Tenant Isolation

The set of architectural strategies for ensuring that multiple tenants (customers, business units, or environments) sharing an S3-based lakehouse cannot access each other's data, metadata, or compute resources.

Summary

Where it fits

Tenant isolation is a cross-cutting concern in multi-tenant lakehouse designs. Strategies range from separate S3 buckets per tenant (strongest isolation, highest overhead) to shared tables with row-level security (weakest isolation, lowest overhead), with prefix-based IAM policies as a middle ground.
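The prefix-based middle ground above, as an added example that is not part of this page: a Python function that builds a per-tenant IAM policy for one shared bucket, and a lint that flags Allow statements reaching outside the tenant's prefix, the kind of misconfiguration that widens the blast radius. Bucket and tenant names are constructed, and the lint only understands the s3:prefix condition and plain string or list Resource/Action values.

```python
import json

BUCKET_ARN = "arn:aws:s3:::"


def tenant_policy(bucket, tenant):
    """Build a policy scoping one tenant to its own prefix in a shared bucket.
    s3:ListBucket is a bucket-level action, so it must be narrowed with the
    s3:prefix condition; without it the tenant can enumerate every key."""
    prefix = f"{tenant}/"          # trailing slash keeps tenant-a from matching tenant-ab/
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ListOwnPrefixOnly",
             "Effect": "Allow",
             "Action": "s3:ListBucket",
             "Resource": f"{BUCKET_ARN}{bucket}",
             "Condition": {"StringLike": {"s3:prefix": [f"{prefix}*"]}}},
            {"Sid": "ObjectsUnderOwnPrefix",
             "Effect": "Allow",
             "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
             "Resource": f"{BUCKET_ARN}{bucket}/{prefix}*"},
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def leaky_statements(policy, bucket, tenant):
    """Return the Sids of Allow statements that reach beyond the tenant prefix:
    a bucket-level resource without a fully scoped s3:prefix condition, or an
    object-level resource not under the prefix. Constructed as a pre-attach check."""
    prefix = f"{tenant}/"
    leaks = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        for res in _as_list(st["Resource"]):
            if res == f"{BUCKET_ARN}{bucket}":
                cond = st.get("Condition", {})
                prefixes = []
                for op in ("StringEquals", "StringLike"):
                    prefixes += _as_list(cond.get(op, {}).get("s3:prefix", []))
                ok = bool(prefixes) and all(p.startswith(prefix) for p in prefixes)
            else:
                ok = res.startswith(f"{BUCKET_ARN}{bucket}/{prefix}")
            if not ok:
                leaks.append(st.get("Sid", "<no Sid>"))
                break
    return leaks


def render(policy):
    """Serialise the policy document for attaching to the tenant role."""
    return json.dumps(policy, indent=2)
```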

Misconceptions / Traps
  • S3 prefix-based IAM policies provide namespace isolation but not performance isolation. One tenant's heavy LIST or GET workload can cause throttling that affects co-tenants on the same prefix partition.
  • Row-level security for tenant isolation depends entirely on the query engine enforcing the filter. Any bypass (direct S3 access, misconfigured engine) breaks tenant boundaries.
  • Shared Iceberg catalogs across tenants mean that catalog metadata operations (commit, list tables) are shared. Catalog contention from one tenant can affect all tenants.

Key Connections
  • scoped_to Lakehouse, S3 — multi-tenancy in S3-based architectures
  • depends_on Row / Column Security — row-level filtering for shared-table tenancy
  • depends_on Encryption / KMS — per-tenant encryption keys for bucket-level isolation
  • constrains Request Amplification — per-tenant bucket designs multiply request volume

Definition

What it is

Architectural patterns for separating data belonging to different tenants in a shared S3-based lakehouse, ranging from separate buckets (hard isolation) to shared tables with row-level filtering (soft isolation).

Why it exists

Multi-tenant SaaS platforms store all tenant data on S3 but must guarantee that no tenant can access another's data. The isolation strategy affects cost, operational complexity, and the blast radius of misconfigurations.

Primary use cases

SaaS data platforms on S3, multi-tenant analytics lakehouses, data marketplace architectures.
