Compute-level Isolation
Compute-level isolation is another critical aspect of ensuring data security and integrity in a multi-tenant environment. Unlike database-level isolation, which focuses on the segregation of data at rest, compute-level isolation is concerned with isolating the computational resources that process this data. This involves leveraging various AWS services and features to ensure that each tenant’s computational activities are isolated from one another. AWS offers multiple services for achieving compute-level isolation, including Amazon EC2 instances, managed containers, and AWS Lambda functions. Each of these services has its unique characteristics and capabilities for ensuring resource isolation at different levels.
EC2 instances
EC2 instances are launched within a VPC, providing a foundation for network-level isolation. Beyond that, further security can be applied through IAM roles that the instances can assume. This dual-layered approach serves to restrict not only which AWS services the instances can interact with but also the specific actions they are permitted to perform.
EC2 instances can function as silos, with each instance being dedicated to a specific tenant. This setup ensures a clear separation, confining each tenant’s computational resources to their designated boundaries.
Alternatively, EC2 instances can be shared among multiple tenants. However, this approach offers limited segregation. All invocations from different tenants share the same runtime environment. This could potentially lead to unintended data access or leakage between tenants, especially if there are vulnerabilities in the application stack.
Containers
Containers offer a lightweight and portable solution for application deployment and are supported by AWS services such as Amazon ECS and Amazon EKS. Containers can run either on EC2 instances or AWS Fargate and allow for the separation of runtime environments within a shared virtual machine.
Isolation can be achieved at multiple levels, including at the task-definition level in ECS or the pod level in EKS. IAM roles can be assigned to individual tasks or pods, providing fine-grained control over AWS resources.
Network isolation can also be implemented at the container level. In ECS this is done with the awsvpc network mode, in which each task is allocated its own elastic network interface (ENI) and IP address, enabling you to assign security groups to the task and isolate its network traffic.
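As an added example (not code from the original text), the following Python function audits an ECS task definition for the two isolation settings just described: awsvpc networking and a per-tenant task role. The task definitions, account id, role ARNs and the assumed convention that a tenant's role name begins with its tenant id are all constructed for this illustration; the privileged-container check goes slightly beyond the text.

```python
# Added example (not from the original text): audit an ECS task definition
# for the isolation settings discussed above. Task definitions, role ARNs,
# account id and the "<tenant>-" role-naming convention are constructed.
REQUIRED_NETWORK_MODE = "awsvpc"


def isolation_findings(task_def, tenant_id):
    """Return a list of findings for `task_def`; an empty list means the
    task definition passes every check for the given tenant."""
    findings = []

    # awsvpc gives each task its own ENI, so security groups can be applied
    # per task instead of per host.
    mode = task_def.get("networkMode")
    if mode != REQUIRED_NETWORK_MODE:
        findings.append(
            f"networkMode is {mode!r}; expected {REQUIRED_NETWORK_MODE!r} "
            "so the task gets its own ENI and security groups"
        )

    # A task role gives the task its own IAM identity. Without one there is
    # no per-tenant set of AWS permissions to scope.
    role_arn = task_def.get("taskRoleArn")
    if not role_arn:
        findings.append("taskRoleArn missing; task has no per-tenant IAM identity")
    else:
        # Assumed convention: the role name begins with the tenant id.
        role_name = role_arn.rsplit("/", 1)[-1]
        if not role_name.startswith(f"{tenant_id}-"):
            findings.append(
                f"taskRoleArn {role_name!r} is not a {tenant_id}-specific role; "
                "a role shared across tenants defeats per-tenant scoping"
            )

    # Beyond the text: privileged containers weaken the boundary between
    # containers that share a host.
    for container in task_def.get("containerDefinitions", []):
        if container.get("privileged"):
            findings.append(
                f"container {container.get('name', '<unnamed>')!r} runs privileged"
            )
    return findings


# Constructed samples: a shared, weakly configured task and a per-tenant one.
SHARED_TASK_DEF = {
    "family": "billing-worker",
    "networkMode": "bridge",
    "containerDefinitions": [
        {"name": "worker", "image": "example/billing:1.0", "privileged": True}
    ],
}
ISOLATED_TASK_DEF = {
    "family": "billing-worker-tenant-a",
    "networkMode": "awsvpc",
    "taskRoleArn": "arn:aws:iam::123456789012:role/tenant-a-task-role",
    "containerDefinitions": [{"name": "worker", "image": "example/billing:1.0"}],
}

if __name__ == "__main__":
    for finding in isolation_findings(SHARED_TASK_DEF, "tenant-a"):
        print("shared task:", finding)
    print("isolated task findings:", isolation_findings(ISOLATED_TASK_DEF, "tenant-a"))
```

Run against the shared definition it reports the bridge network mode, the missing task role and the privileged container; the isolated definition passes for tenant-a but is flagged if checked for another tenant, which is the case where one task role is quietly reused across tenants.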
Lambda functions
Lambda offers a serverless compute environment, eliminating the need for server provisioning. Each function runs in its own isolated execution environment, with its access to AWS resources defined through IAM permissions, ensuring robust security and isolation.
Lambda manages and scales concurrent function invocations across multiple execution environments, which are like individual instances of a function. In some cases, these environments are reused to optimize performance, which introduces the risk of data leakage or unintended access between tenants. To mitigate this, functions should be designed to be stateless and idempotent. Tenant data should be kept in local variables scoped to the invocation rather than in state that outlives it, so that it is not exposed to subsequent invocations. Initialization code should be designed to handle both reused and freshly started environments.
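The reuse hazard and its mitigation, as an added Python example that is not part of the original text: a handler that keeps tenant records in module scope is shown beside a stateless handler whose initialization code copes with both fresh and reused environments, and a small harness replays invocations from two tenants in one process, which is what a warm environment looks like to the function code. The handlers, tenant ids, events and placeholder configuration are constructed.

```python
# Added example (not from the original text): the execution-environment
# reuse hazard described above, shown as a leaky handler beside a stateless
# one, with a harness that replays invocations the way a warm environment
# would. Handlers, events and tenant ids are constructed.

# --- Leaky pattern: tenant data kept in module scope. Module scope (like
# the /tmp directory) outlives a single invocation when Lambda reuses the
# environment, so the next tenant's invocation can see it. ---
_records_cache = []


def leaky_handler(event, context=None):
    tenant = event["tenant_id"]
    _records_cache.append(event["record"])
    # Defect: returns everything accumulated in this environment, including
    # records written by earlier invocations from other tenants.
    return {"tenant_id": tenant, "records": list(_records_cache)}


# --- Stateless pattern: initialization code sets up only tenant-agnostic
# resources and copes with both fresh and reused environments; every piece
# of tenant data is a local variable that dies with the invocation. ---
_shared_config = None


def _init():
    """Lazy one-time setup. On a fresh environment it does the work, on a
    reused one it skips it, and it never records which tenant triggered it."""
    global _shared_config
    if _shared_config is None:
        _shared_config = {"region": "us-east-1"}  # constructed placeholder
    return _shared_config


def stateless_handler(event, context=None):
    config = _init()
    tenant = event["tenant_id"]
    records = [event["record"]]  # invocation-local; not visible to the next call
    return {"tenant_id": tenant, "region": config["region"], "records": records}


def detect_cross_tenant_leak(handler, events):
    """Replay `events` through `handler` in one process (a reused environment
    from the code's point of view) and report whether any response carried
    a record tagged with a different tenant's id."""
    for event in events:
        result = handler(event)
        owner = result["tenant_id"]
        if any(not rec.startswith(owner + ":") for rec in result["records"]):
            return True
    return False


# Constructed invocations: two tenants hitting the same warm environment.
SAMPLE_EVENTS = [
    {"tenant_id": "tenant-a", "record": "tenant-a:invoice-1"},
    {"tenant_id": "tenant-b", "record": "tenant-b:invoice-9"},
]

if __name__ == "__main__":
    print("leaky handler leaks:", detect_cross_tenant_leak(leaky_handler, SAMPLE_EVENTS))
    print("stateless handler leaks:", detect_cross_tenant_leak(stateless_handler, SAMPLE_EVENTS))
```

The harness is also a usable unit test for real handlers: replaying a sequence of invocations from different tenants inside one interpreter reproduces the reuse condition deterministically, whereas in the service itself reuse is opportunistic and a leak may only appear under load.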
Lambda also supports VPC integration, adding an extra layer of network-level isolation, which is especially useful when separate functions are implemented for each tenant.