''MaxContributorValue''')","Period":60}]' 
    --alarm-actions arn:aws:sns:us-east-1:123456789012:NoisyNeighborAlert

    Where hot partition key values are encountered, this can be mitigated by artificially write sharding Tenant#3 or by moving them to their own silo table to isolate them from affecting other tenant performance.

    The throttled keys show where both the table-level and partition-level throttling limits are exceeded. If the partition-level limits are exceeded, consider caching frequently requested items.

    Testing tenant isolation

    Tenant isolation is not optional. Your validation will test that tenant isolation works across all your access patterns.

    One technique is to create test tenants and issue requests with different AWS Identity and Access Management (IAM) credentials mapped to those tenants. You want to block attempts to access data outside the assigned tenant context and result in access denied errors.

    The following are test cases to consider:

    • Querying the table with a tenant ID not matching the authenticated context
    • Performing scans without tenant ID filters
    • Creating, updating, deleting items across tenant boundaries
    • Varying combinations of resource ARNs and condition keys in policies

    It’s important to test for both success and failure scenarios across each access pattern. The system should robustly prevent unauthorized cross-tenant access attempts.

    Extensibility

    As you continue through the application lifecycle, you may find new requirements coming from your tenant usage patterns. Although you try to fully document your requirements ahead of time, invariably there will be unexpected developments.

    There are 3 core patterns you can adopt to extend the data model for new access patterns:

    1. Overload existing GSIs.
    2. Create additional GSIs.
    3. Add new tables for new entities. DynamoDB provides a quota of up to 2,000 tables per account by default, adjustable up to 10,000.

    You can use existing Global Secondary Indexes in new ways by designing your sort keys to support additional access patterns. For instance, if you need to add ticket feedback ratings to your system, you could use the existing GSI1 by structuring the index sort key to include both resolver and feedback information. This method is cost-effective since it doesn’t require new indexes, but it can make your sort key patterns more complex. An example is shown in the table below:

    GSI example

    When new access patterns emerge that can’t be satisfied by existing indexes or table structures, adding new GSIs is a viable solution. For example, if you need to support time-based reporting or agent performance tracking, you could add new GSIs specifically designed for these purposes. While this approach provides optimal query performance for new access patterns, it does increase costs and write capacity requirements.

    When new features require significantly different data structures or access patterns, creating new tables might be the best solution. For example, if you want to add a knowledge base feature to your support ticket system, you could create a separate KnowledgeBase table while maintaining the same tenant isolation principles. This approach provides clear separation of concerns and independent scaling, though it does increase management overhead.

    Cost Considerations

    • Table per tenant vs. shared table: While a single table simplifies management, it can lead to noisy neighbor issues. Conversely, separate tables per tenant increase operational overhead and deployment complexity, but allow simpler isolation approaches.
    • GSI proliferation costs: Each GSI increases the write costs since writes to the base table are replicated to indexes. Consider this when adding indexes for tenant-specific access patterns.
    • On-demand vs. provisioned capacity: For multi-tenant applications with unpredictable workloads across tenants, on-demand capacity mode often provides better efficiency, as it prevents over-provisioning for peak utilization.
    • Storage optimization: Consider how to store large attribute values and implementing TTL for temporary data to minimize storage costs.

    Conclusion

    In this three-part series, we covered the full process for developing a scalable, secure, and extensible DynamoDB data model for multi-tenancy.

    We arrived at the best data model by working backwards from our access patterns. This was validated through load testing while enforcing tenant isolation. Finally, we explored options for extending the model to accommodate new features. The result is a flexible database architecture that scales with growth, while maintaining tenant isolation.

    DynamoDB offers many advantages to customers building multi-tenant applications as a primary persistence layer and creating a data model is just the first step. Having a robust tenant isolation mechanism is the next consideration. We recommend the AWS SaaS Operations workshop as a hands-on example of how to implement, test, and audit tenant isolation using DynamoDB in a multi-tenant application.


    About the Authors

    A much younger DaveDave Roberts is a Senior Solutions Architect in the AWS SaaS Factory team where he helps software vendors to build SaaS and modernize their software delivery. Outside of SaaS, he loves to listen to the guitar of Duane Allman and spends too much time troubleshooting why his self-made guitar pedals don’t work as expected.

    Josh "Hitman" HartJosh Hart is a Principal Solutions Architect at Amazon Web Services. He works with ISV customers in the UK to help them build and modernize their SaaS applications on AWS.

    Samaneh UtterSamaneh Utter is an Amazon DynamoDB Specialist Solutions Architect based in Göteborg, Sweden.

    Source: Read More

    Facebook Twitter Reddit Email Copy Link
    Previous ArticleAffordable cybersecurity for SMBs in the midwest
    Next Article Amazon DynamoDB data modeling for Multi-Tenancy – Part 2

    Related Posts

    Common Vulnerabilities and Exposures (CVEs)

    CVE-2025-23968 – WPCenter AiBud WP Unrestricted File Upload RCE

    July 3, 2025
    Common Vulnerabilities and Exposures (CVEs)

    CVE-2025-45809 – BerriAI litellm SQL Injection Vulnerability

    July 3, 2025
    Leave A Reply Cancel Reply

    For security, use of Google's reCAPTCHA service is required which is subject to the Google Privacy Policy and Terms of Use.

    Continue Reading

    CVE-2024-13322 – WordPress Ads Pro Plugin SQL Injection Vulnerability

    Common Vulnerabilities and Exposures (CVEs)

    How Emotional Triggers Ignite Sales for First-Time Founders

    Web Development

    Custom Web Design Increase Conversion

    Web Development

    American Airlines to offer free in-flight Wi-Fi – here’s how to access it

    News & Updates

    Highlights

    CVE-2025-4996 – Intelbras RF 301K Cross-Site Scripting Vulnerability

    May 20, 2025

    CVE ID : CVE-2025-4996

    Published : May 20, 2025, 7:15 p.m. | 1 hour, 22 minutes ago

    Description : A vulnerability, which was classified as problematic, has been found in Intelbras RF 301K 1.1.5. This issue affects some unknown processing of the component Add Static IP. The manipulation of the argument Description leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure.

    Severity: 2.4 | LOW

    Visit the link for more details, such as CVSS details, affected products, timeline, and more…

    6 Open Source Website Builders You Need to Know About

    April 4, 2025

    CVE-2023-41591 – ONOS ARP Spoofing Vulnerability

    May 29, 2025

    Cybercrime Losses Jump 33% in 2024, FBI Report Shows

    April 24, 2025
    © DevStackTips 2025. All rights reserved.
    • Contact
    • Privacy Policy

    Type above and press Enter to search. Press Esc to cancel.