Amazon S3 Glacier Vault Lock | Overview.

Amazon S3 Glacier Vault Lock - Overview.

Scope:

•  Intro,
•  Key Features,
•  S3 Glacier Vault vs. S3 Glacier Flexible Retrieval (objects),
•  How Vault Lock Works,
•  Sample – JSON Vault Lock Policy,
•  Steps to Use Glacier Vault Lock (Step-by-Step),
•  Considerations.

Intro:

• S3 Glacier Vault Lock is a compliance and security feature that allows twtwch to enforce write-once-read-many (WORM) policies on data stored in Amazon S3 Glacier or Glacier Deep Archive.
• Once twtech sets a Vault Lock policy, (place and finalized), it cannot be later changed.
• Even AWS account administrators cannot delete or modify the protected data.
• These benefits are especially useful for regulatory and legal compliance (e.g., SEC Rule 17a-4, HIPAA).

 Key Features

Feature	Description
WORM enforcement	Once data is written, it cannot be altered or deleted.
Vault Lock policy	A custom policy that enforces retention rules and access controls.
Compliance	Helps meet regulatory requirements such as SEC, FINRA, HIPAA.
Immutable	Once locked, even AWS root cannot delete or modify data early.

 S3 Glacier Vault vs. S3 Glacier Flexible Retrieval (objects)

• Vault Lock applies to Glacier Vaults, not individual objects.
• It's a different model from using S3 buckets with S3 Object Lock (which is used in S3 Standard/IA/Glacier via S3 buckets).

 How Vault Lock Works

1. Initiate the Vault Lock:
• Propose a Vault Lock policy using InitiateVaultLock.
2. Test it (optional):
• twtech can test the policy during the in-progress phase.
3. Complete the lock:
• Use CompleteVaultLock to finalize the policy.
• After this, the policy is immutable (Unchangeable).

Sample – JSON Vault Lock Policy

# json

{

  "Version": "2012-10-17",

  "Statement": [

    {

      "Sid": "twtechPreventDeletes",

      "Effect": "Deny",

      "Principal": "*",

      "Action": "glacier:DeleteArchive",

      "Resource": "*"

    }

  ]

}

NB:

• This denies everyone the ability to delete archives from the vault.

 Steps to Use Glacier Vault Lock

1.  Create a Vault (via AWS CLI, SDK, or Console)
2.  Initiate the lock:

#  bash

 

aws glacier initiate-vault-lock --account-id - --vault-name twtech-vault --policy file://policy.json

3. Check Lock Status (optional):

# bash

 

aws glacier get-vault-lock --account-id - --vault-name twtech-vault

4. Complete the lock:

# bash

 

aws glacier complete-vault-lock --account-id - --vault-name twteeh-vault --lock-id <twtech-lock-id>

NB:

• Once completed, the Vault Lock is permanent.

 Vault Lock vs. S3 Object Lock

Feature	S3 Object Lock	S3 Glacier Vault Lock
Applies to	Individual objects	Entire vault
Services	S3 (Standard, IA, Glacier)	Glacier only
Use case	Per-object WORM	Vault-wide WORM
Modifiable	Configurable per object	Immutable after lock

twtech  Considerations

• it is called, CompleteVaultLock, the lock cannot be reversed.
• The vault policy affects all archives in that vault.
• Pricing: Retrievals and storage fees still apply under Glacier’s pricing model.
• Vault Lock does not encrypt data – twtech uses S3 encryption settings if needed.
• Once completed, the Vault Lock is permanent (policy is immutable ... meaning Unchangeable).