The Best AWS Services for a Serverless SaaS in 2026
AWS has hundreds of services; a SaaS needs maybe a dozen. The trick in 2026 is picking the ones that are serverless, scale to zero, and stay out of your way — so you pay for usage, not capacity, and run almost nothing yourself. Here’s the short list we actually build on, what each is for, and why it makes the cut.
What makes a service a good 2026 pick
Three filters decide it. Serverless — no instances to size or patch. Scales to zero — idle costs nothing, so environments are cheap to keep around. First-party and managed — AWS runs it, so reliability and updates aren’t your problem. Every service below clears all three (or is a thin, unavoidable piece like DNS). It’s also, not coincidentally, the exact stack the cdkbase template deploys.
Compute
- AWS Lambda — the workhorse. Every bit of your code that runs — the API, the server-rendered web app, webhook handlers, background jobs — is a function that executes on demand and costs nothing when idle. Pay per request, scale automatically, no servers. (Full detail: AWS Lambda explained.)
API and delivery
- API Gateway (HTTP API) — the front door to your Lambdas. The HTTP API flavor is the lean, cheaper, faster option (versus the older REST API); it handles routing, TLS, and request validation, billed per request.
- CloudFront — AWS’s CDN, sitting in front of everything. It caches static assets at the edge, terminates TLS for your custom domain, and shields your origins. The free tier covers the first terabyte out each month, so early traffic is effectively free.
Data
- Aurora DSQL — the primary database: serverless, Postgres-compatible, active-active, and it scales to zero. It’s the most compelling relational option in 2026 for exactly the “many cheap environments” pattern SaaS teams live in. (Deep dive: Aurora DSQL explained.)
- DynamoDB — the managed key-value store, used where a simple, infinitely scalable table beats a relational schema (in cdkbase, the waitlist). On-demand capacity means it, too, costs nothing at rest. Reach for it for high-scale key-value access patterns; keep relational data in DSQL.
Identity
- Amazon Cognito — managed user pools: sign-up, sign-in, email verification, password resets, and JWT issuance, with a generous free tier. cdkbase talks to it through the AWS SDK directly rather than a heavier wrapper — see template vs. framework for why.
DNS and TLS
- Route 53 — DNS for your domain, and the one service here with a small fixed cost (~$0.50/month per hosted zone). It’s the irreducible floor of running a custom-domain app, and basically the entire bill when you’re idle.
- AWS Certificate Manager (ACM) — free, auto-renewing TLS certificates for your domains. Provision once, validate via Route 53, and never think about certificate expiry again.
Storage
- Amazon S3 — object storage, here hosting the built static frontend assets that CloudFront serves. Pennies at low volume, effectively limitless, and the default home for any user uploads or files you add later.
Config, secrets, and permissions
- SSM Parameter Store — where secrets and config live (Stripe keys, a GitHub token), stored as encrypted SecureString parameters and read at runtime. A free, no-fuss alternative to Secrets Manager for most needs.
- IAM — not optional and not billed, but worth naming: every function gets a least-privilege role scoped to exactly the resources it touches. Getting IAM right is most of what “secure by default” means on AWS.
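One way to check the least-privilege claim above, as an added example (not cdkbase's own code): a small TypeScript linter that flags wildcard actions and unscoped resources in an IAM policy document. The policy documents, account ID and parameter path are constructed placeholders, and the function names are hypothetical.

```typescript
// Added example: lint IAM policy documents for grants broader than one named resource.
type OneOrMany = string | string[];
interface Statement { Effect: "Allow" | "Deny"; Action: OneOrMany; Resource: OneOrMany; }
interface PolicyDocument { Version: string; Statement: Statement[]; }

const asList = (v: OneOrMany): string[] => (Array.isArray(v) ? v : [v]);

// True for "*" and for ARNs whose resource part is "*" or "<type>/*" (e.g. "parameter/*").
// A scoped prefix such as "parameter/myapp/prod/*" is accepted.
function isUnscopedResource(resource: string): boolean {
  if (resource === "*") return true;
  const resourcePart = resource.split(":").slice(5).join(":");
  return /^[^/]*\/?\*$/.test(resourcePart);
}

function findOverBroadStatements(policy: PolicyDocument): string[] {
  const findings: string[] = [];
  policy.Statement.forEach((stmt, i) => {
    if (stmt.Effect !== "Allow") return; // Deny statements only remove access
    for (const action of asList(stmt.Action)) {
      // "*" grants everything; "ssm:*" grants every action in one service
      if (/(^|:)\*$/.test(action)) {
        findings.push(`Statement[${i}]: wildcard action ${action}`);
      }
    }
    for (const resource of asList(stmt.Resource)) {
      if (isUnscopedResource(resource)) {
        findings.push(`Statement[${i}]: unscoped resource ${resource}`);
      }
    }
  });
  return findings;
}

// Constructed sample: a role that can do anything in SSM, on anything.
const BROAD_POLICY: PolicyDocument = {
  Version: "2012-10-17",
  Statement: [{ Effect: "Allow", Action: "ssm:*", Resource: "*" }],
};
// Constructed sample: read one SecureString parameter and nothing else.
const SCOPED_POLICY: PolicyDocument = {
  Version: "2012-10-17",
  Statement: [{
    Effect: "Allow",
    Action: ["ssm:GetParameter"],
    Resource: "arn:aws:ssm:us-east-1:111122223333:parameter/myapp/prod/stripe-secret-key",
  }],
};
console.log(findOverBroadStatements(BROAD_POLICY), findOverBroadStatements(SCOPED_POLICY));
```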
Infrastructure as code
- AWS CDK (on CloudFormation) — the glue that defines and deploys all of the above in TypeScript, in dependency order, with one command. It’s first-party, strongly typed, and leaves an auditable CloudFormation record of everything it created. (Why CDK over the alternatives: CDK vs Terraform vs SST.)
The services to avoid (in a serverless SaaS)
Just as important is what’s not on the list. The fastest way to wreck serverless economics is to add an always-on service that bills 24/7 whether or not it’s used:
- NAT gateways (~$32/month each) — the classic budget-killer. A serverless-first design keeps Lambdas out of a private VPC so you never need one.
- Provisioned RDS / Aurora instances — a fixed hourly floor; DSQL replaces them with scale-to-zero.
- ECS/Fargate tasks and load balancers (ALB/NLB) — always-on compute and networking. Lambda + API Gateway + CloudFront cover the same ground per-request.
Avoiding these is exactly why an idle environment costs about fifty cents — the full math is in what it costs to run a serverless SaaS.
The bottom line
A dozen well-chosen services — Lambda, API Gateway, CloudFront, Aurora DSQL, DynamoDB, Cognito, Route 53, ACM, S3, SSM, and IAM, all defined in CDK — is a complete, modern SaaS backend that scales from zero to real traffic and bills accordingly. You don’t need the other few hundred services to start; you need these wired together correctly, which is the whole point of starting from the stack.
Skip the wiring and start from a working stack
cdkbase is a fork-ready AWS serverless template that ships everything in this article — CDK infrastructure, Cognito auth, Aurora DSQL, a Hono API, Stripe billing, and web/SPA/mobile frontends — already wired together and built for Claude Code. See pricing or read the getting-started guide.