AWS S3 Multi-Tenancy

Data Partitioning

Bucket per Tenant

Amazon S3 has a default quota of 100 buckets and the hard quota of 1,000 buckets per AWS account.

“Folders” - Object Key Prefix-Per-Tenant Model

Database-Mapped Tenant Objects

Tenant Isolation

Isolating SaaS Tenants with Dynamically Generated IAM Policies: AWS

Securing Tenant Objects with Encryption Keys

Here, the focus is on how we can provide each tenant with a key that protects their data. In these scenarios, Amazon S3 can be used with the AWS Key Management Service (AWS KMS) to provide server-side encryption of S3 objects.

You can have up to 10,000 customer-managed keys in each region of your AWS account.

Amazon S3 bucket keys can reduce AWS KMS request costs by up to 99% when using AWS Key Management Service for server-side encryption (SSE-KMS). This S3 bucket key is used for a time-limited period within S3, which will only share an S3 bucket key for objects encrypted by the same AWS KMS key. This helps stay below KMS API request quotas.

Endpoint-Based Partitioning and Isolation

There is a default quota of 1,000 access points you can have in an account.

Related Notes