diff --git a/clusters/cl01tl/platform/vault/templates/external-secret.yaml b/clusters/cl01tl/platform/vault/templates/external-secret.yaml index 465a3d6e0..deb7f7e39 100644 --- a/clusters/cl01tl/platform/vault/templates/external-secret.yaml +++ b/clusters/cl01tl/platform/vault/templates/external-secret.yaml @@ -60,6 +60,13 @@ spec: key: /digital-ocean/home-infra/vault-backup metadataPolicy: None property: AWS_SECRET_ACCESS_KEY + - secretKey: S3_REPOSITORY + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /digital-ocean/home-infra/vault-backup + metadataPolicy: None + property: AWS_SECRET_ACCESS_KEY --- apiVersion: external-secrets.io/v1beta1 diff --git a/clusters/cl01tl/platform/vault/values.yaml b/clusters/cl01tl/platform/vault/values.yaml index cc6584c41..f8eb2cb69 100644 --- a/clusters/cl01tl/platform/vault/values.yaml +++ b/clusters/cl01tl/platform/vault/values.yaml @@ -193,7 +193,7 @@ snapshot: cpu: 10m memory: 64Mi containers: - backup: + s3-backup: image: repository: d3fk/s3cmd tag: latest@sha256:19792558807828017ca8d40a814b2e6850c2e46828e67ac32b6c28612ca4adfe 
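Review bot: The new `S3_REPOSITORY` entry maps to `property: AWS_SECRET_ACCESS_KEY`, the same property as the `AWS_SECRET_ACCESS_KEY` entry directly above it, so the environment variable that the backup and prune containers substitute as the bucket URL (`${S3_REPOSITORY}/vault-snapshot-…` in values.yaml) will actually carry the secret access key. That will make `s3cmd put` reject the destination as not an `s3://` URI, and because both new containers run s3cmd with `-v`, the key would be echoed into the job logs as part of the target path. This looks like a copy-paste slip: point it at the property that holds the bucket prefix, e.g. `property: S3_REPOSITORY`, and confirm the Vault path `/digital-ocean/home-infra/vault-backup` has such a field set to the value that was previously hard-coded (`s3://vault-backups-…/cl01tl/cl01tl-vault-snapshots`).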
@@ -203,15 +203,39 @@ snapshot: args: - -ec - | - s3cmd put --no-check-md5 --no-check-certificate /opt/backup/vault-snapshot-s3.snap s3://vault-backups-bcc1e1433e0ce4be526561cb/cl01tl/cl01tl-vault-snapshots/vault-snapshot-$(date +"%Y%m%d-%H-%M").snap; + s3cmd put --no-check-md5 --no-check-certificate -v /opt/backup/vault-snapshot-s3.snap ${S3_REPOSITORY}/vault-snapshot-$(date +"%Y%m%d-%H-%M").snap; rm -f /opt/backup/vault-snapshot-s3.snap; envFrom: - secretRef: name: vault-snapshot-s3 resources: requests: - cpu: 10m - memory: 64Mi + cpu: 100m + memory: 128Mi + s3-prune: + image: + repository: d3fk/s3cmd + tag: latest@sha256:19792558807828017ca8d40a814b2e6850c2e46828e67ac32b6c28612ca4adfe + pullPolicy: IfNotPresent + command: + - /bin/sh + args: + - -ec + - | + export MONTH_AGO=$(date -d @$(( $(date +%s) - 2592000 )) +%Y-%m-%d\ %H:%M:%S); + + s3cmd ls -v $S3_REPOSITORY | + awk -v month_ago="$MONTH_AGO" '$1 < month_ago {print $4}' | + while read file; + do s3cmd del -v "$file"; + done; + envFrom: + - secretRef: + name: vault-snapshot-s3 + resources: + requests: + cpu: 100m + memory: 128Mi serviceAccount: create: true persistence: @@ -222,7 +246,7 @@ snapshot: snapshot: - path: /opt/backup readOnly: false - backup: + s3-backup: - path: /opt/backup readOnly: false s3cmd-config: @@ -231,7 +255,12 @@ snapshot: name: vault-s3cmd-config advancedMounts: snapshot: - backup: + s3-backup: + - path: /root/.s3cfg + readOnly: true + mountPropagation: None + subPath: .s3cfg + s3-prune: - path: /root/.s3cfg readOnly: true mountPropagation: None
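Review bot: The new `s3-prune` script deletes every object under `$S3_REPOSITORY` older than 30 days without checking that the variable is set and is an `s3://` prefix; if it resolves empty (it comes from a Secret populated in a different file) `s3cmd ls` falls back to listing all buckets the key can see, and the awk field positions the script relies on no longer mean what it assumes. Add a guard before the cutoff computation and compute the cutoff with `date -u`, since `s3cmd ls` appears to print UTC timestamps while `date` prints container-local time (probably UTC in this image, but worth pinning — confirm). The awk test also compares only the date field `$1` against a `YYYY-MM-DD HH:MM:SS` string, so every object from the cutoff day is pruned regardless of its time; use `$1" "$2 < month_ago` if that precision matters, and consider refusing to prune when the listing holds fewer than a minimum number of snapshots so a month of failed uploads cannot empty the bucket. Separately, the rewritten `s3cmd put` line keeps `--no-check-certificate`, which disables TLS verification for the snapshot upload — either drop it if the endpoint has a valid certificate or add a comment saying why it is needed.

```yaml
        args:
          - -ec
          - |
            # Refuse to run against an unset or non-S3 repository: an empty value
            # makes `s3cmd ls` enumerate every bucket, and the awk fields below
            # then no longer line up with "date time size url".
            case "${S3_REPOSITORY:-}" in
              s3://*) ;;
              *) echo "S3_REPOSITORY must be an s3:// URL" >&2; exit 1 ;;
            esac
            export MONTH_AGO=$(date -u -d @$(( $(date +%s) - 2592000 )) +%Y-%m-%d\ %H:%M:%S);
            # … unchanged: s3cmd ls | awk | while read … s3cmd del loop …
```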