Local cPanel backups are convenient — until the hard drive fails, the server gets compromised, or a runaway backup job fills your disk and takes down the server. For web hosting companies managing dozens or hundreds of cPanel accounts, offsite backups to Amazon S3 aren't just a best practice: they're a business continuity requirement.
This guide covers the complete cPanel backup to S3 configuration process through WHM, including S3 bucket setup, IAM permissions, backup scheduling, cost control via lifecycle rules, and how to restore from S3 when disaster strikes.
Why cPanel Sysadmins Should Backup to Amazon S3
Before diving into configuration, it's worth understanding why S3 specifically outperforms other remote backup destinations for cPanel servers:
- Durability — Amazon S3 provides 99.999999999% (11 nines) durability through redundant storage across multiple availability zones
- Cost efficiency — S3 Standard storage costs approximately $0.023/GB per month, compared to dedicated backup servers or NAS devices
- Compliance — S3 supports server-side encryption, versioning, and access logging — requirements for PCI DSS, HIPAA, and SOC 2 compliance
- Scalability — No pre-provisioned capacity; storage scales automatically as your hosting business grows
- Speed — S3 Transfer Acceleration can significantly speed up backup uploads for servers distant from AWS regions
WHM's built-in backup system supports S3 (and S3-compatible providers like Backblaze B2, Wasabi, and MinIO) natively, making configuration straightforward once your AWS account is set up correctly.
💡 None of these worked? Skip the guesswork.
Get Expert Help →Step 1: Setting Up Your AWS S3 Bucket and IAM Credentials
Never use your AWS root account credentials for cPanel backups. Instead, create a dedicated IAM user with the minimum permissions required.
Log into the AWS Console, navigate to S3, and create a new bucket. Configure it with:
- Region — choose the region closest to your server to minimize upload latency and data transfer costs
- Block Public Access — enable all four public access block settings (backups should never be publicly accessible)
- Versioning — optional but recommended; allows recovery from accidental deletion or overwrite
- Server-side encryption — enable SSE-S3 (AES-256) or SSE-KMS for encrypted backups at rest
Navigate to IAM → Users → Create User. Attach a custom inline policy with only the permissions WHM needs:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject",
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Resource": [
"arn:aws:s3:::YOUR-BUCKET-NAME",
"arn:aws:s3:::YOUR-BUCKET-NAME/*"
]
}
]
}Replace YOUR-BUCKET-NAME with your actual bucket name. This policy grants WHM exactly what it needs to upload, list, and delete backups — nothing more.
Under the IAM user's Security Credentials tab, create an Access Key for "Application running outside AWS." Save the Access Key ID and Secret Access Key — the secret is only shown once.
Log into WHM and navigate to Backup → Backup Configuration. Enable the global backup switch by setting Backup Status to Enabled.
Under Scheduling and Retention, configure how often backups run and how many copies to keep:
- Daily backups — recommended for active hosting servers; retain 7 days minimum
- Weekly backups — retain 4 weeks minimum for monthly rollback capability
- Monthly backups — retain 12 months for compliance and disaster recovery
Scroll to Additional Destinations and click Create new destination. Select Amazon S3 as the destination type and fill in:
- Destination Name — a descriptive label (e.g., "AWS S3 Production Backups")
- Bucket — your S3 bucket name
- Access Key ID — from your IAM user
- Secret Access Key — from your IAM user
- Path — optional subdirectory prefix within the bucket (e.g.,
cpanel-backups/) - Timeout — increase to 300+ seconds for large accounts
Click Save and Validate Destination — WHM will test the connection and verify write access. Fix any permission errors before proceeding.
Under Files, enable:
- Home Directory — backs up website files and emails
- Databases — backs up MySQL/MariaDB databases
- Configuration Files — backs up WHM/cPanel configuration
Step 3: Automate Backup Rotation and Control S3 Costs
Without lifecycle rules, S3 backup costs grow unbounded as old backups accumulate. Configure S3 Lifecycle Rules to automatically expire old backups.
In the S3 Console, navigate to your bucket → Management → Lifecycle Rules → Create lifecycle rule:
Rule 1: Expire daily backups after 7 days
Prefix: cpanel-backups/daily/
Action: Expire current versions after 7 daysRule 2: Transition weekly backups to cheaper storage tier
Prefix: cpanel-backups/weekly/
Action: Transition to S3 Glacier Instant Retrieval after 30 days
Expire after 180 daysRule 3: Archive monthly backups long-term
Prefix: cpanel-backups/monthly/
Action: Transition to S3 Glacier Deep Archive after 90 days
Expire after 365 daysS3 Glacier Deep Archive costs approximately $0.00099/GB per month — about 95% cheaper than S3 Standard, with a 12-hour retrieval time. For monthly backups you rarely need to access, this is a significant cost saving.
Estimate your monthly S3 cost:
For a server with 100 cPanel accounts averaging 2GB each: 200GB × 7 daily copies × $0.023 = approximately $32/month before lifecycle rules reduce it.
Step 4: Verifying and Monitoring Your S3 Backups
Backup configuration is meaningless without verification. Run regular restore tests to confirm your backups are actually recoverable.
Check backup status in WHM
Navigate to Backup → Backup Logs to view recent backup job results. Look for:
- Any accounts that failed to back up
- Backup duration (increasing duration may indicate disk issues)
- Transfer errors to S3
Verify backup files exist in S3
From the command line, use the AWS CLI to verify uploads:
aws s3 ls s3://YOUR-BUCKET-NAME/cpanel-backups/ --recursive --human-readable | tail -20Set up S3 backup completion alerts with CloudWatch
Create a CloudWatch alarm on the S3 NumberOfObjects metric for your bucket. If the count stops increasing daily, you'll be alerted before a missed backup becomes a crisis.
Test a restore from S3
Monthly restore tests should be part of your backup process. In WHM, navigate to Restore → Restore a Full Backup/cpmove File and select the S3 destination to pull a backup for restore.
Troubleshooting Common cPanel S3 Backup Issues
Error: "AccessDenied" when validating destination
Check that your IAM policy includes s3:GetBucketLocation — WHM requires this to verify the bucket region. Also confirm the bucket name in WHM matches exactly (S3 bucket names are case-sensitive).
Error: "Connection timeout" for large accounts
Increase the WHM backup timeout value. Also check that your server's outbound bandwidth isn't saturated during backup windows — consider scheduling backups during off-peak hours (2–6 AM local time).
Backups complete but files aren't appearing in S3
Confirm the Path setting in WHM matches what you're looking for in S3. WHM may be writing to a subdirectory. Run aws s3 ls s3://YOUR-BUCKET --recursive to find the actual path.
Backup job stalls on specific accounts
Check /usr/local/cpanel/logs/cpbackup/ for per-account error logs. Common causes include: corrupted databases that fail MySQL dump, symlinks pointing to restricted paths, or accounts with quotas exceeded.
S3 costs higher than expected
Enable S3 Storage Lens and check for lifecycle rule gaps. Also verify WHM isn't uploading duplicate backups — check whether both local and S3 destinations are enabled and whether WHM is creating extra copies.
Configuring and maintaining reliable offsite backups is one of the most important — and most time-consuming — tasks in server management. If your team is spending hours troubleshooting backup failures instead of serving clients, CloudHouse's managed server service handles backup configuration, monitoring, and restoration testing as part of our ongoing server management — so you never discover a backup failure at the worst possible moment.