Amazon Glacier
Developer Guide (API Version 2012-06-01)

Amazon Glacier Access Control with Vault Lock Policies

An Amazon Glacier vault can have one resource-based vault access policy and one Vault Lock policy attached to it. A Vault Lock policy is a vault access policy that you can lock; once locked, it cannot be changed, which is what makes it useful for enforcing regulatory and compliance requirements. Amazon Glacier provides a set of API operations for managing Vault Lock policies; see Locking a Vault by Using the Amazon Glacier API.

As an example of a Vault Lock policy, suppose that you are required to retain archives for one year before you can delete them. To implement this requirement, you can create a Vault Lock policy that denies users permission to delete an archive until the archive has existed for one year. You can test this policy before locking it down. After you lock the policy, it becomes immutable. For more information about the locking process, see Amazon Glacier Vault Lock. Permissions that you expect to change over time belong in the vault access policy instead (see Amazon Glacier Access Control with Vault Access Policies).

You can use the Amazon Glacier API, AWS SDKs, AWS CLI, or the Amazon Glacier console to create and manage Vault Lock policies. For a list of Amazon Glacier actions allowed for vault resource-based policies, see Amazon Glacier API Permissions: Actions, Resources, and Conditions Reference.

Example 1: Deny Deletion Permissions for Archives Less Than 365 Days Old

Suppose that you have a regulatory requirement to retain archives for at least one year before you can delete them. You can enforce that requirement by implementing the following Vault Lock policy. The policy denies the glacier:DeleteArchive action on the examplevault vault if the archive being deleted is less than one year old. The policy uses the Amazon Glacier-specific condition key glacier:ArchiveAgeInDays to enforce the one-year retention requirement. Note that NumericLessThan is strict: on the 365th day the condition no longer matches and the deny stops applying.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "deny-based-on-archive-age",
      "Principal": "*",
      "Effect": "Deny",
      "Action": "glacier:DeleteArchive",
      "Resource": [
        "arn:aws:glacier:us-west-2:123456789012:vaults/examplevault"
      ],
      "Condition": {
        "NumericLessThan": {
          "glacier:ArchiveAgeInDays": "365"
        }
      }
    }
  ]
}

Example 2: Combine a Legal Hold with a Time-Based Retention Rule

Suppose that you have a time-based retention rule under which an archive can be deleted once it is less than a year old. At the same time, suppose that you need to place a legal hold on your archives to prevent deletion or modification for an indefinite period during a legal investigation. In this case, the legal hold must take precedence over the time-based retention rule specified in the Vault Lock policy.

To put these two rules in place, the following example policy has two statements:

  • The first statement denies deletion permission to everyone while the vault's LegalHold tag is set to true or to an empty string; this is what locks the vault for the duration of the legal hold. The condition matches only when the tag is present with one of those values, so a vault that carries no LegalHold tag at all is not covered by this deny.

  • The second statement grants deletion permission when the archive is less than 365 days old. Because an explicit deny always overrides an allow, no one can delete an archive while the legal hold is in effect, even an archive younger than 365 days. Once the hold is lifted by changing the tag, the time-based rule governs again.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "no-one-can-delete-any-archive-from-vault",
      "Principal": "*",
      "Effect": "Deny",
      "Action": [
        "glacier:DeleteArchive"
      ],
      "Resource": [
        "arn:aws:glacier:us-west-2:123456789012:vaults/examplevault"
      ],
      "Condition": {
        "StringLike": {
          "glacier:ResourceTag/LegalHold": [
            "true",
            ""
          ]
        }
      }
    },
    {
      "Sid": "you-can-delete-archive-less-than-1-year-old",
      "Principal": "*",
      "Effect": "Allow",
      "Action": [
        "glacier:DeleteArchive"
      ],
      "Resource": [
        "arn:aws:glacier:us-west-2:123456789012:vaults/examplevault"
      ],
      "Condition": {
        "NumericLessThan": {
          "glacier:ArchiveAgeInDays": "365"
        }
      }
    }
  ]
}
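The following script is an added illustration, not part of this guide or of any AWS SDK. It embeds both policies from Example 1 and Example 2 and walks DeleteArchive requests through a deliberately small model of IAM evaluation (an explicit Deny beats any Allow; a condition key that is absent from the request context makes a non-IfExists condition false; StringLike supports * and ? wildcards). It ignores Principal and Resource matching, so it assumes every request targets examplevault, and it does not call AWS; the initiate_vault_lock_params helper only builds the parameter shape that boto3's glacier.initiate_vault_lock() accepts, where the policy document is passed as a JSON string inside the "Policy" field. Run it to see why a vault with no LegalHold tag is not protected by the deny, and why an archive that is exactly 365 days old is no longer covered by the Example 1 retention deny.

```python
import fnmatch
import json

# Both policies are copied from the page; everything else here is an added,
# simplified model of IAM evaluation, not an AWS library.
VAULT_ARN = "arn:aws:glacier:us-west-2:123456789012:vaults/examplevault"

RETENTION_POLICY = {                       # Example 1
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "deny-based-on-archive-age",
        "Principal": "*",
        "Effect": "Deny",
        "Action": "glacier:DeleteArchive",
        "Resource": [VAULT_ARN],
        "Condition": {"NumericLessThan": {"glacier:ArchiveAgeInDays": "365"}},
    }],
}

LEGAL_HOLD_POLICY = {                      # Example 2
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "no-one-can-delete-any-archive-from-vault",
            "Principal": "*",
            "Effect": "Deny",
            "Action": ["glacier:DeleteArchive"],
            "Resource": [VAULT_ARN],
            "Condition": {"StringLike": {"glacier:ResourceTag/LegalHold": ["true", ""]}},
        },
        {
            "Sid": "you-can-delete-archive-less-than-1-year-old",
            "Principal": "*",
            "Effect": "Allow",
            "Action": ["glacier:DeleteArchive"],
            "Resource": [VAULT_ARN],
            "Condition": {"NumericLessThan": {"glacier:ArchiveAgeInDays": "365"}},
        },
    ],
}


def condition_matches(operator, key, wanted, context):
    """Evaluate one condition key against the request context."""
    if key not in context:          # absent key => the condition is false
        return False
    actual = context[key]
    values = wanted if isinstance(wanted, list) else [wanted]
    if operator == "NumericLessThan":
        return any(float(actual) < float(v) for v in values)
    if operator == "StringLike":    # * and ? wildcards, case-sensitive
        return any(fnmatch.fnmatchcase(str(actual), v) for v in values)
    raise ValueError(f"operator not modelled: {operator}")


def statement_applies(stmt, action, context):
    """True when the statement names the action and all its conditions match."""
    actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    if action not in actions:
        return False
    return all(
        condition_matches(op, key, wanted, context)
        for op, pairs in stmt.get("Condition", {}).items()
        for key, wanted in pairs.items()
    )


def evaluate(policy, action, context):
    """Return "Deny", "Allow" or "ImplicitDeny" (the policy is silent)."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not statement_applies(stmt, action, context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"           # an explicit deny ends the evaluation
        decision = "Allow"
    return decision


def decide_delete(age_in_days, legal_hold_tag=None):
    """DeleteArchive under the Example 2 policy; legal_hold_tag=None models a
    vault that carries no LegalHold tag at all."""
    context = {"glacier:ArchiveAgeInDays": age_in_days}
    if legal_hold_tag is not None:
        context["glacier:ResourceTag/LegalHold"] = legal_hold_tag
    return evaluate(LEGAL_HOLD_POLICY, "glacier:DeleteArchive", context)


def initiate_vault_lock_params(vault_name, policy):
    """Parameter dict for boto3 glacier.initiate_vault_lock(); the document is
    sent as a JSON string in the "Policy" field.  Not called here."""
    return {"accountId": "-", "vaultName": vault_name,
            "policy": {"Policy": json.dumps(policy)}}


if __name__ == "__main__":
    for age, tag in [(100, "true"), (100, ""), (100, "false"), (100, None), (400, "false")]:
        print(f"age={age:>3} LegalHold={tag!r:8} -> {decide_delete(age, tag)}")
    for age in (364, 365):
        ctx = {"glacier:ArchiveAgeInDays": age}
        print(f"Example 1, age={age} -> {evaluate(RETENTION_POLICY, 'glacier:DeleteArchive', ctx)}")
    print(json.dumps(initiate_vault_lock_params("examplevault", RETENTION_POLICY), indent=2))
```

The two rows worth staring at are `LegalHold=None -> Allow` (the deny statement only fires when the tag exists with value true or "") and `age=365 -> ImplicitDeny` for Example 1 (NumericLessThan is strict, so the retention deny lapses on day 365, not after it). Test the policy with real requests before calling complete-vault-lock; after that, the only remedy for a mistake is a new vault.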