I’ve not found anything similar that solves storing customer data securely (like oauth tokens, PII etc) - anything else I should be looking at?

what about using KMS to encrypt secret keys and store that in db?

Yeah that was a backup plan, I liked the idea of separating stuff out by customer and locking down which lambdas could access which secrets. I think that could be done with different keys in KMS, but then it seems like I’m not being lazy enough if I build all that (serverless motto! 😛)