diff --git a/backend/audit/file_downloads.py b/backend/audit/file_downloads.py
index 0c57564c9a..c64668155f 100644
--- a/backend/audit/file_downloads.py
+++ b/backend/audit/file_downloads.py
@@ -28,7 +28,7 @@ def file_exists(filename):
         region_name=settings.AWS_S3_PRIVATE_REGION_NAME,
         aws_access_key_id=settings.AWS_PRIVATE_ACCESS_KEY_ID,
         aws_secret_access_key=settings.AWS_PRIVATE_SECRET_ACCESS_KEY,
-        endpoint_url=settings.AWS_S3_PRIVATE_ENDPOINT,
+        endpoint_url=settings.AWS_S3_PRIVATE_INTERNAL_ENDPOINT,
         config=Config(signature_version="s3v4"),
     )
 
diff --git a/backend/config/settings.py b/backend/config/settings.py
index a291be178a..a8b52f2af8 100644
--- a/backend/config/settings.py
+++ b/backend/config/settings.py
@@ -257,6 +257,9 @@
     )
 
     AWS_S3_ENDPOINT_URL = AWS_S3_PRIVATE_ENDPOINT
+
+    # when running locally, the internal endpoint (docker network) is different from the external endpoint (host network)
+    AWS_S3_PRIVATE_INTERNAL_ENDPOINT = AWS_S3_ENDPOINT_URL
     AWS_S3_PRIVATE_EXTERNAL_ENDPOINT = "http://localhost:9001"
 
     DISABLE_AUTH = env.bool("DISABLE_AUTH", default=False)
@@ -309,6 +312,9 @@
 
             AWS_S3_PRIVATE_ENDPOINT = s3_creds["endpoint"]
             AWS_S3_ENDPOINT_URL = f"https://{AWS_S3_PRIVATE_ENDPOINT}"
+
+            # in deployed environments, the internal & external endpoint URLs are the same
+            AWS_S3_PRIVATE_INTERNAL_ENDPOINT = AWS_S3_ENDPOINT_URL
             AWS_S3_PRIVATE_EXTERNAL_ENDPOINT = AWS_S3_ENDPOINT_URL
 
             AWS_PRIVATE_LOCATION = "static"