Backup destinations
AWS S3
Connect a bucket on Amazon S3 as a Tusk destination. Create a dedicated IAM user with the minimum permissions Tusk needs.
AWS S3 is the original object store. Setup involves creating a bucket, a dedicated IAM user for Tusk, an access key for that user, and an inline policy granting only the actions Tusk needs. None of it is hard, but the AWS console has a lot of surface area, so this page walks through it.
If you already have a working IAM access key with s3:PutObject, s3:GetObject, and s3:ListBucket on your target bucket, jump to the Connect Tusk section near the bottom.
Create a bucket
1
Open the S3 console
Sign in to the AWS console, then go to S3.
2
Create a new bucket
Click Create bucket. Pick a unique bucket name (lowercase, no spaces, e.g. tusk-backups-yourname) and a region close to you for upload speed. Leave the rest of the settings at defaults: block public access on, versioning off (Tusk doesn't need it), encryption on with the default SSE-S3 key.
3
Note your bucket name and region
You'll need both for the Tusk form. The endpoint URL for your bucket is s3.<region>.amazonaws.com (e.g. s3.us-east-1.amazonaws.com).
Create an IAM user for Tusk
Don't use your AWS root account's access keys. Create a dedicated IAM user that only has access to your Tusk bucket. If something ever leaks, the blast radius is limited to the bucket.
1
Open the IAM console
Go to IAM in the AWS console.
2
Create a user
Under Users, click Create user. Name it tusk-backup(or anything you'll recognize). Skip the “Provide user access to the AWS Management Console” option. Click Next.
3
Attach an inline policy
On the permissions step, choose Attach policies directly, then click Create inline policy. Switch to the JSON editor and paste:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "TuskBackupAccess",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::YOUR-BUCKET-NAME",
"arn:aws:s3:::YOUR-BUCKET-NAME/*"
]
}
]
}Replace YOUR-BUCKET-NAME with the bucket you created above. Save the policy as TuskBackup, then create the user.
Why DeleteObject?
DeleteObject to clean up after itself (failed transfers, deleting from everywhere actions). If you want a strictly read-only backup that Tusk cannot delete from, omit s3:DeleteObject. The bucket will become write-only from Tusk's perspective and the Delete from everywhere action will fail for objects in this bucket.Generate an access key
1
Open the IAM user
From the IAM users list, click your tusk-backup user.
2
Create access key
Switch to the Security credentials tab and click Create access key. Pick the Application running outside AWS use case. Confirm.
3
Save the keys somewhere safe immediately
AWS only shows the secret access key once. Copy both the Access key ID and the Secret access key into your password manager before you close the page. If you lose them, generate a new pair.
Connect Tusk
1
Add an S3 destination in Tusk
From the destination picker, choose S3-compatible. If you're creating a new credential, fill in:
- Endpoint URL:
s3.<your-region>.amazonaws.com - Bucket: your bucket name
- Folder: a subfolder for this project (e.g.
projects/wedding-2026-04-15) - Access key ID and Secret access key from the previous step
2
Test the connection
Click Test connection. Tusk does a real PUT and GET against the bucket to verify both work.
3
Save and confirm Keychain access
Click Add destination. macOS may prompt for your login password to authorize Keychain access. The credentials are then encrypted and stored locally; nothing is sent to Tusk's servers.
Screenshot
S3 destination form in Tusk. Show endpoint set to 's3.us-east-1.amazonaws.com', a bucket name, a folder path, and a credential picker with one saved credential. Include the 'Test connection' and 'Add destination' buttons.
alt: The S3 destination form with AWS endpoint and bucket filled in
Related
Next
Backblaze B2 →