A fast-fashion retailer — the kind that drops a new collection every week and runs a flash sale the moment an influencer posts — has a checkout problem that is quietly costing it millions. At peak, an order touches four systems before it ships: the payment gateway authorizes the card, the inventory service reserves the last size-medium of a viral hoodie, a loyalty ledger burns points, and the shipping service books a courier slot. When all four succeed, life is good. When the third one fails — the courier API times out at 2pm on launch day — the company has already charged the customer and decremented stock for an order that will never ship. The support queue fills with “you took my money and the item is gone” tickets, the finance team reconciles refunds by hand for a week, and the brand takes the reputational hit. The ask from the VP of Engineering is blunt: “Make order processing never leave a customer charged for something we can’t fulfill, and make it survive a 50× traffic spike.” This article is the reference architecture for building that on AWS, using the saga pattern to guarantee that a partial failure unwinds cleanly instead of stranding money and stock.
The pressures are the ones every commerce platform hits at scale. Consistency is the hard one: there is no distributed transaction across a third-party payment API, a DynamoDB inventory table, and a courier’s REST endpoint — you cannot wrap a BEGIN…COMMIT around the open internet. Spikiness means the system sits near-idle between drops and then takes 50× load in ninety seconds, which kills anything you have to pre-provision. Latency means a shopper watching a spinner will abandon the cart in seconds. And auditability means finance needs to prove, for every order, exactly which steps ran and which were compensated. The saga pattern answers the consistency problem head-on: instead of one atomic transaction, you model the order as a sequence of local transactions, each with a defined compensating action that semantically undoes it, and an orchestrator that drives the sequence forward — or, on failure, drives the compensations backward.
Why not the obvious approaches
The naive designs each fail in a way someone on the team will have lived through, so naming them matters.
A single synchronous request that calls payment, then inventory, then shipping in-line is the version most teams start with. It works in the demo and dies in production: if shipping throws after payment succeeded, you are now writing rollback logic by hand inside a catch block, across network calls that can themselves fail mid-rollback, with no durable record of where you got to. One Lambda timeout and the order is in an unknown state forever.
A two-phase commit (2PC) is the textbook “correct” answer and the wrong one here. 2PC needs every participant to support a prepare/commit protocol and hold locks until the coordinator decides — but a third-party payment gateway and a courier API expose no such protocol, and holding an inventory lock across a slow external call destroys throughput on launch day. Distributed locks plus external services plus a spike is a deadlock waiting to happen.
A pile of choreographed events with no orchestrator — payment publishes an event, inventory reacts, shipping reacts — scales beautifully and becomes unobservable. With compensations in the mix, the failure logic is smeared across five services and no single place tells you what state an order is in or why it rolled back. Choreography is excellent for loose coupling and miserable for a workflow finance has to audit.
The orchestrated saga threads the needle. A central state machine owns the sequence, calls each service, and on any failure walks the already-completed steps in reverse, invoking each one’s compensating transaction — refund the payment, release the inventory reservation, restore the loyalty points. The orchestration is durable, every transition is logged, and “what happened to order 8842?” has a single, queryable answer.
Architecture overview
The system has two halves that share infrastructure but run on different clocks: a synchronous intake path that accepts an order and returns fast, and the asynchronous saga execution that does the real work of coordinating payment, inventory, and shipping. Holding those apart is the first step to operating this well — the shopper should never wait on a courier API.
The defining property of the topology is that the saga is durable and explicit, not implicit in a chain of in-flight HTTP calls. A dedicated state machine holds the source of truth for “where is this order,” each step is an idempotent local transaction, and every step has a named compensator. Nothing about the happy path or the rollback lives in a Lambda’s ephemeral memory.
Intake path, following the control flow:
- A shopper checks out from the storefront. Traffic hits Akamai at the edge for TLS termination, global anycast, and WAF/bot mitigation — critical when a flash sale draws bot-driven sneaker-style buying — before it reaches AWS. Customer identity is federated through Okta as the consumer IdP (with the internal ops console federating staff identity through Microsoft Entra ID), so the order request carries a verified identity claim.
- The request lands on Amazon API Gateway, which validates the JWT via a Lambda/JWT authorizer, applies per-client rate limiting and usage plans, and forwards a clean
CreateOrdercommand. - An intake Lambda does the minimum synchronous work: validate the cart, write an
OrderRecordto DynamoDB inPENDINGstate with a generatedorderIdand an idempotency key derived from the client request, and publish anOrderSubmittedevent to Amazon EventBridge. It returns202 Acceptedwith theorderIdimmediately — the shopper sees “order received” in well under a second, while the heavy lifting happens behind the event. - An EventBridge rule matches
OrderSubmittedand starts an execution of the AWS Step Functions saga state machine, passing the order payload. EventBridge is the seam that decouples intake from execution, lets other consumers (analytics, fraud, the data lake via Firehose) subscribe to the same event, and absorbs bursts.
Saga execution path, driven entirely by Step Functions as the orchestrator:
- The state machine runs the forward sequence as a series of task states, each invoking a single-purpose Lambda that performs one local transaction against its service:
AuthorizePayment(charge the card via the payment gateway),ReserveInventory(a conditional DynamoDB update that decrements stock only if available),BurnLoyaltyPoints(debit the loyalty ledger), andBookShipment(reserve a courier slot). Each task writes its outcome back to the order’s DynamoDB record so the item history is complete. - Between steps, the state machine evaluates the result. On success it advances; on a caught error it transitions into the compensation branch — a reverse sequence of
Catchhandlers that invoke the compensators for exactly the steps that completed:RefundPayment,ReleaseInventory,RestoreLoyaltyPoints. The machine only compensates what actually ran, which is why each forward task records its completion. - On full success the machine writes the order to
CONFIRMEDand emits anOrderConfirmedevent back to EventBridge (fulfillment, email, the customer’s order history all react). On a compensated failure it writesCANCELLED_COMPENSATEDand emitsOrderFailed, so the shopper is told honestly and the card was never left charged. - Any Lambda invocation that exhausts its retries is routed to a per-step Amazon SQS dead-letter queue (DLQ). The order parks in a
NEEDS_REVIEWstate rather than silently failing, a CloudWatch alarm fires, and an operator picks it up — manual remediation is a designed outcome, not an accident.
Component breakdown
| Component | Service / tool | Role in the system | Key configuration choices |
|---|---|---|---|
| Edge | Akamai | TLS, anycast, WAF, bot mitigation at the perimeter | Bot-manager rules for flash-sale scalping; rate caps at the edge |
| Identity | Okta + Microsoft Entra ID | Consumer SSO (Okta); staff/ops SSO (Entra) | OIDC; JWT claims consumed by API Gateway authorizer |
| API | Amazon API Gateway | AuthZ, throttling, usage plans, command intake | JWT/Lambda authorizer; per-key usage plans; request validation |
| Intake | AWS Lambda | Validate, persist PENDING, publish OrderSubmitted |
Idempotency key; reserved concurrency to protect downstream |
| Event bus | Amazon EventBridge | Decouples intake from saga; fan-out to consumers | Rule on OrderSubmitted; archive + replay enabled |
| Orchestrator | AWS Step Functions | Owns the saga: forward steps + compensation branches | Standard workflow; Catch/Retry per state; exec history retained |
| Step workers | AWS Lambda | One local transaction per task (pay/reserve/ship) | Idempotent; short timeouts; least-privilege role each |
| State | Amazon DynamoDB | Order record, idempotency, inventory counts | On-demand capacity; conditional writes; streams to fulfillment |
| Failure capture | Amazon SQS (DLQ) | Catch poison messages / exhausted retries per step | Redrive policy; maxReceiveCount; alarm on ApproximateNumberOfMessages |
| Secrets | HashiCorp Vault | Payment/courier API keys, signing secrets | Dynamic leases; AWS IAM auth method; short TTL |
| CSPM / IaC scan | Wiz + Wiz Code | Cloud posture + IaC scanning of the Terraform | Agentless account scan; Wiz Code gate in the PR pipeline |
| Runtime security | CrowdStrike Falcon | Runtime threat detection on container/EC2 workers | Sensor on ECS/EC2; detections to the SOC |
| Observability | Datadog | Distributed tracing across the saga, metrics, alarms | APM trace per execution; saga-state dashboard; monitors on DLQ |
| ITSM | ServiceNow | Incidents for stuck/parked orders, change approvals | Auto-incident on DLQ alarm; change gate for state-machine edits |
| CI/CD + IaC | GitHub Actions + Argo CD + Terraform + Ansible | Build/test/deploy; infra as code; worker config | OIDC to AWS (no static keys); Argo CD syncs workers; Terraform owns the saga |
A few choices deserve the why, because they are the ones teams get wrong.
Why Step Functions as the orchestrator, not application code. You could write the saga loop in a Lambda and store progress in DynamoDB yourself. Teams that do end up re-implementing retries, timeouts, error catching, and an execution history — badly — and then cannot answer “show me the exact path order 8842 took.” Step Functions gives you durable state, declarative per-state Retry/Catch, visual execution history for every order, and built-in compensation flow. The orchestration logic becomes a reviewable artifact in version control instead of branching buried in a function.
Why every step must be idempotent. Retries are not optional in a distributed system — EventBridge delivers at-least-once, Lambda retries, and Step Functions retries — so any step can run twice. AuthorizePayment keys on the order’s idempotency token and asks the gateway for an idempotent charge so a double-invoke does not double-charge. ReserveInventory uses a DynamoDB conditional write so re-running it does not decrement stock twice. Idempotency is what makes at-least-once delivery safe; without it, the retries that give you reliability also give you double charges.
Why a DLQ per step, not one global one. When a worker exhausts retries, you want to know which step failed and to remediate it with the right context — a payment failure and a shipping failure are different operational tickets. Per-step DLQs preserve that, drive a specific alarm, and let an operator redrive just the affected messages once the downstream service recovers, rather than replaying an undifferentiated pile.
The saga, concretely
The whole design lives or dies on getting the compensations right. Every forward step needs a semantic inverse — not a literal undo, because you cannot un-send an email, but a business action that neutralizes it.
| Forward (local transaction) | Compensating transaction | Note |
|---|---|---|
AuthorizePayment — charge the card |
RefundPayment — reverse/void the charge |
Void if not yet captured; refund if captured |
ReserveInventory — conditional decrement |
ReleaseInventory — atomic increment back |
Conditional write makes both idempotent |
BurnLoyaltyPoints — debit ledger |
RestoreLoyaltyPoints — credit ledger |
Ledger keeps an audit trail of both |
BookShipment — reserve courier slot |
CancelShipment — release the slot |
Last forward step; rarely needs compensating itself |
The order of compensation matters: you unwind in reverse, releasing inventory and refunding payment so the customer is made whole first. The Step Functions definition expresses this as a Catch on each task that routes to a compensation state which itself chains the relevant compensators. A trimmed Amazon States Language snippet shows the shape — note the per-state retry-then-catch:
"ReserveInventory": {
"Type": "Task",
"Resource": "arn:aws:lambda:...:function:ReserveInventory",
"Retry": [
{ "ErrorEquals": ["States.TaskFailed"], "IntervalSeconds": 2,
"MaxAttempts": 3, "BackoffRate": 2.0 }
],
"Catch": [
{ "ErrorEquals": ["InventoryUnavailable"], "Next": "RefundPayment" },
{ "ErrorEquals": ["States.ALL"], "Next": "RefundPayment" }
],
"Next": "BurnLoyaltyPoints"
}
RefundPayment runs because payment already succeeded; inventory never decremented, so it needs no release. That selective unwind is the entire point — and it is why each forward task stamps its completion onto the DynamoDB order record before the next begins.
Implementation guidance
Provision with Terraform; treat IAM and the state machine as the first deliverables. The state machine, the EventBridge rules, the DynamoDB tables, the SQS DLQs, and the per-Lambda least-privilege roles are all Terraform. Lay them down in dependency order — tables and queues first, worker functions and their scoped roles next, then the Step Functions definition that references them, then the EventBridge rule that starts it. A minimal DynamoDB shape communicates the intent — on-demand for spiky load, a stream for fulfillment, point-in-time recovery on:
resource "aws_dynamodb_table" "orders" {
name = "orders-prod"
billing_mode = "PAY_PER_REQUEST" # absorbs 50x spikes, no pre-provisioning
hash_key = "orderId"
stream_enabled = true
stream_view_type = "NEW_AND_OLD_IMAGES" # fulfillment + audit react to changes
attribute { name = "orderId" type = "S" }
point_in_time_recovery { enabled = true }
}
Pipeline and config. The infrastructure pipeline runs in GitHub Actions, authenticating to AWS via OIDC federation so there is no static access key to leak — a lesson the platform team intends never to repeat. Argo CD then handles GitOps deployment of the worker services (run on ECS/EKS where a long-lived container suits, or as Lambda where event-driven suits), continuously syncing the desired state from the repo. Terraform owns the saga and AWS primitives; Ansible handles host-level configuration and agent rollout on any EC2/ECS worker fleet. Wiz Code runs in the PR as an IaC scanner so a misconfigured S3 bucket, an over-broad IAM policy, or a public resource is caught before merge, with Wiz doing continuous CSPM on the live account as the backstop.
Identity and secrets: federate the humans, lease the keys. Customers authenticate through Okta; the internal operations console — where staff redrive DLQs and inspect stuck orders — federates through Microsoft Entra ID, and API Gateway’s authorizer validates those tokens so only authorized operators touch order state. The worker Lambdas assume scoped IAM roles via the AWS provider, but the secrets they cannot get from IAM — the payment gateway API key, the courier API credentials, webhook-signing secrets — come from HashiCorp Vault using the AWS IAM auth method with short-lived dynamic leases, so a payment credential is never baked into an environment variable or a Lambda layer.
Enterprise considerations
Failure modes, and what each one looks like. Name them before they page you.
- The double-charge on retry — EventBridge re-delivers or Lambda retries
AuthorizePaymentand the card is charged twice. Mitigation: idempotency keys end-to-end and an idempotent charge call to the gateway; the order’s idempotency token is the dedup anchor. - The orphaned reservation — inventory decremented, then shipping fails, and without compensation the last hoodie is locked to a dead order. Mitigation: the
ReleaseInventorycompensator fires in the rollback branch; conditional writes make it safe to re-run. - The poison message — a malformed event or a permanently failing downstream loops on retries. Mitigation: bounded
Retrywith backoff, then the per-step SQS DLQ parks it inNEEDS_REVIEW; an operator redrives once the dependency heals. - The stuck saga — a downstream hangs and the execution waits indefinitely. Mitigation: per-task
TimeoutSecondsandHeartbeatSecondsso a hung step fails into compensation rather than pinning an execution open. - The non-compensatable step — a confirmation email or a physical pick-and-pack already went out. Mitigation: order compensatable steps first and irreversible steps last, and make truly irreversible actions a separate post-
CONFIRMEDstage. - Region outage — see DR below.
Scalability. Each tier scales independently and natively, which is the entire reason for the event-driven shape. EventBridge and Step Functions are serverless and absorb bursts with no capacity to pre-provision; DynamoDB on-demand rides the 50× spike without a scaling lag; Lambda workers scale on concurrency — with reserved concurrency on the steps that hit fragile downstreams (the payment gateway, the courier API) so a spike does not stampede a partner into rate-limiting. The natural ceiling is the slowest external dependency, which is precisely why those calls sit behind retries, DLQs, and concurrency caps rather than in a synchronous request.
Cost optimization. The architecture is largely pay-per-use, which suits bursty commerce far better than a provisioned fleet sitting idle between drops.
| Lever | Mechanism | Typical effect |
|---|---|---|
| Standard vs Express workflows | Express for high-volume/short sagas; Standard where full history is needed | Express is far cheaper per execution at high volume |
| DynamoDB on-demand | Pay per request instead of provisioning for peak | No idle spend between flash sales |
| Lambda right-sizing | Tune memory to the cost/latency knee per worker | Cuts both duration cost and tail latency |
| EventBridge fan-out | One event, many consumers, no duplicate intake compute | Avoids re-deriving the same work per subscriber |
| DLQ-driven manual path | Park-and-review instead of infinite retries | Stops runaway retry cost on a dead dependency |
The honest tradeoff: Standard workflows cost more per state transition but retain the full visual execution history finance wants for audit; Express is dramatically cheaper at flash-sale volume but keeps less history. Many teams run the saga as Standard for auditability and accept the cost, or split — Express for the hot path, Standard where a regulator might ask.
Security and Zero Trust. Every Lambda gets its own least-privilege IAM role — the payment worker cannot touch the inventory table, the inventory worker cannot call the payment gateway — so a compromised function has a tiny blast radius. Vault holds the third-party credentials with short leases; Akamai absorbs bot and DDoS pressure at the edge before it reaches API Gateway; Wiz runs continuous CSPM and Wiz Code gates the IaC so a public bucket or an over-broad policy never ships; CrowdStrike Falcon sensors on the container/EC2 worker fleet provide runtime threat detection feeding the SOC. A DLQ alarm or a security detection auto-raises a ServiceNow incident, so operations and security work a ticket, not a log line.
Observability. A saga is only as good as your ability to see it. Instrument Datadog APM so a single distributed trace spans the whole execution — intake → EventBridge → each saga step → compensation — with the order id as a tag, so “what happened to order 8842” is one search. Emit the metrics the business actually feels: saga success rate, compensation rate (a rising rate means a downstream is degrading), per-step latency and error rate, DLQ depth per step, and time-from-submit-to-confirmed. CloudWatch alarms on DLQ depth and on Step Functions ExecutionsFailed page on-call and open the ServiceNow incident; Datadog dashboards give the launch-day war room a live view of where orders are piling up.
Reliability and DR (RTO/RPO). Decide the numbers per tier. DynamoDB global tables give multi-region replication for order and inventory state with near-zero RPO and seconds RTO. The saga itself is regional, so DR means a warm standby of the Step Functions definition, EventBridge rules, and workers in a paired region (all Terraform, so it is the same code), with EventBridge archive and replay as the recovery lever — you can replay missed events into the standby region after a failover. A pragmatic target here: RTO 15 minutes, RPO near-zero for order state via global tables, with in-flight sagas at the moment of failover reconciled from the durable DynamoDB record and the EventBridge archive. Akamai health checks drive edge failover for ingress.
Governance. The Step Functions definition is the saga’s contract — keep it in version control, require review on every change (a change to compensation logic is a change to how customers get refunded), and gate edits through a ServiceNow change approval. Pin worker runtimes and dependency versions so behavior does not drift. Log every state transition and every compensation for finance’s audit trail, and retain it under the same data-retention policy that governs payment records.
Explicit tradeoffs
Accept these or do not build it. The saga buys you consistency without distributed locks, and the price is real complexity: you must design a correct compensating transaction for every forward step, reason about ordering so irreversible actions come last, and make every step idempotent because retries are guaranteed. The system is eventually consistent, not atomic — there is a window where payment has succeeded and shipping has not, and the UX must tell the shopper “order received, confirming…” rather than promising fulfillment up front. Debugging spans services and an execution history rather than a single stack trace. And the event-driven indirection that gives you elastic scale also means a flow you cannot step through in a debugger — you read it from the Step Functions history and the Datadog trace instead.
The alternatives, and when they win. If your “distributed transaction” is actually all inside one database, use a real ACID transaction — do not reach for a saga to solve a problem a single COMMIT solves. If your services are genuinely loosely coupled and you do not need a central audit of the workflow, pure EventBridge choreography is simpler and looser than an orchestrator — graduate to Step Functions when compensations and “what state is this order in” make orchestration worth it. If your steps are short and your volume is enormous, Express workflows trade execution history for cost. And if you need a true prepare/commit across systems that all support it (rare across third-party APIs), 2PC is the consistency-strict answer — at a throughput cost that a flash sale cannot pay.
The shape of the win
For the retailer, the payoff is not “a new workflow engine.” It is that on the next launch day, when the courier API times out at 2pm, order 8842 does not strand a charged customer next to a locked-up hoodie — the saga catches the failure, refunds the card, releases the inventory back to the next shopper, marks the order CANCELLED_COMPENSATED, and tells the customer honestly, all in seconds and all logged. Finance stops reconciling refunds by hand; support stops fielding “you took my money” tickets; and the platform rides a 50× spike on serverless primitives that cost almost nothing between drops. Everything upstream — the idempotent steps, the per-step DLQs, the Vault-held payment keys, the Wiz-gated IaC, the Datadog saga trace — exists to make that one outcome boringly reliable. The architecture here is the destination; start with a single happy-path flow if you must, but a commerce platform that must never leave a customer charged for something it cannot ship has to land here.