---
title: Salesforce Integration with AWS
description: Salesforce + AWS in 2026: Agentforce 2.0 with Lambda, Data Cloud Zero-Copy with S3 Tables and Iceberg, Einstein Trust Layer, and Amazon Connect CTI.
url: https://www.factualminds.com/integrations/salesforce-aws/
category: crm
updated: 2026-04-29
---

# Salesforce Integration with AWS

> Extend Salesforce with Amazon Bedrock, Lambda, S3 Tables, Data Cloud Zero-Copy, and Amazon Connect — and keep customer data in one governed place.

## Salesforce + AWS in 2026

Salesforce owns the CRM record — pipeline, cases, accounts, marketing journeys, service agent seats. AWS owns the data platform, custom applications, ML, and large-scale compute. The 2026 pattern we deploy keeps Salesforce Data Cloud and Amazon S3 Tables / Apache Iceberg as a single governed dataset (no duplicated rows), extends Salesforce workflows with Amazon Bedrock and Lambda via **Agentforce 2.0**, and fronts the whole thing with Salesforce's **Einstein Trust Layer** plus AWS guardrails and audit.

## What's new for Salesforce + AWS in 2026

- **Agentforce 2.0** — autonomous Salesforce agents that reason, retrieve, and take actions; extend with Lambda "external actions" for AWS-side business logic.
- **Data Cloud Zero-Copy expansion** — federate directly to Amazon S3 Tables and Apache Iceberg tables on S3; one dataset, two consumers (Salesforce reports + AWS analytics).
- **Einstein Trust Layer** — grounding in Data Cloud, PII masking, toxicity detection, zero-retention prompts, prompt/response audit. Compatible with Bedrock-hosted models.
- **MuleSoft AI Chain** — LLM orchestration inside Anypoint flows; plug Bedrock into enterprise integration pipelines.
- **Amazon Connect deep integration** — Contact Lens real-time transcripts into Service Cloud, Amazon Q in Connect for agent assist, and Einstein Service Intelligence on top of Connect events.
- **Data Cloud + Amazon DataZone / SageMaker Lakehouse** — shared governance across Salesforce and AWS analytical consumers.
- **AWS PrivateLink for AppFlow and Data Cloud** — private connectivity for regulated data flows.

## Why integrate Salesforce with AWS

- **One customer record, many workloads** — Salesforce stays the source of truth for CRM; AWS powers transactions, analytics, ML, and custom apps, all reading or writing through governed pipes.
- **Agentic workflows** — Agentforce agents trigger AWS Lambda, SNS, SES, Step Functions, or Bedrock directly from the CRM.
- **Zero-Copy analytics** — Data Cloud + S3 Tables cuts duplicate storage and removes ETL-induced staleness.
- **Event-driven responsiveness** — Salesforce Platform Events and Change Data Capture push to EventBridge in low-second latency.

## Integration patterns

### 1. Zero-Copy federation (recommended default)

- Salesforce Data Cloud federates to S3 Tables / Iceberg tables.
- One dataset; Salesforce reports and AWS Glue / Athena / Redshift / EMR read the same rows.
- Governance via Salesforce Data Cloud + Amazon DataZone.
- Ideal for enterprise analytics, customer 360, and AI training corpora.

### 2. Event-driven (real-time business workflows)

- Salesforce Platform Events or Change Data Capture → EventBridge → Lambda → target store.
- Latency in low seconds.
- Ideal for "order closed → fulfillment", "case escalated → PagerDuty", "opportunity updated → finance system".

### 3. Batch ETL via AWS AppFlow (reporting pipelines)

- No-code scheduled Salesforce → S3 → Glue → Redshift / Athena.
- Bidirectional with write-back support.
- Ideal for reporting workloads tolerant to minutes or hours of lag.

### 4. Agentforce + AWS Lambda external actions (agentic)

- Agentforce agent reasons about a Salesforce record; calls Lambda via API Gateway with a JWT authorizer validating the Connected App token.
- Lambda runs AWS-side logic (Bedrock call, DynamoDB lookup, Step Functions orchestration) and returns structured data.
- Agent continues with the result and writes outcomes back to Salesforce.

### 5. MuleSoft Anypoint / AI Chain (enterprise orchestration)

- Multi-system flows that include Salesforce, AWS, SAP, Workday, NetSuite.
- AI Chain inserts Bedrock or other LLM stages inside the orchestration.
- Premium pricing; justified at enterprise scope.

## Agentforce 2.0 + Lambda reference

```
Salesforce user / Einstein Copilot
  ↓
Agentforce agent (topic + actions + prompt templates)
  ↓  External Action (HTTP)
API Gateway (JWT authorizer ← Connected App OAuth token)
  ↓
AWS Lambda
  ├── DynamoDB / RDS / Aurora
  ├── Amazon Bedrock (Claude Sonnet 4 / Amazon Nova)
  ├── Step Functions / SES / SNS / EventBridge
  └── Response (structured JSON)
  ↓
Agentforce continues reasoning and writes outcome to Salesforce
```

Einstein Trust Layer masks PII before prompts hit the LLM; Bedrock Guardrails is the AWS-side equivalent. Run both where regulated data is in scope.

## Data Cloud Zero-Copy on Amazon S3 Tables

- Data Cloud reads Iceberg tables on S3 Tables without duplicating rows.
- Write-back publishes unified profiles back to S3 for activation in AWS pipelines.
- Query the same dataset from Athena, Glue, EMR, Redshift (via Spectrum / Lake Formation), or SageMaker Lakehouse.
- Pair with DataZone for federated governance: Salesforce as one domain, AWS analytics as another, one catalog.

## Amazon Connect + Service Cloud (contact centre)

- CTI Adapter for Salesforce Lightning: screen pops, click-to-call, call recording attached to cases.
- Contact Lens real-time transcripts stream into Service Cloud for agent assist.
- Amazon Q in Connect proposes responses based on KB articles and case history.
- Einstein Service Intelligence layered on Connect events.
- Often replaces Genesys / Avaya / Five9 for mid-market contact centres.

## Security and trust

- **Salesforce Connected App + OAuth 2.0 JWT bearer flow** — no passwords, rotate cert annually.
- **Dedicated integration user** with minimum-permission profile.
- **AWS Secrets Manager** stores Salesforce private key; KMS CMK for encryption.
- **API Gateway JWT authorizer** in front of every Lambda external action.
- **AWS PrivateLink / VPC endpoints** for regulated data flows.
- **Einstein Trust Layer + Bedrock Guardrails** — two independent policy layers for LLM interactions.
- **Salesforce Event Monitoring + CloudTrail → Security Hub / Amazon Security Lake (OCSF)** — unified timeline for incident response and compliance evidence.

## Integration pattern decision matrix

| Need                                                  | Pattern                             | Latency    | Cost         | When to pick                                             |
| ----------------------------------------------------- | ----------------------------------- | ---------- | ------------ | -------------------------------------------------------- |
| Single governed analytical dataset                    | Zero-Copy + Iceberg on S3 Tables    | Query time | Storage only | Default for new analytics workloads in 2026              |
| Real-time order/case workflow                         | Platform Events → EventBridge       | < 5s       | Low          | "When X happens in CRM, do Y in AWS"                     |
| Scheduled bidirectional sync, low ops surface         | AWS AppFlow                         | Mins–hours | Per-record   | Reporting that tolerates lag, no-code preferred          |
| Agent-driven AWS-side actions from inside Salesforce  | Agentforce + Lambda external action | Sub-second | Per-call     | Autonomous flows, governed by Einstein Trust Layer       |
| Multi-system enterprise orchestration with governance | MuleSoft Anypoint + AI Chain        | Varies     | Premium      | SAP / Workday / NetSuite in scope; enterprise governance |
| Mass export for ML / analytics                        | Bulk API 2.0 → S3                   | Mins       | Per-batch    | Initial loads, periodic full refreshes                   |

Default to Zero-Copy first; layer event-driven for real-time; layer agent for AI-mediated actions. Reserve MuleSoft for genuinely multi-system enterprise scope.

## Implementation: API Gateway JWT authorizer for Connected App

```yaml
SalesforceJwtAuthorizer:
  Type: AWS::ApiGatewayV2::Authorizer
  Properties:
    ApiId: !Ref AgentforceApi
    AuthorizerType: JWT
    IdentitySource:
      - $request.header.Authorization
    JwtConfiguration:
      Audience:
        - https://acme.my.salesforce.com
      Issuer: https://acme.my.salesforce.com
    Name: salesforce-connected-app-jwt
```

Salesforce-issued tokens carry `iss` (your My Domain), `sub` (integration user ID), and `scope`. API Gateway validates signature against Salesforce's JWKS and rejects expired or wrong-audience tokens before invoking Lambda.

## Implementation: AppFlow failure → Step Functions retry

```yaml
AppFlowFailureRule:
  Type: AWS::Events::Rule
  Properties:
    EventBusName: default
    EventPattern:
      source: ['aws.appflow']
      detail-type: ['AppFlow End Flow Run Report']
      detail:
        status: ['Execution Failed']
    Targets:
      - Arn: !GetAtt AppFlowRetryStateMachine.Arn
        RoleArn: !GetAtt EventBridgeRole.Arn

AppFlowRetryAlarm:
  Type: AWS::CloudWatch::Alarm
  Properties:
    MetricName: FlowExecutionsFailed
    Namespace: AWS/AppFlow
    Dimensions:
      - Name: FlowName
        Value: salesforce-orders-to-s3
    Statistic: Sum
    Period: 300
    EvaluationPeriods: 1
    Threshold: 1
    ComparisonOperator: GreaterThanOrEqualToThreshold
    TreatMissingData: notBreaching
    AlarmActions:
      - !Ref OncallTopic
```

## Failure modes & resilience

**1. 24-hour Salesforce API request limit.** Per-org daily limits (e.g., ~15,000 + 1,000 per Enterprise license). Hitting the limit blocks ALL API traffic — including the Connected App flow that powers your AWS integration. Mitigation: monitor via `/services/data/v60.0/limits` polled hourly; budget 20% headroom; use Bulk API 2.0 (counts as 1 request per batch, not per record) for large operations; archive cold reads via Data Cloud Zero-Copy so analytics doesn't burn CRM API quota.

**2. Bulk API 2.0 batch retries.** Bulk jobs split into chunks; a single chunk failure doesn't fail the job. Mitigation: poll job status, surface per-chunk failures, replay only failed chunks. Step Functions DistributedMap is the natural orchestrator.

**3. Platform Event delivery guarantees.** At-least-once delivery; replay window is 72 hours via the Replay ID. Subscribers must idempotently handle duplicates. Mitigation: persist `replayId` per consumer; deduplicate on `(eventType, recordId, eventTimestamp)` in DynamoDB.
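The idempotent subscriber described in item 3, as an added example that is not code from the page: it checkpoints the `replayId` per consumer and deduplicates on `(eventType, recordId, eventTimestamp)`. The in-memory `DedupStore` stands in for a DynamoDB table written with a conditional put on the key plus a TTL attribute; the event field names and sample stream are constructed for illustration.

```python
"""Idempotent consumer for Salesforce Platform Events relayed via EventBridge.

Added example, not code from the page. DedupStore mimics a DynamoDB table
written with ConditionExpression="attribute_not_exists(pk)" plus a TTL
attribute; swap in boto3 calls for production.
"""
import time
from typing import Dict, Tuple

# Constructed sample stream: at-least-once delivery means event 101 shows up twice.
SAMPLE_EVENTS = [
    {"replayId": 101, "eventType": "Order_Closed__e", "recordId": "ORDER-0001",
     "eventTimestamp": "2026-04-01T10:00:00Z", "payload": {"status": "Closed"}},
    {"replayId": 102, "eventType": "Order_Closed__e", "recordId": "ORDER-0002",
     "eventTimestamp": "2026-04-01T10:00:05Z", "payload": {"status": "Closed"}},
    {"replayId": 101, "eventType": "Order_Closed__e", "recordId": "ORDER-0001",
     "eventTimestamp": "2026-04-01T10:00:00Z", "payload": {"status": "Closed"}},
    {"replayId": 103, "eventType": "Case_Escalated__e", "recordId": "CASE-0042",
     "eventTimestamp": "2026-04-01T10:00:09Z", "payload": {"priority": "P1"}},
]

REPLAY_WINDOW_SECONDS = 72 * 3600  # Salesforce can replay up to 72 hours back


class DedupStore:
    """Stand-in for a DynamoDB table keyed on the dedup tuple, with a TTL."""

    def __init__(self):
        self._items: Dict[str, float] = {}  # dedup key -> expiry (epoch seconds)

    def put_if_absent(self, key: str, now: float) -> bool:
        # Returns False where DynamoDB would raise ConditionalCheckFailedException.
        expiry = self._items.get(key)
        if expiry is not None and expiry > now:
            return False
        self._items[key] = now + REPLAY_WINDOW_SECONDS
        return True


def dedup_key(event: dict) -> str:
    # The page's dedup tuple: (eventType, recordId, eventTimestamp).
    return f"{event['eventType']}#{event['recordId']}#{event['eventTimestamp']}"


def handle_event(event: dict, store: DedupStore, checkpoints: Dict[str, int],
                 consumer: str, now: float) -> str:
    """Process one event idempotently; returns 'processed' or 'duplicate'."""
    if store.put_if_absent(dedup_key(event), now):
        outcome = "processed"  # business logic (Lambda -> target store) goes here
    else:
        outcome = "duplicate"  # redelivery: skip side effects
    # Advance the per-consumer replayId checkpoint either way, so a restart
    # resubscribes from the newest event seen instead of the whole replay tail.
    checkpoints[consumer] = max(checkpoints.get(consumer, -1), event["replayId"])
    return outcome


def run(events, consumer: str = "orders-lambda") -> Tuple[Dict[str, int], int]:
    """Feed a batch through the consumer; returns (outcome counts, checkpoint)."""
    store, checkpoints = DedupStore(), {}
    counts = {"processed": 0, "duplicate": 0}
    now = time.time()
    for ev in events:
        counts[handle_event(ev, store, checkpoints, consumer, now)] += 1
    return counts, checkpoints[consumer]
```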

**4. AppFlow run failures with partial commit.** A flow that writes to S3 mid-run can leave partial files. Mitigation: write to a staging prefix; on flow success, atomically copy to the canonical prefix; for Iceberg targets, use snapshot isolation so consumers never see partial commits.

**5. Agentforce action timeout.** External actions (Lambda calls) have a Salesforce-side timeout (typically ~15s for Agentforce). Long-running fulfillment must be async: Lambda enqueues to SQS / Step Functions, returns immediately with a job ID, and Agentforce polls or receives a Platform Event when complete.

**6. Connected App cert rollover.** The cert backing your JWT bearer flow expires. Symptom: every integration call returns `invalid_grant`. Mitigation: dual-cert window — generate the new cert, upload to the Connected App alongside the old, switch the AWS Secrets Manager value, validate, then remove the old cert.

**7. Salesforce API version drift.** API versions deprecate on a published cadence. Hard-coding `v60.0` works until it doesn't. Mitigation: pin per-deployment, audit yearly, test against the `vNext` API in a sandbox.

## Observability runbook

**CloudWatch + Salesforce Event Monitoring alarms:**

| Alarm                               | Threshold                | First action                                                               |
| ----------------------------------- | ------------------------ | -------------------------------------------------------------------------- |
| Salesforce daily API usage          | `> 80%` of limit         | Identify caller via Event Monitoring; throttle or move to Bulk / Zero-Copy |
| AppFlow `FlowExecutionsFailed`      | `>= 1` per 5 min         | EventBridge → Step Functions retry; investigate source/destination errors  |
| Lambda (Agentforce action) `Errors` | `> 0` per 5 min          | CloudWatch Logs → trace ID → review request payload                        |
| API Gateway `4XXError` rate         | `> 5%`                   | JWT validation failure? Cert rollover in progress?                         |
| Platform Event subscriber lag       | `> 5 min`                | Subscriber down or rate-limited; confirm replayId checkpointing            |
| Bulk API 2.0 job failure rate       | `> 10%`                  | Per-chunk diagnostics; data quality issue or schema drift                  |
| AppFlow data freshness              | last successful run > 1d | Schedule failure; trigger manual run; alert downstream consumers           |

**Debug path: "Agentforce action returns 500":**

1. CloudWatch Logs → `/aws/lambda/agentforce-action` → grep request ID; capture full stack trace.
2. API Gateway access logs → confirm JWT was accepted (no 401); look for 5xx vs 4xx upstream.
3. If JWT failed: validate `iss` matches My Domain, `aud` matches Connected App audience, `exp` not in past, signature validates against current JWKS.
4. Salesforce side: Setup → Apps → Connected Apps → OAuth Usage → check for the failing user/IP.
5. Test in isolation: replay the same JWT against the Lambda directly (skip API Gateway) to isolate authorization vs business logic failures.
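A triage helper for step 3 of the debug path, added here as an example (not code from the page): it decodes a token and reports which check fails (`alg`, `kid` present in the current JWKS, `iss`, `aud`, `exp`, `sub`), which is the fastest way to tell a cert rollover from a misconfigured audience. Signature verification itself is left to API Gateway or a JWT library, so the sample token and JWKS below are constructed and unsigned.

```python
"""Claim triage for a Salesforce-issued JWT rejected by the API Gateway authorizer.

Added example, not code from the page. Checks the claims the debug path lists;
it does not verify the RS256 signature (API Gateway or a JWT library does that).
"""
import base64
import json
import time
from typing import List, Optional

MY_DOMAIN = "https://acme.my.salesforce.com"   # the page's issuer and audience


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def triage_token(token: str, jwks: dict, now: Optional[float] = None) -> List[str]:
    """Return the list of failed checks; an empty list means the claims look right."""
    now = time.time() if now is None else now
    problems: List[str] = []
    parts = token.split(".")
    if len(parts) != 3:
        return ["malformed: expected header.payload.signature"]
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    if header.get("alg") != "RS256":   # never accept 'none' or an HMAC alg here
        problems.append(f"alg: {header.get('alg')!r} (expected RS256)")
    current_kids = {k.get("kid") for k in jwks.get("keys", [])}
    if header.get("kid") not in current_kids:
        problems.append("kid: not in current JWKS (cert rollover in progress?)")
    if claims.get("iss") != MY_DOMAIN:
        problems.append(f"iss: {claims.get('iss')!r} does not match My Domain")
    aud = claims.get("aud")
    if MY_DOMAIN not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud: Connected App audience mismatch")
    if claims.get("exp", 0) <= now:
        problems.append("exp: token expired")
    if not claims.get("sub"):
        problems.append("sub: integration user missing")
    return problems


def make_unsigned_sample(claims: dict, kid: str) -> str:
    """Constructed token for offline triage; the signature segment is a dummy."""
    header = {"alg": "RS256", "typ": "JWT", "kid": kid}
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(claims).encode()),
                     _b64url_encode(b"not-a-real-signature")])


# Constructed JWKS with one current key id; the real one comes from Salesforce.
SAMPLE_JWKS = {"keys": [{"kty": "RSA", "kid": "cert-2026", "use": "sig"}]}
```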

**Polling Salesforce API limits (CloudWatch custom metric):**

Run a small Lambda hourly that calls `/services/data/v60.0/limits`, derives used requests as `Max` minus `Remaining` (the endpoint reports `Remaining`, not `Used`), and emits `DailyApiRequests.Used` and `.Max` to CloudWatch:

```bash
curl -H "Authorization: Bearer $TOKEN" \
  https://acme.my.salesforce.com/services/data/v60.0/limits | \
  jq '.DailyApiRequests'
# {"Max":15000,"Remaining":12834}
```

Alarm on `Used / Max > 0.8` sustained across consecutive periods; the on-call engineer gets paged before the org-wide block hits.
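The poller's metric-building and threshold logic, as an added example that is not code from the page: it derives used requests from `Max` and `Remaining`, builds the `MetricData` list that `cloudwatch.put_metric_data` expects, and reports how many calls remain before the 80% alarm line. The sample limits payload is constructed to mirror the curl output above, and the HTTP and CloudWatch calls are left out so it runs offline.

```python
"""Limits poller logic for the hourly Lambda described on the page.

Added example, not code from the page. Feed it the parsed JSON from
/services/data/vNN.N/limits; pass the returned MetricData list to
boto3's cloudwatch.put_metric_data (call omitted here to stay offline).
"""
from typing import Dict, List

# Constructed sample mirroring the curl output on the page.
SAMPLE_LIMITS = {
    "DailyApiRequests": {"Max": 15000, "Remaining": 12834},
    "DailyBulkV2QueryJobs": {"Max": 10000, "Remaining": 9990},
}

USAGE_ALARM_RATIO = 0.8   # the page's alarm line: Used / Max > 0.8


def usage_metrics(limits: Dict[str, dict], limit_name: str = "DailyApiRequests",
                  org: str = "acme") -> List[dict]:
    """Build the MetricData list for cloudwatch.put_metric_data."""
    entry = limits[limit_name]
    max_ = entry["Max"]
    used = max_ - entry["Remaining"]   # /limits reports Remaining, not Used
    dims = [{"Name": "Org", "Value": org}, {"Name": "Limit", "Value": limit_name}]
    return [
        {"MetricName": f"{limit_name}.Used", "Dimensions": dims,
         "Value": used, "Unit": "Count"},
        {"MetricName": f"{limit_name}.Max", "Dimensions": dims,
         "Value": max_, "Unit": "Count"},
        # A precomputed ratio avoids a CloudWatch math expression in the alarm.
        {"MetricName": f"{limit_name}.UsedRatio", "Dimensions": dims,
         "Value": used / max_ if max_ else 0.0, "Unit": "None"},
    ]


def evaluate(limits: Dict[str, dict], limit_name: str = "DailyApiRequests") -> dict:
    """Decide whether the alarm line is crossed and how much budget is left."""
    entry = limits[limit_name]
    max_ = entry["Max"]
    used = max_ - entry["Remaining"]
    ratio = used / max_ if max_ else 0.0
    return {
        "used": used,
        "used_ratio": round(ratio, 4),
        "alarm": ratio > USAGE_ALARM_RATIO,
        # Requests that can still be spent before the 80% alarm fires.
        "calls_until_alarm": max(0, int(max_ * USAGE_ALARM_RATIO) - used),
    }


def poll(limits: Dict[str, dict]) -> dict:
    """What the hourly Lambda would return after fetching /limits."""
    return {"metrics": usage_metrics(limits), "status": evaluate(limits)}
```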

## When this integration is NOT the right call

- Small team, Salesforce Starter edition, and reporting needs met by Salesforce reports or Tableau CRM — AWS-side analytics is premature.
- You are evaluating HubSpot/Zoho/Dynamics instead of Salesforce — most of these patterns apply in spirit but the specific APIs differ.
- Regulated workload with a hard data-residency rule that neither Salesforce Hyperforce nor your AWS region satisfies — architect differently (on-prem + limited cloud surface).

## Cost considerations

- Salesforce: $25-$330 per user/month by edition; Data Cloud on credit consumption.
- AWS AppFlow: ~$0.001/record (per-flow minimum applies).
- Lambda: ~$0.20 per 1M invocations; compute time billed in ms.
- S3 Tables / S3 Standard: ~$0.023/GB/month; S3 Tables adds a small management fee for automatic compaction and snapshot management.
- Athena: ~$5 per TB scanned — partition and use Iceberg to minimise.
- Amazon Connect: ~$0.018/minute voice; Contact Lens and Q in Connect priced separately.
- Bedrock: per-token for the chosen model; consider Amazon Bedrock Prompt Caching for Agentforce grounding traffic.
- Typical mid-market landing zone: $100-$800/month on AWS before Bedrock tokens.

Always verify current pricing at [aws.amazon.com/pricing](https://aws.amazon.com/pricing) and [salesforce.com/pricing](https://www.salesforce.com/pricing).

## Best practices

- **Single source of truth** — Salesforce for CRM; AWS for transactions and analytics. Avoid bidirectional sync loops.
- **Zero-Copy first** — federate via Data Cloud + S3 Tables before designing a new ETL pipeline.
- **Event-driven second** — Platform Events / CDC → EventBridge for real-time workflows.
- **Error handling** — CloudWatch Alarms on AppFlow failures, SQS DLQ on event Lambdas, alert within 15 minutes; stale CRM erodes trust faster than a failed report.
- **Rate limits** — respect Salesforce API daily limits; use Bulk API 2.0 for large exports and cache reference data in ElastiCache.
- **Agentforce hygiene** — narrowly scoped action catalogs, Bedrock Guardrails on every Lambda response, and structured-output schemas to minimise prompt-injection surface.

## Related reading

- [`Amazon Bedrock AgentCore in production`](/blog/amazon-bedrock-agentcore-production/)
- [`AWS Bedrock AI agents + agentic workflows`](/blog/aws-bedrock-ai-agents-agentic-workflows/)
- [`Amazon DataZone for enterprise governance`](/blog/amazon-datazone-enterprise-governance/)

## Related services

- [Generative AI on AWS](/services/generative-ai-on-aws/)
- [AWS Data Analytics](/services/aws-data-analytics/)
- [AWS Application Modernization](/services/aws-application-modernization/)

## FAQ

### How do I sync Salesforce data to AWS in 2026?
Four patterns to pick from. (1) **Zero-Copy via Salesforce Data Cloud** (the 2026 default) — Data Cloud federates directly to Amazon S3 Tables / Apache Iceberg without duplicating records, so Salesforce reports and AWS analytics read from one governed dataset. (2) **Real-time events** — Salesforce Platform Events or Change Data Capture → EventBridge → Lambda → target store; latency in low seconds. (3) **Batch via AWS AppFlow** — no-code scheduled Salesforce ↔ S3 / Redshift for reporting pipelines that can tolerate minutes or hours of lag. (4) **MuleSoft Anypoint** for complex orchestration and API management across enterprise systems. Use Zero-Copy first; fall back to event-driven or batch only where Zero-Copy does not fit.

### What is Agentforce 2.0 and how does it call AWS?
Agentforce 2.0 (announced Dreamforce 2024, shipping through 2025) lets you define autonomous agents that operate inside Salesforce workflows — reasoning, retrieving, and taking actions using a defined library of tools. You extend Agentforce with AWS Lambda "external actions": an agent can invoke a Lambda function to run AWS-side business logic (fulfillment, payments, inventory lookup, Bedrock-powered summarization) while staying in the Salesforce audit and Einstein Trust Layer. Authentication uses Salesforce Connected App OAuth 2.0 JWT bearer flow; the Lambda is deployed behind API Gateway with a JWT authorizer validating Salesforce-issued tokens.

### What is Einstein Trust Layer and why does it matter on AWS?
Einstein Trust Layer is Salesforce's grounding and safety layer for Einstein and Agentforce: dynamic grounding with Data Cloud context, toxicity/PII detection, zero-retention prompt policies with major LLMs, and an audit trail of every prompt and response. For AWS customers, it means you can route Agentforce grounding to Amazon Bedrock models (Claude Sonnet 4, Amazon Nova) while keeping the same audit and PII masking contract. Pair with Amazon Bedrock Guardrails for a second independent policy layer, and CloudTrail / Security Lake for unified evidence.

### How does Salesforce Data Cloud Zero-Copy with S3 Tables work?
Data Cloud Zero-Copy (GA 2024, expanded with S3 Tables support through 2025) lets Data Cloud query data sitting in Amazon S3 — typically as Apache Iceberg tables on S3 Tables — without duplicating rows into Data Cloud storage. The same Iceberg dataset can be read by AWS Glue, Amazon Athena, Amazon EMR, and Amazon Redshift, so Salesforce reports and AWS analytics operate on one governed copy. For the reverse direction, Data Cloud publishes unified customer profiles back to S3 for activation in AWS pipelines. Compared to the older AppFlow ETL pattern: fewer copies, fewer race conditions, lower storage cost, and a single governance seam via Data Cloud + Amazon DataZone.

### What is MuleSoft AI Chain and when should we use it?
MuleSoft AI Chain (2024) brings LLM orchestration into Anypoint — chain prompts, retrieval, and Salesforce/AWS actions as part of a larger integration flow. Use it when AI is one stage inside a bigger multi-system workflow (e.g., take an incoming support ticket from Salesforce, summarize it via Bedrock, enrich it from SAP, open an AWS ticket in Jira) and you need enterprise governance over that whole pipeline. For simpler Salesforce-only or Salesforce-plus-one-AWS-service integrations, direct Agentforce → Lambda is lighter weight.

### How do I secure the Salesforce ↔ AWS trust relationship?
Six controls we apply by default. (1) Salesforce Connected App with OAuth 2.0 JWT bearer flow — no passwords or permanent secrets. (2) Dedicated integration user in Salesforce with a minimum-permission profile. (3) Salesforce private key stored in AWS Secrets Manager; rotate the certificate annually. (4) AWS API Gateway in front of any Lambda Agentforce calls, with a JWT authorizer that validates the issuer, audience, and subject. (5) VPC endpoints for S3 / Secrets Manager / KMS to keep traffic off the public internet. (6) Salesforce Event Monitoring and CloudTrail correlated in Security Hub or Amazon Security Lake (OCSF) so every cross-system action has a single auditable timeline.

### What about Amazon Connect with Salesforce Service Cloud?
Amazon Connect (AWS contact centre) ships a production-ready Service Cloud integration — Connect CTI Adapter for Salesforce Lightning. Screen pops on incoming calls, call recordings and transcripts attached to cases, real-time Contact Lens transcripts streamed to Service Cloud for agent assist, and Amazon Q in Connect to propose responses. Many mid-market contact centres now run entirely on Connect + Service Cloud without a Genesys/Avaya/Five9 layer, cutting both licence and integration cost.

### How much does the integration cost?
Salesforce license: $25-$330/user/month by edition; Data Cloud is sold by credit consumption. AWS side: AWS AppFlow ~$0.001 per record with a minimum per flow run, Lambda ~$0.20 per million invocations, S3 from ~$0.023/GB/month, Amazon Athena ~$5 per TB scanned, and Amazon Connect from $0.018 per minute for voice. Most mid-market Salesforce+AWS integrations land at $100-$800/month on the AWS side, before any Bedrock token spend for Agentforce grounding. Always verify current pricing at aws.amazon.com/pricing and salesforce.com/pricing.

---

*Source: https://www.factualminds.com/integrations/salesforce-aws/*
