diff --git a/Dockerfile b/Dockerfile
index c6edf69..1a19acf 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -399,9 +399,17 @@ COPY --from=builder-build-platform /usr/lib/node_modules/ /usr/lib/node_modules/
 # correctly discovered by node.
 RUN ln -sv /usr/lib/node_modules/auspice/auspice.js /usr/local/bin/auspice
 
+# Setup a non-root user for optional use
+RUN useradd nextstrain \
+ --system \
+ --user-group \
+ --shell /bin/bash \
+ --home-dir /nextstrain \
+ --no-log-init
+
 # Add Nextstrain components
-COPY --from=builder-build-platform /nextstrain /nextstrain
-COPY --from=builder-target-platform /nextstrain /nextstrain
+COPY --from=builder-build-platform --chown=nextstrain:nextstrain /nextstrain /nextstrain
+COPY --from=builder-target-platform --chown=nextstrain:nextstrain /nextstrain /nextstrain
 
 # Add our entrypoints and helpers
 COPY entrypoint entrypoint-aws-batch drop-privs create-envd delete-envd /sbin/
@@ -411,14 +419,6 @@ RUN chmod a+rx /sbin/entrypoint* /sbin/drop-privs /sbin/{create,delete}-envd
 RUN chmod a+rwXt /nextstrain
 ENV HOME=/nextstrain
 
-# Setup a non-root user for optional use
-RUN useradd nextstrain \
- --system \
- --user-group \
- --shell /bin/bash \
- --home-dir /nextstrain \
- --no-log-init
-
 # No nesting of runtimes, please. Use the ambient runtime inside this runtime.
 ENV NEXTSTRAIN_HOME=/nextstrain
 RUN nextstrain check-setup --set-default ambient \
diff --git a/entrypoint-aws-batch b/entrypoint-aws-batch
index a56371c..7e693c2 100755
--- a/entrypoint-aws-batch
+++ b/entrypoint-aws-batch
@@ -8,7 +8,7 @@ set -x
 case "$NEXTSTRAIN_AWS_BATCH_WORKDIR_URL" in
 s3://*.zip)
 aws s3 cp --no-progress "$NEXTSTRAIN_AWS_BATCH_WORKDIR_URL" "$PWD.zip"
- unzip "$PWD.zip"
+ unzip -: -o "$PWD.zip"
 ;;
 s3://*)
 # Note that this doesn't preserve file permissions/modes.
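Review bot: The relocated `useradd` block now has an ordering dependency that its comment does not record: the two `COPY --chown=nextstrain:nextstrain` lines below it resolve the user and group by name from this stage's /etc/passwd and /etc/group, so moving the block back down would break the build. I would extend the comment to `# Setup a non-root user for optional use; must precede the COPY --chown lines below, which look up nextstrain:nextstrain by name`. It is also worth stating next to the COPY lines that everything under /nextstrain becomes writable by the unprivileged user, which matters if any of it is later executed by root; whether that happens is not visible in this hunk.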
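Review bot: On the new `unzip -: -o "$PWD.zip"` line, `-:` switches off unzip's refusal to write members whose paths climb out of the extraction directory via `../`, and `-o` makes every such write overwrite silently, but the line carries no comment saying why either is needed. The archive is whatever sits at `$NEXTSTRAIN_AWS_BATCH_WORKDIR_URL`, so anyone able to write that S3 object can place files anywhere the entrypoint's user can write; which user that is cannot be seen from this hunk. I would add a comment such as `# -: allows ../ members (needed for <reason>); archive is trusted only as far as write access to the S3 location is restricted`. I would also consider listing the members first with `unzip -Z1 "$PWD.zip"` and refusing absolute names or names that resolve outside the intended parent directory. The `case` statement continues past the end of the hunk.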