Top 10 Questions for Designing Your SaaS Application on AWS

AllCloud Blog:
Cloud Insights and Innovation

Are you a SaaS provider running on or planning to use Amazon Web Services? If so what are the most important questions you should ask when building the foundations for your cloud-based applications?

In this paper, we’ve compiled a top 10 list of questions and answers to help you focus your efforts on building a cloud infrastructure that’s aligned with your SaaS business requirements. Our answers will help you understand which practices and AWS products you should use to provide your users with a secure, healthy and robust service.

So here goes.

 1. How can we maintain customers’ data privacy on AWS?

First you need to recognize that Amazon has its own strict rules to keep your customers’ data private. Amazon uses the 256-bit Advanced Encryption Standard (AES). However, under Amazon’s Shared Responsibility Model you share security responsibility with AWS and need to do your part by ensuring privacy and protection of data at rest and in transit. You can check out the AWS list of privacy FAQs to learn more.

Also for dealing with your customers’ data encryption, AWS offers a number of encryption key management services such as KMS and CloudHSM. In addition, you’ll need to issue, deploy and renew SSL/TLS certificates on all appropriate web resources. To help you provision and manage your certificates Amazon provides an in-house service, AWS Certificate Manager (ACM), which also offers a way to import existing third-party certificates for deployment to Amazon’s load balancers or CDN.

Finally, make sure you keep track of all changes affecting security and governance of your AWS resources by using logging tools such as AWS Config. Likewise you should also use API call-monitoring service CloudTrail and implement processes such as File Integrity, which validates log files delivered by CloudTrailso you can check to ensure no-one has tampered with them.

2.  How do we protect applications and customer data to maintain business continuity?

Amazon facilitates redundancy and disaster recovery through its network of regions and Availability Zones (AZs) spread across the globe. Each region is completely independent and made up of a number of Availability Zones.

Building secondary sites and distributing your workloads across AZs and regions goes a long way towards eliminating single points of failure (SPOFs). On top of that you’ll need to put measures in place to automatically perform consistent instance and volume backups. Based on your SLA you’ll need to define your backup and recovery policies, utilizing basic Amazon building blocks such as EBS volume snapshots, and plan data archiving and retrieval using Amazon S3 and Glacier. This will help ensure your entire stack and all services continue running in the event a server or even a whole AWS region goes down.

3. What tools do we need to maintain our AWS network security?

Using Amazon VPC in conjunction with EC2 Security Groups give you a variety of options for a secure connection to your AWS resources. Before you configure your virtual private network (VPN), thoroughly research your network requirements, taking into account multi-tier applications, secure storage, shared resources, public-facing websites and disaster recovery.

Amazon’s built-in Web Application Firewall, AWS WAF, helps protect against web exploits and cyber attacks aimed at tampering with your web applications. In an enterprise IT environment, a high level of intrusion protection is strictly necessary. There are many third-party intrusion detection system (IDS) and intrusion prevention system (IPS) tools that integrate with AWS, the latter of which automatically identifies and blocks common attacks. An alternative solution would be to implement a cloud-based unified threat management (UTM) system in which you can manage these functions and other security tasks through a single console. AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that defends against the most common, frequently occurring network and transport layer DDoS attacks that target your website and applications. AWS’s built-in security tools like WAF and Shield help hosted SaaS providers obtain the security services they require although it’s not part of their responsibility.

4. What measures should we use to restrict access to our AWS deployments, in particular to our database tiers?

Use IAM roles for Amazon EC2 and remember to avoid using hard-coded credentials within various application components. And make sure you implement a single sign-on (SSO) system. This will solve many of your security and compliance headaches by helping standardize user IDs and policies, simplify user administration and minimize redundant or incorrect identities. You can find a number of third-party cloud-based identity management solutions on the AWS Marketplace, such as Okta and OneLogin.

5. Can AWS support our specific regulatory and compliance obligations? How?

AWS meets a variety of compliance standards (adhering to compliance regulations is shared between AWS and the customer in accordance with the Shared Responsibility Model) that satisfy both US and global regulations. In many cases, such as PCI DSS and HIPAA, this comes in the form of an assurance program. In order to meet and obtain specific certification standards you should consider questions such as:

  •  What type of information will be stored?
  •  Where should it be stored?
  •  What data should you keep on premise?
  •  Who should have right of entry to your system?
  •  What can they access?

To answer these and implement the controls and standards required you should consider leveraging the AWS ecosystem of certified Premier Consulting Partners. These should have experience with the specific certification you need and will help you quickly close the gaps in your knowledge, accelerating your time to market.

6. How can we leverage AWS to scale our application to serve a million users?

First identify which parts of your system (for example your web servers tier) are able to benefit from Amazon’s Auto Scaling service, which dynamically scales your underlying resources, as per load. One very particular challenge is scaling your database operations so they maintain a high level of performance as your data grows. As with all your resources, your two main options are vertical scaling and horizontal scaling.

However, each option has its advantages and disadvantages in terms of cost, management overhead and complexity. In some cases, scaling your database may not be feasible at all. That’s why we strongly recommend using AWS DBaaS (database-as-a-service) options such as RDS and Aurora for your SQL databases and DynamoDB for your NoSQL use cases. These scalable services simplify the task of setting up and managing your databases, eliminating the need for costly database administration.

What’s more, if you’ve just started developing your service, you should take the opportunity to adopt a more modern and efficient approach to application architecture by looking at microservices and stateless designs. These can be easier to manage and independently scale. Products such as Amazon’s EC2 container service ECS and serverless compute platform Lambda are designed with this type of architecture in mind.

7. What is Amazon’s SLA? And how can we govern our systems 24×7?

Ech AWS service carries its own service level agreement (SLA). For example, EC2 comes with a Monthly Uptime Percentage of at least 99.95%. If the vendor fails to deliver on its SLA in any one month, it offers a credit of between 10% and 30% of your EC2 bill for that month against future EC2 charges. You can find full details on the Amazon EC2 Service Level Agreement page.

But remember you are still responsible for ensuring your own services are running smoothly and therefore need to make sure they’re tightly monitored. Moreover, logging and monitoring are especially important in complex cloud-based infrastructure, where it can be difficult to pinpoint performance issues and make sense of large amounts of data.

AWS supports a number of cloud logging services. System and application monitoring services include Amazon CloudWatch and third-party offerings such as DataDog and New Relic. CloudWatch also includes a logging facility, or you can use a 3rd party service such at, which is an ELK service (Elasticsearch, Logstash and Kibana) and includes support for all builtin AWS metrics.  Also make use of AWS Trusted Advisor, which provides recommendations to further optimize your AWS deployments.

Finally, make sure any internal or external support teams you use have the AWS skills required to troubleshoot infrastructure issues. You don’t want to wake up your cloud architects in the middle of the night to look at your environment’s performance.

8. What services does AWS provide to facilitate delivery processes such as system upgrades and continuous integration and delivery?

Amazon’s strong DevOps capabilities are among the vendor’s major selling points, offering a raft of tools and services designed to simplify code deployment and infrastructure management.

First, define a release management process that will help provide frequent, production-quality updates to your applications. AWS Elastic BeanstalkAWS CodeCommitAWS CodePipeline and AWS CodeDeployare among the many in-house tools that can help with this aspect of your deployment.

You should also leverage third-party continuous integration (CI) and continuous delivery (CD) solutions, such as Jenkins orchestration engine and Docker containers, which allow your operations team to create a delivery pipeline to facilitate automated testing and integration of your developers’ code. These tools are designed to speed up the software delivery cycle and help improve product quality.

9. How much will it cost us to run our applications on AWS? How can we control these ongoing costs?

You should start by running and testing a pilot system that’s representative of the final production environment. This will help you qualify performance, estimate resource sizing and the ongoing costs of your cloud footprint. You should also compare the projected costs of running your application with those of running it in your on-premise data center, taking into account factors such as the upfront investment in equipment, floor space, staffing and energy costs. Although this can be a major undertaking, requiring specialized tools and expertise, you can use Amazon’s Total Cost of Ownership (TCO) Calculator, which will provide you with a starting figure.

SaaS application stacks should be continually updated to meet user expectations and retain customers with better service. Unlike legacy applications, which are rarely changed or upgraded, this is the very nature of SaaS. And this requires regular testing in order to determine how your system and infrastructure behave as your software evolves. Besides the impact on your system’s security and performance, tightly monitoring your infrastructure capacity will also allow you to control your cloud costs. Using Amazon’s native cost and billing management service and its Cost Explorer tool can help you manage costs by settingbudgets, creating alerts on cost limits and tracking cost trends by a variety of filters.

10. Should we use any third-party services, partners or solutions? What about licensing issues?

Over the last decade Amazon has built a highly mature and feature-rich cloud platform, allowing startups to get off the ground without the risk of investing millions in physical infrastructure. As with every cloud vendor, it recognized the need for a strong ecosystem of partners that could provide specialist knowledge and capabilities to support those AWS customers with very specific requirements.

In addition to the AWS Partner Network (APN), the AWS Marketplace has an online self-service portal providing access to third-party, off-the-shelf solutions such as Sophos UTM and Fortinet web firewalls. These give AWS users a way to try out solutions by quickly deploying ready-made machine images for trial usage, allowing you to qualify potential new services quickly and efficiently.

Moreover, when looking for an AWS consulting partner, make sure they have the right level of certificationwith practical experience in deploying multi-tenant applications on top of AWS, giving due consideration to scale and security in particular. These consultants can not only help you build your cloud environment but also guide your R&D team, to make sure your SaaS business is performing optimally.

New Challenges and Responsibilities

Your journey from traditional on-premise to modern SaaS applications presents an opportunity to adopt more agile and efficient methods of software development and drive new revenue streams to your business. But it also presents new challenges and responsibilities.

Fundamental to the contemporary SaaS approach is the multi-tenant application, where the same instance of software serves any number of company users or external customers. So it’s essential you take measures to guard against external threats and prevent privacy breaches between application users. Fulfilling your security responsibilities requires a good understanding of your new cloud environment’s capabilities and the tools available. So do your homework thoroughly and choose your cloud partners wisely.

Still have questions?  The perfect place to start your cloud journey is with a Cloud Architecture Workshop.

Lahav Savir

Founder and CTO, Cloud Platforms

Read more posts by Lahav Savir