Vault Lock Policies - Amazon S3 Glacier

If you're new to archival storage in Amazon Simple Storage Service (Amazon S3), we recommend that you start by learning more about the S3 Glacier storage classes in Amazon S3, S3 Glacier Instant Retrieval, S3 Glacier Flexible Retrieval, and S3 Glacier Deep Archive. For more information, see S3 Glacier storage classes and Storage classes for archiving objects in the Amazon S3 User Guide.

Vault Lock Policies

An Amazon S3 Glacier (S3 Glacier) vault can have one resource-based vault access policy and one Vault Lock policy attached to it. A Vault Lock policy is a vault access policy that you can lock. Using a Vault Lock policy can help you enforce regulatory and compliance requirements. Amazon S3 Glacier provides a set of API operations for you to manage the Vault Lock policies, see Locking a Vault by Using the S3 Glacier API.

As an example of a Vault Lock policy, suppose that you are required to retain archives for one year before you can delete them. To implement this requirement, you can create a Vault Lock policy that denies users permissions to delete an archive until the archive has existed for one year. You can test this policy before locking it down. After you lock the policy, the policy becomes immutable. For more information about the locking process, see Vault Lock Policies. If you want to manage other user permissions that can be changed, you can use the vault access policy (see Vault Access Policies).

You can use the S3 Glacier API, Amazon SDKs, AWS CLI, or the S3 Glacier console to create and manage Vault Lock policies. For a list of S3 Glacier actions allowed for vault resource-based policies, see API Permissions Reference.

Example 1: Deny Deletion Permissions for Archives Less Than 365 Days Old

Suppose that you have a regulatory requirement to retain archives for up to one year before you can delete them. You can enforce that requirement by implementing the following Vault Lock policy. The policy denies the glacier:DeleteArchive action on the examplevault vault if the archive being deleted is less than one year old. The policy uses the S3 Glacier-specific condition key ArchiveAgeInDays to enforce the one-year retention requirement.

{ "Version":"2012-10-17", "Statement":[ { "Sid": "deny-based-on-archive-age", "Principal": "*", "Effect": "Deny", "Action": "glacier:DeleteArchive", "Resource": [ "arn:aws:glacier:us-west-2:123456789012:vaults/examplevault" ], "Condition": { "NumericLessThan" : { "glacier:ArchiveAgeInDays" : "365" } } } ] }

Suppose that you have a time-based retention rule that an archive can be deleted if it is less than a year old. At the same time, suppose that you need to place a legal hold on your archives to prevent deletion or modification for an indefinite duration during a legal investigation. In this case, the legal hold takes precedence over the time-based retention rule specified in the Vault Lock policy.

To put these two rules in place, the following example policy has two statements:

  • The first statement denies deletion permissions for everyone, locking the vault. This lock is performed by using the LegalHold tag.

  • The second statement grants deletion permissions when the archive is less than 365 days old. But even when archives are less than 365 days old, no one can delete them when the condition in the first statement is met.

{ "Version":"2012-10-17", "Statement":[ { "Sid": "lock-vault", "Principal": "*", "Effect": "Deny", "Action": [ "glacier:DeleteArchive" ], "Resource": [ "arn:aws:glacier:us-west-2:123456789012:vaults/examplevault" ], "Condition": { "StringLike": { "glacier:ResourceTag/LegalHold": [ "true", "" ] } } }, { "Sid": "you-can-delete-archive-less-than-1-year-old", "Principal": { "AWS": "arn:aws:iam::123456789012:root" }, "Effect": "Allow", "Action": [ "glacier:DeleteArchive" ], "Resource": [ "arn:aws:glacier:us-west-2:123456789012:vaults/examplevault" ], "Condition": { "NumericLessThan": { "glacier:ArchiveAgeInDays": "365" } } } ] }