Allen Helton
1 min read · Aug 11, 2022


Lots of great questions!

There might be better ways to do this, but what comes to my mind is to have a tenant table that tracks your tenants. Include a foreign key on all your other data tables pointing to the primary key of the tenant table. Then, when writing stored procedures, be sure to always include the tenant id in your WHERE clause. This doesn't guarantee data isolation, because if you forget the WHERE clause you get everything.

We used Okta for our authN provider. It's only used to validate the JWT and provide us back with the user sub (id).

For fine-grained access control that is more detailed than the endpoint level, we handle authZ inside the Lambda function or Step Function workflow itself. Operations that need actual logic should not be handled in an authorizer.

Unfortunately the software I work on is all private and not visible to the public. But I do have a Postman collection that illustrates the tenancy concepts if you deploy the reference architecture to your AWS account.

Thanks for reaching out!
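As an added example (constructed here, not code from the post or from the author's project), the tenant table and foreign-key layout described in the reply in PostgreSQL, a stored procedure that scopes its WHERE clause by tenant id, and a row-level security policy that closes the gap the reply points out (a query that forgets the tenant filter). Table and column names, and the `app.tenant_id` session setting, are assumptions.

```sql
-- Constructed example (PostgreSQL). Tenant table; every data table carries a
-- NOT NULL foreign key back to it so no row can exist without an owner.
CREATE TABLE tenant (
    tenant_id uuid PRIMARY KEY DEFAULT gen_random_uuid(),
    name      text NOT NULL
);

CREATE TABLE invoice (
    invoice_id   uuid PRIMARY KEY DEFAULT gen_random_uuid(),
    tenant_id    uuid NOT NULL REFERENCES tenant (tenant_id),
    amount_cents bigint NOT NULL,
    created_at   timestamptz NOT NULL DEFAULT now()
);
CREATE INDEX ON invoice (tenant_id);  -- every query filters on it

-- Stored procedure pattern from the reply: the caller's tenant id (resolved
-- from the validated JWT sub outside the database) is always in the WHERE.
CREATE FUNCTION list_invoices(p_tenant_id uuid)
RETURNS SETOF invoice
LANGUAGE sql STABLE AS $$
    SELECT * FROM invoice WHERE tenant_id = p_tenant_id
$$;

-- Defence in depth for the failure mode named in the reply (a query that
-- omits the tenant filter): row-level security makes the database apply the
-- filter itself. current_setting(..., true) returns NULL when the setting is
-- unset, so the policy fails closed (no rows) rather than erroring open.
ALTER TABLE invoice ENABLE ROW LEVEL SECURITY;
ALTER TABLE invoice FORCE ROW LEVEL SECURITY;   -- also binds the table owner
CREATE POLICY invoice_tenant_isolation ON invoice
    USING      (tenant_id = current_setting('app.tenant_id', true)::uuid)
    WITH CHECK (tenant_id = current_setting('app.tenant_id', true)::uuid);

-- Constructed sample data: two tenants, one invoice each.
INSERT INTO tenant (tenant_id, name) VALUES
    ('11111111-1111-1111-1111-111111111111', 'acme'),
    ('22222222-2222-2222-2222-222222222222', 'globex');
INSERT INTO invoice (tenant_id, amount_cents) VALUES
    ('11111111-1111-1111-1111-111111111111', 1000),
    ('22222222-2222-2222-2222-222222222222', 2500);

-- Per request: bind the tenant from the token for this transaction only,
-- then even an unscoped query returns just that tenant's rows.
BEGIN;
SELECT set_config('app.tenant_id', '11111111-1111-1111-1111-111111111111', true);
SELECT count(*) FROM invoice;                 -- 1 row, not 2
SELECT * FROM list_invoices('22222222-2222-2222-2222-222222222222'); -- 0 rows
COMMIT;
```

Superusers and roles with BYPASSRLS are not subject to the policy, so the application should connect as an ordinary role for the policy to be effective.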


Written by Allen Helton

I am an AWS serverless hero with a strong focus on API design and standardization, event-driven architectures, and software automation.
