Setting up AWS for IceBox
A friendly walkthrough for people who’ve never touched AWS. About 10 minutes, one time only — you’ll never have to do this again.
What you’re about to do
IceBox stores your archived photos and folders in your own AWS account. That’s a one-time setup — once it’s done, IceBox just works, and you keep full control of the data (it lives in your bucket, billed to your card, in your name).
You’ll go through five short steps:
- Create a free AWS account (~5 min — needs an email, password, and a credit card).
- Set up a $5/month billing alert (~1 min — your safety net against any surprise).
- Pick the region your data lives in (~30 sec — just remember which one).
- Run a one-click IceBox setup script (~2 min — creates the storage bucket and the credentials IceBox will use).
- Paste four values into IceBox (~30 sec — and you’re done).
At the end you’ll have:
- An AWS bucket only IceBox can read or write to.
- A scoped access key that can do nothing else in your account.
- IceBox connected and ready to archive folders.
Take a breath — none of this is scary, and none of it costs anything until you actually upload data.
What it’ll cost
Real numbers, no hand-waving:
| What you store in Deep Archive | What AWS charges per month |
|---|---|
| 10 GB | ~$0.01 |
| 100 GB | ~$0.10 |
| 500 GB | ~$0.50 |
| 1 TB | ~$1.00 |
| 5 TB | ~$5.00 |
Important: AWS won’t charge you anything until you actually upload data. Creating the account, deploying the bucket, and just having IceBox connected = $0.
The only times you’d see a bill of substance:
- Storing a lot of data (a year of 5 TB = ~$60).
- Restoring data — pulling files back out costs about $0.09 per GB plus a small retrieval fee. Restoring 500 GB ≈ $45. This is the deal: cheap to keep, slightly painful to retrieve. Perfect for “stuff I’ll almost never need back.”
In Step 2 below, you’ll set up a budget alert that emails you the moment you ever approach $5/month, so there are no surprises.
Step 1 — Create an AWS account
- Open aws.amazon.com and click “Create an AWS Account” (top-right).
- Root user email address. Use a real, working email you control. This is your top-level AWS login — keep it safe. Pro tip: use the +aws alias trick, e.g. [email protected], to easily filter AWS emails later.
- AWS account name. Anything — Kyle's Photos is fine. Just a label.
- Click Verify email address. AWS sends you a 6-digit code. Type it back into the form.
- Root user password. Pick a strong, unique one. Save it to your password manager. You’ll rarely use this — but losing it is painful, so save it now.
- Account type: choose Personal (unless this is for a business).
- Contact information: your name, address, phone. Standard stuff.
- Payment information: credit or debit card. AWS uses this for billing only — they won’t charge it for creating an account or running the empty setup.
- Confirm your identity: AWS sends a code by SMS or voice call. Enter it.
- Support plan: choose Basic — Free. (The paid plans are for businesses needing help from AWS engineers.)
- AWS takes a few minutes to set up your account. You’ll get an email when it’s ready. Click Go to the AWS Management Console and sign in with the email + password from steps 2–5.
You’re now in the AWS Console — a busy dashboard with hundreds of services. Don’t worry, IceBox only needs one of them.
⚠️ About the root user: the email/password you just made is the root user — AWS’s master key. Treat it like the deed to your house. Don’t log in with it day-to-day; in step 2 below we’ll set up multi-factor authentication on it.
Step 2 — Set up a $5/month billing alert (recommended, ~2 min)
This is the single most reassuring thing you can do. AWS will email you the second your spending ever approaches $5/month — so even in the unlikely worst case (a runaway upload, a misconfig), you’d find out in hours, not months.
- In the AWS Console’s search bar at the top, type Budgets and click the AWS Budgets result.
- Click Create budget.
- Choose Use a template (simplified) → Monthly cost budget.
- Budget name: IceBox cost alarm (or anything).
- Enter your budgeted amount: 5 (USD).
- Email recipients: your email.
- Click Create budget.
You’re done. You’ll get an email if you ever cross $4 (the default alert at 80% of the budget). You can raise the budget later if your storage needs grow.
Also recommended: turn on MFA for your root user (~3 min)
This makes your AWS root user dramatically harder to compromise. Skip if you want to come back to it later — but do it eventually.
- Top-right of the console, click your account name → Security credentials.
- Under Multi-factor authentication (MFA), click Assign MFA device.
- Pick Authenticator app (recommended — Google Authenticator, 1Password, Authy, Apple Passwords, etc.).
- Scan the QR code with your authenticator app.
- Enter two consecutive 6-digit codes from the app.
- Done.
From now on, root logins require both the password and a code from your phone.
Step 3 — Pick the region your data lives in
AWS runs in regions — physical datacenters in different parts of the world. Your IceBox bucket lives in one. Pick the one closest to you — that’s where your archives physically sit.
- In the AWS Console, look at the top-right of the page. Next to your account name there’s a region selector (often shows N. Virginia or Ohio by default).
- Click it and pick the region nearest you. Common choices:
| If you’re in… | Pick |
|---|---|
| US East Coast | US East (N. Virginia) — us-east-1 |
| US Midwest | US East (Ohio) — us-east-2 |
| US West Coast | US West (Oregon) — us-west-2 |
| Canada | Canada (Central) — ca-central-1 |
| UK / Ireland | EU (Ireland) — eu-west-1 |
| Continental Europe | EU (Frankfurt) — eu-central-1 |
| Australia | Asia Pacific (Sydney) — ap-southeast-2 |
| Japan / Korea | Asia Pacific (Tokyo) — ap-northeast-1 |
Remember which one you picked — you’ll re-confirm it in IceBox at the end. This choice matters: an S3 bucket can never be moved between regions. (If you ever pick the wrong one, the fix is easy before you upload anything: delete the setup and redo it. After uploads, fixing it means re-uploading.)
Step 4 — Run IceBox’s one-click setup script
This is the part that automates everything. AWS calls these scripts CloudFormation templates — think of them like a recipe AWS follows to set up exactly what you need, with nothing extra. IceBox provides a 90-line recipe that creates:
- A private bucket to hold your archives.
- A scoped access key that can only read/write that one bucket (and nothing else in your account).
- An email subscription that pings you the instant a restore is ready (optional).
The actual steps:
- In the AWS Console search bar at the top, type CloudFormation and open it.
- Click Create stack → With new resources (standard).
- Prepare template: choose Choose an existing template → Upload a template file.
- Click Choose file and select the IceBox template that came with the app — icebox-setup.yaml. (If you don’t have it: download from [link to the file], or ask whoever sent you IceBox.)
- Click Next.
- Stack name: type IceBox.
- NotificationEmail (optional): if you want an email the moment a Glacier restore completes, type your email here. Otherwise leave it blank.
- Click Next.
- Stack options: leave everything as the default. Click Next.
- On the Review page, scroll to the bottom and tick the box that says “I acknowledge that AWS CloudFormation might create IAM resources.” This is just AWS confirming you’re OK with the script creating the scoped access key.
- Click Submit.
Wait about 30–60 seconds. The status will go from CREATE_IN_PROGRESS to CREATE_COMPLETE (green). Hit the refresh icon if needed.
💡 If you provided an email in step 7, check your inbox. You’ll find an “AWS Notification — Subscription Confirmation” message. Click Confirm subscription in it — that’s what enables future restore-ready emails. You’ll also see a one-time “TestEvent” email from AWS verifying the wiring; harmless, ignore.
Step 5 — Connect IceBox
You now have everything IceBox needs. Time to copy four values into the app.
- In CloudFormation, with the IceBox stack selected, click the Outputs tab. You’ll see four rows:
  - IceBoxAccessKeyId — a 20-character string starting with AKIA….
  - IceBoxSecretAccessKey — a 40-character string of random letters/numbers/symbols. Treat this like a password — don’t share it.
  - ArchiveBucketName — something like icebox-archivebucket-abc123….
  - BucketRegion — us-east-2 or whatever you picked in step 3.
- Open IceBox on your Mac. The first-run Welcome screen appears.
- Click through Get Started → I’ve created the stack.
- Paste each of the four values into the matching field. For the region, use the dropdown.
- Click Connect.
IceBox tests the connection (a one-second check that your credentials work and the bucket is reachable), saves the credentials to your Mac’s Keychain (not to disk, not to the cloud — just locally and securely), and drops you into the main window.
You’re done. No more AWS. From here on it’s just IceBox.
You’re done. Now what?
Try it with a small folder first — somewhere with a hundred MBs at most.
- In IceBox, on the Archive tab, click Choose a Folder to Archive.
- Pick a small test folder (maybe a single shoot, an old “to sort” folder, anything safe).
- IceBox scans it, shows you the file count + size + monthly cost, and offers an Archive to Glacier Deep Archive button.
- Click it. Watch it package, upload, write the manifest. A few minutes for hundreds of MB.
- Go to the Library tab. Your archive is there.
- (Optional) Hit Verify — IceBox confirms with AWS that the upload is bit-exact. The badge turns “Verified ✓.”
- (Optional, but the whole point) Hit Archive in place… — your folder moves to the Trash, IceBox leaves a small bookmark file where it was. You’ve now freed up the local disk while keeping the archive safe in your AWS account.
Repeat for any folder you want to keep but don’t need on your laptop.
Troubleshooting
“I can’t log in to AWS after creating the account.” Check your email for the activation message; AWS sometimes takes 10–15 minutes for new accounts to fully activate. If it’s been more than half an hour, try the Forgot your password? link from the AWS sign-in page.
“AWS asked me to verify my tax information / business address.” Skip / decline. Personal AWS use of Deep Archive doesn’t need this.
“The AWS Console looks different from this guide.” AWS reshuffles their UI occasionally. The words to look for stay the same — search for “CloudFormation,” “Budgets,” etc. in the top-bar search.
“The CloudFormation stack failed.” Click the Events tab on the stack — the topmost red row tells you what went wrong. Most common cause: you skipped picking a region (step 3) and ended up somewhere you didn’t expect. Easy fix: in CloudFormation, Delete stack, change region, redo. No data is uploaded yet so deletion is harmless.
“IceBox says ‘Couldn’t connect’ when I paste the four values.” The most common cause is mis-pasted whitespace at the start or end of one of the keys. Re-copy from the AWS Outputs tab — click the small clipboard icon next to each value rather than dragging to select.
“I get a ‘subscription confirmation’ email from AWS but the link doesn’t work.” The confirmation links expire after a few days. Re-run CloudFormation → Update stack with the same email, and AWS sends a fresh confirmation.
“I made a typo in the email address.” Update the stack with the corrected email — AWS will send a new confirmation and remove the old subscription automatically.
Cost & security FAQ
“Will I get a surprise bill?”
Not with the $5 budget alert set up. AWS Deep Archive at typical sizes is pennies to dollars per month. You’d have to deliberately upload many TBs and forget about it to see a real bill — and the alert email would warn you days before that happens.
“What if IceBox gets hacked / stolen?”
Your AWS credentials live in your Mac’s Keychain, not in IceBox’s source code and not on any IceBox server. The access key IceBox uses is scoped to one bucket — it can’t see, touch, or bill anything else in your AWS account. Worst case scenario: someone with your Mac could read that bucket or upload garbage to it. They couldn’t delete other AWS things or rack up unrelated charges.
If you ever want to revoke IceBox’s access entirely: in AWS, go to IAM → Users → find the IceBox user → click Security credentials → make the access key inactive. IceBox is locked out immediately. Your archives stay safe in the bucket.
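To check the one-bucket scoping yourself rather than take it on trust, copy the permissions policy JSON attached to the IceBox user in IAM and run it through a check like the one below. This is an added example, not part of IceBox or its template; the sample policy, its action list and the bucket name icebox-archivebucket-example are constructed placeholders.

```python
import json

# Constructed sample: a policy shaped like what a bucket-scoped key would carry.
# The bucket name and the action list are placeholders, not IceBox's real policy.
SAMPLE_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:PutObject", "s3:GetObject", "s3:RestoreObject"],
     "Resource": "arn:aws:s3:::icebox-archivebucket-example/*"},
    {"Effect": "Allow",
     "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::icebox-archivebucket-example"}
  ]
}"""


def as_list(value):
    """IAM allows a single string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value)


def audit_policy(policy_json, bucket):
    """Return findings for every Allow that reaches beyond the one bucket."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    findings = []
    statements = json.loads(policy_json)["Statement"]
    if isinstance(statements, dict):  # a lone statement may not be wrapped in a list
        statements = [statements]
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {i}: NotAction/NotResource allows everything except a list")
            continue
        for action in as_list(stmt.get("Action", [])):
            if not action.lower().startswith("s3:") or action.lower() == "s3:*":
                findings.append(f"statement {i}: action {action} is broader than bucket object access")
        for resource in as_list(stmt.get("Resource", [])):
            if resource != bucket_arn and not resource.startswith(bucket_arn + "/"):
                findings.append(f"statement {i}: resource {resource} is outside {bucket_arn}")
    return findings


if __name__ == "__main__":
    for line in audit_policy(SAMPLE_POLICY, "icebox-archivebucket-example") or ["scoped to the one bucket"]:
        print(line)
```

An empty result means every Allow statement stays inside the named bucket; pass the ArchiveBucketName value from the stack's Outputs tab as the second argument.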
“Why a credit card if it’s free to set up?”
AWS requires one for sign-up to verify identity (and to charge you if you ever use enough services to incur a bill). No charges happen for setting up an empty bucket or having IceBox connected — only when you actually upload data, and even then it’s pennies/month for typical use.
“What if AWS goes down?”
S3 Deep Archive is designed for eleven nines of durability (99.999999999%) — your data is automatically replicated across multiple physical datacenters. AWS S3 has never lost a customer file in its 18-year history at scale. If anything, your AWS bucket is safer than the original on your laptop.
“Can I cancel?”
Anytime. In AWS, CloudFormation → IceBox → Delete stack removes IceBox’s access key. The bucket itself is set to Retain — it stays, with all your archives, so you don’t lose anything by accident. If you also want the bucket gone, empty it and delete it manually in the S3 console.
“What if I want to move to a different tool later?”
Your archives are stored as ordinary .tar files in standard S3 Deep Archive. Any tool that speaks S3 can read them. You’re not locked in. Even if IceBox vanishes tomorrow, your data is in your bucket, restorable with the AWS CLI or any S3 client.
Stuck?
If anything in this guide doesn’t match what you’re seeing, or you hit something it doesn’t cover, reply to whoever sent you IceBox — they’ll help. (For the eventual public release: a support email + an FAQ on the website.)
Welcome to cheap, cold, in-your-own-hands cloud archival. The hardest part is over.