diff --git a/.env.sample b/.env.sample
index fa066a5..f2157ea 100644
--- a/.env.sample
+++ b/.env.sample
@@ -61,7 +61,7 @@ REDIS_PORT=6379
 # ElasticSearch
 # --------------------------------------
-ES_ENABLED=true
+#COMPOSE_FILE="$COMPOSE_FILE:compose.elasticsearch.yml"
 ES_HOST=es
 ES_PORT=9200
@@ -77,6 +77,7 @@ SECRET_OTP_SECRET_VERSION=v1
 SECRET_VAPID_PRIVATE_KEY_VERSION=v1
 SECRET_DB_PASSWORD_VERSION=v1
 SECRET_SMTP_PASSWORD_VERSION=v1
+SECRET_AWS_SECRET_ACCESS_KEY_VERSION=v1
 # Web Push
 # ========
@@ -118,7 +119,7 @@ DEFAULT_LOCALE=en
 # S3 and AWS
 # ----------
-# S3_ENABLED=
+#COMPOSE_FILE="$COMPOSE_FILE:compose.s3.yml"
 # S3_BUCKET=
 # AWS_ACCESS_KEY_ID=
 # AWS_SECRET_ACCESS_KEY=
diff --git a/compose.elasticsearch.yml b/compose.elasticsearch.yml
new file mode 100644
index 0000000..b9c019d
--- /dev/null
+++ b/compose.elasticsearch.yml
@@ -0,0 +1,15 @@
+---
+version: "3.8"
+
+services:
+ app:
+ environment: &es-env
+ - ES_ENABLED=true
+ - ES_HOST
+ - ES_PORT
+
+ streaming:
+ environment: *es-env
+
+ sidekiq:
+ environment: *es-env
diff --git a/compose.s3.yml b/compose.s3.yml
new file mode 100644
index 0000000..67b2143
--- /dev/null
+++ b/compose.s3.yml
@@ -0,0 +1,33 @@
+---
+version: "3.8"
+
+services:
+ app:
+ environment: &s3-env
+ - S3_ENABLED=true
+ - AWS_ACCESS_KEY_ID
+ - AWS_SECRET_ACCESS_KEY_FILE=/run/secrets/aws_secret_access_key
+ - S3_BUCKET
+ - S3_REGION
+ - S3_PROTOCOL
+ - S3_HOSTNAME
+ - S3_ENDPOINT
+ - S3_SIGNATURE_VERSION
+ - S3_OVERRIDE_PATH_STYLE
+ - S3_OPEN_TIMEOUT
+ - S3_READ_TIMEOUT
+ secrets: &s3-secrets
+ - aws_secret_access_key
+
+ streaming:
+ environment: *s3-env
+ secrets: *s3-secrets
+
+ sidekiq:
+ environment: *s3-env
+ secrets: *s3-secrets
+
+secrets:
+ aws_secret_access_key:
+ name: ${STACK_NAME}_aws_secret_access_key_${SECRET_AWS_SECRET_ACCESS_KEY_VERSION}
+ external: true
diff --git a/compose.yml b/compose.yml
index 784d961..af59160 100644
--- a/compose.yml
+++ b/compose.yml
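Review bot: In the `# S3 and AWS` hunk of .env.sample the context line `# AWS_SECRET_ACCESS_KEY=` is left in place, although compose.s3.yml in this commit does not forward that variable and reads the key from the `aws_secret_access_key` secret through `AWS_SECRET_ACCESS_KEY_FILE`. An operator who follows the sample would write the key in plaintext into the env file, where it has no effect on the containers. I would drop that line and put a pointer in its place, for example `# AWS secret key: store it as the aws_secret_access_key secret (see SECRET_AWS_SECRET_ACCESS_KEY_VERSION), not in this file`.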
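Review bot: In compose.s3.yml the `streaming` service receives `secrets: *s3-secrets` and the whole `*s3-env` block, so the AWS secret key is mounted into a container that, as far as I can tell, never talks to object storage. Unless streaming is known to need it, I would delete the `streaming:` entry from this overlay and keep the secret on `app` and `sidekiq` only, which limits what a compromise of the streaming process can read. compose.elasticsearch.yml follows the same pattern for the ES variables; no secret is involved there, but the entry looks equally unnecessary.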
@@ -48,9 +48,6 @@ services:
 - DEFAULT_LOCALE
 - EMAIL_DOMAIN_ALLOWLIST
 - EMAIL_DOMAIN_DENYLIST
- - ES_ENABLED
- - ES_HOST
- - ES_PORT
 - LDAP_BASE
 - LDAP_BIND_DN
 - LDAP_ENABLED
diff --git a/entrypoint.sh.tmpl b/entrypoint.sh.tmpl
index 57b8ff0..9d354ac 100644
--- a/entrypoint.sh.tmpl
+++ b/entrypoint.sh.tmpl
@@ -28,6 +28,9 @@ export DB_PASS=$(cat /run/secrets/db_password) # for sidekiq service bundle exec env var threading
 file_env "OTP_SECRET"
 file_env "SECRET_KEY_BASE"
+file_env "SMTP_PASSWORD"
+file_env "VAPID_PRIVATE_KEY"
+file_env "AWS_SECRET_ACCESS_KEY"
 {{ if eq (env "OIDC_ENABLED") "true" }}
 file_env "OIDC_CLIENT_SECRET"
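Review bot: `file_env "AWS_SECRET_ACCESS_KEY"` in entrypoint.sh.tmpl now runs on every deployment, but the secret is only mounted and `AWS_SECRET_ACCESS_KEY_FILE` only set when compose.s3.yml is layered in. `file_env` is defined outside this hunk, so please confirm that it returns cleanly when neither the variable nor its `_FILE` form is set, rather than aborting the entrypoint or exporting an empty key. A comment above the line such as `# no-op unless compose.s3.yml sets AWS_SECRET_ACCESS_KEY_FILE` would record the intent. The OIDC secret just below is wrapped in a template conditional, which is the stricter pattern if a suitable flag is available at render time.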