diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md
index 260b76727..1e1e3b259 100644
--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -1,11 +1,17 @@
 <!-- The title of this PR should complete the sentence: “Merging this PR will ...” -->
 
 ## :memo: Summary
-This PR closes/completes/contributes to issue #ANPL-...
-<!-- Adding the issue number above will automatically link it to our Jira board -->
+This PR resolves ...
+<!-- Adding the issue number above will automatically link the PR to the github issue,
+and will close the issue on merging. Note this will only happen if the correct keyword
+is used, such resolves/closes/fixes. See full list of keywords at
+https://docs.github.com/en/issues/tracking-your-work-with-issues/linking-a-pull-request-to-an-issue#linking-a-pull-request-to-an-issue-using-a-keyword.
+If the issue belongs to the current repo, add the number prefixed with e.g #1234.
+If the issue belongs to another repo, add with Organization_name/Repository#... e.g.
+ministryofjustice/data-platform#1234 -->
 
 This PR ...
-<!-- Give a brief description here. 
+<!-- Give a brief description here.
 What changes have you made?
 Is it a version bump, bugfix, documentation, major change, something else? -->
 
@@ -27,4 +33,4 @@ Merging this PR will have the following side-effects:
 <!-- If documentation is left until later, you must explain why and create a ticket for it -->
 - [ ] No changes to the documentation are required
 - [ ] This PR includes all relevant documentation
-- [ ] Documentation will be added in the future because ... (see #ANPL-...)
+- [ ] Documentation will be added in the future because ... (see issue #...)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index a59fb520b..eedbd2c4f 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -29,12 +29,3 @@ repos:
     - id: flake8
       name: flake8 format check
       entry: bash -c 'flake8 --config=.flake8 $(git diff --name-only --cached --diff-filter=ACMR | grep .py)'
-
-  - repo: local
-    hooks:
-    - id: jira-ticket
-      name: Check for Jira ticket
-      language: pygrep
-      entry: '\A(?!ANPL+-[0-9]+)'
-      args: [--multiline]
-      stages: [commit-msg]
diff --git a/Dockerfile b/Dockerfile
index e0851cc5a..42f6b1fb0 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -29,6 +29,11 @@ RUN apt-get update \
     && apt-get install -y --no-install-recommends \
         postgresql-client \
         wget \
+        gcc \
+        libcurl4-gnutls-dev \
+        python3-dev \
+        libgnutls28-dev \
+        libssl-dev \
     && rm -rf /var/lib/apt/lists/*
 
 WORKDIR /home/controlpanel
diff --git a/controlpanel/__init__.py b/controlpanel/__init__.py
index e69de29bb..15d7c5085 100644
--- a/controlpanel/__init__.py
+++ b/controlpanel/__init__.py
@@ -0,0 +1,5 @@
+# This will make sure the app is always imported when
+# Django starts so that shared_task will use this app.
+from .celery import app as celery_app
+
+__all__ = ('celery_app',)
diff --git a/controlpanel/api/admin.py b/controlpanel/api/admin.py
index c64022b71..22d6bcf05 100644
--- a/controlpanel/api/admin.py
+++ b/controlpanel/api/admin.py
@@ -24,8 +24,8 @@ class AppAdmin(admin.ModelAdmin):
 
 
 class S3Admin(admin.ModelAdmin):
-    list_display = ("name", "created_by", "created", "is_data_warehouse")
-    list_filter = ("created_by", "is_data_warehouse")
+    list_display = ("name", "created_by", "created", "is_data_warehouse", "is_deleted")
+    list_filter = ("created_by", "is_data_warehouse", "is_deleted")
     search_fields = ("name",)
 
 
diff --git a/controlpanel/api/auth0.py b/controlpanel/api/auth0.py
index 54c29e12d..25c16bd1d 100644
--- a/controlpanel/api/auth0.py
+++ b/controlpanel/api/auth0.py
@@ -47,6 +47,8 @@ class ExtendedAuth0(Auth0):
     DEFAULT_GRANT_TYPES = ["authorization_code", "client_credentials"]
     DEFAULT_APP_TYPE = "regular_web"
 
+    DEFAULT_CONNECTION_OPTION = 'email'
+
     def __init__(self, **kwargs):
         self.client_id = kwargs.get("client_id", settings.AUTH0["client_id"])
         self.client_secret = kwargs.get(
@@ -156,7 +158,7 @@ def setup_auth0_client(
                 }
         """
         if connections is None:
-            connections = {"email": {}}
+            connections = {self.DEFAULT_CONNECTION_OPTION: {}}
         new_connections = self._create_custom_connection(client_name, connections)
         app_url = "https://{}.{}".format(
             app_url_name or client_name, app_domain or self.app_domain)
@@ -178,7 +180,18 @@ def setup_auth0_client(
         )
         role = self.roles.create(dict(name="app-viewer", applicationId=client_id))
         self.roles.add_permission(role, view_app["_id"])
-        group = self.groups.create(dict(name=client_name))
+        try:
+            group = self.groups.create(dict(name=client_name))
+        except exceptions.Auth0Error as exc:
+            # celery fails to unpickle original exception, but not 100% sure why.
+            # Seems to be because __reduce__  method is incorrect? Possible bug.
+            # https://github.com/celery/celery/issues/6990#issuecomment-1433689294
+            # TODO what should happen if group already exists? Raise new error and
+            #  catch in the worker? e.g.:
+            # raise Auth0Error(detail=exc.message, code=exc.error_code)
+            # Or get the group ID and continue?
+            group = dict(_id=self.groups.get_group_id(client_name))
+
         self.groups.add_role(group["_id"], role["_id"])
 
         self._enable_connections_for_new_client(
@@ -277,7 +290,7 @@ def update_client_auth_connections(
         so we have to get all social connections, then check whether the client
         (client_id) is in the list of enabled_clients
         """
-        connections = {"email": {}} if new_conns is None else new_conns
+        connections = {self.DEFAULT_CONNECTION_OPTION: {}} if new_conns is None else new_conns
         new_connections = self._create_custom_connection(app_name, connections)
 
         # Get the list of  removed connections based on the existing connections
@@ -512,7 +525,12 @@ def create_custom_connection(self, connection_name: str, input_values: dict()):
             body = yaml.safe_load(yaml_rendered) or defaultdict(dict)
             body["options"]["scripts"] = scripts_rendered
 
-        self.create(body)
+        try:
+            self.create(body)
+        except exceptions.Auth0Error as error:
+            # Skip the exception when the connection name existed already
+            if error.status_code != 409:
+                raise Auth0Error(error.__str__(), code=error.status_code)
         return input_values["name"]
 
 
diff --git a/controlpanel/api/auth0_conns/auth0_nomis/fetchUserProfile.js b/controlpanel/api/auth0_conns/auth0_nomis/fetchUserProfile.js
index df80b7688..edd73a7ca 100644
--- a/controlpanel/api/auth0_conns/auth0_nomis/fetchUserProfile.js
+++ b/controlpanel/api/auth0_conns/auth0_nomis/fetchUserProfile.js
@@ -1,37 +1,14 @@
-function(accessToken, ctx, cb) {
-  var base_url = "{{gateway_url}}";
-  var user_endpoint = "/auth/api/user/me";
-  var user_profile_url = base_url + user_endpoint;
-
-  // call oauth2 API with the accesstoken and create the profile
-  request.get(
-    user_profile_url,
-    {
-      headers: {
-        Authorization: "Bearer " + accessToken
-      }
-    },
-    function(err, resp, body) {
-      if (err) {
-        cb(err);
-        return;
-      }
-      if (!/^2/.test("" + resp.statusCode)) {
-        cb(body);
-        return;
-      }
-      let parsedBody = JSON.parse(body);
-      let profile = {
-        user_id: parsedBody.staffId,
-        nickname: parsedBody.name,
-        name: parsedBody.name,
-        email: parsedBody.username + "+" + parsedBody.activeCaseLoadId + "@nomis",
-        username: parsedBody.username,
-        blocked: !parsedBody.active,
-        activeCaseLoadId: parsedBody.activeCaseLoadId,
-        _nomisAccessToken: accessToken
-      };
-      cb(null, profile);
-    }
-  );
+function fetchUserProfile(accessToken, context, callback) {
+  // The email is only for auth0 usage purpose, not the actual email of login user
+  const profile = {
+    sub: context.sub,
+    user_id: context.user_id,
+    auth_source: context.auth_source,
+    nickname: context.name,
+    name: context.name,
+    username: context.user_name,
+    _accessToken: accessToken,
+    email: context.user_name + "+" + context.user_id + "@" + context.auth_source,
+  };
+  callback(null, profile);
 }
diff --git a/controlpanel/api/aws.py b/controlpanel/api/aws.py
index 2b85e0188..8dedaa030 100644
--- a/controlpanel/api/aws.py
+++ b/controlpanel/api/aws.py
@@ -1,5 +1,6 @@
 # Standard library
 import base64
+import hashlib
 import json
 import re
 from copy import deepcopy
@@ -133,6 +134,7 @@ def iam_arn(resource, account=settings.AWS_DATA_ACCOUNT_ID):
 
 class S3AccessPolicy:
     """Provides a convenience wrapper around a RolePolicy object"""
+    SID_SUFFIX_LEN = 32
 
     def __init__(self, policy):
         self.policy = policy
@@ -156,6 +158,15 @@ def __init__(self, policy):
             if sid in self.base_s3_access_sids:
                 stmt.update(deepcopy(BASE_S3_ACCESS_STATEMENT[sid]))
                 self.statements[sid] = stmt
+                continue
+
+            # check for the SID without md5 suffix
+            if sid[:-self.SID_SUFFIX_LEN] in self.base_s3_access_sids:
+                stmt.update(
+                    deepcopy(BASE_S3_ACCESS_STATEMENT[sid[:-self.SID_SUFFIX_LEN]])
+                )
+                stmt["Sid"] = sid
+                self.statements[sid] = stmt
 
     @property
     def base_s3_access_sids(self):
@@ -165,16 +176,56 @@ def load_policy_document(self):
         # triggers API call
         return self.policy.policy_document
 
-    def statement(self, sid):
-        if sid in self.base_s3_access_sids:
-            if sid not in self.statements:
-                stmt = deepcopy(BASE_S3_ACCESS_STATEMENT[sid])
-                self.statements[sid] = stmt
-                self.policy_document["Statement"].append(stmt)
-            return self.statements[sid]
+    def _build_statement(self, base_sid, sid):
+        """
+        Build and store a new statement dictionary copied from the
+        BASE_S3_ACCESS_STATEMENT.
+        If a suffix is given this is appended to the Sid of the new statement block.
+        """
+        statement = deepcopy(BASE_S3_ACCESS_STATEMENT[base_sid])
+        statement["Sid"] = sid
+        self.statements[sid] = statement
+        self.policy_document["Statement"].append(statement)
+        return statement
 
-    def add_resource(self, arn, sid):
-        statement = self.statement(sid)
+    @staticmethod
+    def _construct_sid(base_sid, suffix=None):
+        """
+        If a suffix is given this is used to create a md5 hash in order to meet AWS
+        requirements for the Sid, which supports only uppercase letters (A-Z), lowercase
+        letters (a-z), and numbers (0-9).
+        """
+        if not suffix:
+            return base_sid
+
+        suffix = hashlib.md5(suffix.encode()).hexdigest()
+        return f"{base_sid}{suffix}"
+
+    def statement(self, base_sid, suffix=None):
+        """
+        Get or build the statement element for the given Sid and suffix.
+
+        :param str base_sid: should be one of the Sid defined that are defined in the
+        BASE_S3_ACCESS_STATEMENT
+        :param suffix: Optional arg, if given will be used when constructing the Sid
+        that is used to lookup or build a statement element.
+        :type suffix: str or None
+        """
+        if base_sid not in self.base_s3_access_sids:
+            return
+
+        sid = self._construct_sid(base_sid, suffix)
+        statement = self.statements.get(sid, None)
+        if not statement:
+            statement = self._build_statement(
+                base_sid=base_sid,
+                sid=sid
+            )
+
+        return statement
+
+    def add_resource(self, arn, sid, sid_suffix=None):
+        statement = self.statement(sid, sid_suffix)
         if statement:
             statement["Resource"] = statement.get("Resource", [])
             if arn not in statement["Resource"]:
@@ -197,6 +248,44 @@ def _is_arn_part_of_resource(self, resource, arn):
                 return True
         return False
 
+    def remove_prefix(self, root_folder_path, sid, condition):
+        """
+        Remove the folder name from the prefixes condition of a statement block. The
+        prefixes condition is used to limit list access to specific folders in an S3
+        bucket, so by removing the folder name from the prefixes it removes access to
+        that folder.
+
+        :param str root_folder_path: Path to the root folder including bucket name e.g.
+        user-data-bucket/my-folder
+        :param str sid: Statement ID
+        :param str condition: Condition operator. Should be StringEquals or StringLike
+        """
+        # split the path into the bucket name and the folder name
+        bucket_name, folder = self.get_bucket_and_path(root_folder_path)
+        statement = self.statement(sid, suffix=bucket_name)
+        if not statement:
+            return
+
+        # build arn for the bucket to check that it is included in the statements
+        # resource element
+        bucket_arn = s3_arn(resource=bucket_name)
+        if bucket_arn not in statement.get("Resource", []):
+            return
+
+        try:
+            prefixes = statement["Condition"][condition]["s3:prefix"]
+        except KeyError:
+            prefixes = []
+
+        # remove access to the folder
+        prefixes[:] = [
+            prefix for prefix in prefixes if not prefix.startswith(folder)
+        ]
+
+        # remove the resource if no prefixes left so that the statement is removed
+        if prefixes == [] or prefixes == [""]:
+            statement.pop("Resource", None)
+
     def remove_resource(self, arn, sid):
         statement = self.statement(sid)
         if statement:
@@ -213,16 +302,29 @@ def grant_object_access(self, arn, access_level):
     def grant_list_access(self, arn):
         self.add_resource(arn, "list")
 
-    def _add_folder_to_list_folder_prefixes(self, folder):
-        statement = self.statement("listFolder")
+    def _add_folder_to_list_folder_prefixes(self, folder, bucket_name):
+        statement = self.statement("listFolder", suffix=bucket_name)
+        # make sure that we are updating statement for the correct bucket
+        if s3_arn(bucket_name) not in statement["Resource"]:
+            return
+
         try:
             prefixes = statement["Condition"]["StringEquals"]["s3:prefix"]
         except KeyError:
             prefixes = [""]
 
+        subfolders = folder.split("/")[:-1]
+        for index, path in enumerate(subfolders):
+            prev = "/".join(subfolders[:index])
+            if prev:
+                path = f"{prev}/{path}"
+
+            if path not in prefixes:
+                prefixes.append(path)
+                prefixes.append(f"{path}/")
+
         if folder not in prefixes:
             prefixes.append(folder)
-            prefixes.append(f"{folder}/")
 
         statement["Condition"] = {
             "StringEquals": {
@@ -231,8 +333,13 @@ def _add_folder_to_list_folder_prefixes(self, folder):
             }
         }
 
-    def _add_folder_to_list_sub_folders_prefixes(self, folder):
-        statement = self.statement("listSubFolders")
+    def _add_folder_to_list_sub_folders_prefixes(self, folder, bucket_name):
+        statement = self.statement("listSubFolders", suffix=bucket_name)
+
+        # make sure that we are updating statement for the correct bucket
+        if s3_arn(bucket_name) not in statement["Resource"]:
+            return
+
         try:
             prefixes = statement["Condition"]["StringLike"]["s3:prefix"]
         except KeyError:
@@ -248,28 +355,62 @@ def _add_folder_to_list_sub_folders_prefixes(self, folder):
             }
         }
 
-    def grant_folder_list_access(self, arn):
+    @staticmethod
+    def get_bucket_and_path(folder_path):
         """
-        Splits the resource arn to get the bucket ARN and folder name, then for all
-        permissions required for folder list access makes sure the ARN is added as the
-        resource, and folder name is used in the statement condition prefixes so that
-        access if only granted to the specific folder and sub folders in the S3 bucket.
-        For a detailed breakdown of folder-level permissions see the docs:
-        https://aws.amazon.com/blogs/security/writing-iam-policies-grant-access-to-user-specific-folders-in-an-amazon-s3-bucket/  # noqa
+        Splits a path on the first / to return the name of the bucket and rest of
+        the path.
         """
-        arn, folder = arn.split("/")
-        # required to avoid warnings when accessing AWS console
-        self.add_resource(arn, "rootFolderBucketMeta")
-        self.add_resource(arn, "listFolder")
-        self._add_folder_to_list_folder_prefixes(folder)
-        self.add_resource(arn, "listSubFolders")
-        self._add_folder_to_list_sub_folders_prefixes(folder)
+        return folder_path.split("/", 1)
+
+    def grant_folder_access(self, root_folder_path, access_level, paths=None):
+        """
+        Grant access to the given folder for the given access level. If paths have been
+        specified, only grants access to those paths within the root folder.
+        """
+        bucket_name, folder = self.get_bucket_and_path(root_folder_path)
+        bucket_arn = s3_arn(bucket_name)
+        # make sure the root bucket arn is included in the resources
+        self.add_resource(bucket_arn, "rootFolderBucketMeta")
+        self.add_resource(bucket_arn, "listFolder", sid_suffix=bucket_name)
+        self.add_resource(bucket_arn, "listSubFolders", sid_suffix=bucket_name)
+
+        folder_paths = [folder]
+        if paths:
+            folder_paths = [f"{folder}{path}" for path in paths]
+
+        for folder_path in folder_paths:
+            self.grant_object_access(
+                arn=f"{bucket_arn}/{folder_path}",
+                access_level=access_level,
+            )
+            self._add_folder_to_list_folder_prefixes(folder_path, bucket_name)
+            self._add_folder_to_list_sub_folders_prefixes(folder_path, bucket_name)
 
     def revoke_access(self, arn):
         self.remove_resource(arn, "readonly")
         self.remove_resource(arn, "readwrite")
         self.remove_resource(arn, "list")
 
+    def revoke_folder_access(self, root_folder_path):
+        # build arn for full path, including the folder name. important to include the
+        # folder name, as this is the resource string that is used when granting access
+        bucket_name, _ = self.get_bucket_and_path(root_folder_path)
+        folder_resource_arn = s3_arn(root_folder_path)
+        self.remove_resource(arn=folder_resource_arn, sid="readonly")
+        self.remove_resource(arn=folder_resource_arn, sid="readwrite")
+        self.remove_resource(arn=s3_arn(bucket_name), sid="rootFolderBucketMeta")
+        self.remove_prefix(
+            root_folder_path=root_folder_path,
+            sid="listFolder",
+            condition="StringEquals",
+        )
+        self.remove_prefix(
+            root_folder_path=root_folder_path,
+            sid="listSubFolders",
+            condition="StringLike",
+        )
+
     def put(self, policy_document=None):
         if policy_document is None:
             policy_document = self.policy_document
@@ -307,16 +448,19 @@ def save_policy_document(self, policy_document):
 
 
 class AWSService:
-    def __init__(self, assume_role_name=None, profile_name=None):
+    def __init__(self, assume_role_name=None, profile_name=None, region_name=None):
         self.assume_role_name = assume_role_name
         self.profile_name = profile_name
+        self.region_name = region_name or settings.AWS_DEFAULT_REGION
 
         self.aws_sessions = AWSCredentialSessionSet()
 
     @property
     def boto3_session(self):
         return self.aws_sessions.get_session(
-            assume_role_name=self.assume_role_name, profile_name=self.profile_name
+            assume_role_name=self.assume_role_name,
+            profile_name=self.profile_name,
+            region_name=self.region_name
         )
 
 
@@ -375,14 +519,19 @@ def grant_bucket_access(self, role_name, bucket_arn, access_level, path_arns=Non
             policy.grant_object_access(arn, access_level)
         policy.put()
 
-    def grant_folder_access(self, role_name, bucket_arn, access_level):
+    def grant_folder_access(self, role_name, root_folder_path, access_level, paths):
+
         if access_level not in ("readonly", "readwrite"):
             raise ValueError("access_level must be one of 'readwrite' or 'readonly'")
 
         role = self.boto3_session.resource("iam").Role(role_name)
         policy = S3AccessPolicy(role.Policy("s3-access"))
-        policy.grant_folder_list_access(bucket_arn)
-        policy.grant_object_access(bucket_arn, access_level)
+        policy.revoke_folder_access(root_folder_path=root_folder_path)
+        policy.grant_folder_access(
+            root_folder_path=root_folder_path,
+            access_level=access_level,
+            paths=paths,
+        )
         policy.put()
 
     def revoke_bucket_access(self, role_name, bucket_arn=None):
@@ -403,6 +552,20 @@ def revoke_bucket_access(self, role_name, bucket_arn=None):
         policy.revoke_access(bucket_arn)
         policy.put()
 
+    def revoke_folder_access(self, role_name, root_folder_path):
+        try:
+            role = self.boto3_session.resource("iam").Role(role_name)
+            role.load()
+        except botocore.exceptions.ClientError as e:
+            if e.response["Error"]["Code"] == "NoSuchEntity":
+                log.warning(f"Role '{role_name}' doesn't exist: Nothing to revoke")
+                return
+            raise e
+
+        policy = S3AccessPolicy(role.Policy("s3-access"))
+        policy.revoke_folder_access(root_folder_path=root_folder_path)
+        policy.put()
+
 
 class AWSFolder(AWSService):
     @staticmethod
@@ -427,6 +590,27 @@ def exists(self, folder_name):
         except botocore.exceptions.ClientError:
             return False
 
+    def get_objects(self, bucket_name, folder_name):
+        bucket = self.boto3_session.resource("s3").Bucket(bucket_name)
+        return bucket.objects.filter(Prefix=f"{folder_name}/")
+
+    def archive_object(self, key, source_bucket_name=None, delete_original=True):
+        source_bucket_name = source_bucket_name or settings.S3_FOLDER_BUCKET_NAME
+        copy_source = {
+            'Bucket': source_bucket_name,
+            'Key': key
+        }
+        archive_bucket = self.boto3_session.resource("s3").Bucket(
+            settings.S3_ARCHIVE_BUCKET_NAME
+        )
+        new_key = f"{archive_bucket.name}/{key}"
+
+        archive_bucket.copy(copy_source, new_key)
+        log.info(f"Moved {key} to {new_key}")
+        if delete_original:
+            self.boto3_session.resource("s3").Object(source_bucket_name, key).delete()
+            log.info(f"deleted original: {source_bucket_name}/{key}")
+
 
 class AWSBucket(AWSService):
     def create(self, bucket_name, is_data_warehouse=False):
@@ -619,6 +803,23 @@ def delete_policy(self, policy_arn):
 
         policy.delete()
 
+    def grant_folder_access(
+        self, policy_arn, root_folder_path, access_level, paths=None
+    ):
+
+        if access_level not in ("readonly", "readwrite"):
+            raise ValueError("access_level must be one of 'readwrite' or 'readonly'")
+
+        policy = self.boto3_session.resource("iam").Policy(policy_arn)
+        policy = ManagedS3AccessPolicy(policy)
+        policy.revoke_folder_access(root_folder_path=root_folder_path)
+        policy.grant_folder_access(
+            root_folder_path=root_folder_path,
+            access_level=access_level,
+            paths=paths,
+        )
+        policy.put()
+
     def grant_policy_bucket_access(
         self, policy_arn, bucket_arn, access_level, path_arns=None
     ):
@@ -646,6 +847,12 @@ def revoke_policy_bucket_access(self, policy_arn, bucket_arn=None):
         policy.revoke_access(bucket_arn)
         policy.put()
 
+    def revoke_policy_folder_access(self, policy_arn, root_folder_path):
+        policy = self.boto3_session.resource("iam").Policy(policy_arn)
+        policy = ManagedS3AccessPolicy(policy)
+        policy.revoke_folder_access(root_folder_path=root_folder_path)
+        policy.put()
+
 
 class AWSParameterStore(AWSService):
     def __init__(self, assume_role_name=None, profile_name=None):
@@ -808,3 +1015,112 @@ def get_secret_if_found(self, secret_name: str) -> Optional[dict]:
         if self.has_existed(secret_name):
             return self.get_secret(secret_name)
         return {}
+
+
+class AWSSQS(AWSService):
+
+    def __init__(self, assume_role_name=None, profile_name=None):
+        super(AWSSQS, self).__init__(
+            assume_role_name=assume_role_name,
+            profile_name=profile_name,
+            region_name=settings.SQS_REGION
+        )
+        self.client = self.boto3_session.resource("sqs")
+
+    def get_queue(self, name):
+        """
+        Gets an SQS queue by name.
+
+        :param name: The name that was used to create the queue.
+        :return: A Queue object.
+        """
+        try:
+            queue = self.client.get_queue_by_name(QueueName=name)
+            log.info("Got queue '%s' with URL=%s", name, queue.url)
+        except botocore.exceptions.ClientError as error:
+            log.exception("Couldn't get queue named %s.", name)
+            raise error
+        else:
+            return queue
+
+    def send_message(self, queue_name, message_body, message_attributes=None):
+        """
+        Send a message to an Amazon SQS queue.
+
+        :param queue_name: The queue that receives the message.
+        :param message_body: The body text of the message.
+        :param message_attributes: Custom attributes of the message. These are key-value
+                                   pairs that can be whatever you want.
+        :return: The response from SQS that contains the assigned message ID.
+        """
+        if not message_attributes:
+            message_attributes = {}
+
+        queue = self.get_queue(name=queue_name)
+        try:
+            response = queue.send_message(
+                MessageBody=message_body,
+                MessageAttributes=message_attributes
+            )
+        except botocore.exceptions.ClientError as error:
+            log.exception("Send message failed: %s", message_body)
+            raise error
+        else:
+            return response
+
+    def receive_messages(self, queue_name, max_number, wait_time):
+        """
+        Receive a batch of messages in a single request from an SQS queue.
+
+        :param queue_name: The queue from which to receive messages.
+        :param max_number: The maximum number of messages to receive. The actual number
+                           of messages received might be less.
+        :param wait_time: The maximum time to wait (in seconds) before returning. When
+                          this number is greater than zero, long polling is used. This
+                          can result in reduced costs and fewer false empty responses.
+        :return: The list of Message objects received. These each contain the body
+                 of the message and metadata and custom attributes.
+        """
+        queue = self.get_queue(name=queue_name)
+        try:
+            messages = queue.receive_messages(
+                MessageAttributeNames=['All'],
+                MaxNumberOfMessages=max_number,
+                WaitTimeSeconds=wait_time
+            )
+            for msg in messages:
+                log.info("Received message: %s: %s", msg.message_id, msg.body)
+        except botocore.exceptions.ClientError as error:
+            log.exception("Couldn't receive messages from queue: %s", queue_name)
+            raise error
+        else:
+            return messages
+
+    def delete_messages(self, queue, messages):
+        """
+        Delete a batch of messages from a queue in a single request.
+
+        :param queue: The queue from which to delete the messages.
+        :param messages: The list of messages to delete.
+        :return: The response from SQS that contains the list of successful and failed
+                 message deletions.
+        """
+        try:
+            entries = [{
+                'Id': str(ind),
+                'ReceiptHandle': msg.receipt_handle
+            } for ind, msg in enumerate(messages)]
+            response = queue.delete_messages(Entries=entries)
+            if 'Successful' in response:
+                for msg_meta in response['Successful']:
+                    log.info("Deleted %s", messages[int(msg_meta['Id'])].receipt_handle)
+            if 'Failed' in response:
+                for msg_meta in response['Failed']:
+                    log.warning(
+                        "Could not delete %s",
+                        messages[int(msg_meta['Id'])].receipt_handle
+                    )
+        except botocore.exceptions.ClientError:
+            log.exception("Couldn't delete messages from queue %s", queue)
+        else:
+            return response
diff --git a/controlpanel/api/aws_auth.py b/controlpanel/api/aws_auth.py
index 97b8b0d76..ee0881c18 100644
--- a/controlpanel/api/aws_auth.py
+++ b/controlpanel/api/aws_auth.py
@@ -113,8 +113,13 @@ class AWSCredentialSessionSet(metaclass=SingletonMeta):
     def __init__(self):
         self.credential_sessions = {}
 
-    def get_session(self, profile_name: str = None, assume_role_name: str = None):
-        credential_session_key = "{}_{}".format(profile_name, assume_role_name)
+    def get_session(
+            self,
+            profile_name: str = None,
+            assume_role_name: str = None,
+            region_name: str = None):
+        credential_session_key = "{}_{}_{}".format(
+            profile_name, assume_role_name, region_name)
         if credential_session_key not in self.credential_sessions:
             log.warn(
                 "(for monitoring purpose) Initialising the session ({})".format(
@@ -122,6 +127,8 @@ def get_session(self, profile_name: str = None, assume_role_name: str = None):
                 )
             )
             self.credential_sessions[credential_session_key] = BotoSession(
-                profile_name=profile_name, assume_role_name=assume_role_name
+                region_name=region_name,
+                profile_name=profile_name,
+                assume_role_name=assume_role_name
             ).refreshable_session()
         return self.credential_sessions[credential_session_key]
diff --git a/controlpanel/api/cluster.py b/controlpanel/api/cluster.py
index e46160960..e13ba3c88 100644
--- a/controlpanel/api/cluster.py
+++ b/controlpanel/api/cluster.py
@@ -340,19 +340,26 @@ def delete(self):
         self.aws_role_service.delete_role(self.user.iam_role_name)
         self.delete_user_helm_charts()
 
-    def grant_bucket_access(self, bucket_arn, access_level, path_arns=[]):
+    def grant_bucket_access(self, bucket_arn, access_level, path_arns=None):
+        path_arns = path_arns or []
         self.aws_role_service.grant_bucket_access(
             self.iam_role_name, bucket_arn, access_level, path_arns
         )
 
-    def grant_folder_access(self, bucket_arn, access_level):
+    def grant_folder_access(self, root_folder_path, access_level, paths):
         self.aws_role_service.grant_folder_access(
-            self.iam_role_name, bucket_arn, access_level
+            role_name=self.iam_role_name,
+            root_folder_path=root_folder_path,
+            access_level=access_level,
+            paths=paths,
         )
 
     def revoke_bucket_access(self, bucket_arn):
         self.aws_role_service.revoke_bucket_access(self.iam_role_name, bucket_arn)
 
+    def revoke_folder_access(self, root_folder_path):
+        self.aws_role_service.revoke_folder_access(self.iam_role_name, root_folder_path)
+
     def has_required_installation_charts(self):
         """Checks if the expected helm charts exist for the user."""
         installed_helm_charts = helm.list_releases(namespace=self.k8s_namespace)
@@ -627,6 +634,8 @@ def create_auth_settings(
     ):
         client = None
         group = None
+        connections = connections or \
+                      {auth0.ExtendedAuth0.DEFAULT_CONNECTION_OPTION: {}}
         if not disable_authentication:
             client, group = self._get_auth0_instance().setup_auth0_client(
                 client_name=self.app.auth0_client_name(env_name),
@@ -640,7 +649,7 @@ def create_auth_settings(
         self._create_env_vars(
             env_name,
             disable_authentication,
-            connections or [],
+            connections,
             client=client,
         )
         return client, group
@@ -655,6 +664,20 @@ def remove_auth_settings(self, env_name):
         self._get_auth0_instance().clear_up_app(self.app.get_auth_client(env_name))
         self.app.clear_auth_settings(env_name)
 
+    def update_auth_connections(self, env_name, new_conns):
+        existing_conns = self.app.auth0_connections(env_name=env_name)
+        self.create_or_update_env_var(
+            env_name=env_name,
+            key_name=self.AUTH0_PASSWORDLESS,
+            key_value=auth0.ExtendedAuth0.DEFAULT_CONNECTION_OPTION in new_conns
+        )
+        auth0.ExtendedAuth0().update_client_auth_connections(
+            app_name=self.app.auth0_client_name(env_name),
+            client_id=self.app.get_auth_client(env_name).get("client_id"),
+            new_conns=new_conns,
+            existing_conns=existing_conns,
+        )
+
     def remove_redundant_env(self, env_name):
         self._get_auth0_instance().clear_up_app(self.app.get_auth_client(env_name))
         self.app.clear_auth_settings(env_name)
@@ -708,9 +731,21 @@ def _init_aws_services(self):
         self.aws_bucket_service = self.create_aws_service(self.aws_service_class)
 
     def exists(self, folder_name, bucket_owner):
+        # TODO this assumes only one multi root bucket
         folder_path = f"{settings.S3_FOLDER_BUCKET_NAME}/{folder_name}"
         return super().exists(folder_path, bucket_owner), folder_path
 
+    def get_objects(self):
+        bucket_name, folder_name = self.bucket.name.split("/")
+        return self.aws_bucket_service.get_objects(
+            bucket_name=bucket_name, folder_name=folder_name,
+        )
+
+    def archive_object(self, key, source_bucket=None, delete_original=True):
+        self.aws_bucket_service.archive_object(
+            key=key, source_bucket_name=source_bucket, delete_original=delete_original,
+        )
+
 
 class RoleGroup(EntityResource):
     """
@@ -758,9 +793,17 @@ def grant_bucket_access(self, bucket_arn, access_level, path_arns):
             self.arn, bucket_arn, access_level, path_arns
         )
 
+    def grant_folder_access(self, root_folder_path, access_level, paths):
+        self.aws_policy_service.grant_folder_access(
+            self.arn, root_folder_path, access_level, paths
+        )
+
     def revoke_bucket_access(self, bucket_arn):
         self.aws_policy_service.revoke_policy_bucket_access(self.arn, bucket_arn)
 
+    def revoke_folder_access(self, root_folder_path):
+        self.aws_policy_service.revoke_policy_folder_access(self.arn, root_folder_path)
+
 
 class AppParameter(EntityResource):
 
diff --git a/controlpanel/api/message_broker.py b/controlpanel/api/message_broker.py
new file mode 100644
index 000000000..bc682dbd0
--- /dev/null
+++ b/controlpanel/api/message_broker.py
@@ -0,0 +1,202 @@
+import os
+import socket
+import uuid
+import json
+import base64
+from collections.abc import Mapping
+
+from controlpanel.api.aws import AWSSQS
+from controlpanel import celery_app
+
+
+class MessageProtocolError(Exception):
+    pass
+
+
+class MessageProtocol:
+
+    def __init__(self, task_id: str, task_name: str, queue_name: str, args=None, kwargs=None):
+        self.task_id = task_id
+        self.task_name = task_name
+        self.queue_name = queue_name
+        self.args = args or ()
+        self.kwargs = kwargs or {}
+        self. _validate()
+
+    def _validate(self):
+        if not isinstance(self.args, (list, tuple)):
+            raise TypeError('task args must be a list or tuple')
+        if not isinstance(self.kwargs, Mapping):
+            raise TypeError('task keyword arguments must be a mapping')
+        try:
+            uuid.UUID(str(self.task_id))
+        except ValueError:
+            raise TypeError('task id arguments must be a uuid')
+        if not self.task_name:
+            raise TypeError('task name arguments must not be blank')
+        if not self.queue_name:
+            raise TypeError('queue name arguments must not be blank')
+
+    def prepare_message(self):
+        raise NotImplementedError("Note implemented")
+
+
+class SimpleBase64:
+    """Base64 codec."""
+
+    @staticmethod
+    def str_to_bytes(s):
+        """Convert str to bytes."""
+        if isinstance(s, str):
+            return s.encode()
+        return s
+
+    @staticmethod
+    def bytes_to_str(s):
+        """Convert bytes to str."""
+        if isinstance(s, bytes):
+            return s.decode(errors='replace')
+        return s
+
+    def encode(self, s):
+        return self.bytes_to_str(base64.b64encode(self.str_to_bytes(s)))
+
+    def decode(self, s):
+        return base64.b64decode(self.str_to_bytes(s))
+
+
+class CeleryTaskMessage(MessageProtocol):
+
+    #: Default body encoding.
+    DEFAULT_BODY_ENCODING = 'base64'
+    DEFAULT_CONTENT_TYPE = "application/json"
+    DEFAULT_CONTENT_ENCODING = "utf-8"
+    DEFAULT_PRIORITY = 0
+
+    DEFAULT_FUNC_SIGNATURE = None
+
+    codecs = {'base64': SimpleBase64()}
+
+    @staticmethod
+    def _anon_nodename():
+        """Return the nodename for this process (not a worker).
+
+        This is used for e.g. the origin task message field.
+        """
+        return f"{os.getpid()}@{socket.gethostname()}"
+
+    def _init_message(self):
+        headers = {
+            'lang': 'py',
+            'task': self.task_name,
+            'id': self.task_id,
+            'group': None,
+            'root_id': self.task_id,
+            'parent_id': None,
+            'origin': self._anon_nodename()
+        }
+
+        message = dict(
+            headers=headers,
+            properties={
+                'correlation_id': self.task_id,
+            },
+            body=(
+                self.args, self.kwargs, {
+                    'callbacks': self.DEFAULT_FUNC_SIGNATURE,
+                    'errbacks': self.DEFAULT_FUNC_SIGNATURE,
+                    'chain': self.DEFAULT_FUNC_SIGNATURE,
+                    'chord': self.DEFAULT_FUNC_SIGNATURE,
+                },
+            )
+        )
+        return message
+
+    def prepare_message(self):
+        message = self._init_message()
+        properties = message.get("properties") or {}
+        info = properties.setdefault('delivery_info', {})
+        info['priority'] = self.DEFAULT_PRIORITY or 0
+        message['content-encoding'] = self.DEFAULT_CONTENT_ENCODING
+        message['content-type'] = self.DEFAULT_CONTENT_TYPE
+        message['body'], body_encoding = self.__class__.encode_body(
+            json.dumps(message['body']), self.DEFAULT_BODY_ENCODING
+        )
+        props = message['properties']
+        props.update(
+            body_encoding=body_encoding,
+            delivery_tag=str(uuid.uuid4()),
+        )
+        props['delivery_info'].update(
+            routing_key=self.queue_name,
+        )
+        encoded_message, _ = self.__class__.encode_body(
+            json.dumps(message), self.DEFAULT_BODY_ENCODING)
+        return encoded_message
+
+    @classmethod
+    def encode_body(cls, body, encoding=None):
+        if encoding:
+            return cls.codecs.get(encoding).encode(body), encoding
+        return body, encoding
+
+    @classmethod
+    def decode_body(cls, body, encoding=None):
+        if encoding:
+            return cls.codecs.get(encoding).decode(body)
+        return body
+
+    @classmethod
+    def validate_message(cls, message):
+        decoded_message = cls.decode_body(message, cls.DEFAULT_BODY_ENCODING)
+        try:
+            message_body = json.loads(decoded_message)
+            assert message_body["content-encoding"] == cls.DEFAULT_CONTENT_ENCODING
+            assert message_body["content-type"] == cls.DEFAULT_CONTENT_TYPE
+            assert message_body["headers"]["id"] == message_body["headers"]["root_id"]
+            assert message_body["headers"]["id"] == message_body["properties"]["correlation_id"]
+            assert type(json.loads(cls.decode_body(message_body["body"], cls.DEFAULT_BODY_ENCODING))) == list
+            return True, message_body
+        except (ValueError, KeyError):
+            return False, None
+
+
+class MessageBrokerClient:
+    DEFAULT_MESSAGE_PROTOCOL = "celery"
+
+    MESSAGE_PROTOCOL_MAP_TABLE = {
+        "celery": CeleryTaskMessage
+    }
+
+    def __init__(self, message_protocol=None):
+        self.message_protocol = message_protocol or self.DEFAULT_MESSAGE_PROTOCOL
+        self.client = self._get_client()
+
+    def _get_client(self):
+        return AWSSQS()
+
+    def send_message(self, task_id, task_name, queue_name, args):
+        message_class = self.MESSAGE_PROTOCOL_MAP_TABLE.get(self.message_protocol)
+        if not message_class:
+            raise MessageProtocolError("Not support!")
+
+        message = message_class(
+            task_id=task_id,
+            task_name=task_name,
+            queue_name=queue_name,
+            args=tuple(args)
+        ).prepare_message()
+        self._get_client().send_message(queue_name=queue_name, message_body=message)
+        return message
+
+
+class LocalMessageBrokerClient:
+    """
+    Uses celery to send tasks so that it can be used with a message broker running
+    locally such as Redis
+    """
+    @staticmethod
+    def send_message(task_id, task_name, queue_name, args):
+        return celery_app.send_task(
+            task_name, task_id=task_id, queue_name=queue_name, args=args,
+        )
diff --git a/controlpanel/api/migrations/0030_task.py b/controlpanel/api/migrations/0030_task.py
new file mode 100644
index 000000000..d231a8915
--- /dev/null
+++ b/controlpanel/api/migrations/0030_task.py
@@ -0,0 +1,44 @@
+# Generated by Django 4.2.1 on 2023-07-30 14:52
+
+from django.db import migrations, models
+import django_extensions.db.fields
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("api", "0029_remove_tool_target_infrastructure"),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name="Task",
+            fields=[
+                (
+                    "created",
+                    django_extensions.db.fields.CreationDateTimeField(
+                        auto_now_add=True, verbose_name="created"
+                    ),
+                ),
+                (
+                    "modified",
+                    django_extensions.db.fields.ModificationDateTimeField(
+                        auto_now=True, verbose_name="modified"
+                    ),
+                ),
+                ("entity_class", models.CharField(max_length=20)),
+                ("entity_description", models.CharField(max_length=128)),
+                ("entity_id", models.BigIntegerField()),
+                ("user_id", models.CharField(max_length=128)),
+                ("task_id", models.UUIDField(primary_key=True, serialize=False)),
+                ("task_name", models.CharField(max_length=60)),
+                ("task_description", models.CharField(max_length=128)),
+                ("queue_name", models.CharField(max_length=60)),
+                ("completed", models.BooleanField(default=False)),
+                ("message_body", models.CharField(max_length=4000)),
+            ],
+            options={
+                "db_table": "control_panel_api_task",
+                "ordering": ("entity_class", "entity_id"),
+            },
+        ),
+    ]
diff --git a/controlpanel/api/migrations/0031_add_soft_delete_fields.py b/controlpanel/api/migrations/0031_add_soft_delete_fields.py
new file mode 100644
index 000000000..c66261360
--- /dev/null
+++ b/controlpanel/api/migrations/0031_add_soft_delete_fields.py
@@ -0,0 +1,31 @@
+# Generated by Django 4.2.1 on 2023-10-09 15:33
+
+# Third-party
+import django.db.models.deletion
+from django.conf import settings
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('api', '0030_task'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='s3bucket',
+            name='deleted_at',
+            field=models.DateTimeField(null=True),
+        ),
+        migrations.AddField(
+            model_name='s3bucket',
+            name='deleted_by',
+            field=models.ForeignKey(null=True, on_delete=django.db.models.deletion.SET_NULL, related_name='deleted_s3buckets', to=settings.AUTH_USER_MODEL),
+        ),
+        migrations.AddField(
+            model_name='s3bucket',
+            name='is_deleted',
+            field=models.BooleanField(default=False),
+        ),
+    ]
diff --git a/controlpanel/api/models/__init__.py b/controlpanel/api/models/__init__.py
index 139a18257..e9383894b 100644
--- a/controlpanel/api/models/__init__.py
+++ b/controlpanel/api/models/__init__.py
@@ -16,3 +16,4 @@
 from controlpanel.api.models.userapp import UserApp
 from controlpanel.api.models.users3bucket import UserS3Bucket
 from controlpanel.api.models.app_ip_allowlist import AppIPAllowList
+from controlpanel.api.models.task import Task
diff --git a/controlpanel/api/models/access_to_s3bucket.py b/controlpanel/api/models/access_to_s3bucket.py
index 38cc543cf..369f216fa 100644
--- a/controlpanel/api/models/access_to_s3bucket.py
+++ b/controlpanel/api/models/access_to_s3bucket.py
@@ -76,6 +76,15 @@ def resources(self):
 # MUST use signals because cascade deletes do not call delete()
 @receiver(models.signals.pre_delete)
 def revoke_access(sender, **kwargs):
-    if issubclass(sender, AccessToS3Bucket):
-        obj = kwargs["instance"]
+    """
+    Revokes access when the delete is via cascade delete, as these do not call the
+    instance level delete() method. Checks that the origin is different to the instance,
+    to ensure that revoke_bucket_access is not called twice when deleting an access
+    object directly.
+    """
+    if not issubclass(sender, AccessToS3Bucket):
+        return
+
+    obj = kwargs["instance"]
+    if obj != kwargs["origin"]:
         obj.revoke_bucket_access()
diff --git a/controlpanel/api/models/app.py b/controlpanel/api/models/app.py
index 98036d78d..e94041b28 100644
--- a/controlpanel/api/models/app.py
+++ b/controlpanel/api/models/app.py
@@ -13,6 +13,7 @@
 from controlpanel.api import auth0, cluster
 from controlpanel.api.models import IPAllowlist
 from controlpanel.utils import github_repository_name, s3_slugify, webapp_release_name
+from controlpanel.api import tasks
 
 
 class App(TimeStampedModel):
@@ -34,6 +35,13 @@ class App(TimeStampedModel):
     # are not within the fields which will be searched frequently
     app_conf = models.JSONField(null=True)
 
+    # Non database field just for passing extra parameters
+    disable_authentication = False
+    connections = {}
+    current_user = None
+    deployment_envs = []
+    has_ip_ranges = False
+
     DEFAULT_AUTH_CATEGORY = "primary"
     KEY_WORD_FOR_AUTH_SETTINGS = "auth_settings"
 
@@ -43,6 +51,15 @@ class Meta:
         db_table = "control_panel_api_app"
         ordering = ("name",)
 
+    def __init__(self, *args, **kwargs):
+        """Overwrite this constructor to pass some non-field parameter"""
+        self.disable_authentication = kwargs.pop("disable_authentication", False)
+        self.connections = kwargs.pop("connections", {})
+        self.current_user = kwargs.pop("current_user", None)
+        self.deployment_envs = kwargs.pop("deployment_envs", [])
+        self.has_ip_ranges = kwargs.pop("has_ip_ranges", False)
+        super().__init__(*args, **kwargs)
+
     def __repr__(self):
         return f"<App: {self.slug}>"
 
@@ -232,15 +249,6 @@ def auth0_client_name(self, env_name=None):
         return settings.AUTH0_CLIENT_NAME_PATTERN.format(
             app_name=client_name, env=env_name)
 
-    @property
-    def migration_info(self):
-        # TODO: using app.description for temporary place for storing old app info,
-        #  The content of this field should be removed after app migration is completed.
-        try:
-            return json.loads(self.description).get("migration", {})
-        except ValueError:
-            return {}
-
     def app_url_name(self, env_name):
         format_pattern = settings.APP_URL_NAME_PATTERN.get(env_name.upper())
         if not format_pattern:
@@ -303,3 +311,27 @@ class DeleteCustomerError(Exception):
 
 App.AddCustomerError = AddCustomerError
 App.DeleteCustomerError = DeleteCustomerError
+
+
+from django.db.models.signals import post_save, post_delete
+from django.dispatch import receiver
+
+
+@receiver(post_save, sender=App)
+def trigger_app_create_related_messages(sender, instance, created, **kwargs):
+    if created:
+        tasks.AppCreateRole(instance, instance.current_user).create_task()
+        tasks.AppCreateAuth(instance, instance.current_user, extra_data=dict(
+            deployment_envs=instance.deployment_envs,
+            disable_authentication=instance.disable_authentication,
+            connections=instance.connections,
+            has_ip_ranges=instance.has_ip_ranges,
+        )).create_task()
+
+
+@receiver(post_delete, sender=App)
+def remove_app_related_tasks(sender, instance, **kwargs):
+    from controlpanel.api.models import Task
+    related_app_tasks = Task.objects.filter(entity_class="App", entity_id=instance.id)
+    for task in related_app_tasks:
+        task.delete()
diff --git a/controlpanel/api/models/apps3bucket.py b/controlpanel/api/models/apps3bucket.py
index 81740de15..9cd5d44d4 100644
--- a/controlpanel/api/models/apps3bucket.py
+++ b/controlpanel/api/models/apps3bucket.py
@@ -2,7 +2,7 @@
 from django.db import models
 
 # First-party/Local
-from controlpanel.api import cluster
+from controlpanel.api import cluster, tasks
 from controlpanel.api.models.access_to_s3bucket import AccessToS3Bucket
 
 
@@ -19,12 +19,20 @@ class AppS3Bucket(AccessToS3Bucket):
         on_delete=models.CASCADE,
     )
 
+    # Non database field just for passing extra parameters
+    current_user = None
+
     class Meta:
         db_table = "control_panel_api_apps3bucket"
         # one record per app/s3bucket
         unique_together = ("app", "s3bucket")
         ordering = ("id",)
 
+    def __init__(self, *args, **kwargs):
+        """Overwrite this constructor to pass some non-field parameter"""
+        self.current_user = kwargs.pop("current_user", None)
+        super().__init__(*args, **kwargs)
+
     @property
     def iam_role_name(self):
         return self.app.iam_role_name
@@ -33,11 +41,7 @@ def __repr__(self):
         return f"<AppS3Bucket: {self.app!r} {self.s3bucket!r} {self.access_level}>"
 
     def grant_bucket_access(self):
-        cluster.App(self.app).grant_bucket_access(
-            self.s3bucket.arn,
-            self.access_level,
-            self.resources,
-        )
+        tasks.S3BucketGrantToApp(self, self.current_user).create_task()
 
     def revoke_bucket_access(self):
-        cluster.App(self.app).revoke_bucket_access(self.s3bucket.arn)
+        tasks.S3BucketRevokeAppAccess(self, self.current_user).create_task()
diff --git a/controlpanel/api/models/policys3bucket.py b/controlpanel/api/models/policys3bucket.py
index 4ab0d346e..feb7e4299 100644
--- a/controlpanel/api/models/policys3bucket.py
+++ b/controlpanel/api/models/policys3bucket.py
@@ -21,7 +21,17 @@ class Meta:
         unique_together = ("policy", "s3bucket")
         ordering = ("id",)
 
+    def __init__(self, *args, **kwargs):
+        self.current_user = kwargs.pop("current_user", None)
+        super().__init__(*args, **kwargs)
+
     def grant_bucket_access(self):
+        if self.s3bucket.is_folder:
+            return cluster.RoleGroup(self.policy).grant_folder_access(
+                root_folder_path=self.s3bucket.name,
+                access_level=self.access_level,
+                paths=self.paths,
+            )
         cluster.RoleGroup(self.policy).grant_bucket_access(
             self.s3bucket.arn,
             self.access_level,
@@ -29,4 +39,10 @@ def grant_bucket_access(self):
         )
 
     def revoke_bucket_access(self):
+        # TODO update to use a Task to revoke access, to match user/app access
+        if self.s3bucket.is_folder:
+            return cluster.RoleGroup(self.policy).revoke_folder_access(
+                root_folder_path=self.s3bucket.name
+            )
+
         cluster.RoleGroup(self.policy).revoke_bucket_access(self.s3bucket.arn)
diff --git a/controlpanel/api/models/s3bucket.py b/controlpanel/api/models/s3bucket.py
index b1dcb4776..2194babb8 100644
--- a/controlpanel/api/models/s3bucket.py
+++ b/controlpanel/api/models/s3bucket.py
@@ -3,14 +3,16 @@
 
 # Third-party
 from django.conf import settings
+from django.contrib.auth.models import User
 from django.core.validators import MinLengthValidator
 from django.db import models
 from django.db.models import Q
 from django.db.transaction import atomic
+from django.utils import timezone
 from django_extensions.db.models import TimeStampedModel
 
 # First-party/Local
-from controlpanel.api import cluster, validators
+from controlpanel.api import cluster, tasks, validators
 from controlpanel.api.models.apps3bucket import AppS3Bucket
 from controlpanel.api.models.users3bucket import UserS3Bucket
 
@@ -56,6 +58,14 @@ class S3Bucket(TimeStampedModel):
     is_data_warehouse = models.BooleanField(default=False)
     # TODO remove this field - it's unused
     location_url = models.CharField(max_length=128, null=True)
+    is_deleted = models.BooleanField(default=False)
+    deleted_by = models.ForeignKey(
+        "User",
+        on_delete=models.SET_NULL,
+        null=True,
+        related_name="deleted_s3buckets"
+    )
+    deleted_at = models.DateTimeField(null=True)
 
     objects = S3BucketQuerySet.as_manager()
 
@@ -128,21 +138,27 @@ def access_level(self, user):
 
     def save(self, *args, **kwargs):
         is_create = not self.pk
-
         super().save(*args, **kwargs)
-
-        if is_create:
-            bucket_owner = kwargs.pop("bucket_owner", self.bucket_owner)
-            self.cluster.create(bucket_owner)
-
-            # XXX created_by is always set if model is saved by the API view
-            if self.created_by:
-                UserS3Bucket.objects.create(
-                    user=self.created_by,
-                    s3bucket=self,
-                    is_admin=True,
-                    access_level=UserS3Bucket.READWRITE,
-                )
+        if not is_create:
+            return self
+
+        tasks.S3BucketCreate(
+            entity=self,
+            user=self.created_by,
+            extra_data={
+                "bucket_owner": kwargs.pop("bucket_owner", self.bucket_owner),
+            }
+        ).create_task()
+
+        # created_by should always be set, but this is a failsafe
+        if self.created_by:
+            UserS3Bucket.objects.create(
+                user=self.created_by,
+                current_user=self.created_by,
+                s3bucket=self,
+                is_admin=True,
+                access_level=UserS3Bucket.READWRITE,
+            )
 
         return self
 
@@ -152,3 +168,19 @@ def delete(self, *args, **kwargs):
         if not self.is_folder:
             self.cluster.mark_for_archival()
         super().delete(*args, **kwargs)
+
+    def soft_delete(self, deleted_by: User):
+        """
+        Mark the object as deleted, but do not remove it from the database
+        """
+        self.is_deleted = True
+        self.deleted_by = deleted_by
+        self.deleted_at = timezone.now()
+        self.save()
+        # TODO update to handle deleting folders
+        if self.is_folder:
+            tasks.S3BucketArchive(self, self.deleted_by).create_task()
+        else:
+            self.cluster.mark_for_archival()
+
+        tasks.S3BucketRevokeAllAccess(self, self.deleted_by).create_task()
diff --git a/controlpanel/api/models/task.py b/controlpanel/api/models/task.py
new file mode 100644
index 000000000..815d48be1
--- /dev/null
+++ b/controlpanel/api/models/task.py
@@ -0,0 +1,50 @@
+import json
+
+# Third-party
+from django.db import models
+from django_extensions.db.models import TimeStampedModel
+
+from controlpanel.utils import send_sse
+
+
+class Task(TimeStampedModel):
+    """
+    Use the task table to track the basic status of task fired from the app
+    """
+
+    entity_class = models.CharField(max_length=20)
+    entity_description = models.CharField(max_length=128)
+    entity_id = models.BigIntegerField()
+    user_id = models.CharField(max_length=128)
+    task_id = models.UUIDField(primary_key=True)
+    task_name = models.CharField(max_length=60)
+    task_description = models.CharField(max_length=128)
+    queue_name = models.CharField(max_length=60)
+    completed = models.BooleanField(default=False)
+    message_body = models.CharField(max_length=4000)
+
+    class Meta:
+        db_table = "control_panel_api_task"
+        ordering = ("entity_class", "entity_id")
+
+    def __repr__(self):
+        return f"<Task: {self.entity_class}|{self.entity_id}|{self.task_name}|{self.task_id}>"
+
+    def save(self, *args, **kwargs):
+        super().save(*args, **kwargs)
+
+        if self.completed:
+            payload = {
+                "entity_name": self.entity_description,
+                "task_description": self.task_description,
+                "status": "COMPLETED",
+            }
+            send_sse(
+                self.user_id,
+                {
+                    "event": "taskStatus",
+                    "data": json.dumps(payload),
+                },
+            )
+
+
diff --git a/controlpanel/api/models/users3bucket.py b/controlpanel/api/models/users3bucket.py
index 1e54f2f28..7e5cfbec3 100644
--- a/controlpanel/api/models/users3bucket.py
+++ b/controlpanel/api/models/users3bucket.py
@@ -2,7 +2,7 @@
 from django.db import models
 
 # First-party/Local
-from controlpanel.api import cluster
+from controlpanel.api import cluster, tasks
 from controlpanel.api.models.access_to_s3bucket import AccessToS3Bucket
 
 
@@ -20,12 +20,20 @@ class UserS3Bucket(AccessToS3Bucket):
     )
     is_admin = models.BooleanField(default=False)
 
+    # Non database field just for passing extra parameters
+    current_user = None
+
     class Meta:
         db_table = "control_panel_api_users3bucket"
         # one record per user/s3bucket
         unique_together = ("user", "s3bucket")
         ordering = ("id",)
 
+    def __init__(self, *args, **kwargs):
+        """Overwrite this constructor to pass some non-field parameter"""
+        self.current_user = kwargs.pop("current_user", None)
+        super().__init__(*args, **kwargs)
+
     @property
     def iam_role_name(self):
         return self.user.iam_role_name
@@ -37,19 +45,10 @@ def __repr__(self):
         )
 
     def grant_bucket_access(self):
-        if self.s3bucket.is_folder:
-            # TODO update to include paths/resources
-            # will be implemented in ANPL-1592
-            return cluster.User(self.user).grant_folder_access(
-                bucket_arn=self.s3bucket.arn,
-                access_level=self.access_level,
-            )
-
-        cluster.User(self.user).grant_bucket_access(
-            self.s3bucket.arn,
-            self.access_level,
-            self.resources,
-        )
+        tasks.S3BucketGrantToUser(self, self.current_user).create_task()
 
     def revoke_bucket_access(self):
-        cluster.User(self.user).revoke_bucket_access(self.s3bucket.arn)
+        # TODO when soft delete is added, this should be updated to use the user that
+        # has deleted the parent S3bucket to ensure we store the user that has sent the
+        # task in the case of cascading deletes
+        tasks.S3BucketRevokeUserAccess(self, self.current_user).create_task()
diff --git a/controlpanel/api/rules.py b/controlpanel/api/rules.py
index 5d48bb784..058a3f7bb 100644
--- a/controlpanel/api/rules.py
+++ b/controlpanel/api/rules.py
@@ -214,3 +214,5 @@ def is_owner(user, obj):
 add_perm("api.retrieve_parameter", is_authenticated & is_owner)
 add_perm("api.update_parameter", is_authenticated & is_owner)
 add_perm("api.destroy_parameter", is_authenticated & is_owner)
+
+add_perm("api.list_task", is_authenticated & is_superuser)
diff --git a/controlpanel/api/serializers.py b/controlpanel/api/serializers.py
index e33b21f14..7761379c4 100644
--- a/controlpanel/api/serializers.py
+++ b/controlpanel/api/serializers.py
@@ -209,12 +209,18 @@ class Meta:
             "created_by",
             "is_data_warehouse",
             "location_url",
+            "is_deleted",
+            "deleted_by",
+            "deleted_at",
         )
         read_only_fields = (
             "apps3buckets",
             "users3buckets",
             "created_by",
             "url",
+            "is_deleted",
+            "deleted_by",
+            "deleted_at",
         )
 
 
@@ -404,8 +410,10 @@ def _process_existing_env_settings(self, app_auth_settings, auth_settings_status
             env_data["variables"] = sorted(var_data.values(), key=lambda  x: x["name"])
             env_data["auth_required"] = auth_required
 
-
     def _process_redundant_envs(self, app_auth_settings, auth_settings_status):
+        # NB. if earlier call to get app_auth_settings failed, this will have been
+        # passed into serializer as an empty dict. Which results in all env details
+        # being marked as redundant mistakenly
         redundant_envs = list(set(auth_settings_status.keys()) -
                               set(app_auth_settings.keys()))
         for env_name in redundant_envs:
diff --git a/controlpanel/api/tasks/__init__.py b/controlpanel/api/tasks/__init__.py
new file mode 100644
index 000000000..5f1ccf51f
--- /dev/null
+++ b/controlpanel/api/tasks/__init__.py
@@ -0,0 +1,13 @@
+
+# First-party/Local
+from controlpanel.api.tasks.app import AppCreateAuth, AppCreateRole
+from controlpanel.api.tasks.s3bucket import (
+    S3BucketArchive,
+    S3BucketArchiveObject,
+    S3BucketCreate,
+    S3BucketGrantToApp,
+    S3BucketGrantToUser,
+    S3BucketRevokeAllAccess,
+    S3BucketRevokeAppAccess,
+    S3BucketRevokeUserAccess,
+)
diff --git a/controlpanel/api/tasks/app.py b/controlpanel/api/tasks/app.py
new file mode 100644
index 000000000..ba399419d
--- /dev/null
+++ b/controlpanel/api/tasks/app.py
@@ -0,0 +1,41 @@
+# Third-party
+from django.conf import settings
+
+# First-party/Local
+from controlpanel.api.tasks.task_base import TaskBase
+
+
+class AppCreateRole(TaskBase):
+    ENTITY_CLASS = "App"
+    QUEUE_NAME = settings.IAM_QUEUE_NAME
+
+    @property
+    def task_name(self):
+        return "create_app_aws_role"
+
+    @property
+    def task_description(self):
+        return "creating aws role"
+
+
+class AppCreateAuth(AppCreateRole):
+
+    QUEUE_NAME = settings.AUTH_QUEUE_NAME
+
+    @property
+    def task_name(self):
+        return "create_app_auth_settings"
+
+    def _get_args_list(self):
+        return [
+            self.entity.id,
+            self.user.id if self.user else 'None',
+            self.extra_data.get('deployment_envs'),
+            self.extra_data.get('disable_authentication'),
+            self.extra_data.get('connections'),
+            # self.extra_data.get('has_ip_ranges') # NOT USED, REMOVE IT?
+        ]
+
+    @property
+    def task_description(self):
+        return "creating auth settings"
diff --git a/controlpanel/api/tasks/handlers/__init__.py b/controlpanel/api/tasks/handlers/__init__.py
new file mode 100644
index 000000000..3bc6b9fc0
--- /dev/null
+++ b/controlpanel/api/tasks/handlers/__init__.py
@@ -0,0 +1,24 @@
+# First-party/Local
+from controlpanel import celery_app
+from controlpanel.api.tasks.handlers.app import CreateAppAuthSettings, CreateAppAWSRole
+from controlpanel.api.tasks.handlers.s3 import (
+    ArchiveS3Bucket,
+    ArchiveS3Object,
+    CreateS3Bucket,
+    GrantAppS3BucketAccess,
+    GrantUserS3BucketAccess,
+    S3BucketRevokeAllAccess,
+    S3BucketRevokeAppAccess,
+    S3BucketRevokeUserAccess,
+)
+
+create_app_aws_role = celery_app.register_task(CreateAppAWSRole())
+create_s3bucket = celery_app.register_task(CreateS3Bucket())
+grant_app_s3bucket_access = celery_app.register_task(GrantAppS3BucketAccess())
+grant_user_s3bucket_access = celery_app.register_task(GrantUserS3BucketAccess())
+create_app_auth_settings = celery_app.register_task(CreateAppAuthSettings())
+revoke_user_s3bucket_access = celery_app.register_task(S3BucketRevokeUserAccess())
+revoke_app_s3bucket_access = celery_app.register_task(S3BucketRevokeAppAccess())
+revoke_all_access_s3bucket = celery_app.register_task(S3BucketRevokeAllAccess())
+archive_s3bucket = celery_app.register_task(ArchiveS3Bucket)
+archive_s3_object = celery_app.register_task(ArchiveS3Object)
diff --git a/controlpanel/api/tasks/handlers/app.py b/controlpanel/api/tasks/handlers/app.py
new file mode 100644
index 000000000..accc6d68b
--- /dev/null
+++ b/controlpanel/api/tasks/handlers/app.py
@@ -0,0 +1,32 @@
+# First-party/Local
+from controlpanel.api import cluster
+from controlpanel.api.models import App, User
+from controlpanel.api.tasks.handlers.base import BaseModelTaskHandler
+
+
+class CreateAppAuthSettings(BaseModelTaskHandler):
+    model = App
+    name = "create_app_auth_settings"
+
+    def handle(self, envs, disable_authentication, connections):
+        task_user = User.objects.filter(pk=self.task_user_pk).first()
+        if not task_user or not task_user.github_api_token:
+            # TODO maybe log this as something has gone wrong?
+            return self.complete()
+
+        for env in envs:
+            cluster.App(self.object, task_user.github_api_token).create_auth_settings(
+                env_name=env,
+                disable_authentication=disable_authentication,
+                connections=connections,
+            )
+        self.complete()
+
+
+class CreateAppAWSRole(BaseModelTaskHandler):
+    model = App
+    name = "create_app_aws_role"
+
+    def handle(self):
+        cluster.App(self.object).create_iam_role()
+        self.complete()
diff --git a/controlpanel/api/tasks/handlers/base.py b/controlpanel/api/tasks/handlers/base.py
new file mode 100644
index 000000000..ecccf684b
--- /dev/null
+++ b/controlpanel/api/tasks/handlers/base.py
@@ -0,0 +1,67 @@
+# Third-party
+from celery import Task as CeleryTask
+
+# First-party/Local
+from controlpanel.api.models import Task
+
+
+class BaseTaskHandler(CeleryTask):
+    # can be applied to project settings also
+    # these settings mean that messages are only removed from the queue (acknowledged)
+    # when returned. if an error occurs, they remain in the queue, and will be resent
+    # to the worker when the "visibility_timeout" has expired. "visibility_timeout" is
+    # a setting that is configured in SQS per queue. Currently set to 30secs
+    acks_late = True
+    acks_on_failure_or_timeout = False
+    task_obj = None
+
+    def complete(self):
+        if self.task_obj:
+            self.task_obj.completed = True
+            self.task_obj.save()
+
+    def get_task_obj(self):
+        return Task.objects.filter(task_id=self.request.id).first()
+
+    def run(self, *args, **kwargs):
+        self.task_obj = self.get_task_obj()
+        if self.task_obj and self.task_obj.completed:
+            return
+        self.handle(*args, **kwargs)
+
+    def handle(self, *args, **kwargs):
+        """
+        Should contain the logic to run the task, and will be called after the run
+        method has been successfully called.
+        """
+        raise NotImplementedError("Task logic not implemented")
+
+
+class BaseModelTaskHandler(BaseTaskHandler):
+    name = None
+    model = None
+    object = None
+    task_user_pk = None
+
+    def get_object(self, pk):
+        try:
+            return self.model.objects.get(pk=pk)
+        except self.model.DoesNotExist as exc:
+            # if the main object cannot be found, raise error and allow message to be
+            # added back to the queue as could be due to a race condition
+            raise exc
+
+    def run(self, obj_pk, task_user_pk, *args, **kwargs):
+        """
+        Default method that a celery Task object requires to be defined, and will be
+        called by the worker when a message is received by the queue. This will look up
+        the instance of the model, and store the PK of the user running the task to use
+        to look up the user later if required. The `handle` method is then called
+        with any other args and kwargs sent.
+        """
+        self.task_obj = self.get_task_obj()
+        if self.task_obj and self.task_obj.completed:
+            return
+        self.object = self.get_object(obj_pk)
+        self.task_user_pk = task_user_pk
+        self.handle(*args, **kwargs)
diff --git a/controlpanel/api/tasks/handlers/s3.py b/controlpanel/api/tasks/handlers/s3.py
new file mode 100644
index 000000000..65773c320
--- /dev/null
+++ b/controlpanel/api/tasks/handlers/s3.py
@@ -0,0 +1,125 @@
+# Third-party
+import structlog
+from django.db.models.deletion import Collector
+
+# First-party/Local
+from controlpanel.api import cluster, tasks
+from controlpanel.api.models import App, AppS3Bucket, S3Bucket, User, UserS3Bucket
+from controlpanel.api.models.access_to_s3bucket import AccessToS3Bucket
+from controlpanel.api.tasks.handlers.base import BaseModelTaskHandler, BaseTaskHandler
+
+log = structlog.getLogger(__name__)
+
+
+class CreateS3Bucket(BaseModelTaskHandler):
+    model = S3Bucket
+    name = "create_s3bucket"
+
+    def handle(self, bucket_owner=None):
+        bucket_owner = bucket_owner or "USER"
+        self.object.cluster.create(owner=bucket_owner)
+        self.complete()
+
+
+class GrantAppS3BucketAccess(BaseModelTaskHandler):
+    model = AppS3Bucket
+    name = 'grant_app_s3bucket_access'
+
+    def handle(self):
+        cluster.App(self.object.app).grant_bucket_access(
+            self.object.s3bucket.arn,
+            self.object.access_level,
+            self.object.resources,
+        )
+        self.complete()
+
+
+class GrantUserS3BucketAccess(BaseModelTaskHandler):
+    model = UserS3Bucket
+    name = "grant_user_s3bucket_access"
+
+    def handle(self):
+        if self.object.s3bucket.is_folder:
+            cluster.User(self.object.user).grant_folder_access(
+                root_folder_path=self.object.s3bucket.name,
+                access_level=self.object.access_level,
+                paths=self.object.paths,
+            )
+        else:
+            cluster.User(self.object.user).grant_bucket_access(
+                bucket_arn=self.object.s3bucket.arn,
+                access_level=self.object.access_level,
+                path_arns=self.object.resources,
+            )
+        self.complete()
+
+
+class S3BucketRevokeUserAccess(BaseTaskHandler):
+    name = "revoke_user_s3bucket_access"
+
+    def handle(self, bucket_identifier, bucket_user_pk, is_folder):
+        bucket_user = User.objects.get(pk=bucket_user_pk)
+        if is_folder:
+            cluster.User(bucket_user).revoke_folder_access(bucket_identifier)
+        else:
+            cluster.User(bucket_user).revoke_bucket_access(bucket_identifier)
+        self.complete()
+
+
+class S3BucketRevokeAppAccess(BaseTaskHandler):
+    name = "revoke_app_s3bucket_access"
+
+    def handle(self, bucket_arn, app_pk):
+        try:
+            app = App.objects.get(pk=app_pk)
+        except App.DoesNotExist:
+            # if the app doesnt exist, nothing to revoke, so mark completed
+            self.complete()
+        cluster.App(app).revoke_bucket_access(bucket_arn)
+        self.complete()
+
+
+class S3BucketRevokeAllAccess(BaseModelTaskHandler):
+    model = S3Bucket
+    name = "s3bucket_revoke_all_access"
+
+    def handle(self, *args, **kwargs):
+        """
+        When an S3Bucket is soft-deleted, the related objects that handle access will
+        remain in place. In order to keep IAM roles updated, this task collects objects
+        that would have been deleted by a cascade, and revokes access to deleted bucket
+        """
+        task_user = User.objects.filter(pk=self.task_user_pk).first()
+        collector = Collector(using="default")
+        collector.collect([self.object])
+        for model, instance in collector.instances_with_model():
+            if not issubclass(model, AccessToS3Bucket):
+                continue
+
+            instance.current_user = task_user
+            instance.revoke_bucket_access()
+
+        self.complete()
+
+
+class ArchiveS3Bucket(BaseModelTaskHandler):
+    model = S3Bucket
+    name = "archive_s3bucket"
+
+    def handle(self, *args, **kwargs):
+        task_user = User.objects.filter(pk=self.task_user_pk).first()
+        for s3obj in cluster.S3Folder(self.object).get_objects():
+            tasks.S3BucketArchiveObject(
+                self.object, task_user, extra_data={"s3obj_key": s3obj.key}
+            ).create_task()
+        self.complete()
+
+
+class ArchiveS3Object(BaseModelTaskHandler):
+    model = S3Bucket
+    name = "archive_s3_object"
+
+    def handle(self, s3obj_key):
+        # TODO update to use self.object.cluster to work with buckets
+        cluster.S3Folder(self.object).archive_object(key=s3obj_key)
+        self.complete()
diff --git a/controlpanel/api/tasks/s3bucket.py b/controlpanel/api/tasks/s3bucket.py
new file mode 100644
index 000000000..cccbff8d8
--- /dev/null
+++ b/controlpanel/api/tasks/s3bucket.py
@@ -0,0 +1,131 @@
+# Third-party
+from django.conf import settings
+
+# First-party/Local
+from controlpanel.api.tasks.task_base import TaskBase
+
+
+class S3BucketCreate(TaskBase):
+    ENTITY_CLASS = "S3Bucket"
+    QUEUE_NAME = settings.S3_QUEUE_NAME
+
+    @property
+    def task_name(self):
+        return "create_s3bucket"
+
+    @property
+    def task_description(self):
+        return "creating s3 bucket"
+
+    def _get_args_list(self):
+        return [
+            self.entity.id,
+            self.user.id if self.user else 'None',
+            self.extra_data.get('bucket_owner'),
+        ]
+
+
+class S3BucketRevokeAllAccess(TaskBase):
+    ENTITY_CLASS = "S3Bucket"
+    QUEUE_NAME = settings.S3_QUEUE_NAME
+
+    @property
+    def task_name(self):
+        return "s3bucket_revoke_all_access"
+
+    @property
+    def task_description(self):
+        return "Revokes all access to an S3 bucket"
+
+
+class S3AccessMixin:
+    ACTION = None
+    ROLE = None
+    QUEUE_NAME = settings.IAM_QUEUE_NAME
+
+    @property
+    def task_name(self):
+        return "{action}_{role}_s3bucket_access".format(
+            action=self.ACTION.lower(),
+            role=self.ROLE.lower()
+        )
+
+    @property
+    def task_description(self):
+        return "{action} access to the {role}".format(
+            action=self.ACTION.lower(),
+            role=self.ROLE.lower()
+        )
+
+    @property
+    def entity_description(self):
+        return self.entity.s3bucket.name
+
+
+class S3BucketGrantToUser(S3AccessMixin, TaskBase):
+    ENTITY_CLASS = "UserS3Bucket"
+    ACTION = "GRANT"
+    ROLE = "USER"
+
+
+class S3BucketGrantToApp(S3AccessMixin, TaskBase):
+    ENTITY_CLASS = "AppS3Bucket"
+    ACTION = "GRANT"
+    ROLE = "APP"
+
+
+class S3BucketRevokeUserAccess(S3AccessMixin, TaskBase):
+    ENTITY_CLASS = "UserS3Bucket"
+    ACTION = "REVOKE"
+    ROLE = "USER"
+
+    def _get_args_list(self):
+        bucket = self.entity.s3bucket
+        return [
+            bucket.name if bucket.is_folder else bucket.arn,
+            self.entity.user.pk,
+            bucket.is_folder,
+        ]
+
+
+class S3BucketRevokeAppAccess(S3AccessMixin, TaskBase):
+    ENTITY_CLASS = "AppS3Bucket"
+    ACTION = "REVOKE"
+    ROLE = "APP"
+
+    def _get_args_list(self):
+        return [
+            self.entity.s3bucket.arn,
+            self.entity.app.pk,
+        ]
+
+
+class S3BucketArchive(TaskBase):
+    ENTITY_CLASS = "S3Bucket"
+    QUEUE_NAME = settings.S3_QUEUE_NAME
+
+    @property
+    def task_name(self):
+        return "archive_s3bucket"
+
+    @property
+    def task_description(self):
+        return "move contents of s3 datasource to the archive bucket"
+
+
+class S3BucketArchiveObject(TaskBase):
+    ENTITY_CLASS = "S3Bucket"
+    QUEUE_NAME = settings.S3_QUEUE_NAME
+
+    @property
+    def task_name(self):
+        return "archive_s3_object"
+
+    @property
+    def task_description(self):
+        return "move object to archive bucket"
+
+    def _get_args_list(self):
+        args = super()._get_args_list()
+        args.append(self.extra_data.get('s3obj_key'))
+        return args
diff --git a/controlpanel/api/tasks/task_base.py b/controlpanel/api/tasks/task_base.py
new file mode 100644
index 000000000..8b124ed54
--- /dev/null
+++ b/controlpanel/api/tasks/task_base.py
@@ -0,0 +1,91 @@
+# Standard library
+import uuid
+
+# Third-party
+from django.conf import settings
+
+# First-party/Local
+from controlpanel.api.message_broker import (
+    LocalMessageBrokerClient,
+    MessageBrokerClient,
+)
+from controlpanel.api.models.task import Task
+
+
+class TaskError(Exception):
+    pass
+
+
+class TaskBase:
+
+    QUEUE_NAME = settings.DEFAULT_QUEUE
+    ENTITY_CLASS = None
+
+    def __init__(self, entity, user=None, extra_data=None):
+        self._message_broker_client = None
+        self.entity = entity
+        self.user = user
+        self.extra_data = extra_data
+        self._validate()
+
+    def _validate(self):
+        if not self.entity:
+            raise TaskError("Please provide entity instance")
+        if self.user and self.user.__class__.__name__ != "User":
+            raise TaskError("The instance has to be user class")
+        if self.entity.__class__.__name__ != self.ENTITY_CLASS:
+            raise TaskError(f"The instance has to be {self.ENTITY_CLASS} class")
+
+    @property
+    def task_id(self):
+        return str(uuid.uuid4())
+
+    @property
+    def task_description(self):
+        raise NotImplementedError("Not implemented")
+
+    @property
+    def entity_description(self):
+        return self.entity.name
+
+    @property
+    def task_name(self):
+        raise NotImplementedError("Not implemented")
+
+    @property
+    def message_broker_client(self):
+        if self._message_broker_client is None:
+            self._message_broker_client = self._get_message_broker_client()
+        return self._message_broker_client
+
+    @staticmethod
+    def _get_message_broker_client():
+        if settings.USE_LOCAL_MESSAGE_BROKER:
+            return LocalMessageBrokerClient()
+        return MessageBrokerClient()
+
+    def _get_args_list(self):
+        args = [self.entity.id]
+        if self.user:
+            args.append(self.user.id)
+        return args
+
+    def create_task(self):
+        task_id = self.task_id
+        message = self.message_broker_client.send_message(
+            task_id=task_id,
+            task_name=self.task_name,
+            queue_name=self.QUEUE_NAME,
+            args=self._get_args_list()
+        )
+        Task.objects.create(
+            entity_class=self.ENTITY_CLASS,
+            entity_description=self.task_description,
+            entity_id=self.entity.id,
+            user_id=self.user.auth0_id if self.user else 'None',
+            task_id=task_id,
+            task_description=self.task_description,
+            task_name=self.task_name,
+            queue_name=self.QUEUE_NAME,
+            message_body=message
+        )
diff --git a/controlpanel/develop/__init__.py b/controlpanel/api/tasks/user.py
similarity index 100%
rename from controlpanel/develop/__init__.py
rename to controlpanel/api/tasks/user.py
diff --git a/controlpanel/api/urls.py b/controlpanel/api/urls.py
index 89b551751..d8031516d 100644
--- a/controlpanel/api/urls.py
+++ b/controlpanel/api/urls.py
@@ -36,4 +36,9 @@
         views.ToolDeploymentAPIView.as_view(),
         name="tool-deployments",
     ),
+    path(
+        "tasks/<uuid:task_id>/<str:action>",
+        views.TaskAPIView.as_view(),
+        name="tasks",
+    ),
 ]
diff --git a/controlpanel/api/views/__init__.py b/controlpanel/api/views/__init__.py
index bffde87fb..cd76283df 100644
--- a/controlpanel/api/views/__init__.py
+++ b/controlpanel/api/views/__init__.py
@@ -16,3 +16,4 @@
 from controlpanel.api.views.tools import ToolViewSet
 from controlpanel.api.views.apps import AppByNameViewSet
 from controlpanel.api.views.repos import RepoApi, RepoEnvironmentAPI
+from controlpanel.api.views.tasks import TaskAPIView
diff --git a/controlpanel/api/views/models.py b/controlpanel/api/views/models.py
index 9a6ab04f0..9a0e44f5a 100644
--- a/controlpanel/api/views/models.py
+++ b/controlpanel/api/views/models.py
@@ -20,10 +20,12 @@
 
 
 class UserViewSet(viewsets.ModelViewSet):
+    resource = "user"
+
     queryset = User.objects.all()
     serializer_class = serializers.UserSerializer
     filter_backends = (DjangoFilterBackend,)
-    permission_classes = (permissions.UserPermissions,)
+    permission_classes = (permissions.UserPermissions | permissions.JWTTokenResourcePermissions,)
 
 
 class AppViewSet(viewsets.ModelViewSet):
diff --git a/controlpanel/api/views/tasks.py b/controlpanel/api/views/tasks.py
new file mode 100644
index 000000000..69cb75162
--- /dev/null
+++ b/controlpanel/api/views/tasks.py
@@ -0,0 +1,33 @@
+# Third-party
+from rest_framework import status
+from rest_framework.generics import GenericAPIView
+from rest_framework.permissions import IsAuthenticated
+from rest_framework.response import Response
+
+from controlpanel.api.models import Task
+from controlpanel.api.message_broker import MessageBrokerClient
+
+
+class TaskAPIView(GenericAPIView):
+
+    http_method_names = ["post"]
+    permission_classes = (IsAuthenticated,)
+
+    def _send_message(self, task_id):
+        task = Task.objects.filter(task_id=task_id).first()
+        if task:
+            message_client = MessageBrokerClient()
+            message_client.client.send_message(
+                queue_name=task.queue_name,
+                message_body=task.message_body
+            )
+
+    def post(self, request, *args, **kwargs):
+        task_id = self.kwargs["task_id"]
+        task_action = self.kwargs["action"]
+        task_action_function = getattr(self, f"_{task_action}", None)
+        if task_action_function and callable(task_action_function):
+            task_action_function(task_id)
+            return Response(status=status.HTTP_200_OK)
+        else:
+            return Response(status=status.HTTP_400_BAD_REQUEST)
diff --git a/controlpanel/api/views/tool_deployments.py b/controlpanel/api/views/tool_deployments.py
index 4444f71a8..6d81e1981 100644
--- a/controlpanel/api/views/tool_deployments.py
+++ b/controlpanel/api/views/tool_deployments.py
@@ -6,7 +6,7 @@
 
 # First-party/Local
 from controlpanel.api import serializers
-from controlpanel.frontend.consumers import start_background_task
+from controlpanel.utils import start_background_task
 
 
 class ToolDeploymentAPIView(GenericAPIView):
diff --git a/controlpanel/celery.py b/controlpanel/celery.py
new file mode 100644
index 000000000..5aa3f345e
--- /dev/null
+++ b/controlpanel/celery.py
@@ -0,0 +1,53 @@
+# Standard library
+import os
+from pathlib import Path
+
+# Third-party
+import dotenv
+import structlog
+from celery import Celery
+from django.conf import settings
+from kombu import Queue
+
+# First-party/Local
+from controlpanel.utils import load_app_conf_from_file
+
+dotenv.load_dotenv()
+
+
+# Set the default Django settings module for the 'celery' program.
+os.environ.setdefault('DJANGO_SETTINGS_MODULE', 'controlpanel.settings')
+load_app_conf_from_file()
+
+app = Celery('controlpanel')
+
+# Using a string here means the worker doesn't have to serialize
+# the configuration object to child processes.
+# - namespace='CELERY' means all celery-related configuration keys
+#   should have a `CELERY_` prefix.
+app.config_from_object('django.conf:settings')
+# Load task modules from all registered Django apps.
+app.autodiscover_tasks()
+
+log = structlog.getLogger(__name__)
+
+
+@app.task(bind=True, ignore_result=True)
+def debug_task(self):
+    print(f'Request: {self.request!r}')
+
+
+@app.task(bind=True, ignore_result=True)
+def worker_health_check(self):
+    Path(settings.WORKER_HEALTH_FILENAME).touch()
+    log.debug("Worker health ping task executed")
+
+
+# ensures worker picks and runs tasks from all queues rather than just default queue
+# alternative is to run the worker and pass queue name to -Q flag
+app.conf.task_queues = [
+    Queue(settings.IAM_QUEUE_NAME, routing_key=settings.IAM_QUEUE_NAME),
+    Queue(settings.AUTH_QUEUE_NAME, routing_key=settings.AUTH_QUEUE_NAME),
+    Queue(settings.S3_QUEUE_NAME, routing_key=settings.S3_QUEUE_NAME),
+]
+app.conf.task_default_exchange = "tasks"
diff --git a/controlpanel/cli/management/commands/get_customer_emails_csv.py b/controlpanel/cli/management/commands/get_customer_emails_csv.py
new file mode 100644
index 000000000..01137c804
--- /dev/null
+++ b/controlpanel/cli/management/commands/get_customer_emails_csv.py
@@ -0,0 +1,31 @@
+# Standard library
+import csv
+from datetime import datetime
+
+# Third-party
+from django.core.management import BaseCommand
+
+# First-party/Local
+from controlpanel.api import auth0
+
+
+class Command(BaseCommand):
+    help = "Writes a CSV with all customer emails for an auth0 group"
+
+    def add_arguments(self, parser):
+        parser.add_argument(
+            "group_name",
+            type=str,
+            help="input: The auth0 group name to get customers emails for"
+        )
+
+    def handle(self, *args, **options):
+        group_name = options["group_name"]
+        auth_instance = auth0.ExtendedAuth0()
+        group_id = auth_instance.groups.get_group_id(group_name)
+        timestamp = datetime.now().strftime("%d-%m-%Y_%H%M")
+        with open(f"{group_name}_customers_{timestamp}.csv", "w") as f:
+            writer = csv.writer(f)
+            writer.writerow(["Email"])
+            for customer in auth_instance.groups.get_group_members(group_id):
+                writer.writerow([customer["email"]])
diff --git a/controlpanel/cli/management/commands/migrating_customers.py b/controlpanel/cli/management/commands/migrating_customers.py
index 9d978b8d0..ed92e993a 100644
--- a/controlpanel/cli/management/commands/migrating_customers.py
+++ b/controlpanel/cli/management/commands/migrating_customers.py
@@ -10,7 +10,10 @@
 
 
 class Command(BaseCommand):
-    help = "Copy the customers of an application from old auth client to new auth clients"
+    help = """Copy the customers of an application from old auth client to new auth
+        clients. This is idempotent, meaning that rerunning for the apps will not
+        problems, all copied customers will remain but any un-copied customers will be
+        migrated."""
 
     DEFAULT_ENVS = ["dev", "prod"]
 
diff --git a/controlpanel/cli/management/commands/post_migration_clearup.py b/controlpanel/cli/management/commands/post_migration_clearup.py
new file mode 100644
index 000000000..8315a72c6
--- /dev/null
+++ b/controlpanel/cli/management/commands/post_migration_clearup.py
@@ -0,0 +1,91 @@
+
+# Third-party
+from django.core.management.base import BaseCommand
+
+# First-party/Local
+from controlpanel.api.models import App, AppS3Bucket
+from controlpanel.api import auth0
+
+
+class Command(BaseCommand):
+    help = "Clear up the redundant resources for migrated apps " \
+           "- remove the old auth0 related resources " \
+           "- remove old auth0 information from control db" \
+           "- remove the apps which are not required any more"
+
+    SCRIPT_LOG_FILE_NAME = "./clear_up_auth0_resources_log.txt"
+
+    EXCEPTION_APPS = ["gold-scorecard-form"]
+
+    def add_arguments(self, parser):
+        parser.add_argument(
+            "-a", "--apply", action="store_true", help="Apply the actions"
+        )
+
+    def _remove_old_auth0_clients(self, app, auth0_instance):
+        old_client_info = (app.app_conf or {}).get(App.KEY_WORD_FOR_AUTH_SETTINGS, {}).\
+            get(App.DEFAULT_AUTH_CATEGORY, {})
+        if not old_client_info:
+            self._log_info(f"No old client for {app.slug} - {app.repo_url}")
+            return
+
+        self._log_info(f"Removing the old client for {app.slug} - {app.repo_url}")
+        if self.apply_action:
+            auth0_instance.clear_up_app(old_client_info)
+
+    def _update_db(self, app):
+        self._log_info(f"Removing the migration info and old clients for {app.slug} - {app.repo_url}")
+        app.description = ""
+        if App.DEFAULT_AUTH_CATEGORY in (app.app_conf or {}).get(App.KEY_WORD_FOR_AUTH_SETTINGS, {}):
+            del app.app_conf[App.KEY_WORD_FOR_AUTH_SETTINGS][App.DEFAULT_AUTH_CATEGORY]
+        if self.apply_action:
+            app.save()
+
+    def _remove_application(self, app):
+        self._log_info(f"Removing the application {app.slug} - {app.repo_url}")
+
+        """ TODO: how to deal with related bucket? we will output
+        the related datasets from this script"""
+        # log the related buckets information into file
+        related_buckets = AppS3Bucket.objects.filter(app_id=app.id)
+        for item in related_buckets:
+            self._log_info(f"The app links the bucket - {item.s3bucket.name}")
+            # Remove the relationship to avoid removal of the bucket when removing the app
+            if self.apply_action:
+                item.delete()
+        if self.apply_action:
+            app.delete()
+
+    def _log_info(self, info):
+        self.stdout.write(info)
+        with open(self.SCRIPT_LOG_FILE_NAME, "a") as f:
+            f.write(info)
+            f.write("\n")
+
+    def _clear_up_resources(self, auth0_instance):
+        apps = App.objects.all()
+        counter = 1
+        for app in apps:
+            if app.slug in self.EXCEPTION_APPS:
+                self._log_info(f"Ignore the application {app.slug}")
+                continue
+
+            try:
+                self._log_info(f"{counter}--Processing the application {app.slug}")
+
+                self._remove_old_auth0_clients(app, auth0_instance)
+                self._update_db(app)
+                if "moj-analytical-services" in app.repo_url:
+                    self._remove_application(app)
+                self._log_info(f"{counter}--Done with the application {app.slug}")
+                counter += 1
+            except Exception as ex:
+                self._log_info(f"Failed to process {app.slug} due to error : {ex.__str__()}")
+
+    def handle(self, *args, **options):
+        self.stdout.write("start to scan the apps from database.")
+        auth0_instance = auth0.ExtendedAuth0()
+        self.apply_action = options.get('apply') or False
+        self._clear_up_resources(auth0_instance)
+        self.stdout.write("Clean up action has completed.")
+
diff --git a/controlpanel/develop/apps.py b/controlpanel/develop/apps.py
deleted file mode 100644
index 0aa76d51a..000000000
--- a/controlpanel/develop/apps.py
+++ /dev/null
@@ -1,6 +0,0 @@
-# Third-party
-from django.apps import AppConfig
-
-
-class DevelopConfig(AppConfig):
-    name = "controlpanel.develop"
diff --git a/controlpanel/develop/templates/develop/index.html b/controlpanel/develop/templates/develop/index.html
deleted file mode 100644
index f4ff53dec..000000000
--- a/controlpanel/develop/templates/develop/index.html
+++ /dev/null
@@ -1,56 +0,0 @@
-<html>
-<head>
-    <style>
-        * {
-          -webkit-font-smoothing: antialiased;
-          -moz-osx-font-smoothing: grayscale;
-        }
-
-        body {
-            color: #333;
-            font-family: Arial, Helvetica, sans-serif;
-            margin: 20px;
-        }
-
-        legend {
-            font-weight: bold;
-        }
-        input {
-            margin: 10px;
-        }
-
-        input[type="submit"] {
-            padding: 10px;
-            background-color: #00703c;
-            color: white;
-        }
-    </style>
-</head>
-<body>
-
-    <h1>Development integration page</h1>
-    <h2>User: {{ username }}</h2>
-
-    <h3>Status: {{ status | default:"Pending" }}</h3>
-
-    <form action="." method="POST">
-        {% csrf_token %}
-        <legend>Tool installation</legend>
-        <input type="radio" name="tool" value="jupyterlab" {%if "jupyterlab" in tool %}checked{%endif%}>Jupyter Lab</input><br/>
-        <input type="radio" name="tool" value="rstudio" {%if "rstudio" in tool %}checked{%endif%}>RStudio</input><br/>
-        <input type="radio" name="tool" value="airflow" {%if "airflow" in tool %}checked{%endif%}>Airflow</input><br/>
-
-        <input type="submit" value="Create"></input>
-    </form>
-
-
-    <h2>Currently installed tools</h2>
-    <ul>
-        {% for tool in installed_tools %}
-        <li> {{ tool }} </li>
-        {% endfor %}
-    </ul>
-
-</body>
-
-</html>
diff --git a/controlpanel/develop/urls.py b/controlpanel/develop/urls.py
deleted file mode 100644
index 73f35aad8..000000000
--- a/controlpanel/develop/urls.py
+++ /dev/null
@@ -1,8 +0,0 @@
-# Third-party
-from django.urls import path
-
-from .views import develop_index
-
-urlpatterns = [
-    path("", develop_index, name="develop_index"),
-]
diff --git a/controlpanel/develop/views.py b/controlpanel/develop/views.py
deleted file mode 100644
index 235537c04..000000000
--- a/controlpanel/develop/views.py
+++ /dev/null
@@ -1,45 +0,0 @@
-# Standard library
-from typing import List
-
-# Third-party
-from django.contrib.auth.decorators import login_required
-from django.shortcuts import render
-
-
-def installed_tools(username: str) -> List[str]:
-    # TODO: Get a list of this user's installed tools and return
-    # a list of string ["like", "this"]
-
-    return []
-
-
-def user_selected_tool(username: str, toolname: str) -> str:
-    # TODO: Create/Ensure instance of the named tool
-
-    return f"Install {toolname} for {username}"
-
-
-@login_required()
-def develop_index(request):
-    status = None
-    tool = None
-
-    if request.method == "POST":
-        data = request.POST
-
-        tool = data.get("tool", "")
-        if not tool:
-            status = "No tool selected"
-        else:
-            status = user_selected_tool(request.user, tool)
-
-    return render(
-        request,
-        "develop/index.html",
-        {
-            "username": request.user,
-            "status": status,
-            "tool": tool,
-            "installed_tools": installed_tools(request.user),
-        },
-    )
diff --git a/controlpanel/frontend/consumers.py b/controlpanel/frontend/consumers.py
index a3f3895e7..4c5431ce1 100644
--- a/controlpanel/frontend/consumers.py
+++ b/controlpanel/frontend/consumers.py
@@ -9,10 +9,9 @@
 
 # Third-party
 import structlog
-from asgiref.sync import async_to_sync
 from channels.consumer import SyncConsumer
-from channels.layers import get_channel_layer
 from django.db import transaction
+from django.conf import settings
 
 # First-party/Local
 from controlpanel.api import cluster
@@ -31,12 +30,8 @@
     ToolDeployment,
     User,
 )
-from controlpanel.utils import PatchedAsyncHttpConsumer, sanitize_dns_label
+from controlpanel.utils import (PatchedAsyncHttpConsumer, sanitize_dns_label, send_sse)
 
-WORKER_HEALTH_FILENAME = "/tmp/worker_health.txt"
-
-
-channel_layer = get_channel_layer()
 
 log = structlog.getLogger(__name__)
 
@@ -234,21 +229,11 @@ def home_reset(self, message):
             log.debug(f"Reset home directory for user {user}")
 
     def workers_health(self, message):
-        Path(WORKER_HEALTH_FILENAME).touch()
+        Path(settings.WORKER_HEALTH_FILENAME).touch()
 
         log.debug("Worker health ping task executed")
 
 
-def send_sse(user_id, event):
-    """
-    Tell the SSEConsumer to send an event to the specified user
-    """
-    async_to_sync(channel_layer.group_send)(
-        sanitize_dns_label(user_id),
-        {"type": "sse.event", **event},
-    )
-
-
 def update_tool_status(tool_deployment, id_token, status):
     user = tool_deployment.user
     tool = tool_deployment.tool
@@ -282,16 +267,6 @@ def update_home_status(home_directory, status):
     )
 
 
-def start_background_task(task, message):
-    async_to_sync(channel_layer.send)(
-        "background_tasks",
-        {
-            "type": task,
-            **message,
-        },
-    )
-
-
 def wait_for_deployment(tool_deployment, id_token):
     status = TOOL_DEPLOYING
     while status == TOOL_DEPLOYING:
diff --git a/controlpanel/frontend/forms.py b/controlpanel/frontend/forms.py
index 9c841df54..4fe857c1c 100644
--- a/controlpanel/frontend/forms.py
+++ b/controlpanel/frontend/forms.py
@@ -146,7 +146,7 @@ class CreateAppForm(AppAuth0Form):
         required=False,
     )
     existing_datasource_id = DatasourceChoiceField(
-        queryset=S3Bucket.objects.filter(is_data_warehouse=False),
+        queryset=S3Bucket.objects.filter(is_data_warehouse=False, is_deleted=False),
         empty_label="Select",
         required=False,
     )
@@ -284,7 +284,8 @@ class GrantAccessForm(forms.Form):
         label="Paths (optional)",
         help_text=(
             "Add specific paths for this user or group to access or leave blank "
-            "for whole bucket access"
+            "for full access. Paths must be separated by a newline, with a "
+            "leading forward slash and no trailing slash. For example: /my-path"
         ),
         required=False,
         delimiter="\n",
@@ -308,12 +309,28 @@ def clean(self):
             cleaned_data["is_admin"] = True
 
         if cleaned_data["entity_type"] == "user":
-            cleaned_data["user_id"] = cleaned_data["entity_id"]
+            cleaned_data["user_id"] = cleaned_data.get("entity_id")
         elif cleaned_data["entity_type"] == "group":
-            cleaned_data["policy_id"] = cleaned_data["entity_id"]
+            cleaned_data["policy_id"] = cleaned_data.get("entity_id")
 
         return cleaned_data
 
+    def clean_paths(self):
+        """
+        Validation to ensure paths are entered with a leading forward slash, and without
+        trailing slash. This is to ensure that the correct IAM permissions are added
+        at the aws.S3AccessPolicy level.
+        """
+        paths = self.cleaned_data["paths"]
+        for path in paths:
+            if not path.startswith("/"):
+                raise ValidationError("Enter paths prefixed with a forward slash")
+
+            if path.endswith("/"):
+                raise ValidationError("Enter paths without a trailing forward slash")
+
+        return paths
+
 
 class GrantAppAccessForm(forms.Form):
     access_level = forms.ChoiceField(
@@ -336,9 +353,11 @@ def __init__(self, *args, **kwargs):
         if self.exclude_connected:
             self.fields["datasource"].queryset = S3Bucket.objects.exclude(
                 id__in=[a.s3bucket_id for a in self.app.apps3buckets.all()],
-            )
+            ).filter(is_deleted=False)
         else:
-            self.fields["datasource"].queryset = S3Bucket.objects.all()
+            self.fields["datasource"].queryset = S3Bucket.objects.filter(
+                is_deleted=False,
+            )
 
 
 class CreateIAMManagedPolicyForm(forms.Form):
diff --git a/controlpanel/frontend/jinja2/customers-list.html b/controlpanel/frontend/jinja2/customers-list.html
index a31fed92d..9c3f042a4 100644
--- a/controlpanel/frontend/jinja2/customers-list.html
+++ b/controlpanel/frontend/jinja2/customers-list.html
@@ -18,7 +18,11 @@ <h2 class="govuk-heading-m">
     Customer management for {{ app.name }}
 </h2>
 
-{% if groups_dict %}
+{% if not groups_dict %}
+   <h2 class="govuk-heading-s">
+      No need to manage the customers of the app on Control panel as it does not require authentication
+   </h2>
+{% else %}
   <section>
    <h2 class="govuk-heading-s">
       Switch to different deployment environment from the following links:
@@ -48,13 +52,6 @@ <h2 class="govuk-heading-s">
     App customers under {{ groups_dict.get(group_id) }} environment
     {{ modal_dialog(app_customers_html|safe) }}
   </h2>
-{% else %}
-   <h2 class="govuk-heading-s">
-      No need to manage the customers of app on Control panel
-   </h2>
-{% endif %}
-
-
 
   <form method="post" action="{{ url("remove-app-customer", kwargs={"pk": app.id, "group_id": group_id }) }}">
     {{ csrf_input }}
@@ -112,41 +109,44 @@ <h2 class="govuk-heading-s">
     )
   }}
 
-{% if request.user.has_perm('api.add_app_customer', app) %}
-  <form action="{{ url('add-app-customers', kwargs={ "pk": app.id, "group_id": group_id }) }}" method="post">
-    {{ csrf_input }}
-    <div class="govuk-form-group {% if errors and errors.customer_email %}govuk-form-group--error{% endif %}">
-      <label class="govuk-label" for="customer_email">
-        Add app customers by entering their email addresses (separated by spaces)
-      </label>
-      {% if errors and errors.customer_email %}
-        {% for error in errors.customer_email %}
-      <span id="customer_email-error" class="govuk-error-message">
-        <span class="govuk-visually-hidden">Error:</span> {{ error }}
-      </span>
-        {% endfor %}
-      {% endif %}
-      <input id="customer_email" class="govuk-input cpanel-input" name="customer_email" autocomplete="off">
-    </div>
-    <div class="govuk-form-group">
-      <button class="govuk-button" {% if not group_id %} disabled {% endif %}>Add customer</button>
-    </div>
-  </form>
-{% endif %}
+    {% if request.user.has_perm('api.add_app_customer', app) %}
+      <form action="{{ url('add-app-customers', kwargs={ "pk": app.id, "group_id": group_id }) }}" method="post">
+        {{ csrf_input }}
+        <div class="govuk-form-group {% if errors and errors.customer_email %}govuk-form-group--error{% endif %}">
+          <label class="govuk-label" for="customer_email">
+            Add app customers by entering their email addresses (separated by spaces)
+          </label>
+          {% if errors and errors.customer_email %}
+            {% for error in errors.customer_email %}
+          <span id="customer_email-error" class="govuk-error-message">
+            <span class="govuk-visually-hidden">Error:</span> {{ error }}
+          </span>
+            {% endfor %}
+          {% endif %}
+          <input id="customer_email" class="govuk-input cpanel-input" name="customer_email" autocomplete="off">
+        </div>
+        <div class="govuk-form-group">
+          <button class="govuk-button" {% if not group_id %} disabled {% endif %}>Add customer</button>
+        </div>
+      </form>
+    {% endif %}
+
+    {% if remove_perm %}
+      <form action="{{ url('remove-app-customer-by-email', kwargs={ "pk": app.id, "group_id": group_id}) }}" method="post">
+        {{ csrf_input }}
+        <div class="govuk-form-group">
+          <label class="govuk-label" for="{{ remove_customer_form.email.id_for_label }}">
+            Remove a customer by entering their email address
+          </label>
+          {{ remove_customer_form.email }}
+        </div>
+        <div class="govuk-form-group">
+          <button class="govuk-button" {% if not group_id %} disabled {% endif %}>Remove customer</button>
+        </div>
+      </form>
+    {% endif %}
 
-{% if remove_perm %}
-  <form action="{{ url('remove-app-customer-by-email', kwargs={ "pk": app.id, "group_id": group_id}) }}" method="post">
-    {{ csrf_input }}
-    <div class="govuk-form-group">
-      <label class="govuk-label" for="{{ remove_customer_form.email.id_for_label }}">
-        Remove a customer by entering their email address
-      </label>
-      {{ remove_customer_form.email }}
-    </div>
-    <div class="govuk-form-group">
-      <button class="govuk-button" {% if not group_id %} disabled {% endif %}>Remove customer</button>
-    </div>
-  </form>
 {% endif %}
 
+
 {% endblock %}
diff --git a/controlpanel/frontend/jinja2/datasource-access-grant.html b/controlpanel/frontend/jinja2/datasource-access-grant.html
index 9aadd3f2d..00ab26269 100644
--- a/controlpanel/frontend/jinja2/datasource-access-grant.html
+++ b/controlpanel/frontend/jinja2/datasource-access-grant.html
@@ -14,7 +14,7 @@ <h1 class="govuk-heading-xl">{{ page_title }}</h1>
   <form action="{{ grant_url }}" method="post">
     {{ csrf_input }}
     <input type="hidden" name="entity_type" value="{{ entity_type }}">
-    <div class="govuk-form-group">
+    <div class="govuk-form-group{% if form.entity_id.errors %} govuk-form-group--error{% endif %}">
       <label class="govuk-label" for="entity_id">Grant access to this data to other {{ entity_type }}s</label>
       <select class="govuk-form-control no-blank autocomplete-select" id="entity_id" name="entity_id">
         <option value="">Select a user</option>
diff --git a/controlpanel/frontend/jinja2/datasource-access-update.html b/controlpanel/frontend/jinja2/datasource-access-update.html
index 384796a5f..266dff172 100644
--- a/controlpanel/frontend/jinja2/datasource-access-update.html
+++ b/controlpanel/frontend/jinja2/datasource-access-update.html
@@ -30,9 +30,9 @@ <h2 class="govuk-error-summary__title" id="error-summary-title">
     <input type="hidden" name="entity_type" value="{{ entity_type }}">
     <input type="hidden" name="entity_id" value="{{ entity_id }}">
 
-    <div {% if form.errors %}class="govuk-form-group--error"{% endif %}>
+    <div {% if form.access_level.errors %}class="govuk-form-group--error"{% endif %}>
       <fieldset class="govuk-fieldset ">
-        {% if form.errors %}
+        {% if form.access_level.errors %}
         <span id="confirm-error" class="govuk-error-message">
           <span class="govuk-visually-hidden">Error:</span>
           {% for error in form.errors.access_level %}
diff --git a/controlpanel/frontend/jinja2/datasource-detail.html b/controlpanel/frontend/jinja2/datasource-detail.html
index 82932d011..82106174a 100644
--- a/controlpanel/frontend/jinja2/datasource-detail.html
+++ b/controlpanel/frontend/jinja2/datasource-detail.html
@@ -20,13 +20,25 @@
 <h1 class="govuk-heading-xl">{{ page_title }}</h1>
 
 <p class="govuk-body">
-  <a href="{{ bucket.aws_url }}" class="govuk-button govuk-button--secondary" target="_blank" rel="noopener">
-    Open on AWS
-  </a>
+  {% if bucket.is_deleted %}
+    <div class="govuk-warning-text">
+      <span class="govuk-warning-text__icon" aria-hidden="true">!</span>
+      <strong class="govuk-warning-text__text">
+          <span class="govuk-warning-text__assistive">Warning</span>
+          This bucket was deleted by <a href="{{ url('manage-user', kwargs={ "pk": bucket.deleted_by.auth0_id }) }}">
+          {{ user_name(bucket.deleted_by) }}</a> on {{ bucket.deleted_at.strftime("%Y/%m/%d %H:%M:%S") }}.<br>
+          All access listed below has been revoked in IAM.
+      </strong>
+    </div>
+  {% else %}
+    <a href="{{ bucket.aws_url }}" class="govuk-button govuk-button--secondary" target="_blank" rel="noopener">
+      Open on AWS
+    </a>
+  {% endif %}
 </p>
 
-<section class="cpanel-section">
-  <h2 class="govuk-heading-m">Users and groups with access</h2>
+<section class="cpanel-section track_task">
+  <h2 class="govuk-heading-m">Users and groups with{% if bucket.is_deleted %} revoked{% endif %} access</h2>
   <table class="govuk-table">
     <thead class="govuk-table__head">
       <tr class="govuk-table__row">
@@ -63,7 +75,7 @@ <h2 class="govuk-heading-m">Users and groups with access</h2>
         {%- endif %}
         </td>
         <td class="govuk-table__cell">
-          {% if request.user.has_perm('api.update_users3bucket', member) %}
+          {% if request.user.has_perm('api.update_users3bucket', member) and not bucket.is_deleted %}
           <a href="{% if member.user -%}{{ url("update-access-level", kwargs={"pk": member.id}) }}{%- else -%}{{ url("update-policy-access-level", kwargs={"pk": member.id}) }}{%- endif %}"
              class="govuk-button govuk-button--secondary right">
             Edit access level
@@ -73,17 +85,19 @@ <h2 class="govuk-heading-m">Users and groups with access</h2>
       </tr>
     {% endfor %}
     </tbody>
+
+    {% set plural = access_list|length > 1 %}
     <tfoot class="govuk-table__foot">
       <tr class="govuk-table__row">
         <td class="govuk-table__cell" colspan="3">
           {{ access_list|length }}
-          user{%- if access_list|length != 1 -%}s{% endif %} or group{%- if access_list|length != 1 -%}s have{% else %} has{% endif %}
+          user{%- if plural -%}s{% endif %} or group{%- if plural -%}s{% endif %}{% if bucket.is_deleted %} had{% elif plural %} have{% else %} has{% endif %}
           access to this {{ datasource_type }} data source
       </tr>
     </tfoot>
   </table>
 
-  {% if request.user.has_perm('api.create_users3bucket', bucket) and users_options|length %}
+  {% if request.user.has_perm('api.create_users3bucket', bucket) and users_options|length and not bucket.is_deleted %}
     <a href="{{ url('grant-datasource-access', kwargs={'pk': bucket.pk}) }}"
        class="govuk-button govuk-button--secondary">
       Grant user access
@@ -91,7 +105,7 @@ <h2 class="govuk-heading-m">Users and groups with access</h2>
   {% endif %}
 
   {% if request.user.has_perm('api.manage_groups') %}
-    {% if request.user.has_perm('api.create_policys3bucket', bucket) and policies_options|length %}
+    {% if request.user.has_perm('api.create_policys3bucket', bucket) and policies_options|length and not bucket.is_deleted %}
       <a href="{{ url('grant-datasource-policy-access', kwargs={'pk': bucket.pk}) }}"
          class="govuk-button govuk-button--secondary">
         Grant group access
@@ -212,7 +226,7 @@ <h2 class="govuk-heading-m">Data access log</h2>
 </section>
 {% endif %}
 
-{% if request.user.has_perm('api.destroy_s3bucket', bucket) %}
+{% if not bucket.is_deleted and request.user.has_perm('api.destroy_s3bucket', bucket) %}
 <section class="cpanel-section">
   <form action="{{ url('delete-datasource', kwargs={ "pk": bucket.id }) }}" method="post">
     {{ csrf_input }}
diff --git a/controlpanel/frontend/jinja2/datasource-list.html b/controlpanel/frontend/jinja2/datasource-list.html
index 8e2027d88..7c575bc6a 100644
--- a/controlpanel/frontend/jinja2/datasource-list.html
+++ b/controlpanel/frontend/jinja2/datasource-list.html
@@ -4,12 +4,12 @@
 
 {% extends "base.html" %}
 
-{% if datasource_type %}
-  {% set page_name = datasource_type + "-datasource-list" %}
-  {% set page_title = "Your " + datasource_type + " data sources" %}
-{% else %}
+{% if all_datasources %}
   {% set page_name = "all-datasources" %}
   {% set page_title = "All data sources" %}
+{% else %}
+  {% set page_name = datasource_type + "-datasource-list" %}
+  {% set page_title = "Your " + datasource_type + " data sources" %}
 {% endif %}
 
 {% set access_levels_html %}
@@ -71,4 +71,9 @@ <h3 class="govuk-heading-m">Other {{ datasource_type }} data sources</h3>
   </table>
 {% endif %}
 
+{% if request.user.is_superuser and deleted_datasources %}
+  <h3 class="govuk-heading-m">Deleted data sources</h3>
+  {{ datasource_list(deleted_datasources, datasource_type|default(""), request.user) }}
+{% endif %}
+
 {% endblock %}
diff --git a/controlpanel/frontend/jinja2/home.html b/controlpanel/frontend/jinja2/home.html
index 2099de5a3..33107e2df 100644
--- a/controlpanel/frontend/jinja2/home.html
+++ b/controlpanel/frontend/jinja2/home.html
@@ -15,6 +15,7 @@ <h2 class="govuk-heading-m">Superuser functions</h2>
     <li><a href="{{ url('list-all-datasources') }}">List all data sources</a></li>
     <li><a href="{{ url('list-tool-releases') }}">List all tool releases</a></li>
     <li><a href="{{ url('list-ip-allowlists') }}">List all IP allowlists</a></li>
+    <li><a href="{{ url('list-tasks') }}">List all tasks</a></li>
   </ul>
   {% endif %}
 
diff --git a/controlpanel/frontend/jinja2/includes/app-list.html b/controlpanel/frontend/jinja2/includes/app-list.html
index 0954212d6..f5338ec20 100644
--- a/controlpanel/frontend/jinja2/includes/app-list.html
+++ b/controlpanel/frontend/jinja2/includes/app-list.html
@@ -7,7 +7,7 @@
 
 {% macro app_list(apps, user) %}
 {%- set num_apps = apps|length %}
-<table class="govuk-table">
+<table class="govuk-table track_task">
   <thead class="govuk-table__head">
     <tr class="govuk-table__row">
       <th class="govuk-table__header">App name</th>
diff --git a/controlpanel/frontend/jinja2/includes/datasource-access-form.html b/controlpanel/frontend/jinja2/includes/datasource-access-form.html
index d1531b4ad..38b6e40e5 100644
--- a/controlpanel/frontend/jinja2/includes/datasource-access-form.html
+++ b/controlpanel/frontend/jinja2/includes/datasource-access-form.html
@@ -1,7 +1,7 @@
 {% from "includes/list-field.html" import list_field_textarea %}
 
 {% macro data_access_paths_textarea(field) -%}
-  <div class="govuk-form-group panel panel-border-narrow js-list-field">
+  <div class="govuk-form-group panel panel-border-narrow js-list-field{% if field.errors %} govuk-form-group--error{% endif %}">
     {{ list_field_textarea(field.name, field.label, field.help_text, field.value() or "", field.errors) }}
   </div>
 {%- endmacro %}
diff --git a/controlpanel/frontend/jinja2/includes/list-field.html b/controlpanel/frontend/jinja2/includes/list-field.html
index cceec944e..0fae11dde 100644
--- a/controlpanel/frontend/jinja2/includes/list-field.html
+++ b/controlpanel/frontend/jinja2/includes/list-field.html
@@ -1,5 +1,5 @@
 {% from "fieldset/macro.html" import govukFieldset %}
-
+{% from "error-message/macro.html" import govukErrorMessage %}
 
 {% macro list_field_textarea(name, label, help_text="", value="", errors={}) -%}
   {% call govukFieldset({
@@ -9,6 +9,9 @@
     },
     "help_text": help_text
   }) %}
+    {% if errors %}
+      {{ govukErrorMessage({"text": errors|join(". ")}) }}
+    {% endif %}
     <textarea rows="8" class="govuk-textarea govuk-!-width-two-thirds" name="{{ name }}" id="{{ name }}_id">{{ value }}</textarea>
   {%- endcall %}
 {%- endmacro %}
diff --git a/controlpanel/frontend/jinja2/includes/task-list.html b/controlpanel/frontend/jinja2/includes/task-list.html
new file mode 100644
index 000000000..bd2c6b298
--- /dev/null
+++ b/controlpanel/frontend/jinja2/includes/task-list.html
@@ -0,0 +1,49 @@
+{% macro task_list(tasks, csrf_input) %}
+{%- set num_tasks = tasks|length %}
+<table class="govuk-table">
+  <thead class="govuk-table__head">
+    <tr class="govuk-table__row">
+      <th class="govuk-table__header">Entity class</th>
+      <th class="govuk-table__header">Entity ID</th>
+      <th class="govuk-table__header">Entity description</th>
+      <th class="govuk-table__header">Task ID</th>
+      <th class="govuk-table__header">Task description</th>
+      <th class="govuk-table__header">Create time</th>
+      <th class="govuk-table__header">
+        <span class="govuk-visually-hidden">Action</span>
+      </th>
+    </tr>
+  </thead>
+  <tbody class="govuk-table__body">
+  {%- for task in tasks %}
+    <tr class="govuk-table__row">
+      <td class="govuk-table__cell">{{ task.entity_class }}</td>
+      <td class="govuk-table__cell">{{ task.entity_id }}</td>
+      <td class="govuk-table__cell">{{ task.entity_description }}</td>
+      <td class="govuk-table__cell">{{ task.task_id }}</td>
+      <td class="govuk-table__cell">{{ task.task_description }}</td>
+      <td class="govuk-table__cell">{{ task.created }}</td>
+      <td class="govuk-table__cell">
+        <form style="display: inline;" id="form-task" action="" method="post">
+          {{ csrf_input }}
+          <button class="govuk-button cpanel-button--destructive js-confirm"
+              data-form-url="{{ url('tasks', kwargs={'task_id': task.task_id, 'action': 'send_message'}) }}"
+              data-form-target="form-task"
+              id="task-{{ task_name }}"
+              data-confirm-message="Do you wish to re-trigger the task again?">
+            Re-trigger task
+          </button>
+        </form>
+      </td>
+    </tr>
+  {% endfor %}
+  </tbody>
+  <tfoot class="govuk-table__foot">
+    <tr class="govuk-table__row">
+      <td class="govuk-table__cell" colspan="3">
+        {{ num_tasks }} task{% if num_tasks != 1 %}s{% endif %}
+      </td>
+    </tr>
+  </tfoot>
+</table>
+{% endmacro %}
diff --git a/controlpanel/frontend/jinja2/policy-create.html b/controlpanel/frontend/jinja2/policy-create.html
index 29b412092..74f7da365 100644
--- a/controlpanel/frontend/jinja2/policy-create.html
+++ b/controlpanel/frontend/jinja2/policy-create.html
@@ -8,6 +8,7 @@
 {%- endset %}
 
 {% set page_name = "policies" %}
+{% set page_title = "Create a group for use with s3 permissions" %}
 
 {% block content %}
   <h1 class="govuk-heading-xl">{{ legend }}</h1>
diff --git a/controlpanel/frontend/jinja2/task-list.html b/controlpanel/frontend/jinja2/task-list.html
new file mode 100644
index 000000000..debbfda1e
--- /dev/null
+++ b/controlpanel/frontend/jinja2/task-list.html
@@ -0,0 +1,13 @@
+{% from "user/macro.html" import user_name %}
+{% from "includes/task-list.html" import task_list %}
+
+{% extends "base.html" %}
+
+{% set page_title = "Incomplete Tasks" %}
+
+{% block content %}
+<h1 class="govuk-heading-xl track_task">{{ page_title }}</h1>
+
+{{ task_list(tasks, csrf_input) }}
+
+{% endblock %}
diff --git a/controlpanel/frontend/jinja2/webapp-detail.html b/controlpanel/frontend/jinja2/webapp-detail.html
index 7b7d0c3af..99155982d 100644
--- a/controlpanel/frontend/jinja2/webapp-detail.html
+++ b/controlpanel/frontend/jinja2/webapp-detail.html
@@ -12,8 +12,7 @@
 {% set page_name = "webapps" %}
 {% set page_title = app.name %}
 {% set app_domain = settings.APP_DOMAIN %}
-{% set app_old_url = "https://" + app.slug + "/" + settings.APP_DOMAIN_BEFORE_MIGRATION %}
-{% set feature_enabled = settings.features.app_migration.enabled %}
+{% set app_old_url = "https://" + app.slug + "." + settings.APP_DOMAIN_BEFORE_MIGRATION %}
 
 {% set app_admins_html %}
 {% include "modals/app_admins.html" %}
@@ -26,54 +25,17 @@
 {% block content %}
 
 <header>
-  {% if feature_enabled %}
-  <div class="govuk-width-container">
-    <div class="govuk-warning-text">
-      <span class="govuk-warning-text__icon" aria-hidden="true">!</span>
-      <strong class="govuk-warning-text__text">
-        <span class="govuk-warning-text__assistive">Warning</span>
-        More information and user guidance for the webapp deployment pipeline and related settings will be provided soon. If you have questions about the app migration process, please contact us on the <a href=https://mojdt.slack.com/archives/C0504KY0Z2N>#data-platform-application-migration-support</a> Slack channel.
-      </strong>
-    </div>
-    <hr class="govuk-section-break govuk-section-break--visible">
-  </div>
-  <br/>
-  {% endif %}
 
   <span class="govuk-caption-xl">Webapp</span>
   <h1 class="govuk-heading-xl">{{ page_title }}</h1>
 
-  {% if feature_enabled %}
-      <h2 class="govuk-heading-m">Migration status:</h2>
-      {% if app_migration_status == "in_progress" %}
-        <p class="govuk-body" ><b>This app is currently being migrated. It has been deployed onto Cloud Platform for testing, and the original version is still available on the Alpha cluster.</b></p>
-        <ul class="govuk-body">
-          <li>Old repository: <a href="{{ app_migration_info["repo_url"] }}">{{ app_migration_info["repo_url"] }}</a></li>
-          <li>Old app name: <strong>{{ app_migration_info["app_name"] }}</strong></li>
-          <li>Old app URL: <a href="{{ app_migration_info["app_url"] }}">{{ app_migration_info["app_url"] }}</a></li>
-        </ul>
-        <p class="govuk-body" >
-          <b style="color:red">The above information about old app will be removed once the migration process is completed.</b>
-        </p>
-      {% elif app_migration_status == "done" %}
-        <p class="govuk-body">
-          <b style="color:red">The migration for this app has been completed</b>
-        </p>
-      {% else %}
-        <p class="govuk-body">
-          <b style="color:red">The migration process for this app has not been started yet!</b>
-        </p>
-      {% endif %}
-  {% else %}
-    {% if app.description %}
-      <p class="govuk-body">
-        {{ app.description }}
-      </p>
-    {% endif %}
+  {% if app.description %}
+    <p class="govuk-body">
+      {{ app.description }}
+    </p>
   {% endif %}
 
-
-  {% if feature_enabled and repo_access_error_msg %}
+  {% if repo_access_error_msg %}
   <div class="govuk-grid-row">
     <div class="govuk-column-two-thirds">
 
@@ -92,14 +54,6 @@ <h2 class="govuk-heading-m govuk-error-summary-heading">
   </div>
   {% endif %}
 
-  {% if not app_migration_info and app_old_url %}
-  <h2 class="govuk-heading-m">Deployed URL</h2>
-    <p> If the app was successfully built on the alpha (original) cluster, it can be accessed here:</p>
-    <p class="govuk-body">
-      <a href="{{ app_old_url }}">{{ app_old_url }}</a>
-    </p>
-  {% endif %}
-
   <h2 class="govuk-heading-m">Source Code Repository</h2>
   <p class="govuk-body">
     {% if app.repo_url %}
@@ -109,53 +63,49 @@ <h2 class="govuk-heading-m">Source Code Repository</h2>
     {% endif %}
   </p>
 
-  {% if feature_enabled %}
-
-    <h2 class="govuk-heading-m">App logs</h2>
-    <p class="govuk-body">
-      <a href="{{ settings.KIBANA_BASE_URL }}">{{ settings.KIBANA_BASE_URL }}</a>
-    </p>
+  <h2 class="govuk-heading-m">App logs</h2>
+  <p class="govuk-body">
+    <a href="{{ settings.KIBANA_BASE_URL }}">{{ settings.KIBANA_BASE_URL }}</a>
+  </p>
 
-    <h2 class="govuk-heading-m">App resources usage dashboard</h2>
-    <p class="govuk-body">
-      <a href="{{ settings.GRAFANA_BASE_URL }}">{{ settings.GRAFANA_BASE_URL }}</a>
-    </p>
+  <h2 class="govuk-heading-m">App resources usage dashboard</h2>
+  <p class="govuk-body">
+    <a href="{{ settings.GRAFANA_BASE_URL }}">{{ settings.GRAFANA_BASE_URL }}</a>
+  </p>
 
-    <h2 class="govuk-heading-m">Deployment Pipeline</h2>
-    <p class="govuk-body"> Github workflows on app's repo are used for deploying the app.</p>
-    <p class="govuk-body"><strong>You are required to be member of admin team for this app repo in order to be able to maintain the deployments settings</strong></p>
-  {% endif %}
+  <h2 class="govuk-heading-m">Deployment Pipeline</h2>
+  <p class="govuk-body"> Github workflows on app's repo are used for deploying the app.</p>
+  <p class="govuk-body"><strong>You are required to be member of admin team for this app repo in order to be able to maintain the deployments settings</strong></p>
 
 </header>
 
-<section class="cpanel-section app-auth-settings-panel">
-  {% if feature_enabled %}
-    {% if github_settings_access_error_msg %}
-      <div class="govuk-error-summary" role="alert" aria-labelledby="error-summary-heading-example-1" tabindex="-1">
-        <p style="color:red">Couldn't load the github settings</p>
-        <p style="color:red">Raw error message: {{ github_settings_access_error_msg }}</p>
-      </div>
-    {% endif %}
+<section class="cpanel-section track_task app-auth-settings-panel">
 
-    {% for env_name, deployment_setting in deployments_settings.items() %}
-    <h2 class="govuk-heading-m" >Deployment settings under {{ env_name }}</h2>
-      {% if deployment_setting.get('is_redundant') and request.user.has_perm('api.update_app', app) %}
-        <section class="cpanel-section">
-          <p style="color:red">It appears this deployment environment is redundant and can be removed</p>
-          <form action="{{ url('remove-app-deployment-env', kwargs={'pk': app.id, 'env_name': env_name}) }}" method="post">
-            {{ csrf_input }}
-            <button class="govuk-button cpanel-button--destructive js-confirm"
-                    data-confirm-message="Are you sure you want to remove this deployment environment?">
-              Remove redundant deployment environment
-            </button>
-          </form>
-        </section>
-      {% else %}
-        {{ app_deployment_settings(app, env_name, app_domain, deployment_setting, request, csrf_input) }}
-      {% endif %}
-    {% endfor %}
+  {% if github_settings_access_error_msg %}
+    <div class="govuk-error-summary" role="alert" aria-labelledby="error-summary-heading-example-1" tabindex="-1">
+      <p style="color:red">Couldn't load the github settings</p>
+      <p style="color:red">Raw error message: {{ github_settings_access_error_msg }}</p>
+    </div>
   {% endif %}
 
+  {% for env_name, deployment_setting in deployments_settings.items() %}
+  <h2 class="govuk-heading-m" >Deployment settings under {{ env_name }}</h2>
+    {% if deployment_setting.get('is_redundant') and request.user.has_perm('api.update_app', app) %}
+      <section class="cpanel-section">
+        <p style="color:red">It appears this deployment environment is redundant and can be removed</p>
+        <form action="{{ url('remove-app-deployment-env', kwargs={'pk': app.id, 'env_name': env_name}) }}" method="post">
+          {{ csrf_input }}
+          <button class="govuk-button cpanel-button--destructive js-confirm"
+                  data-confirm-message="Are you sure you want to remove this deployment environment?">
+            Remove redundant deployment environment
+          </button>
+        </form>
+      </section>
+    {% else %}
+      {{ app_deployment_settings(app, env_name, app_domain, deployment_setting, request, csrf_input) }}
+    {% endif %}
+  {% endfor %}
+
 </section>
 
 <section class="cpanel-section">
diff --git a/controlpanel/frontend/jinja2/webapp-update-ip-allowlists.html b/controlpanel/frontend/jinja2/webapp-update-ip-allowlists.html
index d3ecc5626..d772af857 100644
--- a/controlpanel/frontend/jinja2/webapp-update-ip-allowlists.html
+++ b/controlpanel/frontend/jinja2/webapp-update-ip-allowlists.html
@@ -14,8 +14,6 @@
         {% endif %}
     </div>
 
-    {% if app_migration_feature_enabled %}
-
     <form action="{{ url('update-app-ip-allowlists', kwargs={'pk': app.pk}) }}" method="post">
         {{ csrf_input }}
         <input type="hidden" name="env_name" value="{{ env_name }}">
@@ -44,12 +42,6 @@
         contact the Analytical Platform team via our <a href="https://asdslack.slack.com/archives/C4PF7QAJZ">support Slack channel</a>.
     </p>
 
-    {% else %}
-
-    <h2 class="govuk-heading-m">IP allowlists for {{app.name}}</h2>
-    <p>This feature is not yet available for general use.</p>
-
-    {% endif %}
 
 </section>
 
diff --git a/controlpanel/frontend/management/commands/celery_worker_health.py b/controlpanel/frontend/management/commands/celery_worker_health.py
new file mode 100644
index 000000000..be1ed15a7
--- /dev/null
+++ b/controlpanel/frontend/management/commands/celery_worker_health.py
@@ -0,0 +1,57 @@
+# Standard library
+import random
+from datetime import datetime, timedelta
+from pathlib import Path
+from sys import exit
+
+# Third-party
+from django.conf import settings
+from django.core.management.base import BaseCommand
+
+# First-party/Local
+from controlpanel.celery import worker_health_check
+
+
+class Command(BaseCommand):
+    help = "Checks if this worker is still running tasks"
+
+    def add_arguments(self, parser):
+        parser.add_argument(
+            "--stale-after-secs",
+            type=int,
+            default=120,
+            help="For how many seconds the last executed task is considered recent enough for the health check to pass",  # noqa: E501
+        )
+
+    def handle(self, *args, **options):
+        stale_after_secs = options["stale_after_secs"]
+        # send task to randomly chosen queue
+        worker_health_check.apply_async(
+            queue=random.choice(settings.PRE_DEFINED_QUEUES)
+        )
+        # Attempt to read worker health ping file
+        # NOTE: This may initially fail depending on timing of health task
+        # execution but that's fine as Kubernetes' `failureThreashold`
+        # will be more than 1 anyway
+        try:
+            last_run_at_epoch = Path(settings.WORKER_HEALTH_FILENAME).stat().st_mtime
+            last_run_at = datetime.utcfromtimestamp(last_run_at_epoch)
+        except FileNotFoundError:
+            # Health ping file not found. Health task hasn't run on this worker yet
+            self.stderr.write(self.style.ERROR("Health ping file not found"))
+            exit(-1)
+
+        self.stdout.write(f"Last run on this worker at: {last_run_at}")
+
+        # check if this worker's health ping file is fresh/recent enough
+        if last_run_at < datetime.utcnow() - timedelta(seconds=stale_after_secs):
+            self.stderr.write(self.style.ERROR("Health ping file was stale"))
+            exit(-1)
+
+        # Health ping file is fresh, success
+        self.stdout.write(
+            self.style.SUCCESS(
+                "Health ping file is fresh. This worker ran health task recently."
+            )
+        )
+        exit(0)
diff --git a/controlpanel/frontend/management/commands/worker_health.py b/controlpanel/frontend/management/commands/worker_health.py
index e40bee561..796dfae4b 100644
--- a/controlpanel/frontend/management/commands/worker_health.py
+++ b/controlpanel/frontend/management/commands/worker_health.py
@@ -7,9 +7,7 @@
 from asgiref.sync import async_to_sync
 from channels.layers import get_channel_layer
 from django.core.management.base import BaseCommand
-
-# First-party/Local
-from controlpanel.frontend.consumers import WORKER_HEALTH_FILENAME
+from django.conf import settings
 
 
 class Command(BaseCommand):
@@ -38,7 +36,7 @@ def handle(self, *args, **options):
         # execution but that's fine as Kubernetes' `failureThreashold`
         # will be more than 1 anyway
         try:
-            last_run_at_epoch = Path(WORKER_HEALTH_FILENAME).stat().st_mtime
+            last_run_at_epoch = Path(settings.WORKER_HEALTH_FILENAME).stat().st_mtime
             last_run_at = datetime.utcfromtimestamp(last_run_at_epoch)
         except FileNotFoundError:
             # Health ping file not found. Health task hasn't run on this worker yet
diff --git a/controlpanel/frontend/static/javascripts/modules/confirm.js b/controlpanel/frontend/static/javascripts/modules/confirm.js
index d9566f77b..f091d587a 100644
--- a/controlpanel/frontend/static/javascripts/modules/confirm.js
+++ b/controlpanel/frontend/static/javascripts/modules/confirm.js
@@ -18,7 +18,7 @@ moj.Modules.jsConfirm = {
 
     // works on any children of a `<form>` with `confirmClass` but it's
     // usually used on `<input type="submit">` or `<button>`
-    $(document).on('click', `form .${this.confirmClass}`, (e) => {
+    $(document).on('click', `.${this.confirmClass}`, (e) => {
       const $el = $(e.target);
       e.preventDefault();
 
@@ -27,11 +27,15 @@ moj.Modules.jsConfirm = {
         const target_url = $el.data("form-url");
         // Check if the button has a target form to submit.
         const target = $el.data("form-target");
+        var data = []
+        if (target) {
+          data = $('#' + target).serializeArray()
+        };
         if(target_url) {
             $.ajax({
                 type: "POST",
                 url: target_url,
-                data: $('#' + target).serializeArray(),
+                data: data,
                 success: function () {
                     console.log('success post');
                 }
diff --git a/controlpanel/frontend/static/javascripts/modules/track-tasks.js b/controlpanel/frontend/static/javascripts/modules/track-tasks.js
new file mode 100644
index 000000000..e271f3761
--- /dev/null
+++ b/controlpanel/frontend/static/javascripts/modules/track-tasks.js
@@ -0,0 +1,58 @@
+moj.Modules.trackAppTask = {
+  eventType: "taskStatus",
+  listenerClass: ".track_task",
+  alertsClass: ".alerts",
+  mojPrimaryNavigationClass: ".moj-primary-navigation",
+
+  init() {
+    const taskStatusListeners = document.querySelectorAll(this.listenerClass);
+    if (taskStatusListeners) {
+      this.bindEvents(taskStatusListeners);
+    }
+  },
+
+  bindEvents(listeners) {
+    listeners.forEach(listener => {
+      moj.Modules.eventStream.addEventListener(
+        this.eventType,
+        this.buildEventHandler(listener)
+      );
+    });
+  },
+
+  buildEventHandler(listener) {
+    const appTask = this;
+    return event => {
+      const data = JSON.parse(event.data);
+      switch (data.status.toUpperCase()) {
+        case 'COMPLETED':
+          appTask.updateMessage("The " + data.entity_name + "'s task (" + data.task_description + ") has been completed")
+          break;
+      };
+    };
+  },
+
+  updateMessage(newMessage) {
+    // 2. Added new message
+    let elementLocation = document.querySelector(this.mojPrimaryNavigationClass);
+    if (elementLocation) {
+      var AlertsElement = document.querySelector(this.alertsClass);
+      if (!AlertsElement) {
+        AlertsElement = document.createElement("div");
+        AlertsElement.setAttribute("class", 'alerts govuk-width-container');
+        elementLocation.after(AlertsElement);
+      };
+
+      var newMessageTagElement = document.createElement("div");
+      newMessageTagElement.setAttribute("class", 'alerts--item success');
+      var newMessageElement = document.createElement("span");
+      newMessageElement.setAttribute("class", 'alerts--message');
+      newMessageElement.innerHTML = newMessage;
+
+      newMessageTagElement.appendChild(newMessageElement);
+      AlertsElement.appendChild(newMessageTagElement);
+//      elementLocation.after(AlertsElement);
+    }
+  }
+
+};
diff --git a/controlpanel/frontend/urls.py b/controlpanel/frontend/urls.py
index c25ca9d8a..d32cdb5b7 100644
--- a/controlpanel/frontend/urls.py
+++ b/controlpanel/frontend/urls.py
@@ -218,4 +218,5 @@
         name="delete-ip-allowlist",
     ),
     path("accessibility/", views.Accessibility.as_view(), name="accessibility"),
+    path("tasks/", views.TaskList.as_view(), name="list-tasks"),
 ]
diff --git a/controlpanel/frontend/views/__init__.py b/controlpanel/frontend/views/__init__.py
index 63821b77b..18fb7e25d 100644
--- a/controlpanel/frontend/views/__init__.py
+++ b/controlpanel/frontend/views/__init__.py
@@ -78,6 +78,7 @@
     UserList,
 )
 from controlpanel.oidc import OIDCLoginRequiredMixin
+from controlpanel.frontend.views.task import TaskList
 
 
 class IndexView(OIDCLoginRequiredMixin, TemplateView):
diff --git a/controlpanel/frontend/views/app.py b/controlpanel/frontend/views/app.py
index 1d1dee03f..d4edceadc 100644
--- a/controlpanel/frontend/views/app.py
+++ b/controlpanel/frontend/views/app.py
@@ -28,6 +28,7 @@
     IPAllowlist,
     User,
     UserApp,
+    Task,
 )
 from controlpanel.api.pagination import Auth0Paginator
 from controlpanel.api.serializers import AppAuthSettingsSerializer
@@ -78,12 +79,17 @@ def _get_all_app_settings(self, app):
         access_repo_error_msg = None
         github_settings_access_error_msg = None
         try:
+            # NB: if this call fails....
             deployment_env_names = app_manager_ins.get_deployment_envs()
         except requests.exceptions.HTTPError as ex:
             access_repo_error_msg = ex.__str__()
+            github_settings_access_error_msg = ex.__str__()
+            # ...this is set to empty list...
             deployment_env_names = []
+        # ...which means this will remain empty dict...
         deployments_settings = {}
         auth0_connections = app.auth0_connections_by_env()
+        # ...so no call to get secrets/variables is made
         try:
             for env_name in deployment_env_names:
                 deployments_settings[env_name] = {
@@ -93,7 +99,7 @@ def _get_all_app_settings(self, app):
                 }
         except requests.exceptions.HTTPError as ex:
             github_settings_access_error_msg = ex.__str__()
-
+        # ...knock on effect is in serializers.py these envs will be marked as redundant
         return deployments_settings, access_repo_error_msg, \
             github_settings_access_error_msg
 
@@ -110,6 +116,8 @@ def get_context_data(self, **kwargs):
             exclude_connected=True,
         )
 
+        # If auth settings not returned, all envs marked redundant in the serializer.
+        # Should hide them instead?
         auth_settings, access_repo_error_msg, github_settings_access_error_msg \
             = self._get_all_app_settings(app)
         auth0_clients_status = app.auth0_clients_status()
@@ -120,9 +128,6 @@ def get_context_data(self, **kwargs):
         context["repo_access_error_msg"] = access_repo_error_msg
         context["github_settings_access_error_msg"] = github_settings_access_error_msg
 
-        # TODO: The following field should be removed after app migration
-        context["app_migration_info"] = app.migration_info
-        context["app_migration_status"] = context["app_migration_info"].get('status', "")
         return context
 
 
@@ -190,13 +195,12 @@ def get_success_url(self):
 
     def form_valid(self, form):
         try:
-            env_name = form.cleaned_data.get("env_name")
-            auth0_client_id = self.object.get_auth_client(env_name).get("client_id")
-            auth0.ExtendedAuth0().update_client_auth_connections(
-                app_name=self.object.auth0_client_name(env_name),
-                client_id=auth0_client_id,
+            cluster.App(
+                app=self.get_object(),
+                github_api_token=self.request.user.github_api_token
+            ).update_auth_connections(
+                env_name=form.cleaned_data.get("env_name"),
                 new_conns=form.cleaned_data.get("auth0_connections"),
-                existing_conns=form.auth0_connections,
             )
         except Exception as ex:
             form.add_error("connections", str(ex))
@@ -216,9 +220,6 @@ class UpdateAppIPAllowlists(
     def get_context_data(self, *args, **kwargs):
         context = super().get_context_data(*args, **kwargs)
         context["app"] = self.get_object()
-        context[
-            "app_migration_feature_enabled"
-        ] = settings.features.app_migration.enabled
         context["env_name"] = self.request.GET.get("env_name")
         context["app_ip_allowlists"] = [
             {
@@ -281,12 +282,14 @@ def form_valid(self, form):
                 app_id=self.kwargs["pk"],
             )
             self.object.access_level = form.cleaned_data["access_level"]
+            self.object.current_user = self.request.user
             self.object.save()
         except AppS3Bucket.DoesNotExist:
             self.object = AppS3Bucket.objects.create(
                 access_level=form.cleaned_data["access_level"],
                 app_id=self.kwargs["pk"],
                 s3bucket=form.cleaned_data["datasource"],
+                current_user=self.request.user,
             )
         return FormMixin.form_valid(self, form)
 
@@ -303,6 +306,11 @@ class RevokeAppAccess(OIDCLoginRequiredMixin, PermissionRequiredMixin, DeleteVie
     model = AppS3Bucket
     permission_required = "api.remove_app_bucket"
 
+    def get_object(self, queryset=None):
+        obj = super().get_object(queryset=queryset)
+        obj.current_user = self.request.user
+        return obj
+
     def get_success_url(self):
         messages.success(self.request, "Successfully disconnected data source")
         return reverse_lazy("manage-app", kwargs={"pk": self.object.app.id})
@@ -321,6 +329,13 @@ def get_success_url(self):
             )
         return reverse_lazy("manage-app", kwargs={"pk": self.object.app.id})
 
+    def form_valid(self, form):
+        self.object = self.get_object()
+        self.object.access_level = form.cleaned_data.get("access_level")
+        self.object.current_user = self.request.user
+        self.object.save()
+        return HttpResponseRedirect(self.get_success_url())
+
 
 class DeleteApp(OIDCLoginRequiredMixin, PermissionRequiredMixin, DeleteView):
     model = App
diff --git a/controlpanel/frontend/views/apps_mng.py b/controlpanel/frontend/views/apps_mng.py
index 93dbad396..7a54d7b30 100644
--- a/controlpanel/frontend/views/apps_mng.py
+++ b/controlpanel/frontend/views/apps_mng.py
@@ -11,7 +11,7 @@
     UserApp,
     UserS3Bucket,
 )
-from controlpanel.frontend.consumers import start_background_task
+from controlpanel.utils import start_background_task
 
 
 class AppManager:
@@ -33,15 +33,28 @@ def register_app(self, user, app_data):
         _, name = repo_url.rsplit("/", 1)
 
         # Create app and all the related sources
-        with transaction.atomic():
-            new_app = self._create_app(name=name, repo_url=repo_url)
-            self._add_ip_allowlists(new_app, envs, ip_allowlists)
-            self._add_app_to_users(new_app, user)
-            self._create_app_role(new_app)
-            self._create_or_link_datasource(new_app, user, app_data)
-        self._create_auth_settigs(
-            new_app, envs, github_api_token, disable_authentication, connections
+        new_app = self._create_app(
+            name=name,
+            repo_url=repo_url,
+            disable_authentication=disable_authentication,
+            connections=connections,
+            current_user=user,
+            deployment_envs=envs,
+            has_ip_ranges=True if ip_allowlists else False
         )
+        self._add_ip_allowlists(new_app, envs, ip_allowlists)
+        self._add_app_to_users(new_app, user)
+        # self._create_app_role(new_app)
+        self._create_or_link_datasource(new_app, user, app_data)
+        # with transaction.atomic():
+        #     self._add_ip_allowlists(new_app, envs, ip_allowlists)
+        #     self._add_app_to_users(new_app, user)
+        #     # self._create_app_role(new_app)
+        #     self._create_or_link_datasource(new_app, user, app_data)
+
+        # self._create_auth_settigs(
+        #     new_app, envs, github_api_token, disable_authentication, connections
+        # )
 
         return new_app
 
@@ -103,18 +116,15 @@ def _create_auth_settigs(
     def _create_or_link_datasource(self, app, user, bucket_data):
         if bucket_data.get("new_datasource_name"):
             bucket = S3Bucket.objects.create(
-                name=bucket_data["new_datasource_name"], bucket_owner="APP"
+                name=bucket_data["new_datasource_name"],
+                bucket_owner="APP",
+                created_by=user,
             )
             AppS3Bucket.objects.create(
                 app=app,
                 s3bucket=bucket,
                 access_level="readonly",
-            )
-            UserS3Bucket.objects.create(
-                user=user,
-                s3bucket=bucket,
-                access_level="readwrite",
-                is_admin=True,
+                current_user=user,
             )
         elif bucket_data.get("existing_datasource_id"):
             AppS3Bucket.objects.create(
diff --git a/controlpanel/frontend/views/datasource.py b/controlpanel/frontend/views/datasource.py
index 91ee55813..94c79b12a 100644
--- a/controlpanel/frontend/views/datasource.py
+++ b/controlpanel/frontend/views/datasource.py
@@ -5,17 +5,18 @@
 from django.conf import settings
 from django.contrib import messages
 from django.core.exceptions import PermissionDenied
+from django.db import transaction
+from django.http import HttpResponseRedirect
 from django.shortcuts import get_object_or_404
 from django.urls import reverse_lazy
 from django.views.generic.base import ContextMixin
 from django.views.generic.detail import DetailView
 from django.views.generic.edit import CreateView, DeleteView, FormMixin, UpdateView
 from django.views.generic.list import ListView
-from django.db import transaction
 from rules.contrib.views import PermissionRequiredMixin
 
 # First-party/Local
-from controlpanel.api import cluster
+from controlpanel.api import cluster, tasks
 from controlpanel.api.elasticsearch import bucket_hits_aggregation
 from controlpanel.api.models import (
     IAMManagedPolicy,
@@ -26,8 +27,8 @@
 )
 from controlpanel.api.serializers import ESBucketHitsSerializer
 from controlpanel.frontend.forms import (
-    CreateDatasourceForm,
     CreateDatasourceFolderForm,
+    CreateDatasourceForm,
     GrantAccessForm,
 )
 from controlpanel.oidc import OIDCLoginRequiredMixin
@@ -44,7 +45,7 @@ class DatasourceMixin(ContextMixin):
 
     def get_context_data(self, *args, **kwargs):
         context = super().get_context_data(*args, **kwargs)
-        context["all-datasources"] = self.all_datasources
+        context["all_datasources"] = self.all_datasources
         context["datasource_type"] = self.get_datasource_type()
         return context
 
@@ -75,6 +76,7 @@ def get_queryset(self):
         return S3Bucket.objects.prefetch_related("users3buckets").filter(
             is_data_warehouse=self.datasource_type == "warehouse",
             users3buckets__user=self.request.user,
+            is_deleted=False,
         )
 
     def get_context_data(self, *args, **kwargs):
@@ -84,6 +86,7 @@ def get_context_data(self, *args, **kwargs):
             "users3buckets__user"
         ).filter(
             is_data_warehouse=self.datasource_type == "warehouse",
+            is_deleted=False,
         )
         other_datasources = all_datasources.exclude(id__in=self.get_queryset())
         other_datasources_admins = {}
@@ -103,7 +106,14 @@ class AdminBucketList(BucketList):
     permission_required = "api.is_superuser"
 
     def get_queryset(self):
-        return S3Bucket.objects.prefetch_related("users3buckets").all()
+        return S3Bucket.objects.prefetch_related("users3buckets").filter(
+            is_deleted=False
+        )
+
+    def get_context_data(self, *args, **kwargs):
+        context = super().get_context_data(*args, **kwargs)
+        context["deleted_datasources"] = S3Bucket.objects.filter(is_deleted=True)
+        return context
 
 
 class WebappBucketList(BucketList):
@@ -121,6 +131,12 @@ class BucketDetail(
     permission_required = "api.retrieve_s3bucket"
     template_name = "datasource-detail.html"
 
+    def get_queryset(self):
+        queryset = super().get_queryset()
+        if not self.request.user.is_superuser:
+            queryset = queryset.filter(is_deleted=False)
+        return queryset
+
     def get_context_data(self, *args, **kwargs):
         context = super().get_context_data(*args, **kwargs)
         bucket = kwargs["object"]
@@ -163,6 +179,8 @@ def get_success_url(self):
         return reverse_lazy("manage-datasource", kwargs={"pk": self.object.pk})
 
     def get_form_class(self):
+        if self.request.GET.get("type") == "webapp":
+            return CreateDatasourceForm
         if settings.features.s3_folders.enabled:
             return CreateDatasourceFolderForm
         return CreateDatasourceForm
@@ -172,16 +190,15 @@ def form_valid(self, form):
         datasource_type = self.request.GET.get("type")
 
         try:
-            with transaction.atomic():
-                self.object = S3Bucket.objects.create(
-                    name=name,
-                    created_by=self.request.user,
-                    is_data_warehouse=datasource_type == "warehouse",
-                )
-                messages.success(
-                    self.request,
-                    f"Successfully created {name} {datasource_type} data source",
-                )
+            self.object = S3Bucket.objects.create(
+                name=name,
+                created_by=self.request.user,
+                is_data_warehouse=datasource_type == "warehouse",
+            )
+            messages.success(
+                self.request,
+                f"Successfully created {name} {datasource_type} data source",
+            )
         except Exception as ex:
             form.add_error("name", str(ex))
             return FormMixin.form_invalid(self, form)
@@ -197,16 +214,16 @@ class DeleteDatasource(
     permission_required = "api.destroy_s3bucket"
     success_url = reverse_lazy("list-warehouse-datasources")
 
-    def delete(self, *args, **kwargs):
-        bucket = self.get_object()
-        if not bucket.is_data_warehouse:
-            self.success_url = reverse_lazy("list-webapp-datasources")
-
-        response = super().delete(*args, **kwargs)
+    def get_success_url(self):
+        if not self.object.is_data_warehouse:
+            return reverse_lazy("list-webapp-datasources")
+        return self.success_url
 
+    def form_valid(self, *args, **kwargs):
+        self.object = self.get_object()
+        self.object.soft_delete(deleted_by=self.request.user)
         messages.success(self.request, "Successfully deleted data source")
-
-        return response
+        return HttpResponseRedirect(self.get_success_url())
 
 
 class UpdateAccessLevelMixin:
@@ -232,6 +249,7 @@ def get_success_url(self):
     def form_valid(self, form):
         self.object.access_level = form.cleaned_data["access_level"]
         self.object.is_admin = form.cleaned_data.get("is_admin")
+        self.object.current_user = self.request.user
         self.object.paths = form.cleaned_data["paths"]
         self.object.save()
         return FormMixin.form_valid(self, form)
@@ -291,6 +309,11 @@ class RevokeAccess(OIDCLoginRequiredMixin, PermissionRequiredMixin, DeleteView):
     model = UserS3Bucket
     permission_required = "api.destroy_users3bucket"
 
+    def get_object(self, queryset=None):
+        obj = super().get_object(queryset=queryset)
+        obj.current_user = self.request.user
+        return obj
+
     def get_success_url(self):
         messages.success(self.request, "Successfully revoked access")
         return reverse_lazy("manage-datasource", kwargs={"pk": self.object.s3bucket.id})
@@ -323,7 +346,9 @@ def form_valid(self, form):
         if is_admin and not user.has_perm("api.add_s3bucket_admin", bucket):
             raise PermissionDenied()
 
-        self.object = self.model.objects.create(**self.values(form))
+        self.object = self.model.objects.create(
+            current_user=self.request.user,
+            **self.values(form))
         return FormMixin.form_valid(self, form)
 
 
@@ -337,8 +362,8 @@ class GrantAccess(
     model = UserS3Bucket
     permission_required = "api.create_users3bucket"
 
-    def get_context_data(self):
-        context = super().get_context_data()
+    def get_context_data(self, **kwargs):
+        context = super().get_context_data(**kwargs)
         bucket = get_object_or_404(S3Bucket, pk=self.kwargs["pk"])
         context["bucket"] = bucket
         member_ids = list(
diff --git a/controlpanel/frontend/views/reset.py b/controlpanel/frontend/views/reset.py
index 2b8d277eb..b05c8a1ea 100644
--- a/controlpanel/frontend/views/reset.py
+++ b/controlpanel/frontend/views/reset.py
@@ -4,7 +4,7 @@
 from django.views.generic.edit import FormView
 
 # First-party/Local
-from controlpanel.frontend.consumers import start_background_task
+from controlpanel.utils import start_background_task
 from controlpanel.frontend.forms import ResetHomeDirectoryForm
 from controlpanel.oidc import OIDCLoginRequiredMixin
 
diff --git a/controlpanel/frontend/views/task.py b/controlpanel/frontend/views/task.py
new file mode 100644
index 000000000..e9ea282a7
--- /dev/null
+++ b/controlpanel/frontend/views/task.py
@@ -0,0 +1,21 @@
+# Third-party
+from django.views.generic.list import ListView
+from rules.contrib.views import PermissionRequiredMixin
+
+# First-party/Local
+from controlpanel.api.models import Task
+from controlpanel.oidc import OIDCLoginRequiredMixin
+
+
+class TaskList(OIDCLoginRequiredMixin, PermissionRequiredMixin, ListView):
+    """
+    Used to display a list of incomplete tasks
+    panel application.
+    """
+
+    context_object_name = "tasks"
+    model = Task
+    permission_required = "api.list_task"
+    queryset = Task.objects.filter(completed=False)
+    template_name = "task-list.html"
+    ordering = ["entity_class", "entity_description", "created"]
diff --git a/controlpanel/frontend/views/tool.py b/controlpanel/frontend/views/tool.py
index 78cc98ee5..1943d71c4 100644
--- a/controlpanel/frontend/views/tool.py
+++ b/controlpanel/frontend/views/tool.py
@@ -19,7 +19,7 @@
     get_helm_entries,
 )
 from controlpanel.api.models import Tool, ToolDeployment
-from controlpanel.frontend.consumers import start_background_task
+from controlpanel.utils import start_background_task
 from controlpanel.oidc import OIDCLoginRequiredMixin
 
 log = structlog.getLogger(__name__)
@@ -220,9 +220,6 @@ def get_context_data(self, *args, **kwargs):
         id_token = user.get_id_token()
 
         context = super().get_context_data(*args, **kwargs)
-        context[
-            "ip_range_feature_enabled"
-        ] = settings.features.app_migration.enabled  # noqa: E501
         context["user_guidance_base_url"] = settings.USER_GUIDANCE_BASE_URL
         context["aws_service_url"] = settings.AWS_SERVICE_URL
 
diff --git a/controlpanel/middleware/__init__.py b/controlpanel/middleware/__init__.py
index db89777f5..7f5761b18 100644
--- a/controlpanel/middleware/__init__.py
+++ b/controlpanel/middleware/__init__.py
@@ -1,3 +1,2 @@
 # First-party/Local
-from controlpanel.middleware.legacy_api_redirect import LegacyAPIRedirectMiddleware
 from controlpanel.middleware.never_cache import DisableClientSideCachingMiddleware
diff --git a/controlpanel/middleware/legacy_api_redirect.py b/controlpanel/middleware/legacy_api_redirect.py
deleted file mode 100644
index f4c6cb72a..000000000
--- a/controlpanel/middleware/legacy_api_redirect.py
+++ /dev/null
@@ -1,41 +0,0 @@
-# Standard library
-import re
-
-# Third-party
-import structlog
-from django.conf import settings
-
-API_PATH = re.compile(r"^/(?P<resource>[^/]+)")
-
-log = structlog.getLogger(__name__)
-
-
-class LegacyAPIRedirectMiddleware:
-    def __init__(self, get_response):
-        self.get_response = get_response
-
-    def __call__(self, request):
-        if settings.features.redirect_legacy_api_urls.enabled:
-            json_requested = request.META.get("HTTP_ACCEPT") == "application/json"
-            is_api_path = legacy_api_path(request.path_info)
-
-            if is_api_path and json_requested:
-                log.debug(f"Redirecting legacy API request: {request.path_info}")
-                request.urlconf = "controlpanel.api.urls"
-
-        return self.get_response(request)
-
-
-def legacy_api_path(path):
-    match = API_PATH.match(path)
-    if match:
-        return match.group("resource") in [
-            "apps",
-            "apps3buckets",
-            "groups",
-            "s3buckets",
-            "userapps",
-            "users",
-            "users3buckets",
-            "tools",
-        ]
diff --git a/controlpanel/settings/common.py b/controlpanel/settings/common.py
index 3256ba852..d12a7c955 100644
--- a/controlpanel/settings/common.py
+++ b/controlpanel/settings/common.py
@@ -83,7 +83,6 @@
 MIDDLEWARE = [
     "django_prometheus.middleware.PrometheusBeforeMiddleware",
     "controlpanel.middleware.DisableClientSideCachingMiddleware",
-    "controlpanel.middleware.LegacyAPIRedirectMiddleware",
     "django.middleware.security.SecurityMiddleware",
     "django.contrib.sessions.middleware.SessionMiddleware",
     "django.middleware.common.CommonMiddleware",
@@ -538,3 +537,33 @@
 # volume name for the EFS directory for user homes
 EFS_VOLUME = os.environ.get("EFS_VOLUME")
 MAX_RELEASE_NAME_LEN = 53
+
+
+# Configure for celery for message queues
+IAM_QUEUE_NAME = os.environ.get("IAM_QUEUE_NAME", "control-panel-iam")
+S3_QUEUE_NAME = os.environ.get("S3_QUEUE_NAME", "control-panel-s3")
+AUTH_QUEUE_NAME = os.environ.get("AUTH_QUEUE_NAME", "control-panel-auth")
+
+BROKER_URL = os.environ.get("BROKER_URL", "sqs://")
+DEFAULT_QUEUE = AUTH_QUEUE_NAME
+DEFAULT_BACKOFF_POLICY = {1: 10, 2: 20, 3: 40, 4: 80, 5: 320, 6: 640}
+PRE_DEFINED_QUEUES = [IAM_QUEUE_NAME, S3_QUEUE_NAME, AUTH_QUEUE_NAME]
+CELERY_DEFAULT_QUEUE = DEFAULT_QUEUE
+SQS_REGION = os.environ.get("SQS_REGION", "eu-west-2")
+BROKER_TRANSPORT_OPTIONS = {
+    "polling_interval": 1,
+    "region": SQS_REGION,
+    "wait_time_seconds": 0,
+    "predefined_queues": {}
+}
+for queue in PRE_DEFINED_QUEUES:
+    BROKER_TRANSPORT_OPTIONS['predefined_queues'][queue] = {
+        'url': f'https://sqs.{SQS_REGION}.amazonaws.com/{AWS_DATA_ACCOUNT_ID}/{queue}',
+        'backoff_policy': DEFAULT_BACKOFF_POLICY,
+    }
+
+CELERY_IMPORTS = [
+    "controlpanel.api.tasks.handlers"
+]
+
+S3_ARCHIVE_BUCKET_NAME = "dev-archive-folder"
diff --git a/controlpanel/settings/development.py b/controlpanel/settings/development.py
index 836f1f052..022995e1b 100644
--- a/controlpanel/settings/development.py
+++ b/controlpanel/settings/development.py
@@ -10,9 +10,6 @@
 # Allow all hostnames to access the server
 ALLOWED_HOSTS = ["localhost", "127.0.0.1", "0.0.0.0"]
 
-# Install the develop pages in development mode
-INSTALLED_APPS.append("controlpanel.develop")  # noqa: F405
-
 # Enable Django debug toolbar
 if os.environ.get("ENABLE_DJANGO_DEBUG_TOOLBAR"):
     MIDDLEWARE.insert(  # noqa: F405, E501
diff --git a/controlpanel/settings/test.py b/controlpanel/settings/test.py
index d79f88450..4f260e330 100644
--- a/controlpanel/settings/test.py
+++ b/controlpanel/settings/test.py
@@ -29,3 +29,6 @@
     "api_token": "test-slack-api-token",
     "channel": "test-slack-channel",
 }
+
+SQS_REGION = "eu-west-1"
+USE_LOCAL_MESSAGE_BROKER = False
diff --git a/controlpanel/urls.py b/controlpanel/urls.py
index 555ccb7b6..f74ded820 100644
--- a/controlpanel/urls.py
+++ b/controlpanel/urls.py
@@ -20,9 +20,5 @@
     path("metrics", exports.ExportToDjangoView, name="prometheus-django-metrics"),
 ]
 
-if "controlpanel.develop" in settings.INSTALLED_APPS:
-    urlpatterns += [
-        path("develop/", include("controlpanel.develop.urls")),
-    ]
 
 urlpatterns += staticfiles_urlpatterns()
diff --git a/controlpanel/utils.py b/controlpanel/utils.py
index b2a2e1bd8..402ec1514 100644
--- a/controlpanel/utils.py
+++ b/controlpanel/utils.py
@@ -1,4 +1,5 @@
 # Standard library
+import time
 from base64 import b64encode
 import os
 import re
@@ -7,8 +8,10 @@
 # Third-party
 import structlog
 import yaml
+from asgiref.sync import async_to_sync
 from channels.exceptions import StopConsumer
 from channels.generic.http import AsyncHttpConsumer
+from channels.layers import get_channel_layer
 from django.conf import settings
 from django.template.defaultfilters import slugify
 from nacl import encoding, public
@@ -216,3 +219,42 @@ def encrypt_data_by_using_public_key(public_key: str, data: str) -> str:
     sealed_box = public.SealedBox(public_key)
     encrypted = sealed_box.encrypt(data.encode("utf-8"))
     return b64encode(encrypted).decode("utf-8")
+
+
+def time_it(func):
+    """
+    Debug tool to time how long a function takes. Use as a decorator e.g.:
+    @time_it
+    def my_func():
+    """
+    def wrapper(*args, **kwargs):
+        start = time.time()
+        result = func(*args, **kwargs)
+        end = time.time()
+        elapsed = end - start
+        print(f"{func.__name__} took {elapsed:.5f} secs")
+        return result
+
+    return wrapper
+
+
+def send_sse(user_id, event):
+    """
+    Tell the SSEConsumer to send an event to the specified user
+    """
+    channel_layer = get_channel_layer()
+    async_to_sync(channel_layer.group_send)(
+        sanitize_dns_label(user_id),
+        {"type": "sse.event", **event},
+    )
+
+
+def start_background_task(task, message):
+    channel_layer = get_channel_layer()
+    async_to_sync(channel_layer.send)(
+        "background_tasks",
+        {
+            "type": task,
+            **message,
+        },
+    )
diff --git a/controlpanel/develop/models.py b/controlpanel/worker.py
similarity index 100%
rename from controlpanel/develop/models.py
rename to controlpanel/worker.py
diff --git a/doc/architecture.md b/doc/architecture.md
index 8ed59c657..97a9f954c 100644
--- a/doc/architecture.md
+++ b/doc/architecture.md
@@ -98,4 +98,38 @@ AWS_ROLES_MAP:
   
 - The feature of supporting the multi AWS accounts was required by the app migration, since we changed
   cluster to Cloud-Platoform team, the feature is not required any more but we are not going to revert
-  the code back as the current code support single account too
\ No newline at end of file
+  the code back as the current code support single account too
+  
+## Message Broker and Queue
+The Control panel is under the process of refactoring how we manage/trigger/perform the tasks which are related to
+external third party of tools, service and infrastructure including AWS and cluster etc,.
+Although right now those tasks are mainly application and user related, potentially it can be
+extended to other type of resources the future. 
+
+We introduce the message broker and queue as the key role during this process, 
+
+The main reasons for introduce the MB and MQ:
+- Make the sequences of task more controllable and not affect each other, more robust 
+- Outsource or offload the heavy task (e.g. ip_range lookup table change)
+- Make the parts related infrastructure side easier to be maintained or be replaced
+  better visibility for background tasks
+  
+Main tech stack
+- Use AWS SQS as message broker
+- Use celery for workers
+- User boto3 to send message but following the message protocol of celery for 
+  decoupling sender from particular mq client
+
+## RESTFul APIs
+
+Two ways for allowing external parties to use Control Panel's APIs
+- SessionAuthentication
+- JWTAuthentication(Oauth2 flow): mainly for Machine to Machine API call
+  we use Auth0 as the oauth server to produce the access token. 
+  The process for granting the access to Control panel's API
+  - Register a machine-to-machine auth0 client for this external party
+  - Grant the access to Control panel APIs from auth0:
+    Applications>APIs>`Control panel APIs`>`Machine To Machine Applications`
+  - Choose the suitable scopes for this third party there
+  
+  
\ No newline at end of file
diff --git a/doc/environment.md b/doc/environment.md
index 5a7feeddf..29f084bf4 100644
--- a/doc/environment.md
+++ b/doc/environment.md
@@ -92,3 +92,5 @@ in django settings.
 | `SLACK_API_TOKEN` | Slack token ([more information)](https://slack.dev/python-slackclient/auth.html) | Only required when you're working with Slack |
 | `ENABLE_DB_SSL` | Optional: When set to True ensures the database connection requires SSL. If set to False, allow unencrypted connections | Default is False for local env but True for production |
 | `BROADCAST_MESSAGE` | Optional: The public message for Control app users, it can be switched off by setting up the value as empty string |  |
+| `USE_LOCAL_MESSAGE_BROKER` | Determines which message broker client is used. For local development it is recommended this is set to True.  | `False` |
+| `BROKER_URL` | Broker url setting used by Celery. For local development, recommended to use Redis e.g. redis://localhost:6379/0  | `sqs://` |
diff --git a/doc/lambda_function_example.py b/doc/lambda_function_example.py
new file mode 100644
index 000000000..726347e88
--- /dev/null
+++ b/doc/lambda_function_example.py
@@ -0,0 +1,102 @@
+import json
+import requests
+import os
+
+
+def _get_access_token():
+    request_headers = {
+        "content-type": "application/x-www-form-urlencoded"
+    }
+    token_url = f'https://{os.environ["AUTH0_OIDC_DOMAIN"]}/oauth/token'
+    data = {
+        'client_id': os.environ['CLIENT_ID'],
+        'client_secret': os.environ['CLIENT_SECRET'],
+        'audience': os.environ['AUDIENCE'],
+        'grant_type': os.environ['GRANT_TYPE'],
+    }
+    response = requests.post(
+        url=token_url,
+        data=data,
+        headers=request_headers
+    )
+    try:
+        content = json.loads(response.text)
+        if content.get("access_token"):
+            print("got the access_token")
+            return content.get("access_token")
+        else:
+            raise Exception(response.text)
+    except ValueError:
+        raise Exception("No result is returned")
+
+
+def _get_user_info(access_token, user_id):
+    request_headers = {
+        "content-type": "application/json",
+        "Authorization": f"Bearer {access_token}"
+    }
+    user_api_url = f'{os.environ["CPANEL_API_URL"]}/users/{user_id}'
+    response = requests.get(
+        url=user_api_url,
+        headers=request_headers
+    )
+    try:
+        print("getting user_info from cpanel.")
+        return json.loads(response.text)
+    except ValueError:
+        raise Exception("No result is returned")
+
+
+def create_user_in_data_catalogue(user_info):
+    request_headers = {
+        "content-type": "application/json",
+        "Authorization": f'Bearer {os.environ["OPEN_METADATA_JWT_TOKEN"]}'
+    }
+    api_url = f'{os.environ["OPEN_METADATA_API_DOMAIN"]}/users'
+    data = {
+        'displayName': user_info.get("username"),
+        'email': user_info.get("email"),
+        'name': user_info.get("username")
+    }
+    response = requests.post(
+        url=api_url,
+        json=data,
+        headers=request_headers
+    )
+    try:
+        content = json.loads(response.text)
+        if content.get("id"):
+            print("user has been created")
+            return content
+        else:
+            print(response.text)
+            raise Exception(response.text)
+    except ValueError:
+        raise Exception("No result is returned")
+
+
+def process_user(user_id):
+    access_token = _get_access_token()
+    user_info = _get_user_info(access_token, user_id)
+    try:
+        created_user = create_user_in_data_catalogue(user_info)
+        if created_user:
+            print(created_user)
+    except Exception as ex:
+        print(f"Failed to create the user {user_id}. due to error {str(ex)}")
+
+
+def lambda_handler(event, context):
+    print("testing....")
+    for record in event["Records"]:
+        print(record['body'])
+        try:
+            body_message = json.loads(record['body'])
+            if body_message.get('user_id'):
+                process_user(body_message.get('user_id'))
+        except ValueError:
+            pass
+    return {
+        'statusCode': 200,
+        'body': json.dumps('ok')
+    }
diff --git a/doc/running.md b/doc/running.md
index 359193d39..3837fc3bb 100644
--- a/doc/running.md
+++ b/doc/running.md
@@ -197,6 +197,32 @@ Then you can run migrations:
 python3 manage.py migrate
 ```
 
+### Message broker
+
+The Control Panel uses a message queue to run some tasks. For local development, Redis
+is recommended as the message broker rather than SQS (which is used in the development
+and production environments). To use Redis as the message broker you need to ensure that
+the following environment variables are set in your local .env file:
+
+```
+USE_LOCAL_MESSAGE_BROKER=True
+BROKER_URL=redis://localhost:6379/0
+```
+
+You will need to ensure that you have Redis running locally (see steps above), and then
+start the celery worker with the following command from your terminal:
+
+```
+celery -A controlpanel worker --loglevel=info
+```
+
+Note, if using aws vault you will need to prefix the command with
+`aws-vault exec admin-dev-sso -- `.
+
+When running correctly you will see the output `Connected to redis://localhost:6379/0`.
+Now when tasks are sent to the message queue by Control Panel they will bypass SQS,
+making sure that tasks are only received by your locally running celery worker.
+
 
 ### Compile Sass and Javascript
 
@@ -245,19 +271,19 @@ and then ask a colleague for help.
 
 ## Run the app
 
-**Assumption**: 
+**Assumption**:
 - You have completed your local env setup by following the above sections.
 - we use aws with sso login, the name of profile for our aws dev account is `admin-dev-sso`
 
 ### Local AWS profile setup (on first run only)
 This app needs to interact with AWS account.
 The AWS resources like IAM, s3 buckets are under our dev account and will be managed by
-app through [boto3](https://boto3.amazonaws.com/v1/documentation/api/latest/index.html). 
+app through [boto3](https://boto3.amazonaws.com/v1/documentation/api/latest/index.html).
 In order to make sure the boto3 can obtain the right profile for local env.
 
 #### using aws-cli directly
 
-Check your `.aws/config`, the profile `admin-dev-sso` should look like below 
+Check your `.aws/config`, the profile `admin-dev-sso` should look like below
 
 ```ini
     [profile admin-dev-sso]
@@ -270,7 +296,7 @@ __NOTES__ boto3 doesn't recognise `sso_session` and it will fail to retrieve the
 `.aws/sso/cache` folder if you mix above setting with `sso_session` together.
 
 #### using aws-vault
-If you use aws-vault to manage your aws credential, then the profile should look like 
+If you use aws-vault to manage your aws credential, then the profile should look like
 
 ```ini
     [profile sso-default]
@@ -359,15 +385,15 @@ Or with Gunicorn WSGI server:
 ```sh
 gunicorn -b 0.0.0.0:8000 -k uvicorn.workers.UvicornWorker -w 4 controlpanel.asgi:application
 ```
-if you use `aws-vault` to manage the aws-cli, then you need put `aws-vault exec <profile_name e.g. admin-dev-sso> -- ` 
-before the above command e.g. 
+if you use `aws-vault` to manage the aws-cli, then you need put `aws-vault exec <profile_name e.g. admin-dev-sso> -- `
+before the above command e.g.
 ```sh
 aws-vault exec admin-dev-sso -- python3 manage.py runserver
 ```
 If the AWS session token is expired,  you will be redirected to auth-flow to refresh the session token automatically
 
-if you choose not using `aws-vault`, then in order to reduce the chance of getting sesion_token expiration during 
-debugging, make sure you run the following command in advance 
+if you choose not using `aws-vault`, then in order to reduce the chance of getting sesion_token expiration during
+debugging, make sure you run the following command in advance
 ```sh
 aws sso login --profile <profile_name e.g. admin-dev-sso>
 ```
@@ -418,19 +444,7 @@ Current checks are:-
 - `black` library (formats Python code)
 - `isort` library (standardises the order of Python imports)
 - `flake8` library (formats Python code and also improves code style)
-- Jira ticket reference (commits must reference the ticket number)
 
 To override the above for whatever reason (maybe you don't have a ticket number and because you are working on hotfix) you can use the following command.
 
 `PRE_COMMIT_ALLOW_NO_CONFIG=1 git push ...`
-
-### Git commit message
-
-Commit messages should follow the appropriate format.
-All commits must begin with the Jira ticket they are associated with.
-
-format: `ANPL-[int]`
-
-e.g.
-
-`git commit -m "ANPL-1234 insert message here"`
diff --git a/requirements.txt b/requirements.txt
index f03e4f583..ffbfe9ecf 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,7 +1,8 @@
 asgiref==3.6.0
 auth0-python==3.13.0
 beautifulsoup4==4.12.2
-boto3==1.20.13
+boto3==1.26.143
+celery[sqs]==5.3.1
 channels==4.0.0
 channels-redis==4.0.0
 daphne==4.0.0
@@ -33,5 +34,5 @@ pyyaml==6.0
 rules==3.3
 sentry-sdk==1.14.0
 slackclient==2.8.1
-urllib3==1.26.11
+urllib3==1.26.16
 uvicorn[standard]==0.20.0
diff --git a/settings.yaml b/settings.yaml
index eebe69f6b..aaa9713fa 100644
--- a/settings.yaml
+++ b/settings.yaml
@@ -1,9 +1,4 @@
 enabled_features:
-  app_migration:
-    _DEFAULT: false
-    _HOST_dev: true
-    _HOST_prod: true
-    _HOST_alpha: true
   redirect_legacy_api_urls:
     _DEFAULT: true
   s3_folders:
@@ -59,7 +54,7 @@ AWS_DEFAULT_REGION: "eu-west-1"
 APP_DOMAIN_BEFORE_MIGRATION: apps.alpha.mojanalytics.xyz
 APP_DOMAIN: apps.live.cloud-platform.service.justice.gov.uk
 
-SLACK_CHANNEL: "#analytical-platform"
+SLACK_CHANNEL: "#data-platform-notifications"
 
 
 AWS_ROLES_MAP:
@@ -131,3 +126,8 @@ S3_FOLDER_BUCKET_NAME:
   _DEFAULT: "dev-folder-migration-spike"
   _HOST_test: "test-folder-bucket"
   _HOST_dev: "dev-folder-migration-spike"
+
+
+WORKER_HEALTH_FILENAME: "/tmp/worker_health.txt"
+USE_LOCAL_MESSAGE_BROKER: false
+BROKER_URL: "sqs://"
diff --git a/tests/api/cluster/test_access_to_s3buckets.py b/tests/api/cluster/test_access_to_s3buckets.py
index 481be8d81..a49cb51ce 100644
--- a/tests/api/cluster/test_access_to_s3buckets.py
+++ b/tests/api/cluster/test_access_to_s3buckets.py
@@ -17,6 +17,14 @@ def grant_bucket_access():
         yield grant_bucket_access_action
 
 
+@pytest.fixture
+def grant_folder_access():
+    with patch(
+        "controlpanel.api.cluster.AWSRole.grant_folder_access"
+    ) as grant_bucket_access_action:
+        yield grant_bucket_access_action
+
+
 @pytest.fixture
 def grant_policy_bucket_access():
     with patch(
@@ -24,6 +32,13 @@ def grant_policy_bucket_access():
     ) as grant_policy_bucket_access_action:
         yield grant_policy_bucket_access_action
 
+@pytest.yield_fixture
+def grant_policy_folder_access():
+    with patch(
+        "controlpanel.api.cluster.AWSPolicy.grant_folder_access"
+    ) as grant_policy_folder_access_action:
+        yield grant_policy_folder_access_action
+
 
 @pytest.fixture(autouse=True)
 def enable_db_for_all_tests(db):
@@ -71,6 +86,29 @@ def test_grant_access(grant_bucket_access, bucket, entities, entity_type, resour
     )
 
 
+@pytest.mark.parametrize(
+    "entity_type, paths",
+    [
+        ("user", []),
+        ("user", ["/foo/bar", "/foo/baz"]),
+    ],
+    ids=[
+        "user",
+        "user-paths",
+    ],
+)
+def test_grant_folder_access(grant_folder_access, bucket, entities, entity_type, paths):
+    entity = entities[entity_type]
+    entity.grant_folder_access(bucket.name, "readonly", paths)
+
+    grant_folder_access.assert_called_with(
+        role_name=entity.iam_role_name,
+        root_folder_path=bucket.name,
+        access_level="readonly",
+        paths=paths,
+    )
+
+
 @pytest.mark.parametrize(
     "resources",
     [
@@ -92,3 +130,26 @@ def test_grant_group_access(grant_policy_bucket_access, bucket, entities, resour
         "readonly",
         resources,
     )
+
+
+@pytest.mark.parametrize(
+    "entity_type, resources",
+    [
+        ("group", []),
+        ("group", ["/foo/bar", "/foo/baz"]),
+    ],
+    ids=[
+        "group",
+        "group-paths",
+    ],
+)
+def test_grant_group_folder_access(grant_policy_folder_access, bucket, entities, entity_type, resources):
+    entity = entities["group"]
+    entity.grant_folder_access(bucket.name, "readonly", resources)
+
+    grant_policy_folder_access.assert_called_with(
+        entity.arn,
+        bucket.name,
+        "readonly",
+        resources,
+    )
diff --git a/tests/api/cluster/test_app.py b/tests/api/cluster/test_app.py
index d0f0134bf..6be859f60 100644
--- a/tests/api/cluster/test_app.py
+++ b/tests/api/cluster/test_app.py
@@ -67,5 +67,64 @@ def test_app_delete(aws_delete_role, app, authz):
     aws_delete_role.assert_called_with(app.iam_role_name)
 
 
+@pytest.fixture
+def ExtendedAuth0():
+    with patch("controlpanel.api.auth0.ExtendedAuth0") as authz:
+        authz.DEFAULT_CONNECTION_OPTION = "email"
+        yield authz.return_value
+
+
+def test_update_auth_connections(app, ExtendedAuth0):
+    with patch.object(ExtendedAuth0, "get_client_enabled_connections") as get_conns, \
+            patch.object(ExtendedAuth0, "update_client_auth_connections") as update_conns, \
+            patch("controlpanel.api.cluster.App.create_or_update_env_var") as create_or_update:
+        testing_env = "testing_env"
+        testing_client_id = "testing_client_id"
+        app.app_conf = {
+            models.App.KEY_WORD_FOR_AUTH_SETTINGS: {
+                testing_env: {"client_id": testing_client_id}
+            }
+        }
+        app.repo_url = "https://github.com/moj-analytical-services/my_repo"
+
+        # Change to use non-passwordless connection
+        new_conns = {"github": {}},
+        get_conns.return_value = {
+            testing_client_id: "email"
+        }
+        cluster.App(app, github_api_token="testing").update_auth_connections(
+            testing_env,
+            new_conns=new_conns
+        )
+        create_or_update.assert_called_with(
+            env_name='testing_env',
+            key_name='AUTH0_PASSWORDLESS',
+            key_value=False)
+        update_conns.assert_called_with(
+            app_name='data-platform-app-slug-testing_env',
+            client_id='testing_client_id',
+            new_conns=new_conns,
+            existing_conns='email')
+
+        # Change to use passwordless connection
+        new_conns = {"email": {}}
+        get_conns.return_value = {
+            testing_client_id: "github"
+        }
+        cluster.App(app, github_api_token="testing").update_auth_connections(
+            testing_env,
+            new_conns=new_conns
+        )
+        create_or_update.assert_called_with(
+            env_name='testing_env',
+            key_name='AUTH0_PASSWORDLESS',
+            key_value=True)
+        update_conns.assert_called_with(
+            app_name='data-platform-app-slug-testing_env',
+            client_id='testing_client_id',
+            new_conns=new_conns,
+            existing_conns='github')
+
+
 mock_ingress = MagicMock(name="Ingress")
 mock_ingress.spec.rules = [MagicMock(name="Rule", host="test-app.example.com")]
diff --git a/tests/api/filters/test_apps3bucket_filter.py b/tests/api/filters/test_apps3bucket_filter.py
index 314a68d0c..b779d396a 100644
--- a/tests/api/filters/test_apps3bucket_filter.py
+++ b/tests/api/filters/test_apps3bucket_filter.py
@@ -10,7 +10,7 @@
 
 
 @pytest.fixture(autouse=True)
-def apps3buckets(s3):
+def apps3buckets(s3, sqs):
     with patch("controlpanel.api.aws.AWSBucket.create"),\
             patch("controlpanel.api.aws.AWSRole.grant_bucket_access"):
         mommy.make("api.AppS3Bucket", NUM_APPS3BUCKETS)
diff --git a/tests/api/fixtures/aws.py b/tests/api/fixtures/aws.py
index 3d76c4c80..0f858bae6 100644
--- a/tests/api/fixtures/aws.py
+++ b/tests/api/fixtures/aws.py
@@ -41,6 +41,16 @@ def ssm(aws_creds):
         yield boto3.client("ssm", region_name="eu-west-1")
 
 
+@pytest.fixture(autouse=True)
+def sqs(aws_creds):
+    with moto.mock_sqs():
+        sqs = boto3.resource("sqs")
+        sqs.create_queue(QueueName=settings.DEFAULT_QUEUE)
+        sqs.create_queue(QueueName=settings.IAM_QUEUE_NAME)
+        sqs.create_queue(QueueName=settings.S3_QUEUE_NAME)
+        yield sqs
+
+
 @pytest.fixture(autouse=True)
 def secretsmanager(aws_creds):
     with moto.mock_secretsmanager():
diff --git a/tests/api/fixtures/nomis_body.json b/tests/api/fixtures/nomis_body.json
index 17a598b0c..084d06dbd 100644
--- a/tests/api/fixtures/nomis_body.json
+++ b/tests/api/fixtures/nomis_body.json
@@ -1,7 +1,7 @@
 {
   "options": {
     "scripts": {
-      "fetchUserProfile": "function(accessToken, ctx, cb) {\n  var base_url = \"https://testing.com\";\n  var user_endpoint = \"/auth/api/user/me\";\n  var user_profile_url = base_url + user_endpoint;\n\n  // call oauth2 API with the accesstoken and create the profile\n  request.get(\n    user_profile_url, {\n      headers: {\n        Authorization: \"Bearer \" + accessToken\n      }\n    },\n    function(err, resp, body) {\n      if (err) {\n        cb(err);\n        return;\n      }\n      if (!/^2/.test(\"\" + resp.statusCode)) {\n        cb(body);\n        return;\n      }\n      let parsedBody = JSON.parse(body);\n      let profile = {\n        user_id: parsedBody.staffId,\n        nickname: parsedBody.name,\n        name: parsedBody.name,\n        email: parsedBody.username + \"+\" + parsedBody.activeCaseLoadId + \"@nomis\",\n        username: parsedBody.username,\n        blocked: !parsedBody.active,\n        activeCaseLoadId: parsedBody.activeCaseLoadId,\n        _nomisAccessToken: accessToken\n      };\n      cb(null, profile);\n    }\n  );\n}"
+      "fetchUserProfile": "function fetchUserProfile(accessToken, context, callback) {\n  // The email is only for auth0 usage purpose, not the actual email of login user\n  const profile = {\n    sub: context.sub,\n    user_id: context.user_id,\n    auth_source: context.auth_source,\n    nickname: context.name,\n    name: context.name,\n    username: context.user_name,\n    _accessToken: accessToken,\n    email: context.user_name + \"+\" + context.user_id + \"@\" + context.auth_source,\n  };\n  callback(null, profile);\n}"
     },
     "client_id": "test_nomis_connection_id",
     "client_secret": "WNXFkM3FCTXJhUWs0Q1NwcKFu",
diff --git a/tests/api/models/test_app.py b/tests/api/models/test_app.py
index d1b9e934a..f479a1f56 100644
--- a/tests/api/models/test_app.py
+++ b/tests/api/models/test_app.py
@@ -3,6 +3,7 @@
 
 # Third-party
 import pytest
+from django.conf import settings
 from model_mommy import mommy
 
 # First-party/Local
@@ -28,7 +29,7 @@ def update_aws_secrets_manager():
 @pytest.fixture
 def app():
     app = mommy.make("api.App")
-    app.repo_url="https://github.com/example.com/repo_name"
+    app.repo_url = "https://github.com/example.com/repo_name"
     auth_settings = dict(
         client_id="testing_client_id",
         group_id="testing_group_id"
@@ -41,6 +42,20 @@ def app():
     return app
 
 
+@pytest.mark.django_db
+def test_create(sqs, helpers):
+    repo_url = "https://example.com/foo__bar-baz!bat-1337"
+    app = App.objects.create(repo_url=repo_url)
+    iam_messages = helpers.retrieve_messages(sqs, queue_name=settings.IAM_QUEUE_NAME)
+    helpers.validate_task_with_sqs_messages(
+        iam_messages, App.__name__, app.id, queue_name=settings.IAM_QUEUE_NAME
+    )
+    auth_messages = helpers.retrieve_messages(sqs, queue_name=settings.AUTH_QUEUE_NAME)
+    helpers.validate_task_with_sqs_messages(
+        auth_messages, App.__name__, app.id, queue_name=settings.AUTH_QUEUE_NAME
+    )
+
+
 @pytest.mark.django_db
 def test_slug_characters_replaced():
     repo_url = "https://example.com/foo__bar-baz!bat-1337"
@@ -180,8 +195,11 @@ def test_app_allowed_ip_ranges():
     ]
     app = mommy.make("api.App")  # noqa:F841
     for item in ip_allow_lists:
-        mommy.make("api.AppIPAllowList",
-            app_id=app.id, ip_allowlist_id=item.id, deployment_env="test"
+        mommy.make(
+            "api.AppIPAllowList",
+            app_id=app.id,
+            ip_allowlist_id=item.id,
+            deployment_env="test",
         )
     app_ip_ranges = app.env_allowed_ip_ranges("test")
     assert " " not in app_ip_ranges
@@ -190,4 +208,3 @@ def test_app_allowed_ip_ranges():
     full_app_ip_ranges = app.app_allowed_ip_ranges
     assert " " not in full_app_ip_ranges
     assert len(full_app_ip_ranges.split(",")) == 4
-
diff --git a/tests/api/models/test_apps3bucket.py b/tests/api/models/test_apps3bucket.py
index a3f5632c7..2d27bf3e4 100644
--- a/tests/api/models/test_apps3bucket.py
+++ b/tests/api/models/test_apps3bucket.py
@@ -3,6 +3,7 @@
 
 # Third-party
 import pytest
+from django.conf import settings
 from django.db.utils import IntegrityError
 from model_mommy import mommy
 
@@ -37,54 +38,25 @@ def test_one_record_per_app_per_s3bucket(app, bucket):
 
 
 @pytest.mark.django_db
-def test_update_aws_permissions(app, bucket):
-    with patch(
-        "controlpanel.api.cluster.AWSRole.grant_bucket_access"
-    ) as grant_bucket_access_action:
-        apps3bucket = AppS3Bucket(
-            app=app,
-            s3bucket=bucket,
-            access_level=AppS3Bucket.READONLY,
-        )
+def test_aws_permissions(app, bucket, sqs, helpers):
+    apps3bucket = AppS3Bucket(
+        app=app,
+        s3bucket=bucket,
+        access_level=AppS3Bucket.READONLY,
+    )
 
-        apps3bucket.save()
-
-        grant_bucket_access_action.assert_called_with(
-            app.iam_role_name,
-            bucket.arn,
-            AppS3Bucket.READONLY,
-            apps3bucket.resources,
-        )
-        # TODO get policy from call and assert ARN in correct place
-
-
-@pytest.mark.django_db
-def test_aws_create(app, bucket):
-    with patch(
-        "controlpanel.api.cluster.AWSRole.grant_bucket_access"
-    ) as grant_bucket_access_action:
-        apps3bucket = AppS3Bucket(
-            app=app,
-            s3bucket=bucket,
-            access_level=AppS3Bucket.READONLY,
-        )
-
-        apps3bucket.save()
-
-        grant_bucket_access_action.assert_called_with(
-            app.iam_role_name,
-            bucket.arn,
-            AppS3Bucket.READONLY,
-            apps3bucket.resources,
-        )
-        # TODO make this test a case on previous
+    apps3bucket.save()
+    messages = helpers.retrieve_messages(sqs, queue_name=settings.IAM_QUEUE_NAME)
+    helpers.validate_task_with_sqs_messages(
+        messages, AppS3Bucket.__name__, apps3bucket.id, settings.IAM_QUEUE_NAME
+    )
 
 
 @pytest.mark.django_db
 def test_delete_revoke_permissions(app, bucket):
-    with patch("controlpanel.api.aws.AWSRole.grant_bucket_access"), \
-            patch("controlpanel.api.cluster.AWSRole.revoke_bucket_access") \
-                    as revoke_bucket_access_action:
+    with patch(
+        "controlpanel.api.tasks.S3BucketRevokeAppAccess"
+    ) as revoke_bucket_access_task:
         apps3bucket = mommy.make(
             "api.AppS3Bucket",
             app=app,
@@ -94,7 +66,8 @@ def test_delete_revoke_permissions(app, bucket):
 
         apps3bucket.delete()
 
-        revoke_bucket_access_action.assert_called_with(
-            apps3bucket.iam_role_name,
-            bucket.arn,
+        revoke_bucket_access_task.assert_called_once_with(
+            apps3bucket,
+            None
         )
+        revoke_bucket_access_task.return_value.create_task.assert_called_once()
diff --git a/tests/api/models/test_s3bucket.py b/tests/api/models/test_s3bucket.py
index bbd66ae07..63c999cbb 100644
--- a/tests/api/models/test_s3bucket.py
+++ b/tests/api/models/test_s3bucket.py
@@ -4,6 +4,7 @@
 # Third-party
 import pytest
 from botocore.exceptions import ClientError
+from django.conf import settings
 from model_mommy import mommy
 
 # First-party/Local
@@ -22,20 +23,16 @@ def bucket():
 
 
 def test_delete_revokes_permissions(bucket):
-    with patch("controlpanel.api.aws.AWSRole.grant_bucket_access"), \
-            patch("controlpanel.api.cluster.AWSRole.revoke_bucket_access") \
-            as revoke_bucket_access_action:
-        users3bucket = mommy.make("api.UserS3Bucket", s3bucket=bucket)
-        apps3bucket = mommy.make("api.AppS3Bucket", s3bucket=bucket)
-
+    with patch("controlpanel.api.models.AppS3Bucket.revoke_bucket_access") as app_revoke_bucket_access, \
+            patch("controlpanel.api.models.UserS3Bucket.revoke_bucket_access") as user_revoke_user_bucket_access:
+        # link the bucket with an UserS3Bucket and AppS3Bucket
+        mommy.make("api.UserS3Bucket", s3bucket=bucket)
+        mommy.make("api.AppS3Bucket", s3bucket=bucket)
+        # delete the source S3Bucket
         bucket.delete()
-
-        revoke_bucket_access_action.assert_has_calls(
-            [
-                call(apps3bucket.iam_role_name, bucket.arn),
-                call(users3bucket.iam_role_name, bucket.arn),
-            ]
-        )
+        # check that related objects revoke access methods were called
+        app_revoke_bucket_access.assert_called_once()
+        user_revoke_user_bucket_access.assert_called_once()
 
 
 def test_delete_marks_bucket_for_archival(bucket):
@@ -54,22 +51,29 @@ def test_delete_marks_bucket_for_archival_when_tag_bucket_fails(bucket):
         assert S3Bucket.objects.filter(name=bucket.name).exists()
 
 
-def test_bucket_create():
-    with patch("controlpanel.api.aws.AWSBucket.create") as create_bucket:
-        bucket = S3Bucket.objects.create(name="test-bucket-1")
-        create_bucket.assert_called_with(bucket.name, False)
-
-
-def test_create_users3bucket(superuser):
-    with patch("controlpanel.api.aws.AWSBucket.create") as create_bucket:
-        bucket = S3Bucket.objects.create(
-            name="test-bucket-1",
-            created_by=superuser,
-        )
+def test_bucket_create(sqs, superuser, helpers):
+    bucket = S3Bucket.objects.create(name="test-bucket-1")
+    messages = helpers.retrieve_messages(sqs, queue_name=settings.S3_QUEUE_NAME)
+    helpers.validate_task_with_sqs_messages(
+        messages, S3Bucket.__name__, bucket.id, queue_name=settings.S3_QUEUE_NAME,
+    )
 
-        create_bucket.assert_called()
 
-        assert UserS3Bucket.objects.get(user=superuser, s3bucket=bucket)
+def test_create_users3bucket(sqs, superuser, helpers):
+    bucket = S3Bucket.objects.create(
+        name="test-bucket-1",
+        created_by=superuser,
+    )
+    user_s3bucket = UserS3Bucket.objects.get(user=superuser, s3bucket=bucket)
+    assert user_s3bucket
+    s3_messages = helpers.retrieve_messages(sqs, queue_name=settings.S3_QUEUE_NAME)
+    helpers.validate_task_with_sqs_messages(
+        s3_messages, S3Bucket.__name__, bucket.id, queue_name=settings.S3_QUEUE_NAME
+    )
+    iam_messages = helpers.retrieve_messages(sqs, queue_name=settings.IAM_QUEUE_NAME)
+    helpers.validate_task_with_sqs_messages(
+        iam_messages, UserS3Bucket.__name__, user_s3bucket.id, queue_name=settings.IAM_QUEUE_NAME
+    )
 
 
 @pytest.mark.parametrize(
@@ -92,3 +96,42 @@ def test_is_folder(name, expected):
 )
 def test_cluster(name, expected):
     assert isinstance(S3Bucket(name=name).cluster, expected)
+
+
+def test_soft_delete_bucket(bucket, users, sqs, helpers):
+    user = users["superuser"]
+
+    assert bucket.is_deleted is False
+    with patch("controlpanel.api.cluster.S3Bucket.mark_for_archival") as archive:
+        bucket.soft_delete(deleted_by=user)
+
+    assert bucket.is_deleted is True
+    assert bucket.deleted_by == user
+    assert bucket.deleted_at is not None
+    archive.assert_called_once()
+
+    messages = helpers.retrieve_messages(sqs, queue_name=settings.S3_QUEUE_NAME)
+    helpers.validate_task_with_sqs_messages(
+        messages, S3Bucket.__name__, bucket.id, queue_name=settings.S3_QUEUE_NAME,
+    )
+
+
+def test_soft_delete_folder(users, sqs, helpers):
+    folder = S3Bucket.objects.create(name="bucket/folder-1")
+    user = users["superuser"]
+
+    assert folder.is_deleted is False
+    folder.soft_delete(deleted_by=user)
+
+    assert folder.is_deleted is True
+    assert folder.deleted_by == user
+    assert folder.deleted_at is not None
+
+    messages = helpers.retrieve_messages(sqs, queue_name=settings.S3_QUEUE_NAME)
+    task_names = [message["headers"]["task"] for message in messages]
+
+    helpers.validate_task_with_sqs_messages(
+        messages, S3Bucket.__name__, folder.id, queue_name=settings.S3_QUEUE_NAME,
+    )
+    assert "archive_s3bucket" in task_names
+    assert "s3bucket_revoke_all_access" in task_names
diff --git a/tests/api/models/test_users3bucket.py b/tests/api/models/test_users3bucket.py
index 1726c62b4..c67b80ea0 100644
--- a/tests/api/models/test_users3bucket.py
+++ b/tests/api/models/test_users3bucket.py
@@ -1,12 +1,14 @@
 # Standard library
-from unittest.mock import patch, PropertyMock
+from unittest.mock import PropertyMock, patch
 
 # Third-party
 import pytest
+from django.conf import settings
 from django.db.utils import IntegrityError
 from model_mommy import mommy
 
 # First-party/Local
+from controlpanel.api.models import UserS3Bucket
 from controlpanel.api.models.access_to_s3bucket import AccessToS3Bucket
 
 
@@ -39,49 +41,39 @@ def test_one_record_per_user_per_s3bucket(user, bucket, users3bucket):
 
 
 @pytest.mark.django_db
-def test_aws_create_bucket(user, bucket):
-    with patch(
-        "controlpanel.api.cluster.AWSRole.grant_bucket_access"
-    ) as grant_bucket_access:
-        users3bucket = user.users3buckets.create(
-            s3bucket=bucket,
-            access_level=AccessToS3Bucket.READONLY,
-        )
-
-        grant_bucket_access.assert_called_with(
-            user.iam_role_name,
-            bucket.arn,
-            AccessToS3Bucket.READONLY,
-            users3bucket.resources,
-        )
-        # TODO get policy from call and assert bucket ARN present
+def test_aws_create_bucket(user, bucket, sqs, helpers):
+    users3bucket = user.users3buckets.create(
+        s3bucket=bucket,
+        access_level=AccessToS3Bucket.READONLY
+    )
+    messages = helpers.retrieve_messages(sqs, settings.IAM_QUEUE_NAME)
+    helpers.validate_task_with_sqs_messages(
+        messages, UserS3Bucket.__name__, users3bucket.id, settings.IAM_QUEUE_NAME
+    )
 
 
 @pytest.mark.django_db
-@patch("controlpanel.api.cluster.AWSRole.grant_folder_access")
-def test_aws_create_folder(grant_folder_access, user, bucket):
+@patch("controlpanel.api.models.users3bucket.tasks")
+def test_aws_create_folder(tasks, user, bucket):
     with patch.object(
         bucket.__class__, "is_folder", new_callable=PropertyMock(return_value=True)
     ):
-        user.users3buckets.create(
+        user_bucket = user.users3buckets.create(
             s3bucket=bucket,
             access_level=AccessToS3Bucket.READONLY,
+            current_user=user
         )
-        grant_folder_access.assert_called_with(
-            user.iam_role_name,
-            bucket.arn,
-            AccessToS3Bucket.READONLY,
+        tasks.S3BucketGrantToUser.assert_called_once_with(
+            user_bucket, user
         )
+        tasks.S3BucketGrantToUser.return_value.create_task.assert_called_once()
 
 
 @pytest.mark.django_db
-def test_delete_revoke_permissions(user, bucket, users3bucket):
+def test_delete_revoke_permissions(bucket, users3bucket):
     with patch(
-        "controlpanel.api.cluster.AWSRole.revoke_bucket_access"
-    ) as revoke_bucket_access_action:
+        "controlpanel.api.tasks.S3BucketRevokeUserAccess"
+    ) as revoke_user_access_task:
         users3bucket.delete()
-        revoke_bucket_access_action.assert_called_with(
-            user.iam_role_name,
-            bucket.arn,
-        )
-        # TODO get policy from call and assert bucket ARN removed
+        revoke_user_access_task.assert_called_once_with(users3bucket, None)
+        revoke_user_access_task.return_value.create_task.assert_called_once()
diff --git a/tests/api/tasks/__init__.py b/tests/api/tasks/__init__.py
new file mode 100644
index 000000000..e69de29bb
diff --git a/tests/api/tasks/test_base.py b/tests/api/tasks/test_base.py
new file mode 100644
index 000000000..bf2f386c7
--- /dev/null
+++ b/tests/api/tasks/test_base.py
@@ -0,0 +1,60 @@
+# Standard library
+from unittest.mock import MagicMock, patch
+
+# Third-party
+import pytest
+
+# First-party/Local
+from controlpanel.api.models import Task
+from controlpanel.api.tasks.handlers.base import BaseModelTaskHandler, BaseTaskHandler
+
+
+@pytest.mark.parametrize("handler_cls, args", [
+    (BaseTaskHandler, (None,)),
+    (BaseModelTaskHandler, (1, 1)),
+])
+@patch("controlpanel.api.tasks.handlers.base.BaseTaskHandler.handle")
+def test_completed_task_handle_not_run(handle, handler_cls, args):
+    completed_task = MagicMock(spec=Task, completed=True)
+    base_task_handler = handler_cls()
+
+    with patch.object(base_task_handler, "get_task_obj", return_value=completed_task):
+        base_task_handler.run(*args)
+
+    handle.assert_not_called()
+
+
+@pytest.mark.parametrize("handler_cls, args", [
+    (BaseTaskHandler, (None,)),
+    (BaseModelTaskHandler, (1, 1)),
+])
+@patch("controlpanel.api.tasks.handlers.base.BaseTaskHandler.handle")
+@patch(
+    "controlpanel.api.tasks.handlers.base.BaseModelTaskHandler.get_object",
+    new=MagicMock,
+)
+def test_uncompleted_task_handle_is_run(handle, handler_cls, args):
+    completed_task = MagicMock(spec=Task, completed=False)
+    base_task_handler = handler_cls()
+
+    with patch.object(base_task_handler, "get_task_obj", return_value=completed_task):
+        base_task_handler.run(*args)
+
+    handle.assert_called_once()
+
+
+@pytest.mark.parametrize("handler_cls, args", [
+    (BaseTaskHandler, (None,)),
+    (BaseModelTaskHandler, (1, 1)),
+])
+@patch("controlpanel.api.tasks.handlers.base.BaseTaskHandler.handle")
+@patch(
+    "controlpanel.api.tasks.handlers.base.BaseModelTaskHandler.get_object",
+    new=MagicMock,
+)
+def test_no_task_obj_handle_is_run(handle, handler_cls, args):
+    base_task_handler = handler_cls()
+    with patch.object(base_task_handler, "get_task_obj", return_value=None):
+        base_task_handler.run(*args)
+
+    handle.assert_called_once()
diff --git a/tests/api/tasks/test_create_app_auth_settings.py b/tests/api/tasks/test_create_app_auth_settings.py
new file mode 100644
index 000000000..f2f5acfce
--- /dev/null
+++ b/tests/api/tasks/test_create_app_auth_settings.py
@@ -0,0 +1,63 @@
+# Standard library
+from unittest.mock import PropertyMock, patch
+
+# Third-party
+import pytest
+from model_mommy import mommy
+
+# First-party/Local
+from controlpanel.api.models import App
+from controlpanel.api.tasks.handlers import create_app_auth_settings
+
+
+@pytest.mark.django_db
+@patch("controlpanel.api.tasks.handlers.base.BaseModelTaskHandler.complete")
+@patch("controlpanel.api.tasks.handlers.app.cluster")
+def test_cluster_not_called_without_valid_app(cluster, complete, users):
+    with pytest.raises(App.DoesNotExist):
+        create_app_auth_settings(1, users["superuser"].pk)
+        cluster.App.assert_not_called()
+        # should not be complete as we want to try it again
+        complete.assert_not_called()
+
+
+@pytest.mark.django_db
+@patch("controlpanel.api.tasks.handlers.base.BaseModelTaskHandler.complete")
+@patch("controlpanel.api.tasks.handlers.app.cluster")
+@patch("controlpanel.api.models.user.User.github_api_token", new=PropertyMock(return_value=None))  # noqa
+def test_cluster_not_called_without_github_api_token(cluster, complete, users):
+    app = mommy.make("api.App")
+
+    user = users["superuser"]
+    create_app_auth_settings(
+        app.pk, user.pk, "envs", "disable_authentication", "connections",
+    )
+
+    # role should not be created
+    cluster.App.assert_not_called()
+    # task should be complete so that it does not run again, as user not valid
+    complete.assert_called_once()
+
+
+@pytest.mark.django_db
+@patch("controlpanel.api.tasks.handlers.base.BaseModelTaskHandler.complete")
+@patch("controlpanel.api.tasks.handlers.app.cluster")
+@patch("controlpanel.api.models.user.User.github_api_token", new=PropertyMock(return_value="dummy-token"))  # noqa
+def test_valid_app_and_user(cluster, complete, users):
+    app = mommy.make("api.App")
+
+    create_app_auth_settings(
+        app.pk,
+        users["superuser"].pk,
+        ["test"],
+        False,
+        ["email"],
+    )
+
+    cluster.App.assert_called_once_with(app, "dummy-token")
+    cluster.App.return_value.create_auth_settings.assert_called_once_with(
+        env_name="test",
+        disable_authentication=False,
+        connections=["email"]
+    )
+    complete.assert_called_once()
diff --git a/tests/api/tasks/test_create_app_aws_role.py b/tests/api/tasks/test_create_app_aws_role.py
new file mode 100644
index 000000000..a882a9845
--- /dev/null
+++ b/tests/api/tasks/test_create_app_aws_role.py
@@ -0,0 +1,37 @@
+# Standard library
+from unittest.mock import patch
+
+# Third-party
+import pytest
+from model_mommy import mommy
+
+# First-party/Local
+from controlpanel.api.models import App
+from controlpanel.api.tasks.handlers import (
+    create_app_auth_settings,
+    create_app_aws_role,
+)
+
+
+@pytest.mark.django_db
+@patch("controlpanel.api.tasks.handlers.base.BaseModelTaskHandler.complete")
+@patch("controlpanel.api.tasks.handlers.app.cluster")
+def test_cluster_not_called_without_valid_app(cluster, complete, users):
+    with pytest.raises(App.DoesNotExist):
+        create_app_aws_role(1, users["superuser"].pk)
+        cluster.App.assert_not_called()
+        # should not be complete as we want to try it again
+        complete.assert_not_called()
+
+
+@pytest.mark.django_db
+@patch("controlpanel.api.tasks.handlers.base.BaseModelTaskHandler.complete")
+@patch("controlpanel.api.tasks.handlers.app.cluster")
+def test_valid_app_and_user(cluster, complete, users):
+    app = mommy.make("api.App")
+
+    create_app_aws_role(app.pk, users["superuser"].pk)
+
+    cluster.App.assert_called_once_with(app)
+    cluster.App.return_value.create_iam_role.assert_called_once()
+    complete.assert_called_once()
diff --git a/tests/api/tasks/test_s3.py b/tests/api/tasks/test_s3.py
new file mode 100644
index 000000000..b8134dd01
--- /dev/null
+++ b/tests/api/tasks/test_s3.py
@@ -0,0 +1,137 @@
+# Standard library
+from unittest.mock import MagicMock, patch
+
+# Third-party
+import pytest
+from model_mommy import mommy
+
+# First-party/Local
+from controlpanel.api.models import AppS3Bucket, S3Bucket, UserS3Bucket
+from controlpanel.api.tasks.handlers import (
+    create_s3bucket,
+    grant_app_s3bucket_access,
+    grant_user_s3bucket_access,
+    revoke_all_access_s3bucket,
+    revoke_app_s3bucket_access,
+    revoke_user_s3bucket_access,
+)
+
+
+@pytest.mark.django_db
+@pytest.mark.parametrize("task_method, model", [
+    (create_s3bucket, S3Bucket),
+    (grant_app_s3bucket_access, AppS3Bucket),
+    (grant_user_s3bucket_access, UserS3Bucket),
+])
+@patch("controlpanel.api.tasks.handlers.base.BaseTaskHandler.complete")
+def test_exception_raised_when_called_without_valid_app(
+    complete, users, task_method, model
+):
+    with pytest.raises(model.DoesNotExist):
+        task_method(1, users["superuser"].pk)
+
+        complete.assert_not_called()
+
+
+@pytest.mark.django_db
+@patch("controlpanel.api.tasks.handlers.base.BaseTaskHandler.complete")
+@patch("controlpanel.api.models.s3bucket.cluster")
+def test_bucket_created(cluster, complete, users):
+    s3bucket = mommy.make("api.S3Bucket", bucket_owner="APP")
+
+    create_s3bucket(
+        s3bucket.pk, users["superuser"].pk, bucket_owner=s3bucket.bucket_owner
+    )
+
+    cluster.S3Bucket.assert_called_once_with(s3bucket)
+    cluster.S3Bucket.return_value.create.assert_called_once_with(
+        owner=s3bucket.bucket_owner
+    )
+    complete.assert_called_once()
+
+
+@pytest.mark.django_db
+@pytest.mark.parametrize("task_method, model_class, cluster_class", [
+    (grant_app_s3bucket_access, "api.AppS3Bucket", "App"),
+    (grant_user_s3bucket_access, "api.UserS3Bucket", "User"),
+])
+@patch("controlpanel.api.tasks.handlers.base.BaseTaskHandler.complete")
+@patch("controlpanel.api.tasks.handlers.s3.cluster")
+def test_access_granted(
+    cluster, complete, users, task_method, model_class, cluster_class
+):
+    obj = mommy.make(model_class)
+
+    task_method(obj.pk, users["superuser"].pk)
+
+    cluster_obj = getattr(cluster, cluster_class)
+    cluster_obj.assert_called_once()
+    cluster_obj.return_value.grant_bucket_access.assert_called_once()
+    complete.assert_called_once()
+
+
+@pytest.mark.django_db
+@pytest.mark.parametrize("bucket_name, is_folder", [
+    ("example-bucket", False),
+    ("example-bucket/folder", True),
+])
+@patch("controlpanel.api.tasks.handlers.base.BaseTaskHandler.complete")
+@patch("controlpanel.api.tasks.handlers.s3.cluster")
+def test_revoke_user_access(cluster, complete, bucket_name, is_folder):
+    user_bucket_access = mommy.make("api.UserS3Bucket", s3bucket__name=bucket_name)
+    s3bucket = user_bucket_access.s3bucket
+    bucket_identifier = s3bucket.name if is_folder else s3bucket.arn
+    revoke_user_s3bucket_access(
+        bucket_identifier=bucket_identifier,
+        bucket_user_pk=user_bucket_access.user.pk,
+        is_folder=is_folder
+    )
+
+    cluster.User.assert_called_once_with(user_bucket_access.user)
+    if is_folder:
+        cluster.User.return_value.revoke_folder_access.assert_called_once_with(
+            bucket_identifier
+        )
+    else:
+        cluster.User.return_value.revoke_bucket_access.assert_called_once_with(
+            bucket_identifier
+        )
+
+    complete.assert_called_once()
+
+
+@pytest.mark.django_db
+@patch("controlpanel.api.tasks.handlers.base.BaseTaskHandler.complete")
+@patch("controlpanel.api.tasks.handlers.s3.cluster")
+def test_revoke_app_access(cluster, complete):
+    app_bucket_access = mommy.make("api.AppS3Bucket")
+    revoke_app_s3bucket_access(
+        bucket_arn=app_bucket_access.s3bucket.arn,
+        app_pk=app_bucket_access.app.pk,
+    )
+
+    cluster.App.assert_called_once_with(app_bucket_access.app)
+    cluster.App.return_value.revoke_bucket_access.assert_called_once_with(
+        app_bucket_access.s3bucket.arn
+    )
+    complete.assert_called_once()
+
+
+@pytest.mark.django_db
+@patch("controlpanel.api.models.UserS3Bucket.revoke_bucket_access", new=MagicMock())
+@patch("controlpanel.api.models.AppS3Bucket.revoke_bucket_access", new=MagicMock())
+@patch("controlpanel.api.models.PolicyS3Bucket.revoke_bucket_access", new=MagicMock())
+@patch("controlpanel.api.tasks.handlers.base.BaseTaskHandler.complete")
+def test_revoke_all_access(complete, users):
+    bucket = mommy.make("api.S3Bucket")
+    user_access = mommy.make("api.UserS3Bucket", s3bucket=bucket)
+    app_access = mommy.make("api.AppS3Bucket", s3bucket=bucket)
+    policy_access = mommy.make("api.PolicyS3Bucket", s3bucket=bucket)
+    task = mommy.make("api.Task", user_id=users["superuser"].pk)
+
+    revoke_all_access_s3bucket(bucket.pk, task.user_id)
+
+    user_access.revoke_bucket_access.assert_called_once()
+    app_access.revoke_bucket_access.assert_called_once()
+    policy_access.revoke_bucket_access.assert_called_once()
+    complete.assert_called_once()
diff --git a/tests/api/test_auth0.py b/tests/api/test_auth0.py
index b314ecb37..3d6695c70 100644
--- a/tests/api/test_auth0.py
+++ b/tests/api/test_auth0.py
@@ -6,6 +6,7 @@
 import mock
 import pytest
 from django.conf import settings
+from auth0.v3 import exceptions
 
 # First-party/Local
 from controlpanel.api import auth0
@@ -599,5 +600,35 @@ def _clean_string(content):
     expected["options"]["scripts"]["fetchUserProfile"] = _clean_string(
         expected["options"]["scripts"]["fetchUserProfile"]
     )
-
     assert actual_arg == expected
+
+
+def test_create_custom_connection_with_allowed_error(ExtendedAuth0):
+    with patch.object(ExtendedAuth0.connections, "create") as connection_create:
+        connection_create.side_effect = exceptions.Auth0Error(
+            409, 409, 'The connection name existed already')
+        ExtendedAuth0.connections.create_custom_connection(
+            "auth0_nomis",
+            input_values={
+                "name": "test_nomis_connection",
+                "client_id": "test_nomis_connection_id",
+                "client_secret": "WNXFkM3FCTXJhUWs0Q1NwcKFu",
+            },
+        )
+        connection_create.assert_called_once_with(mock.ANY)
+
+
+def test_create_custom_connection_with_notallowed_error(ExtendedAuth0):
+    with patch.object(ExtendedAuth0.connections, "create") as connection_create:
+        connection_create.side_effect = exceptions.Auth0Error(
+            400, 400, 'Error')
+        with pytest.raises(auth0.Auth0Error, match="400: Error"):
+            ExtendedAuth0.connections.create_custom_connection(
+                "auth0_nomis",
+                input_values={
+                    "name": "test_nomis_connection",
+                    "client_id": "test_nomis_connection_id",
+                    "client_secret": "WNXFkM3FCTXJhUWs0Q1NwcKFu",
+                },
+            )
+        connection_create.assert_called_once_with(mock.ANY)
diff --git a/tests/api/test_aws.py b/tests/api/test_aws.py
index 610cc7e9e..4722cb4a6 100644
--- a/tests/api/test_aws.py
+++ b/tests/api/test_aws.py
@@ -1,13 +1,14 @@
 # Standard library
 import json
 import uuid
-from unittest.mock import MagicMock, patch
+import hashlib
+from unittest.mock import MagicMock, call, patch
 
 # Third-party
 import pytest
 
 # First-party/Local
-from controlpanel.api import aws, cluster
+from controlpanel.api import aws
 from controlpanel.api.cluster import BASE_ASSUME_ROLE_POLICY, User
 from tests.api.fixtures.aws import *
 
@@ -62,6 +63,10 @@ def eks_assume_role(stmt, user):
     )
 
 
+def md5_hash(string):
+    return hashlib.md5(string.encode()).hexdigest()
+
+
 @pytest.fixture
 def roles(iam):
     role_names = [
@@ -827,77 +832,122 @@ def test_aws_folder_exists(new_folder, existing_folder, expected, root_folder_bu
 
 
 @pytest.mark.parametrize(
-    "access_level",
-    ["readwrite", "readonly"]
+    "access_level, root_folder_path, paths",
+    [
+        ("readwrite", "test-bucket/user-folder", None),
+        ("readonly", "test-bucket/user-folder", None),
+        ("readwrite", "test-bucket/user-folder", []),
+        ("readonly", "test-bucket/user-folder", []),
+        ("readwrite", "test-bucket/user-folder", ["/public"]),
+        ("readonly", "test-bucket/user-folder", ["/public"]),
+        ("readwrite", "test-bucket/user-folder", ["/public", "/another"]),
+        ("readonly", "test-bucket/user-folder", ["/public", "/another"]),
+    ]
 )
-def test_grant_folder_access(access_level, roles):
-    bucket_arn = "arn:aws:s3:::test-bucket/user-folder"
-    with patch("controlpanel.api.aws.S3AccessPolicy.grant_folder_list_access") as grant_folder_list_access, \
-            patch("controlpanel.api.aws.S3AccessPolicy.grant_object_access") as grant_object_access:
+def test_role_grant_folder_access(access_level, roles, root_folder_path, paths):
+    with patch("controlpanel.api.aws.S3AccessPolicy.grant_folder_access") as grant_folder_access, \
+            patch("controlpanel.api.aws.S3AccessPolicy.revoke_folder_access") as revoke_access:  # noqa
         aws.AWSRole().grant_folder_access(
             'test_user_normal-user',
-            bucket_arn,
-            access_level
+            root_folder_path,
+            access_level,
+            paths,
+        )
+        revoke_access.assert_called_once_with(root_folder_path=root_folder_path)
+        grant_folder_access.assert_called_once_with(
+            root_folder_path=root_folder_path,
+            access_level=access_level,
+            paths=paths
+        )
+
+
+@pytest.mark.parametrize(
+    "access_level, root_folder_path, paths",
+    [
+        ("readwrite", "test-bucket/user-folder", None),
+        ("readonly", "test-bucket/user-folder", None),
+        ("readwrite", "test-bucket/user-folder", []),
+        ("readonly", "test-bucket/user-folder", []),
+        ("readwrite", "test-bucket/user-folder", ["/public"]),
+        ("readonly", "test-bucket/user-folder", ["/public"]),
+        ("readwrite", "test-bucket/user-folder", ["/public", "/another"]),
+        ("readonly", "test-bucket/user-folder", ["/public", "/another"]),
+    ]
+)
+def test_policy_grant_folder_access(group, access_level, root_folder_path, paths):
+    with patch("controlpanel.api.aws.S3AccessPolicy.grant_folder_access") as grant_folder_access, \
+            patch("controlpanel.api.aws.S3AccessPolicy.revoke_folder_access") as revoke_access:  # noqa
+        aws.AWSPolicy().grant_folder_access(
+            group.arn,
+            root_folder_path,
+            access_level,
+            paths,
         )
-        grant_folder_list_access.assert_called_once_with(bucket_arn)
-        grant_object_access.assert_called_once_with(
-            bucket_arn, access_level
+        revoke_access.assert_called_once_with(root_folder_path=root_folder_path)
+        grant_folder_access.assert_called_once_with(
+            root_folder_path=root_folder_path,
+            access_level=access_level,
+            paths=paths
         )
 
 
-def test_grant_folder_list_access():
+@pytest.fixture
+def s3_access_policy():
     mock_policy = MagicMock()
     mock_policy.policy_document = {}
+    return aws.S3AccessPolicy(mock_policy)
 
-    policy = aws.S3AccessPolicy(mock_policy)
 
-    bucket_name_arn = "arn:aws:s3:::test-bucket"
+def test_s3_access_policy_grant_folder_access(s3_access_policy):
+    bucket_name = "test-bucket"
+    bucket_hash = md5_hash(bucket_name)
     folder_name = "user-folder"
-    bucket_and_folder_arn = f"{bucket_name_arn}/{folder_name}"
-    policy.grant_folder_list_access(bucket_and_folder_arn)
+    root_folder_path = f"{bucket_name}/{folder_name}"
+    bucket_arn = f"arn:aws:s3:::{bucket_name}"
+    s3_access_policy.grant_folder_access(
+        root_folder_path=root_folder_path,
+        access_level="readonly",
+    )
 
-    assert policy.statements["rootFolderBucketMeta"]["Resource"] == [bucket_name_arn]
-    assert policy.statements["listFolder"]["Resource"] == [bucket_name_arn]
-    assert policy.statements["listFolder"]["Condition"] == {
+    assert s3_access_policy.statements["rootFolderBucketMeta"]["Resource"] == [bucket_arn]  # noqa
+    assert f"{bucket_arn}/{folder_name}/*" in s3_access_policy.statements["readonly"]["Resource"]  # noqa
+    assert s3_access_policy.statements[f"listFolder{bucket_hash}"]["Resource"] == [bucket_arn]
+    assert s3_access_policy.statements[f"listFolder{bucket_hash}"]["Condition"] == {
         "StringEquals": {
-            "s3:prefix": ["", folder_name, f"{folder_name}/"],
+            "s3:prefix": ["", folder_name],
             "s3:delimiter": ["/"]
         }
     }
-    assert policy.statements["listSubFolders"]["Resource"] == [bucket_name_arn]
-    assert policy.statements["listSubFolders"]["Condition"] == {
+    assert s3_access_policy.statements[f"listSubFolders{bucket_hash}"]["Resource"] == [bucket_arn]
+    assert s3_access_policy.statements[f"listSubFolders{bucket_hash}"]["Condition"] == {
         "StringLike": {
             "s3:prefix": [f"{folder_name}/*"],
         }
     }
 
     # now test granting access to another folder
-
-    # create new object with old policy document
-    mock_policy = MagicMock()
-    mock_policy.policy_document = policy.policy_document
-    policy = aws.S3AccessPolicy(mock_policy)
-
     folder_name_2 = "user-folder-2"
-    bucket_and_folder_arn = f"{bucket_name_arn}/{folder_name_2}"
-    policy.grant_folder_list_access(bucket_and_folder_arn)
+    s3_access_policy.grant_folder_access(
+        root_folder_path=f"{bucket_name}/{folder_name_2}",
+        access_level="readonly",
+    )
+
     # make sure that the policy has not been overwritten, and contains both folders
-    assert policy.statements["rootFolderBucketMeta"]["Resource"] == [bucket_name_arn]
-    assert policy.statements["listFolder"]["Resource"] == [bucket_name_arn]
-    assert policy.statements["listFolder"]["Condition"] == {
+    assert s3_access_policy.statements["rootFolderBucketMeta"]["Resource"] == [bucket_arn]  # noqa
+    assert f"{bucket_arn}/{folder_name_2}/*" in s3_access_policy.statements["readonly"]["Resource"]  # noqa
+    assert s3_access_policy.statements[f"listFolder{bucket_hash}"]["Resource"] == [bucket_arn]
+    assert s3_access_policy.statements[f"listFolder{bucket_hash}"]["Condition"] == {
         "StringEquals": {
             "s3:prefix": [
                 "",
                 folder_name,
-                f"{folder_name}/",
                 folder_name_2,
-                f"{folder_name_2}/",
             ],
             "s3:delimiter": ["/"]
         }
     }
-    assert policy.statements["listSubFolders"]["Resource"] == [bucket_name_arn]
-    assert policy.statements["listSubFolders"]["Condition"] == {
+    assert s3_access_policy.statements[f"listSubFolders{bucket_hash}"]["Resource"] == [bucket_arn]
+    assert s3_access_policy.statements[f"listSubFolders{bucket_hash}"]["Condition"] == {
         "StringLike": {
             "s3:prefix": [
                 f"{folder_name}/*",
@@ -907,6 +957,81 @@ def test_grant_folder_list_access():
     }
 
 
+def test_s3_access_policy_grant_folder_access_to_paths(s3_access_policy):
+    """
+    See docstring on grant_folder_list_access method for full explanation of
+    required permissions
+    """
+    bucket_name = "test-bucket"
+    bucket_hash = md5_hash(bucket_name)
+    folder_name = "user-folder"
+    root_folder_path = f"{bucket_name}/{folder_name}"
+    allowed_path = "/public/folder"
+    bucket_arn = f"arn:aws:s3:::{bucket_name}"
+    s3_access_policy.grant_folder_access(
+        root_folder_path=root_folder_path,
+        access_level="readonly",
+        paths=[allowed_path],
+    )
+
+    assert s3_access_policy.statements["rootFolderBucketMeta"]["Resource"] == [bucket_arn]  # noqa
+    assert f"{bucket_arn}/{folder_name}{allowed_path}/*" in s3_access_policy.statements["readonly"]["Resource"]  # noqa
+    assert s3_access_policy.statements[f"listFolder{bucket_hash}"]["Resource"] == [bucket_arn]
+    assert s3_access_policy.statements[f"listFolder{bucket_hash}"]["Condition"] == {
+        "StringEquals": {
+            "s3:prefix": [
+                "",
+                "user-folder",
+                "user-folder/",
+                "user-folder/public",
+                "user-folder/public/",
+                "user-folder/public/folder",
+            ],
+            "s3:delimiter": ["/"]
+        }
+    }
+    assert s3_access_policy.statements[f"listSubFolders{bucket_hash}"]["Resource"] == [bucket_arn]
+    # only designated folder should use the wildcard
+    assert s3_access_policy.statements[f"listSubFolders{bucket_hash}"]["Condition"] == {
+        "StringLike": {
+            "s3:prefix": [f"{folder_name}{allowed_path}/*"],
+        }
+    }
+
+    # add another path, check new folder added correctly with no duplicates
+    another_path = "/another"
+    s3_access_policy.grant_folder_access(
+        root_folder_path=root_folder_path,
+        access_level="readonly",
+        paths=[another_path]
+    )
+    assert s3_access_policy.statements[f"listFolder{bucket_hash}"]["Resource"] == [bucket_arn]
+    assert f"{bucket_arn}/{folder_name}{another_path}/*" in s3_access_policy.statements["readonly"]["Resource"]  # noqa
+    assert s3_access_policy.statements[f"listFolder{bucket_hash}"]["Condition"] == {
+        "StringEquals": {
+            "s3:prefix": [
+                "",
+                "user-folder",
+                "user-folder/",
+                "user-folder/public",
+                "user-folder/public/",
+                "user-folder/public/folder",
+                "user-folder/another"
+            ],
+            "s3:delimiter": ["/"]
+        }
+    }
+    assert s3_access_policy.statements[f"listSubFolders{bucket_hash}"]["Resource"] == [bucket_arn]
+    assert s3_access_policy.statements[f"listSubFolders{bucket_hash}"]["Condition"] == {
+        "StringLike": {
+            "s3:prefix": [
+                f"{folder_name}{allowed_path}/*",
+                f"{folder_name}{another_path}/*"
+            ],
+        }
+    }
+
+
 def test_base_s3_access_sids():
     expected = [
         'list',
@@ -917,3 +1042,72 @@ def test_base_s3_access_sids():
         'rootFolderBucketMeta',
     ]
     assert aws.S3AccessPolicy(MagicMock()).base_s3_access_sids == expected
+
+
+def test_revoke_folder_access(s3_access_policy):
+    with patch.object(s3_access_policy, "remove_prefix") as remove_prefix, \
+            patch.object(s3_access_policy, "remove_resource") as remove_resource:
+        root_folder_path = "test-bucket/folder"
+        arn = f"arn:aws:s3:::{root_folder_path}"
+        s3_access_policy.revoke_folder_access(root_folder_path=root_folder_path)
+        remove_prefix.assert_has_calls(
+            [
+                call(root_folder_path=root_folder_path, sid="listFolder", condition="StringEquals"),
+                call(root_folder_path=root_folder_path, sid="listSubFolders", condition="StringLike"),
+            ],
+            any_order=True,
+        )
+        remove_resource.assert_has_calls(
+            [
+                call(arn=arn, sid="readonly"),
+                call(arn=arn, sid="readwrite"),
+            ]
+        )
+
+
+def test_revoke_access_removes_prefixes(s3_access_policy):
+    # grant access to the folder, so that it can be revoked later
+    bucket_name = "test-bucket"
+    bucket_hash = md5_hash(bucket_name)
+    root_folder_path = "test-bucket/user-folder"
+    s3_access_policy.grant_folder_access(root_folder_path, "readwrite")
+
+    assert s3_access_policy.statements[f"listFolder{bucket_hash}"].get("Resource", None) is not None
+    assert s3_access_policy.statements[f"listSubFolders{bucket_hash}"].get("Resource", None) is not None
+    assert s3_access_policy.statements[f"listFolder{bucket_hash}"]["Condition"]["StringEquals"]["s3:prefix"] != [""]  # noqa
+    assert s3_access_policy.statements[f"listSubFolders{bucket_hash}"]["Condition"]["StringLike"]["s3:prefix"] != []  # noqa
+
+    s3_access_policy.revoke_folder_access(root_folder_path=root_folder_path)
+
+    assert s3_access_policy.statements[f"listFolder{bucket_hash}"].get("Resource", None) is None
+    assert s3_access_policy.statements[f"listFolder{bucket_hash}"]["Condition"] == {
+        "StringEquals": {
+            "s3:prefix": [""],
+            "s3:delimiter": ["/"]
+        }
+    }
+    assert s3_access_policy.statements[f"listSubFolders{bucket_hash}"].get("Resource", None) is None
+    assert s3_access_policy.statements[f"listSubFolders{bucket_hash}"]["Condition"] == {
+        "StringLike": {
+            "s3:prefix": [],
+        }
+    }
+
+
+def test_revoke_access_doesnt_remove_prefixes(s3_access_policy):
+    bucket_name = "test-bucket"
+    bucket_hash = md5_hash(bucket_name)
+    s3_access_policy.grant_folder_access("test-bucket/my-folder", "readwrite")
+
+    assert s3_access_policy.statements[f"listFolder{bucket_hash}"].get("Resource", None) is not None
+    assert s3_access_policy.statements[f"listSubFolders{bucket_hash}"].get("Resource", None) is not None
+    assert s3_access_policy.statements[f"listFolder{bucket_hash}"]["Condition"]["StringEquals"]["s3:prefix"] != [""]  # noqa
+    assert s3_access_policy.statements[f"listSubFolders{bucket_hash}"]["Condition"]["StringLike"]["s3:prefix"] != []  # noqa
+
+    # now revoke access
+    s3_access_policy.revoke_folder_access("another-bucket/my-folder")
+
+    assert s3_access_policy.statements[f"listFolder{bucket_hash}"].get("Resource", None) is not None
+    assert s3_access_policy.statements[f"listSubFolders{bucket_hash}"].get("Resource", None) is not None
+    assert s3_access_policy.statements[f"listFolder{bucket_hash}"]["Condition"]["StringEquals"]["s3:prefix"] != [""]  # noqa
+    assert s3_access_policy.statements[f"listSubFolders{bucket_hash}"]["Condition"]["StringLike"]["s3:prefix"] != []  # noqa
diff --git a/tests/api/test_pagination.py b/tests/api/test_pagination.py
index 288945fa9..4bfd4721f 100644
--- a/tests/api/test_pagination.py
+++ b/tests/api/test_pagination.py
@@ -22,7 +22,7 @@ def login_superuser(client, superuser):
     ],
 )
 @pytest.mark.django_db
-def test_pagination(client, urlparams, page_size, next, prev):
+def test_pagination(client, urlparams, page_size, next, prev, sqs):
     mommy.make("api.App", DEFAULT_PAGE_SIZE + 20)
     app_list_url = reverse("app-list")
 
diff --git a/tests/api/views/test_app.py b/tests/api/views/test_app.py
index 2bd90230b..bb6a50432 100644
--- a/tests/api/views/test_app.py
+++ b/tests/api/views/test_app.py
@@ -164,7 +164,7 @@ def test_delete(client, app, authz):
         assert response.status_code == status.HTTP_404_NOT_FOUND
 
 
-def test_create(client, users):
+def test_create(client, users, sqs, helpers):
     data = {"name": "bar", "repo_url": "https://example.com/bar.git"}
     response = client.post(reverse("app-list"), data)
     assert response.status_code == status.HTTP_201_CREATED
@@ -172,6 +172,10 @@ def test_create(client, users):
     assert response.data["created_by"] == users["superuser"].auth0_id
     assert response.data["repo_url"] == "https://example.com/bar"
 
+    app = App.objects.get(repo_url="https://example.com/bar")
+    messages = helpers.retrieve_messages(sqs)
+    helpers.validate_task_with_sqs_messages(messages, App.__name__, app.id)
+
 
 def test_update(client, app):
     data = {"name": "foo", "repo_url": "http://foo.com.git"}
diff --git a/tests/api/views/test_apps3bucket.py b/tests/api/views/test_apps3bucket.py
index 494370baf..fd52cd79a 100644
--- a/tests/api/views/test_apps3bucket.py
+++ b/tests/api/views/test_apps3bucket.py
@@ -4,6 +4,7 @@
 
 # Third-party
 import pytest
+from django.conf import settings
 from model_mommy import mommy
 from rest_framework import status
 from rest_framework.reverse import reverse
@@ -60,68 +61,50 @@ def test_detail(client, apps3buckets):
 
 def test_delete(client, apps3buckets):
     with patch(
-        "controlpanel.api.aws.AWSRole.revoke_bucket_access"
+        "controlpanel.api.models.AppS3Bucket.revoke_bucket_access"
     ) as revoke_bucket_access:
         response = client.delete(reverse("apps3bucket-detail", (apps3buckets[1].id,)))
         assert response.status_code == status.HTTP_204_NO_CONTENT
 
-        revoke_bucket_access.assert_called_with(
-            apps3buckets[1].iam_role_name,
-            apps3buckets[1].s3bucket.arn,
-        )
-        # TODO get policy document JSON from call and assert bucket ARN not present
+        revoke_bucket_access.assert_called_once()
 
         response = client.get(reverse("apps3bucket-detail", (apps3buckets[1].id,)))
         assert response.status_code == status.HTTP_404_NOT_FOUND
 
 
-def test_create(client, apps, buckets):
-    with patch(
-        "controlpanel.api.aws.AWSRole.grant_bucket_access"
-    ) as grant_bucket_access:
-        data = {
-            "app": apps[1].id,
-            "s3bucket": buckets[3].id,
-            "access_level": AppS3Bucket.READONLY,
-        }
-        response = client.post(reverse("apps3bucket-list"), data)
-        assert response.status_code == status.HTTP_201_CREATED
-
-        apps3bucket = AppS3Bucket.objects.get(app=apps[1], s3bucket=buckets[3])
-
-        grant_bucket_access.assert_called_with(
-            apps[1].iam_role_name,
-            buckets[3].arn,
-            AppS3Bucket.READONLY,
-            apps3bucket.resources,
-        )
-        # TODO get policy from call and check for presence of bucket ARN
+def test_create(client, apps, buckets, sqs, helpers):
+    data = {
+        "app": apps[1].id,
+        "s3bucket": buckets[3].id,
+        "access_level": AppS3Bucket.READONLY,
+    }
+    response = client.post(reverse("apps3bucket-list"), data)
+    assert response.status_code == status.HTTP_201_CREATED
+    apps3bucket = AppS3Bucket.objects.get(app=apps[1], s3bucket=buckets[3])
+    iam_messages = helpers.retrieve_messages(sqs, settings.IAM_QUEUE_NAME)
+    helpers.validate_task_with_sqs_messages(
+        iam_messages, AppS3Bucket.__name__, apps3bucket.id, settings.IAM_QUEUE_NAME
+    )
 
 
-def test_update(client, apps, apps3buckets, buckets):
-    with patch(
-        "controlpanel.api.aws.AWSRole.grant_bucket_access"
-    ) as grant_bucket_access:
-        data = {
-            "app": apps[1].id,
-            "s3bucket": buckets[1].id,
-            "access_level": AppS3Bucket.READWRITE,
-        }
-        response = client.put(
-            reverse("apps3bucket-detail", (apps3buckets[1].id,)),
-            json.dumps(data),
-            content_type="application/json",
-        )
-        assert response.status_code == status.HTTP_200_OK
-        assert response.data["access_level"] == data["access_level"]
-
-        grant_bucket_access.assert_called_with(
-            apps[1].iam_role_name,
-            buckets[1].arn,
-            AppS3Bucket.READWRITE,
-            apps3buckets[1].resources,
-        )
-        # TODO get policy from call and check for presence of bucket ARN
+def test_update(client, apps, apps3buckets, buckets, sqs, helpers):
+    data = {
+        "app": apps[1].id,
+        "s3bucket": buckets[1].id,
+        "access_level": AppS3Bucket.READWRITE,
+    }
+    response = client.put(
+        reverse("apps3bucket-detail", (apps3buckets[1].id,)),
+        json.dumps(data),
+        content_type="application/json",
+    )
+    assert response.status_code == status.HTTP_200_OK
+    assert response.data["access_level"] == data["access_level"]
+    apps3bucket = AppS3Bucket.objects.get(app=apps[1], s3bucket=buckets[1])
+    iam_messages = helpers.retrieve_messages(sqs, settings.IAM_QUEUE_NAME)
+    helpers.validate_task_with_sqs_messages(
+        iam_messages, AppS3Bucket.__name__, apps3bucket.id, settings.IAM_QUEUE_NAME
+    )
 
 
 def test_update_bad_requests(client, apps, apps3buckets, buckets):
diff --git a/tests/api/views/test_customer.py b/tests/api/views/test_customer.py
index 668c568c5..18041bdba 100644
--- a/tests/api/views/test_customer.py
+++ b/tests/api/views/test_customer.py
@@ -216,3 +216,14 @@ def test_no_exist_auth0_clients_on_customers_page(client, app, users, ExtendedAu
 
         assert response.status_code == 200
         assert error_msg in str(response.content)
+
+
+def test_no_auth0_customers_page(client, app, users, ExtendedAuth0):
+    app.app_conf = None
+    app.save()
+    message = "No need to manage the customers of the app on Control pane"
+    client.force_login(users["superuser"])
+    response = client.get(reverse("appcustomers-page", args=(app.id, 1)))
+
+    assert response.status_code == 200
+    assert message in str(response.content)
diff --git a/tests/api/views/test_s3bucket.py b/tests/api/views/test_s3bucket.py
index 58941b8dc..00e3baa85 100644
--- a/tests/api/views/test_s3bucket.py
+++ b/tests/api/views/test_s3bucket.py
@@ -5,12 +5,13 @@
 # Third-party
 import pytest
 from botocore.exceptions import ClientError
+from django.conf import settings
 from model_mommy import mommy
 from rest_framework import status
 from rest_framework.reverse import reverse
 
 # First-party/Local
-from controlpanel.api.models import UserS3Bucket
+from controlpanel.api.models import S3Bucket, UserS3Bucket
 from tests.api.fixtures.es import BUCKET_HITS_AGGREGATION
 
 
@@ -53,6 +54,9 @@ def test_detail(client, bucket):
         "created_by",
         "is_data_warehouse",
         "location_url",
+        "is_deleted",
+        "deleted_by",
+        "deleted_at",
     }
     assert set(response.data) == expected_s3bucket_fields
 
@@ -94,26 +98,35 @@ def test_delete(client, bucket):
     assert response.status_code == status.HTTP_404_NOT_FOUND
 
 
-def test_create(client, superuser):
-    with patch("controlpanel.api.aws.AWSBucket.create") as create_bucket:
-        data = {"name": "test-bucket-123"}
-        response = client.post(reverse("s3bucket-list"), data)
-        assert response.status_code == status.HTTP_201_CREATED
+def test_create(client, superuser, sqs, helpers):
+    data = {"name": "test-bucket-123"}
+    response = client.post(reverse("s3bucket-list"), data)
+    assert response.status_code == status.HTTP_201_CREATED
 
-        assert response.data["created_by"] == superuser.auth0_id
-        assert not response.data["is_data_warehouse"]
+    assert response.data["created_by"] == superuser.auth0_id
+    assert not response.data["is_data_warehouse"]
 
-        create_bucket.assert_called()
+    # create_bucket.assert_called()
 
-        users3bucket = UserS3Bucket.objects.get(
-            user_id=superuser.auth0_id,
-            s3bucket_id=response.data["id"],
-        )
+    bucket = S3Bucket.objects.get(id=response.data["id"])
+    users3bucket = UserS3Bucket.objects.get(
+        user_id=superuser.auth0_id,
+        s3bucket_id=response.data["id"],
+    )
 
-        assert users3bucket.user.auth0_id == superuser.auth0_id
-        assert response.data["id"] == users3bucket.s3bucket.id
-        assert UserS3Bucket.READWRITE == users3bucket.access_level
-        assert users3bucket.is_admin
+    assert users3bucket.user.auth0_id == superuser.auth0_id
+    assert response.data["id"] == users3bucket.s3bucket.id
+    assert UserS3Bucket.READWRITE == users3bucket.access_level
+    assert users3bucket.is_admin
+
+    s3_messages = helpers.retrieve_messages(sqs, queue_name=settings.S3_QUEUE_NAME)
+    helpers.validate_task_with_sqs_messages(
+        s3_messages, S3Bucket.__name__, bucket.id, queue_name=settings.S3_QUEUE_NAME
+    )
+    iam_messages = helpers.retrieve_messages(sqs, queue_name=settings.IAM_QUEUE_NAME)
+    helpers.validate_task_with_sqs_messages(
+        iam_messages, UserS3Bucket.__name__, users3bucket.id, queue_name=settings.IAM_QUEUE_NAME
+    )
 
 
 EXISTING_BUCKET_NAME = object()
diff --git a/tests/api/views/test_users3bucket.py b/tests/api/views/test_users3bucket.py
index 0155044a8..92c8071a5 100644
--- a/tests/api/views/test_users3bucket.py
+++ b/tests/api/views/test_users3bucket.py
@@ -4,6 +4,7 @@
 
 # Third-party
 import pytest
+from django.conf import settings
 from rest_framework import status
 from rest_framework.reverse import reverse
 
@@ -44,72 +45,57 @@ def test_detail(client, users3buckets):
     assert response.data["access_level"] == "readonly"
 
 
-def test_create(client, buckets, users):
-    with patch(
-        "controlpanel.api.aws.AWSRole.grant_bucket_access"
-    ) as grant_bucket_access:
-        data = {
-            "user": users["other_user"].auth0_id,
-            "s3bucket": buckets[1].id,
-            "access_level": AppS3Bucket.READONLY,
-        }
-        response = client.post(reverse("users3bucket-list"), data)
-        assert response.status_code == status.HTTP_201_CREATED
-
-        users3bucket = UserS3Bucket.objects.get(
-            user=users["other_user"], s3bucket=buckets[1]
-        )
-
-        grant_bucket_access.assert_called_with(
-            users["other_user"].iam_role_name,
-            buckets[1].arn,
-            AppS3Bucket.READONLY,
-            users3bucket.resources,
-        )
-        # TODO get policy from call and assert bucket ARN exists
+def test_create(client, buckets, users, sqs, helpers):
+    data = {
+        "user": users["other_user"].auth0_id,
+        "s3bucket": buckets[1].id,
+        "access_level": AppS3Bucket.READONLY,
+    }
+    response = client.post(reverse("users3bucket-list"), data)
+    assert response.status_code == status.HTTP_201_CREATED
+
+    users3bucket = UserS3Bucket.objects.get(
+        user=users["other_user"], s3bucket=buckets[1]
+    )
+    messages = helpers.retrieve_messages(sqs, settings.IAM_QUEUE_NAME)
+    helpers.validate_task_with_sqs_messages(
+        messages, UserS3Bucket.__name__, users3bucket.id, settings.IAM_QUEUE_NAME
+    )
 
 
 def test_delete(client, users3buckets):
     with patch(
-        "controlpanel.api.aws.AWSRole.revoke_bucket_access"
+        "controlpanel.api.models.UserS3Bucket.revoke_bucket_access"
     ) as revoke_bucket_access:
         response = client.delete(reverse("users3bucket-detail", (users3buckets[1].id,)))
         assert response.status_code == status.HTTP_204_NO_CONTENT
 
-        revoke_bucket_access.assert_called_with(
-            users3buckets[1].user.iam_role_name,
-            users3buckets[1].s3bucket.arn,
-        )
-        # TODO get policy from call and assert bucket ARN not contained
+        revoke_bucket_access.assert_called_once()
 
         response = client.get(reverse("users3bucket-detail", (users3buckets[1].id,)))
         assert response.status_code == status.HTTP_404_NOT_FOUND
 
 
-def test_update(client, buckets, users, users3buckets):
-    with patch(
-        "controlpanel.api.aws.AWSRole.grant_bucket_access"
-    ) as grant_bucket_access:
-        data = {
-            "user": users["normal_user"].auth0_id,
-            "s3bucket": buckets[1].id,
-            "access_level": UserS3Bucket.READWRITE,
-        }
-        response = client.put(
-            reverse("users3bucket-detail", (users3buckets[1].id,)),
-            json.dumps(data),
-            content_type="application/json",
-        )
-        assert response.status_code == status.HTTP_200_OK
-        assert response.data["access_level"] == data["access_level"]
-
-        grant_bucket_access.assert_called_with(
-            users["normal_user"].iam_role_name,
-            buckets[1].arn,
-            UserS3Bucket.READWRITE,
-            users3buckets[1].resources,
-        )
-        # TODO get policy and assert ARN present in correct place
+def test_update(client, buckets, users, users3buckets, sqs, helpers):
+    data = {
+        "user": users["normal_user"].auth0_id,
+        "s3bucket": buckets[1].id,
+        "access_level": UserS3Bucket.READWRITE,
+    }
+    response = client.put(
+        reverse("users3bucket-detail", (users3buckets[1].id,)),
+        json.dumps(data),
+        content_type="application/json",
+    )
+    assert response.status_code == status.HTTP_200_OK
+    assert response.data["access_level"] == data["access_level"]
+    messages = helpers.retrieve_messages(sqs, settings.IAM_QUEUE_NAME)
+    users3bucket = UserS3Bucket.objects.get(
+        user=users["normal_user"], s3bucket=buckets[1]
+    )
+    helpers.validate_task_with_sqs_messages(
+        messages, UserS3Bucket.__name__, users3bucket.id, settings.IAM_QUEUE_NAME
+    )
 
 
 @pytest.mark.parametrize(
diff --git a/tests/conftest.py b/tests/conftest.py
index e65e9348e..d6452e085 100644
--- a/tests/conftest.py
+++ b/tests/conftest.py
@@ -116,3 +116,47 @@ def users(db, superuser, iam, managed_policy, airflow_dev_policy, airflow_prod_p
             auth0_id="github|user_3",
         ),
     }
+
+
+class Helpers:
+
+    @staticmethod
+    def validate_task_with_sqs_messages(
+        messages, entity_class, entity_id, queue_name=settings.DEFAULT_QUEUE,
+    ):
+        from controlpanel.api.models import Task
+        tasks_created = Task.objects.filter(
+            entity_class=entity_class, entity_id=entity_id, queue_name=queue_name
+        )
+        found_tasks_cnt = 0
+        tasks_cnt = 0
+        for task in tasks_created:
+            tasks_cnt += 1
+            for message in messages:
+                print(tasks_cnt, task.task_id, message["headers"]["id"])
+                if str(task.task_id) == message["headers"]["id"]:
+                    found_tasks_cnt += 1
+                    assert message["headers"]["task"] == task.task_name
+        assert len(message) > 0
+        assert tasks_cnt > 0
+        assert tasks_cnt == found_tasks_cnt
+
+    @staticmethod
+    def retrieve_messages(sqs, queue_name=settings.DEFAULT_QUEUE):
+        from controlpanel.api.message_broker import CeleryTaskMessage
+        queue = sqs.get_queue_by_name(QueueName=queue_name)
+        messages = queue.receive_messages(
+                MessageAttributeNames=['All'],
+                MaxNumberOfMessages=10
+            )
+        decoded_messages = []
+        for message in messages:
+            valid, message_body = CeleryTaskMessage.validate_message(message.body)
+            assert valid
+            decoded_messages.append(message_body)
+        return decoded_messages
+
+
+@pytest.fixture
+def helpers():
+    return Helpers
diff --git a/tests/frontend/test_forms.py b/tests/frontend/test_forms.py
index 544a463e3..db5510598 100644
--- a/tests/frontend/test_forms.py
+++ b/tests/frontend/test_forms.py
@@ -3,6 +3,7 @@
 
 # Third-party
 import pytest
+from django.core.exceptions import ValidationError
 
 # First-party/Local
 from controlpanel.api import aws
@@ -228,6 +229,28 @@ def test_create_new_datasource_folder_exists(root_folder_bucket):
     assert "Folder 'test-folder' already exists" in form.errors["name"]
 
 
+@pytest.mark.parametrize(
+    "path, expected_error",
+    [
+        ("noslash", "Enter paths prefixed with a forward slash"),
+        ("/trailingslash/", "Enter paths without a trailing forward slash"),
+        ("/valid", None),
+    ]
+)
+def test_grant_access_form_clean_paths(path, expected_error):
+    data = {
+        "paths": [path]
+    }
+    form = forms.GrantAccessForm()
+    form.cleaned_data = data
+
+    if expected_error:
+        with pytest.raises(ValidationError, match=expected_error):
+            form.clean_paths()
+    else:
+        assert form.clean_paths() == [path]
+
+
 def test_create_app_form_clean_repo_url():
     """
     Ensure the various states of a GitHub repository result in a valid form or
diff --git a/tests/frontend/views/test_app.py b/tests/frontend/views/test_app.py
index e3d6b207c..6c34ac3e9 100644
--- a/tests/frontend/views/test_app.py
+++ b/tests/frontend/views/test_app.py
@@ -482,9 +482,7 @@ def test_delete_customer_by_email(client, app, users, side_effect, expected_mess
 
 
 def test_github_error1_on_app_detail(client, app, users,):
-    with patch('django.conf.settings.features.app_migration.enabled') as feature_flag, \
-            patch("controlpanel.api.cluster.App.get_deployment_envs") as get_envs:
-        feature_flag.return_value = True
+    with patch("controlpanel.api.cluster.App.get_deployment_envs") as get_envs:
         error_msg = "Testing github error"
         get_envs.side_effect = requests.exceptions.HTTPError(error_msg)
         client.force_login(users["superuser"])
@@ -494,9 +492,7 @@ def test_github_error1_on_app_detail(client, app, users,):
 
 
 def test_github_error2_on_app_detail(client, app, users, repos):
-    with patch('django.conf.settings.features.app_migration.enabled') as feature_flag, \
-            patch("controlpanel.api.cluster.App.get_env_secrets") as get_secrets:
-        feature_flag.return_value = True
+    with patch("controlpanel.api.cluster.App.get_env_secrets") as get_secrets:
         error_msg = "Testing github secret error"
         get_secrets.side_effect = requests.exceptions.HTTPError(error_msg)
         client.force_login(users["superuser"])
@@ -506,10 +502,8 @@ def test_github_error2_on_app_detail(client, app, users, repos):
 
 
 def test_github_error3_on_app_detail(client, app, users, repos):
-    with patch('django.conf.settings.features.app_migration.enabled') as feature_flag, \
-            patch("controlpanel.api.cluster.App.get_env_secrets") as get_secrets, \
+    with patch("controlpanel.api.cluster.App.get_env_secrets") as get_secrets, \
             patch("controlpanel.api.cluster.App.get_env_vars") as get_env_vars:
-        feature_flag.return_value = True
         error_msg = "Testing github env error"
         get_secrets.return_value = [{"name": "testing_github_secret"}]
         get_env_vars.side_effect = requests.exceptions.HTTPError(error_msg)
@@ -520,49 +514,43 @@ def test_github_error3_on_app_detail(client, app, users, repos):
 
 
 def test_app_detail_display_all_envs(client, app, users, repos):
-    with patch('django.conf.settings.features.app_migration.enabled') as feature_flag:
-        feature_flag.return_value = True
-        client.force_login(users["superuser"])
-        response = detail(client, app)
-        assert response.status_code == 200
-
-        key_words_for_checks = [
-            "Deployment settings under dev_env",
-            "Deployment settings under prod_env",
-            cluster.App.IP_RANGES,
-            cluster.App.AUTH0_CLIENT_ID,
-            cluster.App.AUTH0_CLIENT_SECRET,
-            cluster.App.AUTH0_DOMAIN,
-            cluster.App.AUTH0_CONNECTIONS,
-            cluster.App.AUTHENTICATION_REQUIRED,
-            cluster.App.AUTH0_PASSWORDLESS,
-        ]
-        for key_word in key_words_for_checks:
-            assert key_word in str(response.content)
+    client.force_login(users["superuser"])
+    response = detail(client, app)
+    assert response.status_code == 200
+
+    key_words_for_checks = [
+        "Deployment settings under dev_env",
+        "Deployment settings under prod_env",
+        cluster.App.IP_RANGES,
+        cluster.App.AUTH0_CLIENT_ID,
+        cluster.App.AUTH0_CLIENT_SECRET,
+        cluster.App.AUTH0_DOMAIN,
+        cluster.App.AUTH0_CONNECTIONS,
+        cluster.App.AUTHENTICATION_REQUIRED,
+        cluster.App.AUTH0_PASSWORDLESS,
+    ]
+    for key_word in key_words_for_checks:
+        assert key_word in str(response.content)
 
 
 def test_app_detail_with_missing_auth_client(client, users, repos_for_missing_auth):
-    with patch('django.conf.settings.features.app_migration.enabled') as feature_flag:
-        feature_flag.return_value = True
-        app = mommy.make("api.App")
-        app.repo_url = "https://github.com/github_org/testing_repo_with_auth"
-        app.save()
+    app = mommy.make("api.App")
+    app.repo_url = "https://github.com/github_org/testing_repo_with_auth"
+    app.save()
 
-        client.force_login(users["superuser"])
-        response = detail(client, app)
-        btn_text = "Create auth0 client"
-        assert response.status_code == 200
-        assert btn_text in str(response.content)
+    client.force_login(users["superuser"])
+    response = detail(client, app)
+    btn_text = "Create auth0 client"
+    assert response.status_code == 200
+    assert btn_text in str(response.content)
 
 
 def test_app_detail_with_auth_client_redundant(client, users, app, repos_for_redundant_auth):
-    with patch('django.conf.settings.features.app_migration.enabled') as feature_flag:
-        feature_flag.return_value = True
-        client.force_login(users["superuser"])
-        response = detail(client, app)
-        btn_text = "Remove auth0 client"
-        assert response.status_code == 200
-        assert btn_text in str(response.content)
+    client.force_login(users["superuser"])
+    response = detail(client, app)
+    btn_text = "Remove auth0 client"
+    assert response.status_code == 200
+    assert btn_text in str(response.content)
 
 
 @pytest.fixture
@@ -585,17 +573,6 @@ def app_being_migrated(users):
     return app
 
 
-def test_app_description_display_old_app_info(client, app_being_migrated, users):
-    with patch('django.conf.settings.features.app_migration.enabled') as feature_flag:
-        feature_flag.return_value = True
-        client.force_login(users["superuser"])
-        response = detail(client, app_being_migrated)
-        assert response.status_code == 200
-        assert app_being_migrated.migration_info["app_name"] in str(response.content)
-        assert app_being_migrated.migration_info["repo_url"] in str(response.content)
-        assert app_being_migrated.migration_info["app_url"] in str(response.content)
-
-
 def get_auth_settings(content, env_name):
     soup = BeautifulSoup(content, "html.parser")
     setting_panel = soup.find("section", {"class": f"{env_name}-settings-panel"})
@@ -610,92 +587,86 @@ def locate_setting_ui(settings, setting_name):
 
 
 def test_app_detail_with_auth_on(client, app, users, repos_with_auth):
-    with patch('django.conf.settings.features.app_migration.enabled') as feature_flag:
-        feature_flag.return_value = True
-        client.force_login(users["superuser"])
-        response = detail(client, app)
-        assert response.status_code == 200
-        auth_settings = get_auth_settings(response.content, 'dev_env')
-        settings_for_checks = [
-            {"n": cluster.App.IP_RANGES,
-             "v": app.env_allowed_ip_ranges_names('dev_env'),
-             "e": True},
-            {"n": cluster.App.AUTH0_CLIENT_ID,
-             "v": settings.SECRET_DISPLAY_VALUE,
-             "e": False},
-            {"n": cluster.App.AUTH0_CLIENT_SECRET,
-             "v": settings.SECRET_DISPLAY_VALUE,
-             "e": False},
-            {"n": cluster.App.AUTH0_CONNECTIONS, "v": "[]", "e": True},
-            {"n": cluster.App.AUTH0_DOMAIN, "v": "http://testing", "e": False},
-            {"n": cluster.App.AUTH0_PASSWORDLESS, "v": "False", "e": False},
-            {"n": cluster.App.AUTHENTICATION_REQUIRED, "v": "True", "e": True},
-        ]
-        for item in settings_for_checks:
-            auth_item_ui = locate_setting_ui(auth_settings, item['n'])
-            if not auth_item_ui:
-                continue
-            assert item['v'] in auth_item_ui.text
-            if item['e']:
-                assert 'Edit' in auth_item_ui.text
-            else:
-                assert 'Edit' not in auth_item_ui.text
+    client.force_login(users["superuser"])
+    response = detail(client, app)
+    assert response.status_code == 200
+    auth_settings = get_auth_settings(response.content, 'dev_env')
+    settings_for_checks = [
+        {"n": cluster.App.IP_RANGES,
+         "v": app.env_allowed_ip_ranges_names('dev_env'),
+         "e": True},
+        {"n": cluster.App.AUTH0_CLIENT_ID,
+         "v": settings.SECRET_DISPLAY_VALUE,
+         "e": False},
+        {"n": cluster.App.AUTH0_CLIENT_SECRET,
+         "v": settings.SECRET_DISPLAY_VALUE,
+         "e": False},
+        {"n": cluster.App.AUTH0_CONNECTIONS, "v": "[]", "e": True},
+        {"n": cluster.App.AUTH0_DOMAIN, "v": "http://testing", "e": False},
+        {"n": cluster.App.AUTH0_PASSWORDLESS, "v": "False", "e": False},
+        {"n": cluster.App.AUTHENTICATION_REQUIRED, "v": "True", "e": True},
+    ]
+    for item in settings_for_checks:
+        auth_item_ui = locate_setting_ui(auth_settings, item['n'])
+        if not auth_item_ui:
+            continue
+        assert item['v'] in auth_item_ui.text
+        if item['e']:
+            assert 'Edit' in auth_item_ui.text
+        else:
+            assert 'Edit' not in auth_item_ui.text
 
 
 def test_app_detail_with_auth_off(client, app, users, repos_for_no_auth):
-    with patch('django.conf.settings.features.app_migration.enabled') as feature_flag:
-        feature_flag.return_value = True
-        client.force_login(users["superuser"])
-        response = detail(client, app)
-        assert response.status_code == 200
+    client.force_login(users["superuser"])
+    response = detail(client, app)
+    assert response.status_code == 200
+
+    settings_no_displayed = [
+        cluster.App.AUTH0_DOMAIN,
+        cluster.App.AUTH0_CLIENT_ID,
+        cluster.App.AUTH0_CLIENT_SECRET,
+        cluster.App.AUTH0_CONNECTIONS,
+        cluster.App.AUTH0_PASSWORDLESS,
+    ]
 
-        settings_no_displayed = [
-            cluster.App.AUTH0_DOMAIN,
-            cluster.App.AUTH0_CLIENT_ID,
-            cluster.App.AUTH0_CLIENT_SECRET,
-            cluster.App.AUTH0_CONNECTIONS,
-            cluster.App.AUTH0_PASSWORDLESS,
-        ]
-
-        auth_settings = get_auth_settings(response.content, 'dev_env')
-        for item in settings_no_displayed:
-            auth_item_ui = locate_setting_ui(auth_settings, item)
-            assert auth_item_ui is None
-
-        settings_for_checks = [
-            {"n": cluster.App.IP_RANGES,
-             "v": app.env_allowed_ip_ranges_names('dev_env'),
-             "e": True},
-            {"n": cluster.App.AUTHENTICATION_REQUIRED, "v": "False", "e": True},
-        ]
-        for item in settings_for_checks:
-            auth_item_ui = locate_setting_ui(auth_settings, item['n'])
-            if not auth_item_ui:
-                continue
-            assert item['v'] in auth_item_ui.text
-            assert 'Edit' in auth_item_ui.text
+    auth_settings = get_auth_settings(response.content, 'dev_env')
+    for item in settings_no_displayed:
+        auth_item_ui = locate_setting_ui(auth_settings, item)
+        assert auth_item_ui is None
+
+    settings_for_checks = [
+        {"n": cluster.App.IP_RANGES,
+         "v": app.env_allowed_ip_ranges_names('dev_env'),
+         "e": True},
+        {"n": cluster.App.AUTHENTICATION_REQUIRED, "v": "False", "e": True},
+    ]
+    for item in settings_for_checks:
+        auth_item_ui = locate_setting_ui(auth_settings, item['n'])
+        if not auth_item_ui:
+            continue
+        assert item['v'] in auth_item_ui.text
+        assert 'Edit' in auth_item_ui.text
 
 
 def test_app_detail_with_self_define_settings(client, app, users, repos):
-    with patch('django.conf.settings.features.app_migration.enabled') as feature_flag:
-        feature_flag.return_value = True
-        client.force_login(users["superuser"])
-        response = detail(client, app)
-        assert response.status_code == 200
+    client.force_login(users["superuser"])
+    response = detail(client, app)
+    assert response.status_code == 200
 
-        auth_settings = get_auth_settings(response.content, 'dev_env')
-        settings_for_checks = [
-            {"n": "PARAM_SECRET", "v": settings.SECRET_DISPLAY_VALUE},
-            {"n": "PARAM_VAR", "v": "test_var"},
-        ]
-        for item in settings_for_checks:
-            auth_item_ui = locate_setting_ui(auth_settings, item['n'])
-            if not auth_item_ui:
-                continue
-            setting_link = auth_item_ui.findAll("a")[0]["href"]
-            assert f"{settings.APP_SELF_DEFINE_SETTING_PREFIX}{item['n']}" in setting_link
-            assert item['v'] in auth_item_ui.text
-            assert 'Edit' in auth_item_ui.text
+    auth_settings = get_auth_settings(response.content, 'dev_env')
+    settings_for_checks = [
+        {"n": "PARAM_SECRET", "v": settings.SECRET_DISPLAY_VALUE},
+        {"n": "PARAM_VAR", "v": "test_var"},
+    ]
+    for item in settings_for_checks:
+        auth_item_ui = locate_setting_ui(auth_settings, item['n'])
+        if not auth_item_ui:
+            continue
+        setting_link = auth_item_ui.findAll("a")[0]["href"]
+        assert f"{settings.APP_SELF_DEFINE_SETTING_PREFIX}{item['n']}" in setting_link
+        assert item['v'] in auth_item_ui.text
+        assert 'Edit' in auth_item_ui.text
 
 
 @pytest.mark.parametrize(
@@ -706,36 +677,34 @@ def test_app_detail_with_self_define_settings(client, app, users, repos):
     ],
 )
 def test_app_settings_permission(client, app, users, repos_with_auth, user, can_edit_connections):
-    with patch('django.conf.settings.features.app_migration.enabled') as feature_flag:
-        feature_flag.return_value = True
-        client.force_login(users[user])
-        response = detail(client, app)
-        assert response.status_code == 200
-        auth_settings = get_auth_settings(response.content, 'dev_env')
-        settings_for_checks = [
-            {"n": cluster.App.IP_RANGES,
-             "v": app.env_allowed_ip_ranges_names('dev_env'),
-             "e": True},
-            {"n": cluster.App.AUTH0_CLIENT_ID,
-             "v": settings.SECRET_DISPLAY_VALUE,
-             "e": False},
-            {"n": cluster.App.AUTH0_CLIENT_SECRET,
-             "v": settings.SECRET_DISPLAY_VALUE,
-             "e": False},
-            {"n": cluster.App.AUTH0_CONNECTIONS, "v": "[]", "e": can_edit_connections},
-            {"n": cluster.App.AUTH0_DOMAIN, "v": "http://testing", "e": False},
-            {"n": cluster.App.AUTH0_PASSWORDLESS, "v": "False", "e": False},
-            {"n": cluster.App.AUTHENTICATION_REQUIRED, "v": "True", "e": True},
-        ]
-        for item in settings_for_checks:
-            auth_item_ui = locate_setting_ui(auth_settings, item['n'])
-            if not auth_item_ui:
-                continue
-            assert item['v'] in auth_item_ui.text
-            if item['e']:
-                assert 'Edit' in auth_item_ui.text
-            else:
-                assert 'Edit' not in auth_item_ui.text
+    client.force_login(users[user])
+    response = detail(client, app)
+    assert response.status_code == 200
+    auth_settings = get_auth_settings(response.content, 'dev_env')
+    settings_for_checks = [
+        {"n": cluster.App.IP_RANGES,
+         "v": app.env_allowed_ip_ranges_names('dev_env'),
+         "e": True},
+        {"n": cluster.App.AUTH0_CLIENT_ID,
+         "v": settings.SECRET_DISPLAY_VALUE,
+         "e": False},
+        {"n": cluster.App.AUTH0_CLIENT_SECRET,
+         "v": settings.SECRET_DISPLAY_VALUE,
+         "e": False},
+        {"n": cluster.App.AUTH0_CONNECTIONS, "v": "[]", "e": can_edit_connections},
+        {"n": cluster.App.AUTH0_DOMAIN, "v": "http://testing", "e": False},
+        {"n": cluster.App.AUTH0_PASSWORDLESS, "v": "False", "e": False},
+        {"n": cluster.App.AUTHENTICATION_REQUIRED, "v": "True", "e": True},
+    ]
+    for item in settings_for_checks:
+        auth_item_ui = locate_setting_ui(auth_settings, item['n'])
+        if not auth_item_ui:
+            continue
+        assert item['v'] in auth_item_ui.text
+        if item['e']:
+            assert 'Edit' in auth_item_ui.text
+        else:
+            assert 'Edit' not in auth_item_ui.text
 
 
 def test_register_app_with_creating_datasource(client, users):
diff --git a/tests/frontend/views/test_datasource.py b/tests/frontend/views/test_datasource.py
index 99951ef52..2f4a892ac 100644
--- a/tests/frontend/views/test_datasource.py
+++ b/tests/frontend/views/test_datasource.py
@@ -3,7 +3,8 @@
 
 # Third-party
 import pytest
-from django.urls import reverse
+from django.conf import settings
+from django.urls import reverse, reverse_lazy
 from model_mommy import mommy
 from rest_framework import status
 
@@ -101,9 +102,10 @@ def list_all(client, *args):
     return client.get(reverse("list-all-datasources"))
 
 
-def detail(client, buckets, *args):
+def detail(client, buckets, *args, bucket=None):
+    bucket = bucket or buckets["warehouse1"]
     return client.get(
-        reverse("manage-datasource", kwargs={"pk": buckets["warehouse1"].id})
+        reverse("manage-datasource", kwargs={"pk": bucket.id})
     )
 
 
@@ -115,9 +117,10 @@ def create(client, *args, **kwargs):
     return client.post(reverse("create-datasource") + "?type=warehouse", data)
 
 
-def delete(client, buckets, *args):
-    return client.delete(
-        reverse("delete-datasource", kwargs={"pk": buckets["warehouse1"].id})
+def delete(client, buckets, *args, bucket=None):
+    bucket = bucket or buckets["warehouse1"]
+    return client.post(
+        reverse("delete-datasource", kwargs={"pk": bucket.id})
     )
 
 
@@ -175,13 +178,14 @@ def revoke_access(client, users3buckets, *args):
     )
 
 
-def grant_access(client, users3buckets, users, *args):
+def grant_access(client, users3buckets, users, **kwargs):
     data = {
         "access_level": UserS3Bucket.READWRITE,
         "is_admin": False,
         "entity_id": users["other_user"].auth0_id,
         "entity_type": "user",
     }
+    data.update(**kwargs)
     return client.post(
         reverse(
             "grant-datasource-access",
@@ -212,23 +216,24 @@ def test_access_permissions(client, users3buckets, users, view, user, expected_s
 
 
 @pytest.mark.parametrize(
-    "view,user,expected_count",
+    "view,user,expected_count,show_deleted",
     [
-        (list_warehouse, "superuser", 0),
-        (list_warehouse, "normal_user", 0),
-        (list_warehouse, "bucket_viewer", 1),
-        (list_warehouse, "bucket_admin", 2),
-        (list_app_data, "superuser", 0),
-        (list_app_data, "normal_user", 0),
-        (list_app_data, "bucket_viewer", 1),
-        (list_app_data, "bucket_admin", 2),
-        (list_all, "superuser", 5),
+        (list_warehouse, "superuser", 0, False),
+        (list_warehouse, "normal_user", 0, False),
+        (list_warehouse, "bucket_viewer", 1, False),
+        (list_warehouse, "bucket_admin", 2, False),
+        (list_app_data, "superuser", 0, False),
+        (list_app_data, "normal_user", 0, False),
+        (list_app_data, "bucket_viewer", 1, False),
+        (list_app_data, "bucket_admin", 2, False),
+        (list_all, "superuser", 5, True),
     ],
 )
-def test_list(client, buckets, users, view, user, expected_count):
+def test_list(client, buckets, users, view, user, expected_count, show_deleted):
     client.force_login(users[user])
     response = view(client, buckets, users)
     assert len(response.context_data["object_list"]) == expected_count
+    assert ("deleted_datasources" in response.context_data) is show_deleted
 
 
 @pytest.mark.parametrize(
@@ -273,7 +278,11 @@ def test_list_other_datasources_admins(client, buckets, users):
     assert other_datasources_admins[buckets["other"].id] == []
 
 
-def test_bucket_creator_has_readwrite_and_admin_access(client, users):
+@patch("controlpanel.api.models.users3bucket.tasks.S3BucketGrantToUser")
+@patch("controlpanel.api.models.s3bucket.tasks.S3BucketCreate")
+def test_bucket_creator_has_readwrite_and_admin_access(
+    create_bucket_task, grant_user_task, client, users
+):
     user = users["normal_user"]
     client.force_login(user)
     create(client)
@@ -281,48 +290,67 @@ def test_bucket_creator_has_readwrite_and_admin_access(client, users):
     ub = user.users3buckets.all()[0]
     assert ub.access_level == UserS3Bucket.READWRITE
     assert ub.is_admin
+    create_bucket_task.assert_called_once()
+    grant_user_task.assert_called_once()
 
 
 @pytest.mark.parametrize(
-    "enabled, form_class",
+    "folders_enabled, datasource_type, form_class",
     [
-        (False, CreateDatasourceForm),
-        (True, CreateDatasourceFolderForm),
+        (False, "", CreateDatasourceForm),
+        (False, "webapp", CreateDatasourceForm),
+        (True, "webapp", CreateDatasourceForm),
+        (True, "", CreateDatasourceFolderForm),
     ]
 )
-def test_create_get_form_class(enabled, form_class):
+def test_create_get_form_class(rf, folders_enabled, datasource_type, form_class):
+    request = rf.get(f"/?type={datasource_type}")
     with patch("django.conf.settings.features.s3_folders") as s3_folders:
-        s3_folders.enabled = enabled
+        s3_folders.enabled = folders_enabled
         view = CreateDatasource()
+        view.request = request
 
         assert view.get_form_class() == form_class
 
 
+@patch("controlpanel.api.models.users3bucket.tasks.S3BucketGrantToUser")
+@patch("controlpanel.api.models.s3bucket.tasks.S3BucketCreate")
 @patch("django.conf.settings.features.s3_folders.enabled", True)
-def test_create_folders(client, users, root_folder_bucket):
+@pytest.mark.parametrize("user", ["superuser", "normal_user", "other_user"])
+def test_create_folders(
+    create_bucket_task, grant_user_task, user, client, users, root_folder_bucket
+):
     """
     Check that all users can create a folder datasource
     """
-    for _, user in users.items():
-        client.force_login(user)
-        folder_name = f"test-{user.username}-folder"
-        response = create(client, name=folder_name)
-
-        # redirect expected on success
-        assert response.status_code == 302
-        assert user.users3buckets.filter(
-            s3bucket__name=f"{root_folder_bucket.name}/{folder_name}"
-        ).exists()
-
-        # create another folder to catch any errors updating IAM policy
-        folder_name = f"test-{user.username}-folder-2"
-        response = create(client, name=folder_name)
+    user = users[user]
+    client.force_login(user)
+    folder_name = f"test-{user.username}-folder"
+    response = create(client, name=folder_name)
 
-        # redirect expected on success
-        assert response.status_code == 302
-        assert user.users3buckets.filter(
-            s3bucket__name=f"{root_folder_bucket.name}/{folder_name}"
-        ).exists()
+    # redirect expected on success
+    assert response.status_code == 302
+    assert user.users3buckets.filter(
+        s3bucket__name=f"{root_folder_bucket.name}/{folder_name}"
+    ).exists()
+    # make sure tasks are sent
+    create_bucket_task.assert_called_once()
+    grant_user_task.assert_called_once()
+
+    # create another folder to catch any errors updating IAM policy
+    create_bucket_task.reset_mock()
+    grant_user_task.reset_mock()
+    folder_name = f"test-{user.username}-folder-2"
+    response = create(client, name=folder_name)
+
+    # redirect expected on success
+    assert response.status_code == 302
+    assert user.users3buckets.filter(
+        s3bucket__name=f"{root_folder_bucket.name}/{folder_name}"
+    ).exists()
+    # tasks to create are sent again for the second folder
+    create_bucket_task.assert_called_once()
+    grant_user_task.assert_called_once()
 
 
 @patch("django.conf.settings.features.s3_folders.enabled", False)
@@ -350,3 +378,84 @@ def test_create_folder_name_greater_than_63_succeeds(client, users, root_folder_
     assert S3Bucket.objects.filter(
         name=f"{root_folder_bucket.name}/{name}"
     ).exists() is True
+
+
+@pytest.mark.parametrize(
+    "kwargs",
+    [
+        {"paths": ["/invalidpath/"]},
+        {"entity_id": ""},
+    ]
+)
+def test_grant_access_invalid_form(client, users3buckets, users, kwargs):
+    """
+    Regression test to check that the page renders when the form is invalid
+    """
+    client.force_login(users["superuser"])
+    response = grant_access(client, users3buckets, users, **kwargs)
+
+    assert response.status_code == 200
+    assert response.context_data["form"].is_valid() is False
+
+
+@pytest.mark.parametrize(
+    "bucket, success_url",
+    [
+        ("warehouse1", reverse_lazy("list-warehouse-datasources")),
+        ("app_data1", reverse_lazy("list-webapp-datasources")),
+    ]
+)
+def test_delete_calls_soft_delete(
+    client, buckets, users, bucket, success_url, sqs, helpers,
+):
+    admin = users["bucket_admin"]
+    bucket = buckets[bucket]
+
+    client.force_login(admin)
+    response = delete(client, buckets, bucket=bucket)
+    bucket.refresh_from_db()
+
+    assert bucket.pk is not None
+    assert bucket.is_deleted is True
+    assert bucket.deleted_by == admin
+    assert bucket.deleted_at is not None
+    assert response.url == success_url
+
+    messages = helpers.retrieve_messages(sqs, queue_name=settings.S3_QUEUE_NAME)
+    helpers.validate_task_with_sqs_messages(
+        messages, S3Bucket.__name__, bucket.id, queue_name=settings.S3_QUEUE_NAME,
+    )
+
+
+@pytest.mark.parametrize(
+    "user, bucket, expected_status",
+    [
+        ("superuser", "app_data1", status.HTTP_200_OK),
+        ("superuser", "app_data2", status.HTTP_200_OK),
+        ("superuser", "warehouse1", status.HTTP_200_OK),
+        ("superuser", "warehouse2", status.HTTP_200_OK),
+        ("superuser", "other", status.HTTP_200_OK),
+        ("bucket_viewer", "app_data1", status.HTTP_404_NOT_FOUND),
+        ("bucket_viewer", "app_data2", status.HTTP_404_NOT_FOUND),
+        ("bucket_viewer", "warehouse1", status.HTTP_404_NOT_FOUND),
+        ("bucket_viewer", "warehouse2", status.HTTP_404_NOT_FOUND),
+        ("bucket_viewer", "other", status.HTTP_404_NOT_FOUND),
+        ("bucket_admin", "app_data1", status.HTTP_404_NOT_FOUND),
+        ("bucket_admin", "app_data2", status.HTTP_404_NOT_FOUND),
+        ("bucket_admin", "warehouse1", status.HTTP_404_NOT_FOUND),
+        ("bucket_admin", "warehouse2", status.HTTP_404_NOT_FOUND),
+        ("bucket_admin", "other", status.HTTP_404_NOT_FOUND),
+
+    ]
+)
+def test_detail_for_deleted_datasource(
+    client, buckets, users, user, bucket, expected_status
+):
+    user = users[user]
+    bucket = buckets[bucket]
+    bucket.soft_delete(deleted_by=user)
+
+    client.force_login(user)
+    response = detail(client, user, bucket=bucket)
+
+    assert response.status_code == expected_status