Norcube
DashboardWebsite

Storage destinations

Where backup files live – Norcube-managed S3 or your own AWS bucket.

Verified today

A storage destination is the S3 bucket where a backup job's output is stored. Each policy picks one destination when you create the policy; every backup run under that policy lands in that destination.

Two kinds:

  • Managed destinations – Norcube provisions and manages the S3 bucket. Zero config, billed as part of Backup's per-GB storage rate.
  • Bring-your-own (BYO) destinations – you point Backup at an S3 bucket in your own AWS account. Backup writes directly to it; you pay AWS for storage.

Manage destinations in app.norcube.comBackupDestinations.

Managed destinations

Norcube provisions one managed bucket per region per organization on demand. You don't see or configure the bucket directly. When you pick "managed" while creating a policy, Backup ensures the destination exists for your chosen region and uses it.

Managed buckets are:

  • Encrypted at rest with AWS KMS, using a key scoped to your organization.
  • Versioned, so an accidental deletion is recoverable for a short window.
  • Private. No public read; no list-objects from outside the Norcube control plane.

Bring-your-own (BYO) destinations

If you want your backups to live in your own AWS account – for in-house auditing, cross-region replication, or downstream pipelines (Glacier transitions, lambda triggers, etc.) – set up a BYO destination.

What you need

  • An S3 bucket in your AWS account.
  • An IAM role with permissions for Backup to assume and write to that bucket.
  • The AWS region the bucket lives in.

Create

  1. In Destinations, click New destination.
  2. Fill in:
    • Name – a label.
    • Bucket – your S3 bucket name.
    • Region – where the bucket lives.
    • IAM role ARN – the role Backup assumes to write to your bucket.
    • KMS key ARN (optional) – if you want backups encrypted under a specific customer-managed KMS key.
  3. Click Verify and save. Backup tries an end-to-end write/delete round-trip against the bucket using the supplied IAM role. The destination only saves if verification succeeds; otherwise you get a specific error describing what went wrong.

Use

Pick the BYO destination as the Destination field when you create a policy. Every backup under that policy lands in your bucket.

Downloads from BYO destinations use presigned URLs scoped to a short lifetime – the same UX as managed destinations.

Edit and delete

Edits re-verify against the bucket. Deletion is allowed only when no active policy references the destination (detach or migrate first).

Behaviour and edge cases

  • Region is per-destination. A data source can write to a destination in a different region than the data source's own region – this is allowed but introduces transfer time and possibly cross-region transfer cost on your side.
  • Cross-region replication isn't a Backup feature. Set it up on your own BYO bucket with S3 replication rules if you want copies across regions.
  • Storage destinations don't have their own retention. Retention is set on the policy; the destination is purely a "where" decision.
  • A policy's destination is fixed for the policy's lifetime. To switch destinations, create a new policy pointing at the new destination, attach it, and detach the old one. Existing backup files stay where they were; new jobs land in the new destination.

Browse backup history

Audit what ran, when, how long it took, and how big the result was – plus download, delete, and manual run-now.

Encryption and security

How Backup protects your database credentials and backup files.

On this page

Managed destinationsBring-your-own (BYO) destinationsWhat you needCreateUseEdit and deleteBehaviour and edge casesRelated
Edit on GitHub