Walwarden Docs

Protect your first database

From dashboard sign-in to first scheduled backup. The happy path.

Prerequisites

Complete these before starting:

  • An AWS S3 bucket and IAM role configured per BYO AWS S3. The bucket must have Object Lock GOVERNANCE enabled. The role must trust walwarden's AWS account.
  • A Postgres DSN for the database you want to protect. The database user must have SELECT privileges on all tables you want to include in the backup. Superuser is not required.
  • A walwarden account. Sign in at app.walwarden.com.

Step 1: Sign in via WorkOS

Walwarden uses WorkOS for authentication. Click "Sign in" and enter your email. You will receive a magic link. Click it to complete sign-in.

On first sign-in, walwarden creates a team for your account. The team is the unit of billing and access control.

Step 2: Add a destination

A destination is the S3 bucket and IAM role that walwarden writes backup artifacts to.

  1. In the dashboard sidebar, click Destinations.
  2. Click Add destination.
  3. Enter:
    • Bucket name — the name of your S3 bucket (not the ARN)
    • Region — the AWS region of the bucket (for example, us-east-1)
    • Role ARN — the ARN of the IAM role walwarden will assume
    • External ID — the external ID walwarden issued during destination setup (copy it from the dashboard, not from the IAM console)
  4. Click Save. Walwarden runs preflight verification immediately. All checks must pass before backups can run. See Preflight verification if any check fails.

If you have not created the bucket and role yet, do that first: BYO AWS S3.
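The two destination prerequisites (Object Lock on the bucket, and a role that trusts walwarden's account with the issued external ID) can be reviewed offline before you click Save. The following is an added example, not walwarden's own preflight code. It assumes the external ID is enforced through an sts:ExternalId condition in the role's trust policy and that a default retention rule, if present, must use GOVERNANCE mode; the account ID, external ID and sample documents are constructed placeholders.

```python
# Added example: offline review of the destination prerequisites.
# All IDs below are constructed placeholders, not walwarden's real values.
VENDOR_ACCOUNT = "111111111111"        # placeholder vendor account ID
EXTERNAL_ID = "example-external-id"    # placeholder; copy yours from the dashboard

def _as_list(v):
    return v if isinstance(v, list) else [v]

def check_trust_policy(policy, account_id, external_id):
    """Return problems found in an IAM role trust policy document (dict)."""
    stmts = [s for s in _as_list(policy.get("Statement", []))
             if s.get("Effect") == "Allow"
             and "sts:AssumeRole" in _as_list(s.get("Action", []))]
    if not stmts:
        return ["no Allow statement for sts:AssumeRole"]
    problems = []
    for s in stmts:
        p = s.get("Principal")
        for arn in _as_list(p.get("AWS", []) if isinstance(p, dict) else p):
            if arn != account_id and not str(arn).startswith(f"arn:aws:iam::{account_id}:"):
                problems.append(f"unexpected principal: {arn}")
        # IAM condition key names are case-insensitive, so normalise them.
        eq = {k.lower(): v for k, v in s.get("Condition", {}).get("StringEquals", {}).items()}
        got = eq.get("sts:externalid")
        if got is None:
            problems.append("no sts:ExternalId condition")
        elif _as_list(got) != [external_id]:
            problems.append("sts:ExternalId does not match the issued value")
    return problems

def check_object_lock(resp):
    """Return problems in a GetObjectLockConfiguration-shaped response (dict)."""
    cfg = resp.get("ObjectLockConfiguration", {})
    problems = []
    if cfg.get("ObjectLockEnabled") != "Enabled":
        problems.append("Object Lock is not enabled")
    mode = cfg.get("Rule", {}).get("DefaultRetention", {}).get("Mode")
    if mode not in (None, "GOVERNANCE"):
        problems.append(f"default retention mode is {mode}, not GOVERNANCE")
    return problems

GOOD_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": f"arn:aws:iam::{VENDOR_ACCOUNT}:root"},
    "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}}}]}
BAD_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"AWS": "*"}}]}
GOOD_LOCK = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
    "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 30}}}}
```

To run it against a real setup, pass in the AssumeRolePolicyDocument from aws iam get-role and the JSON from aws s3api get-object-lock-configuration, both parsed into dicts.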

Step 3: Add a protected database

  1. In the sidebar, click Protected databases.
  2. Click Add database.
  3. Enter:
    • Name — a label for your reference (for example, production-app-db)
    • DSN — the connection string for the source database, including the password. The connection is used only by the backup worker; it is stored encrypted and never returned to the browser.
    • Destination — select the destination you created in step 2
  4. Click Save.

Walwarden validates that it can reach the database and that the backup role has the necessary permissions.

Step 4: Set the backup schedule

After creating the protected database, the detail page shows a Schedule section. The default is no schedule; the database does not back up until you configure one.

Enter a cron expression for how often you want backups. Common choices:

  Schedule              Cron
  Every hour            0 * * * *
  Every 6 hours         0 */6 * * *
  Daily at 02:00 UTC    0 2 * * *

Click Save schedule. The first backup will run at the next scheduled tick. You can also trigger an immediate backup via Ad-hoc backup.

Step 5: Confirm the first backup

The dashboard shows a Backup history table on the database detail page. After the first scheduled (or ad-hoc) backup completes, you will see:

  • State: completed
  • Completed timestamp
  • Artifact size in bytes
  • Manifest SHA256 hash (truncated; click to copy the full hash)
  • A "Restore from this backup" button

This means your data is in your S3 bucket, signed, and ready to restore.

Next: verify you can restore

A backup you have never restored from is a backup you have not yet proven works. Run the restore walkthrough now against a non-production target:

Restore walkthrough