Over the past 2 years I have helped about a dozen SaaS startups with their AWS infrastructure and DevOps processes, a service I have come to call #awsforstartups.
If you have worked with SaaS companies, you will be aware that pretty much any startup nowadays works with a multi-tenanted data model. This means data from multiple customers is stored in the same database and file structure. Apart from common security concerns, the main concern of a multi-tenanted web application is protecting each customer's data from other customers. Naturally, if your customers can see information of other customers – even by accident – they will realise that the other customers and possible competitors can do the same. Your trust is gone.
With this in mind, let me introduce the most underutilized AWS service for SaaS startups:
CloudFront is AWS’ Content Delivery Network (CDN). What a CDN does is store information on hundreds of servers around the world, close to most (or all) commercial centres. One of the immediate benefits of a CDN is that data for customers doesn’t have to travel too far and therefore loads much quicker.
How you use a CDN
One of the most common methods of using a CDN is to load all your public images and files onto it and reference them directly from the CDN. This method is used by many Content Management Systems, such as WordPress, to speed up the page load time. A nice side effect is that the requests for these files no longer hit your web server infrastructure in the majority of cases; that is, they only get requested from it once and again when they need to be refreshed.
This second benefit is much more important than you may think and I want to illustrate this by looking at how you are charged for this. A 10MB PDF downloaded by a customer is going to cost you US $0.00085 in traffic charges going to North America. It doesn’t matter if it comes from your EC2 server or CloudFront. However, if you deliver it from CloudFront, it doesn’t cost you any CPU cycles, nor any other additional cost. You can therefore “re-use” these “saved” CPU cycles to serve additional customers.
How to use a CDN to secure your multi-tenanted files
When you build SaaS infrastructure on AWS, you want it to be set up in a scalable, self-healing way. Most SaaS systems also hold files for people, even if it is only profile pictures or marketing material in a secured marketplace.
In most cases the best way is to store these files on S3, the file storage service from AWS. It is very cost efficient, accessible by multiple auto-scaled servers and has lots of built-in features for versioning, archival, cost optimisation and other automations.
While files on S3 can be made publicly available on the Internet (but god forbid, DO NOT do that), they can also be delivered through CloudFront. Again, you are paying the same traffic charges, but now you have eliminated paying for CPU cycles for your file delivery completely. Files on CloudFront can also be secured through a feature called “signed URLs”.
What happens here is that every link to a file is now signed with the private key of a private-public key pair and can only be accessed through this link for a limited time. After the time has passed, access is denied by CloudFront. AWS documentation has sample code for this and I have spent no more than an hour per PHP development team to implement this solution with them. By creating a unique link for every file/image linked, every time the page with the links is viewed, you can achieve bulletproof security, so that your files are not accessible by 3rd parties nor by other users of your SaaS product.
Even better, watch movies you bought for a limited time – only on your IP address or country
We researched an even more compelling use case for CloudFront signed URLs when we worked with an Australian filmmaker who wanted to sell a film on his own website.
CloudFront allows you to “package up” additional information on your user into the security model. Imagine selling a movie for $9.99 for 48 hours of viewing. It would not be that great if your movie went viral (great!), only for everyone on Reddit to watch the movie for free in those 48 hours.
With a simple configuration item, CloudFront allows you to stream that movie file for a fixed time period to only a specific IP address, essentially securing your download from unauthorised copying.
Even better, implementing this type of security in a web application would be much more expensive than doing it with the CloudFront configuration statement.
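The per-file, time-limited links and the IP restriction described above, as an added Python example (not AWS sample code and not from the original post): it builds a CloudFront custom policy and refuses to sign for a file outside the requesting tenant's prefix. The distribution domain, the `tenants/<id>/` key layout, the function names and the injected `sign` callable (the RSA-SHA1 signature made with your CloudFront private key) are assumptions.

```python
import base64, ipaddress, json, posixpath, time
from urllib.parse import parse_qs, quote, urlsplit

CDN = "https://dexample.cloudfront.net"  # hypothetical distribution domain
TO_CF, FROM_CF = str.maketrans("+=/", "-_~"), str.maketrans("-_~", "+=/")

def cf_b64(raw):
    """Base64 with CloudFront's URL-safe substitutions: + to -, = to _, / to ~."""
    return base64.b64encode(raw).decode().translate(TO_CF)

def tenant_url(tenant_id, key):
    """Return the CDN URL for key, or refuse if it is not this tenant's file."""
    prefix = f"tenants/{tenant_id}/"  # assumed S3 key layout
    # Policy resources treat * and ? as wildcards, and "../" could leave the
    # prefix, so only exact, normalised keys under the tenant prefix pass.
    if (posixpath.normpath(key) != key or not key.startswith(prefix)
            or any(c in key for c in "*?")):
        raise PermissionError(f"{key!r} is outside {prefix}")
    return f"{CDN}/{quote(key)}"

def build_policy(url, expires_at, client_ip=None):
    """Custom policy: expiry always, the viewer's IPv4 address when given."""
    cond = {"DateLessThan": {"AWS:EpochTime": expires_at}}
    if client_ip is not None:
        cond["IpAddress"] = {"AWS:SourceIp": f"{ipaddress.IPv4Address(client_ip)}/32"}
    policy = {"Statement": [{"Resource": url, "Condition": cond}]}
    return json.dumps(policy, separators=(",", ":")).encode()  # no whitespace

def signed_url(tenant_id, key, sign, key_pair_id, ttl=300, client_ip=None, now=None):
    """sign(policy_bytes) -> bytes is the RSA-SHA1 signature made with the
    CloudFront private key; it is injected so the key stays in one place."""
    url = tenant_url(tenant_id, key)  # authorisation happens before signing
    expires_at = int(time.time() if now is None else now) + ttl
    policy = build_policy(url, expires_at, client_ip)
    return (f"{url}?Policy={cf_b64(policy)}&Signature={cf_b64(sign(policy))}"
            f"&Key-Pair-Id={key_pair_id}")

def read_policy(url):
    """Decode the Policy parameter again, e.g. when debugging a denied request."""
    token = parse_qs(urlsplit(url).query)["Policy"][0]
    return json.loads(base64.b64decode(token.translate(FROM_CF)))
```

CloudFront only verifies the signature and the policy conditions; deciding which tenant may receive a link to which file stays in your application, which is what `tenant_url` enforces here.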
So there you go: CloudFront is in my view the most underutilized AWS service for SaaS startups, PHP based MVPs and similar platforms.