CRM + AI Integration
Salesforce Integration with AWS
Extend Salesforce with Amazon Bedrock, Lambda, S3 Tables, Data Cloud Zero-Copy, and Amazon Connect — and keep customer data in one governed place.
Last updated: April 29, 2026 | Author: FactualMinds Cloud Integration Team | Reviewed by: FactualMinds AWS-certified architects (Solutions Architect – Professional)
## Salesforce + AWS in 2026
Salesforce owns the CRM record — pipeline, cases, accounts, marketing journeys, service agent seats. AWS owns the data platform, custom applications, ML, and large-scale compute. The 2026 pattern we deploy keeps Salesforce Data Cloud and Amazon S3 Tables / Apache Iceberg as a single governed dataset (no duplicated rows), extends Salesforce workflows with Amazon Bedrock and Lambda via **Agentforce 2.0**, and fronts the whole thing with Salesforce's **Einstein Trust Layer** plus AWS guardrails and audit.
## What's new for Salesforce + AWS in 2026
- **Agentforce 2.0** — autonomous Salesforce agents that reason, retrieve, and take actions; extend with Lambda "external actions" for AWS-side business logic.
- **Data Cloud Zero-Copy expansion** — federate directly to Amazon S3 Tables and Apache Iceberg tables on S3; one dataset, two consumers (Salesforce reports + AWS analytics).
- **Einstein Trust Layer** — grounding in Data Cloud, PII masking, toxicity detection, zero-retention prompts, prompt/response audit. Compatible with Bedrock-hosted models.
- **MuleSoft AI Chain** — LLM orchestration inside Anypoint flows; plug Bedrock into enterprise integration pipelines.
- **Amazon Connect deep integration** — Contact Lens real-time transcripts into Service Cloud, Amazon Q in Connect for agent assist, and Einstein Service Intelligence on top of Connect events.
- **Data Cloud + Amazon DataZone / SageMaker Lakehouse** — shared governance across Salesforce and AWS analytical consumers.
- **AWS PrivateLink for AppFlow and Data Cloud** — private connectivity for regulated data flows.
## Why integrate Salesforce with AWS
- **One customer record, many workloads** — Salesforce stays the source of truth for CRM; AWS powers transactions, analytics, ML, and custom apps, all reading or writing through governed pipes.
- **Agentic workflows** — Agentforce agents trigger AWS Lambda, SNS, SES, Step Functions, or Bedrock directly from the CRM.
- **Zero-Copy analytics** — Data Cloud + S3 Tables cuts duplicate storage and removes ETL-induced staleness.
- **Event-driven responsiveness** — Salesforce Platform Events and Change Data Capture push to EventBridge in low-second latency.
## Integration patterns
### 1. Zero-Copy federation (recommended default)
- Salesforce Data Cloud federates to S3 Tables / Iceberg tables.
- One dataset; Salesforce reports and AWS Glue / Athena / Redshift / EMR read the same rows.
- Governance via Salesforce Data Cloud + Amazon DataZone.
- Ideal for enterprise analytics, customer 360, and AI training corpora.
### 2. Event-driven (real-time business workflows)
- Salesforce Platform Events or Change Data Capture → EventBridge → Lambda → target store.
- Latency in low seconds.
- Ideal for "order closed → fulfillment", "case escalated → PagerDuty", "opportunity updated → finance system".
### 3. Batch ETL via AWS AppFlow (reporting pipelines)
- No-code scheduled Salesforce → S3 → Glue → Redshift / Athena.
- Bidirectional with write-back support.
- Ideal for reporting workloads tolerant to minutes or hours of lag.
### 4. Agentforce + AWS Lambda external actions (agentic)
- Agentforce agent reasons about a Salesforce record; calls Lambda via API Gateway with a JWT authorizer validating the Connected App token.
- Lambda runs AWS-side logic (Bedrock call, DynamoDB lookup, Step Functions orchestration) and returns structured data.
- Agent continues with the result and writes outcomes back to Salesforce.
### 5. MuleSoft Anypoint / AI Chain (enterprise orchestration)
- Multi-system flows that include Salesforce, AWS, SAP, Workday, NetSuite.
- AI Chain inserts Bedrock or other LLM stages inside the orchestration.
- Premium pricing; justified at enterprise scope.
## Agentforce 2.0 + Lambda reference
```
Salesforce user / Einstein Copilot
↓
Agentforce agent (topic + actions + prompt templates)
↓ External Action (HTTP)
API Gateway (JWT authorizer ← Connected App OAuth token)
↓
AWS Lambda
├── DynamoDB / RDS / Aurora
├── Amazon Bedrock (Claude Sonnet 4 / Amazon Nova)
├── Step Functions / SES / SNS / EventBridge
└── Response (structured JSON)
↓
Agentforce continues reasoning and writes outcome to Salesforce
```
Einstein Trust Layer masks PII before prompts hit the LLM; Bedrock Guardrails is the AWS-side equivalent. Run both where regulated data is in scope.
## Data Cloud Zero-Copy on Amazon S3 Tables
- Data Cloud reads Iceberg tables on S3 Tables without duplicating rows.
- Write-back publishes unified profiles back to S3 for activation in AWS pipelines.
- Query the same dataset from Athena, Glue, EMR, Redshift (via Spectrum / Lake Formation), or SageMaker Lakehouse.
- Pair with DataZone for federated governance: Salesforce as one domain, AWS analytics as another, one catalog.
## Amazon Connect + Service Cloud (contact centre)
- CTI Adapter for Salesforce Lightning: screen pops, click-to-call, call recording attached to cases.
- Contact Lens real-time transcripts stream into Service Cloud for agent assist.
- Amazon Q in Connect proposes responses based on KB articles and case history.
- Einstein Service Intelligence layered on Connect events.
- Often replaces Genesys / Avaya / Five9 for mid-market contact centres.
## Security and trust
- **Salesforce Connected App + OAuth 2.0 JWT bearer flow** — no passwords, rotate cert annually.
- **Dedicated integration user** with minimum-permission profile.
- **AWS Secrets Manager** stores Salesforce private key; KMS CMK for encryption.
- **API Gateway JWT authorizer** in front of every Lambda external action.
- **AWS PrivateLink / VPC endpoints** for regulated data flows.
- **Einstein Trust Layer + Bedrock Guardrails** — two independent policy layers for LLM interactions.
- **Salesforce Event Monitoring + CloudTrail → Security Hub / Amazon Security Lake (OCSF)** — unified timeline for incident response and compliance evidence.
## Integration pattern decision matrix
| Need | Pattern | Latency | Cost | When to pick |
| ----------------------------------------------------- | ----------------------------------- | ---------- | ------------ | -------------------------------------------------------- |
| Single governed analytical dataset | Zero-Copy + Iceberg on S3 Tables | Query time | Storage only | Default for new analytics workloads in 2026 |
| Real-time order/case workflow | Platform Events → EventBridge | < 5s | Low | "When X happens in CRM, do Y in AWS" |
| Scheduled bidirectional sync, low ops surface | AWS AppFlow | Mins–hours | Per-record | Reporting that tolerates lag, no-code preferred |
| Agent-driven AWS-side actions from inside Salesforce | Agentforce + Lambda external action | Sub-second | Per-call | Autonomous flows, governed by Einstein Trust Layer |
| Multi-system enterprise orchestration with governance | MuleSoft Anypoint + AI Chain | Varies | Premium | SAP / Workday / NetSuite in scope; enterprise governance |
| Mass export for ML / analytics | Bulk API 2.0 → S3 | Mins | Per-batch | Initial loads, periodic full refreshes |
Default to Zero-Copy first; layer event-driven for real-time; layer agent for AI-mediated actions. Reserve MuleSoft for genuinely multi-system enterprise scope.
## Implementation: API Gateway JWT authorizer for Connected App
```yaml
SalesforceJwtAuthorizer:
  Type: AWS::ApiGatewayV2::Authorizer
  Properties:
    ApiId: !Ref AgentforceApi
    AuthorizerType: JWT
    IdentitySource:
      - $request.header.Authorization
    JwtConfiguration:
      # Must equal the aud claim Salesforce places in the token
      Audience:
        - https://acme.my.salesforce.com
      # Your My Domain; API Gateway fetches the JWKS from here
      Issuer: https://acme.my.salesforce.com
    Name: salesforce-connected-app-jwt
```
Salesforce-issued tokens carry `iss` (your My Domain), `sub` (integration user ID), and `scope`. API Gateway validates signature against Salesforce's JWKS and rejects expired or wrong-audience tokens before invoking Lambda.
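The claim checks the authorizer performs, and the ones step 3 of the debug path below tells you to repeat by hand (`iss`, `aud`, `exp`, signature), written out as an added example; this is not FactualMinds', Salesforce's or AWS's code. It is stdlib-only so it runs offline: the signature step uses HS256 with a shared secret purely for demonstration, whereas Salesforce-issued tokens are RS256 and in production the signature must be verified against the My Domain JWKS (for example with PyJWT). The claim logic is the same in both cases; the `sub` value and secret are constructed.

```python
"""Claim validation mirroring an API Gateway JWT authorizer in front of an
Agentforce external action (added example). HS256 stands in for Salesforce's
RS256/JWKS so the block runs without network access."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

MY_DOMAIN = "https://acme.my.salesforce.com"   # issuer and audience from the authorizer config


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def mint_hs256_token(claims: dict, secret: bytes) -> str:
    """Constructed test token, only here so the validator can be exercised offline."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def validate_token(token: str, secret: bytes, issuer: str = MY_DOMAIN,
                   audience: str = MY_DOMAIN, now: Optional[float] = None,
                   leeway: int = 30) -> Tuple[bool, str, dict]:
    """Return (ok, reason, claims). Each rejection reason is one line of the
    page's debug checklist: alg/signature, iss, aud, exp (plus nbf)."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed", {}
    h, p, s = parts
    try:
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(p))
        sig = _b64url_decode(s)
    except ValueError:          # covers bad base64, bad UTF-8 and bad JSON
        return False, "malformed", {}
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return False, "malformed", {}
    # 1. Pin the algorithm: the header must never select the verifier ("none"
    #    or a swapped algorithm is rejected before any signature work).
    if header.get("alg") != "HS256":
        return False, "alg", {}
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return False, "signature", {}
    # 2. Issuer must be exactly your My Domain.
    if claims.get("iss") != issuer:
        return False, "iss", claims
    # 3. Audience may be a string or a list; the Connected App audience must be in it.
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if audience not in aud_list:
        return False, "aud", claims
    # 4. Validity window with a small clock-skew allowance.
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp + leeway < now:
        return False, "exp", claims
    nbf = claims.get("nbf", 0)
    if not isinstance(nbf, (int, float)) or nbf - leeway > now:
        return False, "nbf", claims
    return True, "ok", claims
```

The order matters: signature before claims, so an attacker-controlled payload is never inspected until it is proven to come from the issuer, and the algorithm is fixed by the verifier rather than read from the token.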
## Implementation: AppFlow failure → Step Functions retry
```yaml
AppFlowFailureRule:
  Type: AWS::Events::Rule
  Properties:
    EventBusName: default
    EventPattern:
      source: ['aws.appflow']
      detail-type: ['AppFlow End Flow Run Report']
      detail:
        status: ['Execution Failed']
    Targets:
      # Id is required on every EventBridge rule target
      - Id: appflow-retry-state-machine
        Arn: !GetAtt AppFlowRetryStateMachine.Arn
        RoleArn: !GetAtt EventBridgeRole.Arn
AppFlowRetryAlarm:
  Type: AWS::CloudWatch::Alarm
  Properties:
    MetricName: FlowExecutionsFailed
    Namespace: AWS/AppFlow
    Dimensions:
      - Name: FlowName
        Value: salesforce-orders-to-s3
    Statistic: Sum
    Period: 300
    EvaluationPeriods: 1
    Threshold: 1
    ComparisonOperator: GreaterThanOrEqualToThreshold
    TreatMissingData: notBreaching
    AlarmActions:
      - !Ref OncallTopic
```
## Failure modes & resilience
**1. 24-hour Salesforce API request limit.** Per-org daily limits (e.g., ~15,000 + 1,000 per Enterprise license). Hitting the limit blocks ALL API traffic — including the Connected App flow that powers your AWS integration. Mitigation: monitor via `/services/data/v60.0/limits` polled hourly; budget 20% headroom; use Bulk API 2.0 (counts as 1 request per batch, not per record) for large operations; archive cold reads via Data Cloud Zero-Copy so analytics doesn't burn CRM API quota.
**2. Bulk API 2.0 batch retries.** Bulk jobs split into chunks; a single chunk failure doesn't fail the job. Mitigation: poll job status, surface per-chunk failures, replay only failed chunks. Step Functions DistributedMap is the natural orchestrator.
**3. Platform Event delivery guarantees.** At-least-once delivery; replay window is 72 hours via the Replay ID. Subscribers must idempotently handle duplicates. Mitigation: persist `replayId` per consumer; deduplicate on `(eventType, recordId, eventTimestamp)` in DynamoDB.
**4. AppFlow run failures with partial commit.** A flow that writes to S3 mid-run can leave partial files. Mitigation: write to a staging prefix; on flow success, atomically copy to the canonical prefix; for Iceberg targets, use snapshot isolation so consumers never see partial commits.
**5. Agentforce action timeout.** External actions (Lambda calls) have a Salesforce-side timeout (typically ~15s for Agentforce). Long-running fulfillment must be async: Lambda enqueues to SQS / Step Functions, returns immediately with a job ID, and Agentforce polls or receives a Platform Event when complete.
**6. Connected App cert rollover.** The cert backing your JWT bearer flow expires. Symptom: every integration call returns `invalid_grant`. Mitigation: dual-cert window — generate the new cert, upload to the Connected App alongside the old, switch the AWS Secrets Manager value, validate, then remove the old cert.
**7. Salesforce API version drift.** API versions deprecate on a published cadence. Hard-coding `v60.0` works until it doesn't. Mitigation: pin per-deployment, audit yearly, test against the `vNext` API in a sandbox.
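Failure mode 3 above (at-least-once delivery, replayId checkpointing, deduplication on `(eventType, recordId, eventTimestamp)`) as a working subscriber, added here as an example; it is not the page's, Salesforce's or FactualMinds' code. The two DynamoDB tables are stood in by an in-memory store whose `put_if_absent()` behaves like a `PutItem` with `ConditionExpression="attribute_not_exists(pk)"`, so the block runs offline; the event dicts are constructed to resemble Pub/Sub API deliveries, and the field names are assumptions.

```python
"""Idempotent Platform Event subscriber with replayId checkpointing (added example).
DynamoDB is replaced by an in-memory conditional store; swap in boto3 for production."""
from dataclasses import dataclass, field

REPLAY_WINDOW_SECONDS = 72 * 3600   # page: 72-hour replay window via Replay ID


class ConditionalStore:
    """In-memory stand-in for a DynamoDB table keyed on a single attribute."""

    def __init__(self):
        self.items = {}

    def put_if_absent(self, key, value) -> bool:
        # Equivalent of a conditional PutItem: False means the row already existed.
        if key in self.items:
            return False
        self.items[key] = value
        return True

    def put(self, key, value):
        self.items[key] = value

    def get(self, key, default=None):
        return self.items.get(key, default)

    def expire(self, now: int) -> int:
        """What a DynamoDB TTL attribute would do: drop dedup rows past the replay window."""
        stale = [k for k, v in self.items.items() if v.get("ttl", now) <= now]
        for k in stale:
            del self.items[k]
        return len(stale)


@dataclass
class Consumer:
    name: str
    dedup: ConditionalStore = field(default_factory=ConditionalStore)
    checkpoints: ConditionalStore = field(default_factory=ConditionalStore)
    processed: list = field(default_factory=list)

    def start_replay_id(self) -> int:
        """Resume point when (re)subscribing: last persisted replayId, or -1 for earliest."""
        return self.checkpoints.get(self.name, -1)

    def handle(self, event: dict) -> str:
        """Process one delivery; returns 'processed' or 'duplicate'.
        Dedup key follows the page: (eventType, recordId, eventTimestamp)."""
        key = (event["eventType"], event["recordId"], event["eventTimestamp"])
        ttl = event["eventTimestamp"] + REPLAY_WINDOW_SECONDS
        if self.dedup.put_if_absent(key, {"ttl": ttl}):
            self.processed.append(event["payload"])   # the real side effect goes here
            outcome = "processed"
        else:
            outcome = "duplicate"
        # Checkpoint only after the side effect: a crash in between causes a
        # replay (absorbed by dedup), never a silently skipped event.
        self.checkpoints.put(self.name, event["replayId"])
        return outcome


def deliver(consumer: Consumer, stream: list) -> list:
    """Simulate at-least-once delivery resumed from the consumer's checkpoint."""
    start = consumer.start_replay_id()
    return [consumer.handle(e) for e in stream if e["replayId"] > start]
```

The checkpoint protects against re-reading the whole 72-hour window after a restart; the dedup row protects against the redelivery that at-least-once semantics permit even within a single subscription. Both are needed, and the write order (side effect, then checkpoint) is what makes a crash safe.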
## Observability runbook
**CloudWatch + Salesforce Event Monitoring alarms:**
| Alarm | Threshold | First action |
| ----------------------------------- | ------------------------ | -------------------------------------------------------------------------- |
| Salesforce daily API usage | `> 80%` of limit | Identify caller via Event Monitoring; throttle or move to Bulk / Zero-Copy |
| AppFlow `FlowExecutionsFailed` | `>= 1` per 5 min | EventBridge → Step Functions retry; investigate source/destination errors |
| Lambda (Agentforce action) `Errors` | `> 0` per 5 min | CloudWatch Logs → trace ID → review request payload |
| API Gateway `4XXError` rate | `> 5%` | JWT validation failure? Cert rollover in progress? |
| Platform Event subscriber lag | `> 5 min` | Subscriber down or rate-limited; confirm replayId checkpointing |
| Bulk API 2.0 job failure rate | `> 10%` | Per-chunk diagnostics; data quality issue or schema drift |
| AppFlow data freshness | last successful run > 1d | Schedule failure; trigger manual run; alert downstream consumers |
**Debug path: "Agentforce action returns 500":**
1. CloudWatch Logs → `/aws/lambda/agentforce-action` → grep request ID; capture full stack trace.
2. API Gateway access logs → confirm JWT was accepted (no 401); look for 5xx vs 4xx upstream.
3. If JWT failed: validate `iss` matches My Domain, `aud` matches Connected App audience, `exp` not in past, signature validates against current JWKS.
4. Salesforce side: Setup → Apps → Connected Apps → OAuth Usage → check for the failing user/IP.
5. Test in isolation: replay the same JWT against the Lambda directly (skip API Gateway) to isolate authorization vs business logic failures.
**Polling Salesforce API limits (CloudWatch custom metric):**
Run a small Lambda hourly that calls `/services/data/v60.0/limits`, derives `Used` as `Max` minus `Remaining` from `DailyApiRequests` (the API only returns `Max` and `Remaining`), and emits `Used` and `Max` to CloudWatch as custom metrics:
```bash
curl -H "Authorization: Bearer $TOKEN" \
https://acme.my.salesforce.com/services/data/v60.0/limits | \
jq '.DailyApiRequests'
# {"Max":15000,"Remaining":12834}
```
Alarm on `Used / Max > 0.8` only when the breach is sustained across consecutive polls; on-call gets paged before the org-wide block hits.
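The hourly poll above as the Lambda body it implies, added as an example (not FactualMinds' or AWS's code): parse the `limits` JSON, derive `Used`, build the `MetricData` list in the exact form `cloudwatch.put_metric_data(Namespace=..., MetricData=...)` accepts, and decide whether the 80% threshold has been breached for enough consecutive polls to page. The limits payload is constructed in the shape the page's `curl` output shows, and the metric namespace and dimension names are assumptions; the block runs without boto3 or a Salesforce org.

```python
"""Salesforce API-limit poll → CloudWatch metrics → sustained-breach decision (added example)."""
import json
from collections import deque

ALARM_RATIO = 0.8        # page: alarm above 80% of the daily limit (20% headroom)
SUSTAINED_POLLS = 2      # page: page on sustained breaches, not a single spike
NAMESPACE = "Salesforce/Limits"   # assumption; pass to put_metric_data(Namespace=...)

SAMPLE_LIMITS_JSON = json.dumps({          # constructed; mirrors the page's curl output
    "DailyApiRequests": {"Max": 15000, "Remaining": 12834},
    "DailyBulkV2QueryJobs": {"Max": 10000, "Remaining": 10000},
})


def parse_limits(body: str) -> dict:
    """The API returns only Max and Remaining; Used and the ratio are derived here,
    with a sanity check so a malformed payload cannot silence the alarm."""
    d = json.loads(body)["DailyApiRequests"]
    mx, remaining = int(d["Max"]), int(d["Remaining"])
    if mx <= 0 or not 0 <= remaining <= mx:
        raise ValueError(f"implausible limits payload: Max={mx} Remaining={remaining}")
    used = mx - remaining
    return {"Max": mx, "Remaining": remaining, "Used": used, "UsedRatio": used / mx}


def metric_data(limits: dict, org: str) -> list:
    """MetricData list for PutMetricData; emitting the ratio lets the alarm be a
    single threshold instead of a metric-math expression over two series."""
    dims = [{"Name": "Org", "Value": org}]
    return [
        {"MetricName": "DailyApiRequestsUsed", "Dimensions": dims,
         "Value": limits["Used"], "Unit": "Count"},
        {"MetricName": "DailyApiRequestsMax", "Dimensions": dims,
         "Value": limits["Max"], "Unit": "Count"},
        {"MetricName": "DailyApiRequestsUsedRatio", "Dimensions": dims,
         "Value": limits["UsedRatio"], "Unit": "None"},
    ]


class BreachTracker:
    """Pages only when the ratio has stayed above threshold for SUSTAINED_POLLS
    consecutive polls, the same semantics as a CloudWatch alarm with EvaluationPeriods=2."""

    def __init__(self, threshold: float = ALARM_RATIO, sustained: int = SUSTAINED_POLLS):
        self.threshold = threshold
        self.window = deque(maxlen=sustained)

    def observe(self, used_ratio: float) -> bool:
        self.window.append(used_ratio > self.threshold)
        return len(self.window) == self.window.maxlen and all(self.window)


def poll_once(body: str, org: str, tracker: BreachTracker) -> dict:
    """One run of the hourly Lambda: parse, build metrics, decide whether to page.
    In the real function the body comes from the /limits call and the metrics
    go to boto3's put_metric_data; here both are returned for inspection."""
    limits = parse_limits(body)
    return {"limits": limits, "metrics": metric_data(limits, org),
            "page_oncall": tracker.observe(limits["UsedRatio"])}
```

With the page's sample payload this yields `Used = 2166` and a ratio of about 0.14, well under the threshold; two consecutive polls above 0.8 are required before the tracker reports a page-worthy breach.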
## When this integration is NOT the right call
- Small team, Salesforce Starter edition, and reporting needs met by Salesforce reports or Tableau CRM — AWS-side analytics is premature.
- You are evaluating HubSpot/Zoho/Dynamics instead of Salesforce — most of these patterns apply in spirit but the specific APIs differ.
- Regulated workload with a hard data-residency rule that neither Salesforce Hyperforce nor your AWS region satisfies — architect differently (on-prem + limited cloud surface).
## Cost considerations
- Salesforce: $25-$330 per user/month by edition; Data Cloud on credit consumption.
- AWS AppFlow: ~$0.001/record (per-flow minimum applies).
- Lambda: ~$0.20 per 1M invocations; compute time billed in ms.
- S3 Tables / S3 Standard: ~$0.023/GB/month; S3 Tables adds a small management fee for automatic compaction and snapshot management.
- Athena: ~$5 per TB scanned — partition and use Iceberg to minimise.
- Amazon Connect: ~$0.018/minute voice; Contact Lens and Q in Connect priced separately.
- Bedrock: per-token for the chosen model; consider Amazon Bedrock Prompt Caching for Agentforce grounding traffic.
- Typical mid-market landing zone: $100-$800/month on AWS before Bedrock tokens.
Always verify current pricing at [aws.amazon.com/pricing](https://aws.amazon.com/pricing) and [salesforce.com/pricing](https://www.salesforce.com/pricing).
## Best practices
- **Single source of truth** — Salesforce for CRM; AWS for transactions and analytics. Avoid bidirectional sync loops.
- **Zero-Copy first** — federate via Data Cloud + S3 Tables before designing a new ETL pipeline.
- **Event-driven second** — Platform Events / CDC → EventBridge for real-time workflows.
- **Error handling** — CloudWatch Alarms on AppFlow failures, SQS DLQ on event Lambdas, alert within 15 minutes; stale CRM erodes trust faster than a failed report.
- **Rate limits** — respect Salesforce API daily limits; use Bulk API 2.0 for large exports and cache reference data in ElastiCache.
- **Agentforce hygiene** — narrowly scoped action catalogs, Bedrock Guardrails on every Lambda response, and structured-output schemas to minimise prompt-injection surface.
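The last practice above (narrow action catalogs, structured-output schemas to shrink the prompt-injection surface) and failure mode 5 (the ~15 s Salesforce-side timeout, with async hand-off and a job ID) share one Lambda handler shape, so here is one added example covering both; it is not Agentforce's, AWS's or FactualMinds' code. The handler rejects any request outside a strict input allowlist, returns only typed, length-bounded fields to the agent, and falls back to a 202 with a job ID when the work would not fit in the remaining budget. `do_work` and `enqueue` are injected so the block runs offline (in production `enqueue` would be an SQS send or a Step Functions start); the field names, action vocabulary and job-ID format are assumptions.

```python
"""Agentforce external-action Lambda handler: input allowlist, structured output,
async fallback under the Salesforce-side timeout (added example)."""
import json
import re
import uuid
from typing import Callable, Optional

SALESFORCE_TIMEOUT_MS = 15_000   # page: ~15 s Agentforce external-action timeout
SAFETY_MARGIN_MS = 3_000         # room for API Gateway and network overhead (assumed)
MAX_SUMMARY_CHARS = 500

# Input allowlist: exact field set, each value matched against a tight pattern.
INPUT_SCHEMA = {
    "recordId": re.compile(r"[A-Za-z0-9]{15}(?:[A-Za-z0-9]{3})?"),  # Salesforce 15/18-char ID
    "action": re.compile(r"quote|restock|status"),                 # assumed action vocabulary
}
# Output schema: the only keys and types the agent will ever see.
OUTPUT_SCHEMA = {"status": str, "jobId": (str, type(None)), "summary": str}


def validate_input(event: dict):
    """Return (data, None) or (None, reason). Unknown keys are rejected, not ignored."""
    body = event.get("body")
    try:
        data = json.loads(body) if isinstance(body, str) else (body or {})
    except ValueError:
        return None, "body is not valid JSON"
    if not isinstance(data, dict):
        return None, "body must be a JSON object"
    unexpected = set(data) - set(INPUT_SCHEMA)
    if unexpected:
        return None, f"unexpected fields: {sorted(unexpected)}"
    for name, pattern in INPUT_SCHEMA.items():
        value = data.get(name)
        if not isinstance(value, str) or not pattern.fullmatch(value):
            return None, f"invalid or missing {name}"
    return data, None


def shape_output(status: str, summary: str, job_id: Optional[str] = None) -> dict:
    """Free text from downstream systems is control-stripped and truncated, so the
    agent never receives an unbounded blob it could mistake for instructions."""
    clean = re.sub(r"[\x00-\x1f\x7f]", " ", summary)[:MAX_SUMMARY_CHARS]
    out = {"status": status, "jobId": job_id, "summary": clean}
    for key, typ in OUTPUT_SCHEMA.items():
        if not isinstance(out[key], typ):
            raise TypeError(f"output field {key} violates schema")
    return out


def _response(code: int, body: dict) -> dict:
    return {"statusCode": code,
            "headers": {"Content-Type": "application/json"},
            "body": json.dumps(body)}


def body_of(response: dict) -> dict:
    return json.loads(response["body"])


def handle(event: dict, remaining_ms: int, estimated_ms: int,
           do_work: Callable[[dict], str], enqueue: Callable[[dict], None]) -> dict:
    """remaining_ms is context.get_remaining_time_in_millis() in a real Lambda;
    estimated_ms is the handler's own estimate for the requested action."""
    data, err = validate_input(event)
    if err:
        return _response(400, shape_output("rejected", err))
    budget_ms = min(remaining_ms, SALESFORCE_TIMEOUT_MS) - SAFETY_MARGIN_MS
    if estimated_ms > budget_ms:
        job_id = str(uuid.uuid4())
        enqueue({"jobId": job_id, **data})   # hand off; completion arrives via Platform Event
        return _response(202, shape_output(
            "accepted", f"Queued {data['action']} for {data['recordId']}", job_id))
    return _response(200, shape_output("completed", do_work(data)))
```

Bedrock Guardrails still runs on the agent side of this boundary; the schema here is the second, independent layer the page calls for, and because the agent only ever sees three known fields, a downstream system cannot smuggle extra keys or an oversized narrative into the agent's context.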
## Related reading
- [Amazon Bedrock AgentCore in production](/blog/amazon-bedrock-agentcore-production/)
- [AWS Bedrock AI agents + agentic workflows](/blog/aws-bedrock-ai-agents-agentic-workflows/)
- [Amazon DataZone for enterprise governance](/blog/amazon-datazone-enterprise-governance/)
## Related services
- [Generative AI on AWS](/services/generative-ai-on-aws/)
- [AWS Data Analytics](/services/aws-data-analytics/)
- [AWS Application Modernization](/services/aws-application-modernization/)