Amazon S3 Glacier Vault Lock.
S3 Glacier Vault Lock is a compliance and security feature that allows twtech to enforce write-once-read-many (WORM) policies on data stored in Amazon S3 Glacier or Glacier Deep Archive.
Once a Vault Lock policy is in place and finalized, it cannot be changed, and even AWS account administrators cannot delete or modify the protected data. This is especially useful for regulatory and legal compliance (e.g., SEC Rule 17a-4, HIPAA).
Key Features
| Feature | Description |
| --- | --- |
| WORM enforcement | Once data is written, it cannot be altered or deleted. |
| Vault Lock policy | A custom policy that enforces retention rules and access controls. |
| Compliance | Helps meet regulatory requirements such as SEC, FINRA, HIPAA. |
| Immutable | Once locked, even AWS root cannot delete or modify data early. |
S3 Glacier Vault vs. S3 Glacier Flexible Retrieval (objects)
- Vault Lock applies to Glacier Vaults, not individual objects.
- It's a different model from S3 Object Lock, which applies to objects in S3 buckets (S3 Standard, IA, and the S3 Glacier storage classes).
How Vault Lock Works
- Initiate the Vault Lock:
  - Propose a Vault Lock policy using InitiateVaultLock.
- Test it (optional):
  - twtech can test the policy during the in-progress phase.
- Complete the lock:
  - Use CompleteVaultLock to finalize the policy.
  - After this, the policy is immutable.
Example – JSON Vault Lock Policy
# json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PreventDeletes",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "glacier:DeleteArchive",
      "Resource": "*"
    }
  ]
}
This denies everyone the ability to delete archives from the vault.
Steps to Use Glacier Vault Lock
- Create a vault (via AWS CLI, SDK, or Console).
- Initiate the lock:
# bash
aws glacier initiate-vault-lock --account-id - --vault-name twtech-vault --policy file://policy.json
- Check the lock status (optional):
# bash
aws glacier get-vault-lock --account-id - --vault-name twtech-vault
- Complete the lock:
# bash
aws glacier complete-vault-lock --account-id - --vault-name twtech-vault --lock-id <twtech-lock-id>
Once completed, the Vault Lock is permanent.
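The same initiate / check / complete procedure as an added example in Python (not code from the original post), using the in-progress window to confirm that the policy AWS actually attached is the one proposed, and that it really denies glacier:DeleteArchive, before CompleteVaultLock makes it permanent. The call names and argument shapes are those of boto3's Glacier client; FakeGlacierClient is a constructed offline stand-in with the same four calls so the flow runs without an AWS account, and twtech-vault is the vault name from the CLI steps above.

```python
import json

ACCOUNT_ID = "-"  # "-" means the calling account, as in the CLI examples above


def policy_denies_delete(policy_doc):
    """True if a Deny statement for all principals covers glacier:DeleteArchive."""
    for stmt in policy_doc.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if (stmt.get("Effect") == "Deny" and stmt.get("Principal") in ("*", {"AWS": "*"})
                and any(a in ("glacier:DeleteArchive", "glacier:*") for a in actions)):
            return True
    return False


def lock_vault(client, vault_name, policy_doc):
    """Initiate -> verify -> complete. Returns "Rejected", "Aborted" or "Locked"."""
    if not policy_denies_delete(policy_doc):
        return "Rejected"  # never start a lock that would not enforce WORM
    # Like the CLI's --policy argument, the API wants {"Policy": "<policy as a JSON string>"}.
    resp = client.initiate_vault_lock(accountId=ACCOUNT_ID, vaultName=vault_name,
                                      policy={"Policy": json.dumps(policy_doc)})
    # In-progress window: compare what AWS actually attached with what we proposed.
    status = client.get_vault_lock(accountId=ACCOUNT_ID, vaultName=vault_name)
    if status["State"] != "InProgress" or json.loads(status["Policy"]) != policy_doc:
        client.abort_vault_lock(accountId=ACCOUNT_ID, vaultName=vault_name)
        return "Aborted"
    # Point of no return: after this call the policy can never be changed or removed.
    client.complete_vault_lock(accountId=ACCOUNT_ID, vaultName=vault_name, lockId=resp["lockId"])
    return client.get_vault_lock(accountId=ACCOUNT_ID, vaultName=vault_name)["State"]


class FakeGlacierClient:
    """Constructed offline stand-in for boto3's Glacier client (same four call shapes)."""
    def __init__(self, tamper=False):
        self.tamper, self.locks = tamper, {}  # tamper=True: simulate a mismatched attached policy
    def initiate_vault_lock(self, accountId, vaultName, policy):
        stored = '{"Version": "2012-10-17", "Statement": []}' if self.tamper else policy["Policy"]
        self.locks[vaultName] = {"Policy": stored, "State": "InProgress", "lockId": "lock-1"}
        return {"lockId": "lock-1"}
    def get_vault_lock(self, accountId, vaultName):
        return {k: v for k, v in self.locks[vaultName].items() if k != "lockId"}
    def abort_vault_lock(self, accountId, vaultName):
        del self.locks[vaultName]
    def complete_vault_lock(self, accountId, vaultName, lockId):
        assert lockId == self.locks[vaultName]["lockId"]
        self.locks[vaultName]["State"] = "Locked"


VAULT_LOCK_POLICY = {"Version": "2012-10-17", "Statement": [{"Sid": "PreventDeletes",
    "Effect": "Deny", "Principal": "*", "Action": "glacier:DeleteArchive", "Resource": "*"}]}
```

Against a real account, pass `boto3.client("glacier")` as `client`; the fake is only there so the abort path can be exercised without locking anything.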
Vault Lock vs. S3 Object Lock
| Feature | S3 Object Lock | S3 Glacier Vault Lock |
| --- | --- | --- |
| Applies to | Individual objects | Entire vault |
| Services | S3 (Standard, IA, Glacier) | Glacier only |
| Use case | Per-object WORM | Vault-wide WORM |
| Modifiable | Configurable per object | Immutable after lock |
twtech Considerations
- Once CompleteVaultLock is called, the lock cannot be reversed.
- The vault policy affects all archives in that vault.
- Pricing: retrievals and storage fees still apply under Glacier’s pricing model.
- Vault Lock does not encrypt data – use S3 encryption settings if needed.