diff --git a/aws-setup/index.ts b/aws-setup/index.ts
index 20d2fc71a2..d6bac38cb6 100644
--- a/aws-setup/index.ts
+++ b/aws-setup/index.ts
@@ -1,9 +1,117 @@
-import * as pulumi from '@pulumi/pulumi'
-import * as aws from '@pulumi/aws'
-import * as awsx from '@pulumi/awsx'
+import { AccessKey, Policy, User, UserPolicyAttachment } from '@pulumi/aws/iam'
+import { Bucket } from '@pulumi/aws/s3'
+import { Config } from '@pulumi/pulumi'
-// Create an AWS resource (S3 Bucket)
-const bucket = new aws.s3.Bucket('my-bucket')
+const config = new Config()
+const environment = config.require('env') || 'dev'
-// Export the name of the bucket
-export const bucketName = bucket.id
+const putObjectPolicy = new Policy('put-object', {
+ policy: {
+ Version: '2012-10-17',
+ Statement: [
+ {
+ Effect: 'Allow',
+ Action: 's3:PutObject',
+ Resource: '*',
+ },
+ ],
+ },
+})
+
+const putOnlyUser = new User(`ecamp3-${environment}-put-only-user`, {
+ name: `ecamp3-${environment}-put-only-user`,
+ permissionsBoundary: putObjectPolicy.arn,
+})
+
+const putOnlyUserAccessKey = new AccessKey(
+ `ecamp3-${environment}-put-only-user-access-key`,
+ {
+ user: putOnlyUser.name,
+ }
+)
+
+const downloadObjectPolicy = new Policy('download-object', {
+ policy: {
+ Version: '2012-10-17',
+ Statement: [
+ {
+ Effect: 'Allow',
+ Action: ['s3:GetObjectVersion', 's3:ListBucket', 's3:ListBucketVersions'],
+ Resource: '*',
+ },
+ ],
+ },
+})
+
+const downloadOnlyUser = new User(`ecamp3-${environment}-download-only-user`, {
+ name: `ecamp3-${environment}-download-only-user`,
+ permissionsBoundary: downloadObjectPolicy.arn,
+})
+
+const downloadOnlyAccessKey = new AccessKey(
+ `ecamp3-${environment}-download-only-user-access-key`,
+ {
+ user: downloadOnlyUser.name,
+ }
+)
+
+const retentionPolicies = {
+ transitions: [
+ {
+ days: 30,
+ storageClass: 'GLACIER',
+ },
+ ],
+ expiration: {
+ days: 365,
+ },
+}
+
+let objectLockRetentionDays = 365
+if (environment === 'dev') {
+ retentionPolicies.transitions[0].days = 1
+ retentionPolicies.expiration.days = 7
+ objectLockRetentionDays = 8
+}
+
+const backupBucket = new Bucket(`ecamp3-${environment}-bucket`, {
+ acl: 'private',
+ versioning: {
+ enabled: true,
+ },
+ lifecycleRules: [
+ {
+ enabled: true,
+ abortIncompleteMultipartUploadDays: 1,
+ ...retentionPolicies,
+ },
+ ],
+ objectLockConfiguration: {
+ objectLockEnabled: 'Enabled',
+ rule: {
+ defaultRetention: {
+ mode: 'GOVERNANCE',
+ days: objectLockRetentionDays,
+ },
+ },
+ },
+})
+
+new UserPolicyAttachment(`ecamp3-${environment}-put-only-policy-attachment`, {
+ user: putOnlyUser.name,
+ policyArn: putObjectPolicy.arn,
+})
+
+new UserPolicyAttachment(`ecamp3-${environment}-download-only-policy-attachment`, {
+ user: downloadOnlyUser.name,
+ policyArn: downloadObjectPolicy.arn,
+})
+
+export const bucketEndpoint = backupBucket.bucketDomainName
+export const bucketName = backupBucket.bucket
+
+export const putOnlyUserAccessKeyId = putOnlyUserAccessKey.id
+export const putOnlyUserSecretAccessKey = putOnlyUserAccessKey.secret
+
+export const downloadOnlyUserAccessKeyId = downloadOnlyAccessKey.id
+export const downloadOnlyUserSecretAccessKey = downloadOnlyAccessKey.secret
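Review bot: Both IAM policies use `Resource: '*'`, so the put-only user can write objects into every bucket in the account and the download-only user can list and read object versions from every bucket, which undercuts the least-privilege intent of the separate users and of the permissions boundaries (they reuse the same wildcard policies, so the boundary constrains nothing). Scope them to the backup bucket by declaring `backupBucket` before the policies and using `backupBucket.arn` for the bucket-level actions (`s3:ListBucket`, `s3:ListBucketVersions`) and `backupBucket.arn.apply((arn) => arn + '/*')` for the object-level ones, as sketched below. Two smaller points: `config.require('env') || 'dev'` never falls back because `require` throws when the key is missing, so either use `config.get('env') ?? 'dev'` or drop the `|| 'dev'`; and the bucket sets `acl: 'private'` but adds no `BucketPublicAccessBlock` from `@pulumi/aws/s3`, which would make the private intent enforced rather than merely default. The exported `*.secret` values are presumably marked secret by the provider so they are encrypted in stack state — worth confirming in the stack outputs, and wrapping them with `pulumi.secret(...)` if they are not.
```typescript
// … unchanged: imports, config, retentionPolicies, objectLockRetentionDays …

// Declared before the policies so its ARN can scope them to this bucket only.
const backupBucket = new Bucket(`ecamp3-${environment}-bucket`, {
  // … unchanged: acl, versioning, lifecycleRules, objectLockConfiguration …
})

// Object-level ARN (bucket-arn/*) for PutObject / GetObjectVersion.
const backupObjectsArn = backupBucket.arn.apply((arn) => `${arn}/*`)

const putObjectPolicy = new Policy('put-object', {
  policy: {
    Version: '2012-10-17',
    Statement: [
      {
        Effect: 'Allow',
        Action: 's3:PutObject',
        Resource: backupObjectsArn,
      },
    ],
  },
})

const downloadObjectPolicy = new Policy('download-object', {
  policy: {
    Version: '2012-10-17',
    Statement: [
      {
        // Bucket-level actions apply to the bucket ARN itself.
        Effect: 'Allow',
        Action: ['s3:ListBucket', 's3:ListBucketVersions'],
        Resource: backupBucket.arn,
      },
      {
        // Object-level action applies to the objects inside the bucket.
        Effect: 'Allow',
        Action: 's3:GetObjectVersion',
        Resource: backupObjectsArn,
      },
    ],
  },
})

// … unchanged: users, access keys, policy attachments, exports …
```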