AWS Multi-Tenant FileService

Backend Engineer · lead · 2025

.NET 8 · ASP.NET Core · Entity Framework Core · PostgreSQL · Amazon S3 · Keycloak

Context

The service was designed to handle file uploads and downloads in a multi-tenant environment while maintaining strict isolation between tenants. All file bytes are transferred directly between client and S3 using presigned URLs. The API stores and manages metadata only.

Responsibilities

I designed the multi-tenant storage model, defined the S3 key structure, implemented the presign workflow, and enforced tenant-scoped authorization policies using JWT claims and role checks.

Approach

The architecture separates storage from metadata management. Files are stored in a private S3 bucket with server-side encryption. The API generates short-lived presigned PUT/GET URLs and verifies object existence before finalizing uploads.

Tenant-first key conventions and owner guards ensure isolation at both storage and application levels. Metadata is stored in PostgreSQL with jsonb support for extensibility and indexed for efficient search and listing.

Results

The resulting system provides secure, scalable file handling without backend streaming overhead. It demonstrates clean separation of concerns, explicit tenant boundaries, and infrastructure-aware backend design suitable for regulated or multi-tenant environments.