Serverless Observability on AWS: Single-Tenant SaaS Implementation

Introduction

Nogalis is a software company in the ERP archiving space. Their product allows enterprise customers to retire expensive ERP systems by migrating historical data into a read-only archive hosted on AWS. Instead of maintaining costly licenses for legacy ERPs, Nogalis customers pay for a simpler, cheaper alternative that preserves full access to their archived records.

What makes Nogalis architecturally unusual is their single-tenant SaaS model. Every customer gets a dedicated deployment in its own AWS account. With approximately 30 customers, that means 30 separate environments, each running its own set of AWS Lambda functions, DynamoDB tables, Athena queries, and S3 data lakes.

This model provides strong isolation and data security, but it comes with a cost: without centralized observability, the Nogalis team had almost no way to know what was happening across those 30 environments. When something broke, they found out late. When a customer experienced degraded performance, debugging took days. Nogalis came to Perfsys to fix that.

The Observability Challenge for Single-Tenant SaaS

Nogalis faced a set of questions that every SaaS business owner eventually encounters: Is production running correctly? Are customers experiencing failures? If so, where? And when a problem surfaces, how quickly can the team identify and resolve it?

The challenge was amplified by the single-tenant deployment model. With each customer isolated in its own AWS account, there was no single pane of glass to monitor health, usage, or errors. The team had some basic CloudWatch alarms in individual accounts, but those were neither centralized nor actionable.

The specific problems included:

• No cross-account visibility into system health or Lambda invocation patterns
• No way to distinguish real user invocations from warmup (keep-alive) Lambda calls
• No custom business attributes in telemetry (report names, user metadata, customer identifiers)
• Incident response measured in days, not hours
• A previous attempt with Datadog had been abandoned due to its complexity for the team size

We had no good information about what was going on with all those customers. We had no idea whether the system was running properly, how it was being used, or where failures were happening. — Eugene, Perfsys Engineering Lead, describing the client's situation

Solution Strategy: Vendor Selection and Integration Planning

Perfsys structured the engagement in two phases: first, evaluate and select the right observability platform; second, integrate it across Nogalis's deployment pipeline. The total timeline was approximately three weeks.

Phase 1: Observability Vendor Evaluation (Week 1)

Perfsys evaluated two platforms: Lumigo and Dash0 . The selection criteria were driven by Nogalis's specific constraints: a serverless-first architecture on AWS, a small team with limited time for tooling overhead, and a need for per-customer visibility mapped to individual AWS accounts.

Lumigo won the selection based on two decisive factors: its trace map for serverless invocation chains and its ease of use for a small team. Nogalis had already tried Datadog and found it too complex. Dash0, while more capable in multi-cloud and container scenarios, presented a similar risk of underutilization.

Perfsys identified one clear tradeoff: Lumigo could not provide a single unified dashboard across all 30 customer accounts. This was validated through an MVP test during the evaluation phase. Both Perfsys and Nogalis agreed to accept this limitation in exchange for faster adoption and higher day-to-day usability.

Phase 2: Integration and Deployment Automation (Weeks 2–3)

With Lumigo selected, Perfsys moved into integration. The goal was to embed observability directly into Nogalis's existing deployment pipeline so that every new customer environment would be monitored automatically, without manual setup.

What Perfsys Delivered

1. Evaluating Observability Platforms for Serverless on AWS

Perfsys conducted an independent evaluation of Lumigo and Dash0, producing a detailed comparison document with pros, cons, and a clear recommendation. The evaluation focused on how each platform handled serverless-specific telemetry, per-account project mapping, and the operational burden on a five-person team. The evaluation included a proof-of-concept to test whether Lumigo could support a cross-account aggregated view. When this proved infeasible, Perfsys documented the limitation and presented it to Nogalis as a conscious tradeoff, not a hidden gap.

2. Automating Per-Customer Observability With Lumigo Projects

Each Nogalis customer maps to a dedicated AWS account. Perfsys configured a one-to-one mapping between customer accounts and Lumigo projects. This gave the Nogalis team a per-customer view where they could inspect invocation patterns, trace failures, and review performance for any individual customer without cross-contamination from other accounts. The mapping was designed to be automatic — whenever Nogalis deployed a new customer environment, the corresponding Lumigo project was created and configured as part of the deployment process, requiring no manual steps.

3. Enabling Auto-Tracing Across All Lambda Functions

Nogalis's platform is heavily serverless, relying on AWS Lambda for most application logic. Perfsys enabled Lumigo's auto-tracing and auto-discovery features so that every Lambda function deployed within a customer account was automatically instrumented. This captured invocation counts, durations, error rates, and full execution traces without requiring code changes in the application layer. Critically, the configuration included logic to separate warmup invocations from real user-triggered calls — essential for accurate usage reporting and for identifying genuine issues without noise from synthetic keep-alive traffic.

4. Securing Cross-Account Access With IAM Roles

For Lumigo to pull resource data and traces from each customer's AWS account, it needs appropriately scoped access. Perfsys created a dedicated IAM role for Lumigo in each customer account, following the principle of least privilege. The role grants Lumigo read access to the resources it needs to monitor, while preventing any write operations or access to customer data. This IAM configuration was integrated into the Infrastructure as Code templates used during customer deployments, ensuring access controls are consistent, auditable, and impossible to skip.

5. Embedding Observability Into the Deployment Pipeline

The most important architectural decision was making observability a built-in part of the deployment process rather than a bolt-on. Perfsys modified Nogalis's CI/CD pipeline so that deploying a new customer account automatically provisions the Lumigo project, assigns the IAM role, and enables auto-tracing for all Lambda functions. The deployment templates were built using AWS SAM , ensuring consistent and repeatable infrastructure across all customer environments. For an organization with five people managing 30 customer environments, this kind of automation is not a convenience — it is a requirement for operational sustainability.

Security and Reliability

Given that Nogalis manages archived enterprise data on behalf of its customers, security was a non-negotiable constraint throughout the implementation. Least-privilege IAM roles ensure Lumigo has only the minimum access needed to collect traces and metrics from each AWS account. Customer account isolation is preserved throughout the observability setup — each Lumigo project maps to exactly one AWS account, with no cross-account data leakage. All IAM role configurations are version-controlled and deployed through Infrastructure as Code, providing full audit trails. The integration was designed to align with the SOC 2 compliance posture Nogalis was already pursuing across its AWS Organization, managed through AWS Control Tower.

Results and Business Impact

Before this engagement, Nogalis operated 30 customer deployments with minimal insight into system health, usage patterns, or failure rates. After three weeks of work with Perfsys, the team has per-customer observability, automated tracing across all Lambda functions, and the ability to identify and respond to incidents roughly 10 times faster than before. For a five-person company managing enterprise-grade data archiving, this is the difference between reactive firefighting and proactive operations.

Approximately 100,000 Lambda invocations are now tracked per month — providing real-time visibility into how customers use the platform, where errors occur, and which deployments need attention. All 30 customer deployments are covered: 5 large accounts were fully connected at launch, with the remaining environments instrumented for automated onboarding. Zero manual setup is required for new customers: observability is embedded in the deployment pipeline, eliminating configuration drift and human error. The failed Datadog implementation was replaced with a platform the team actually uses daily.

Running a SaaS product without clear observability across your customer environments?

We help SaaS companies and startups design and implement serverless observability solutions that fit their architecture, team size, and budget. Whether you run single-tenant deployments, multi-account setups, or serverless workloads on AWS, Perfsys can help you move from guessing to knowing.

Book a Discovery Call

Explore Observability Services

Conclusion and Next Steps

In three weeks, Perfsys took Nogalis from fragmented CloudWatch alarms to a fully automated, per-customer observability platform integrated into their deployment pipeline. The Nogalis team now has the visibility to make informed operational and business decisions across all 30 customer environments.

Planned next steps include migrating from Lumigo to Dash0 when the product consolidation is complete (expected mid-2026), extending observability coverage with custom business metrics and usage-based dashboards, implementing cross-account aggregated alerting, and continuing SOC 2 compliance alignment with observability data supporting audit and incident response documentation.

Eugene Orlovsky

CEO & Founder | Serverless architect with 10+ years of hands-on experience designing cloud-native architectures on AWS, backed by multiple AWS certifications. He is writing bridges deep technical expertise with real-world business strategy, covering topics from AWS best practices to scaling tech-driven organizations.