diff --git a/clusters/cl01tl/platform/vault/templates/external-secret.yaml b/clusters/cl01tl/platform/vault/templates/external-secret.yaml
index bfb14aab3..0d887f3ea 100644
--- a/clusters/cl01tl/platform/vault/templates/external-secret.yaml
+++ b/clusters/cl01tl/platform/vault/templates/external-secret.yaml
@@ -60,34 +60,31 @@ spec:
 key: /digital-ocean/home-infra/vault-backup
 metadataPolicy: None
 property: AWS_DEFAULT_REGION
- - secretKey: AWS_ENDPOINT_URL
+
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: vault-s3cmd-config
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: vault-snapshot-s3
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/version: {{ .Chart.AppVersion }}
+ app.kubernetes.io/component: snapshot
+ app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: vault
+ data:
+ - secretKey: .s3cfg
 remoteRef:
 conversionStrategy: Default
 decodingStrategy: None
 key: /digital-ocean/home-infra/vault-backup
 metadataPolicy: None
- property: AWS_ENDPOINT_URL
- - secretKey: AWS_SECRET_ACCESS_KEY
- remoteRef:
- conversionStrategy: Default
- decodingStrategy: None
- key: /digital-ocean/home-infra/vault-backup
- metadataPolicy: None
- property: AWS_SECRET_ACCESS_KEY
- - secretKey: AWS_RESPONSE_CHECKSUM_VALIDATION
- remoteRef:
- conversionStrategy: Default
- decodingStrategy: None
- key: /digital-ocean/home-infra/vault-backup
- metadataPolicy: None
- property: AWS_RESPONSE_CHECKSUM_VALIDATION
- - secretKey: AWS_REQUEST_CHECKSUM_CALCULATION
- remoteRef:
- conversionStrategy: Default
- decodingStrategy: None
- key: /digital-ocean/home-infra/vault-backup
- metadataPolicy: None
- property: AWS_REQUEST_CHECKSUM_CALCULATION
+ property: s3cfg

 ---
 apiVersion: external-secrets.io/v1beta1
diff --git a/clusters/cl01tl/platform/vault/values.yaml b/clusters/cl01tl/platform/vault/values.yaml
index 3573bf46f..ff5eced07 100644
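Review bot: The new `vault-s3cmd-config` ExternalSecret pulls a complete `.s3cfg` file from the single `s3cfg` property, so the Spaces access key and secret now live in Vault twice — once inside that file and once as the per-variable properties that the first ExternalSecret still reads (`AWS_DEFAULT_REGION` is visible in the hunk; any `AWS_ACCESS_KEY_ID` entry above it is outside my view). Two copies of one credential means a rotation that updates only one of them leaves the backup job signing with a stale key. If the individual properties stay in the store, ESO's `spec.target.template.data` can render `.s3cfg` from them so the secret value exists once; in this Helm template the ESO placeholders have to be escaped, e.g. `secret_key = {{ "{{ .secret_key }}" }}`. Otherwise delete the now-unused entries from the first ExternalSecret so the stale copy cannot be mistaken for the live one. The new object also omits `refreshInterval`, so the controller's default sync period applies; for a credential file it is worth stating explicitly, e.g. `refreshInterval: 1h` under `spec`.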
--- a/clusters/cl01tl/platform/vault/values.yaml
+++ b/clusters/cl01tl/platform/vault/values.yaml
@@ -207,8 +207,8 @@ snapshot:
 memory: 64Mi
 backup:
 image:
- repository: amazon/aws-cli
- tag: 2.24.5
+ repository: d3fk/s3cmd
+ tag: latest@sha256:ae12ef40440ee069dac63d98a3590da0e02acc56ea4f60e9e4c5353d585a9140
 pullPolicy: IfNotPresent
 command:
 - /bin/sh
@@ -216,7 +216,7 @@ snapshot:
 - -ec
 - |
 until [ -f /opt/backup/vault-snapshot-s3.snap ]; do sleep 5; done;
- aws s3 cp /opt/backup/vault-snapshot-s3.snap s3://cl01tl/cl01tl-vault-snapshots/vault-snapshot-$(date +"%Y%m%d-%H-%M").snap;
+ s3cmd put /opt/backup/vault-snapshot-s3.snap s3://cl01tl/cl01tl-vault-snapshots/vault-snapshot-$(date +"%Y%m%d-%H-%M").snap;
 rm /opt/backup/vault-snapshot-s3.snap;
 envFrom:
 - secretRef:
@@ -238,6 +238,17 @@ snapshot:
 backup:
 - path: /opt/backup
 readOnly: false
+ s3cmd-config:
+ enabled: true
+ type: secret
+ name: vault-s3cmd-config
+ advancedMounts:
+ snapshot:
+ backup:
+ - path: /root/.s3cfg
+ readOnly: true
+ mountPropagation: None
+ subPath: .s3cfg
 unseal:
 global:
 fullnameOverride: vault-unseal
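Review bot: `tag: latest@sha256:ae12ef…` on `d3fk/s3cmd` pins the exact image, but the `latest` label carries no information about which s3cmd release that digest is, so neither a reader nor an automated digest bumper can tell what a future digest change actually updates. Prefer the image's version tag in front of the digest, `tag: <s3cmd-version>@sha256:ae12ef…`, or at minimum add a comment above the line such as `# d3fk/s3cmd, s3cmd <version>; digest verified <date>`. This hunk also swaps the vendor-published `amazon/aws-cli` for a community Docker Hub image, which is acceptable only because of the digest pin — it should not be loosened back to a floating tag later.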
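Review bot: The `envFrom: - secretRef:` at the end of the hunk still injects the old AWS_* variables into a container that now authenticates from `/root/.s3cfg`, and s3cmd also reads `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` from the environment — to my recollection those take precedence over the config file. With the other file in this commit dropping `AWS_SECRET_ACCESS_KEY` from that secret while apparently leaving the key id and region, the job can end up pairing an environment key id with a file secret and fail request signing, or quietly use a different identity than the `.s3cfg` one. Remove the `envFrom` block (its target secret name is just outside the hunk), or verify that the referenced secret carries no AWS credential keys after this change. Not introduced here but worth a TODO on the unchanged line: `until … sleep 5; done;` has no upper bound, so a snapshot that never appears keeps the job waiting until any `activeDeadlineSeconds` fires.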
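Review bot: The `subPath: .s3cfg` mount of `/root/.s3cfg` is populated once at pod start — the kubelet does not propagate Secret updates into subPath mounts — so a key rotated in Vault and synced by ESO reaches only pods created afterwards; that is acceptable if `backup` is a fresh container per run, which the naming suggests but the hunk does not show, and deserves a comment next to `subPath`. The path also hard-codes the process running as root with `HOME=/root`; any future `securityContext.runAsUser`/`runAsNonRoot` would make s3cmd miss its config, so a neutral location plus an explicit `-c` is more robust: `- path: /etc/s3cmd/.s3cfg` here and `s3cmd -c /etc/s3cmd/.s3cfg put …` in the command. Finally the file lands with the volume's default mode (world-readable 0644 unless overridden); if the chart's persistence schema accepts it, add `defaultMode: 0400` beside `name: vault-s3cmd-config` so only the process owner can read the credentials.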