Reputation: 5079
We want to realize a multi-tenant application where we want to utilize:
As we are following a pooled approach, our DynamoDB data would have the tenantID as a primary key. Also, all users are pooled in one Cognito user pool.
Our application also needs to display our users within the application, therefore I need to query the users.
I would like to directly query the AWS Cognito pool and display all the users of a tenant. Therefore I would add an attribute to the Cognito users: custom:tenantID.
But there is a problem: custom attributes are not searchable / filterable, so I cannot do a query based on the tenantID, which is what I would have done with all other data tables.
I thought about "misusing" one of the searchable data fields like family name for the tenant, but that seems to be a bad idea.
I would like to avoid creating a DynamoDB table for the sole purpose of linking a user to a tenant. What are the approaches to solving this?
Upvotes: 3
Views: 1760
Reputation: 19728
When using AWS Cognito for a multi-tenant application, use Cognito only for the authentication.
You can create a user table with an access control list (authorization) for each tenant, stored in a DynamoDB table, which you can also use to search for users, etc.
If you use a custom attribute called tenant or store the tenant identifier in Cognito, in addition to the limitation on search, you will also limit a user to a single tenant.
Upvotes: 3
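The table layout the answer above suggests, as an added example that is not part of the original answer: one membership item per (tenant, user) pair, queried by tenant to list users and by user to check authorization. The table is modelled in memory so the example runs offline; the key names `PK`/`SK`, the `TENANT#`/`USER#` prefixes and all sample IDs are assumptions.

```python
# Added example: membership table for pooled multi-tenancy, modelled in memory.
# PK/SK names, key prefixes and sample data are assumptions, not from the page.
from collections import defaultdict


class MembershipTable:
    """Stand-in for one DynamoDB table: PK = TENANT#<id>, SK = USER#<cognito sub>."""

    def __init__(self):
        self._by_tenant = defaultdict(dict)  # base table: partition = tenant
        self._by_user = defaultdict(dict)    # inverted index (a GSI in DynamoDB)

    def put_membership(self, tenant_id, user_sub, role, email):
        item = {"PK": f"TENANT#{tenant_id}", "SK": f"USER#{user_sub}",
                "role": role, "email": email}
        self._by_tenant[item["PK"]][item["SK"]] = item
        self._by_user[item["SK"]][item["PK"]] = item

    def query_tenant(self, tenant_id):
        """Like a Query on the partition key: all users of one tenant."""
        part = self._by_tenant.get(f"TENANT#{tenant_id}", {})
        return [part[sk] for sk in sorted(part)]

    def query_user(self, user_sub):
        """Like a Query on the inverted index: all tenants of one user."""
        part = self._by_user.get(f"USER#{user_sub}", {})
        return [part[pk] for pk in sorted(part)]


def list_tenant_users(table, caller_sub, tenant_id):
    """Return the users of tenant_id only if the caller is a member of it.

    caller_sub must be the `sub` claim of the verified Cognito token,
    never a value taken from the request body or query string.
    """
    caller_tenants = {m["PK"] for m in table.query_user(caller_sub)}
    if f"TENANT#{tenant_id}" not in caller_tenants:
        raise PermissionError("caller is not a member of this tenant")
    return [{"sub": m["SK"].split("#", 1)[1], "email": m["email"], "role": m["role"]}
            for m in table.query_tenant(tenant_id)]


def build_sample_table():
    """Constructed sample data: user u-2 belongs to two tenants."""
    t = MembershipTable()
    t.put_membership("acme", "u-1", "admin", "ann@acme.example")
    t.put_membership("acme", "u-2", "member", "bob@example.org")
    t.put_membership("globex", "u-2", "admin", "bob@example.org")
    t.put_membership("globex", "u-3", "member", "cy@globex.example")
    return t
```

Because membership is an item rather than a user attribute, the same Cognito user can appear under several tenants with a different role in each.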