

 **This page is only for existing customers of the Amazon Glacier service using Vaults and the original REST API from 2012.**

If you're looking for archival storage solutions, we recommend using the Amazon Glacier storage classes in Amazon S3, S3 Glacier Instant Retrieval, S3 Glacier Flexible Retrieval, and S3 Glacier Deep Archive. To learn more about these storage options, see [Amazon Glacier storage classes](https://aws.amazon.com/s3/storage-classes/glacier/).

Amazon Glacier (original standalone vault-based service) is no longer accepting new customers. Amazon Glacier is a standalone service with its own APIs that stores data in vaults and is distinct from Amazon S3 and the Amazon S3 Glacier storage classes. Your existing data will remain secure and accessible in Amazon Glacier indefinitely. No migration is required. For low-cost, long-term archival storage, AWS recommends the [Amazon S3 Glacier storage classes](https://aws.amazon.com/s3/storage-classes/glacier/), which deliver a superior customer experience with S3 bucket-based APIs, full AWS Region availability, lower costs, and AWS service integration. If you want enhanced capabilities, consider migrating to Amazon S3 Glacier storage classes by using our [AWS Solutions Guidance for transferring data from Amazon Glacier vaults to Amazon S3 Glacier storage classes](https://aws.amazon.com/solutions/guidance/data-transfer-from-amazon-s3-glacier-vaults-to-amazon-s3/).

# Amazon Glacier Vault Lock
<a name="vault-lock"></a>

The following topics describe how to lock a vault in Amazon Glacier and how to use Vault Lock policies.

**Topics**
+ [Vault Locking Overview](#vault-lock-overview)
+ [Locking a Vault by Using the Amazon Glacier API](vault-lock-how-to-api.md)
+ [Locking a Vault using the AWS Command Line Interface](vault-lock-how-to-cli.md)
+ [Locking a Vault by Using the Amazon Glacier Console](vault-lock-walkthrough.md)

## Vault Locking Overview
<a name="vault-lock-overview"></a>

Amazon Glacier Vault Lock helps you to easily deploy and enforce compliance controls for individual Amazon Glacier vaults with a Vault Lock policy. You can specify controls such as "write once read many" (WORM) in a Vault Lock policy and lock the policy from future edits. 

**Important**  
After a Vault Lock policy is locked, the policy can no longer be changed or deleted.

Amazon Glacier enforces the controls set in the Vault Lock policy to help achieve your compliance objectives. For example, you can use Vault Lock policies to enforce data retention. You can deploy a variety of compliance controls in a Vault Lock policy by using the AWS Identity and Access Management (IAM) policy language. For more information about Vault Lock policies, see [Vault Lock Policies](vault-lock-policy.md).

A Vault Lock policy is different from a vault access policy. Both policies govern access controls to your vault. However, a Vault Lock policy can be locked to prevent future changes, which provides strong enforcement for your compliance controls. You can use the Vault Lock policy to deploy regulatory and compliance controls, which typically require tight controls on data access. 

**Important**  
We recommend that you first create a vault, complete a Vault Lock policy, and then upload your archives to the vault so that the policy will be applied to them. 

In contrast, you use a vault access policy to implement access controls that are not compliance related, temporary, and subject to frequent modification. You can use Vault Lock and vault access policies together. For example, you can implement time-based data-retention rules in the Vault Lock policy (deny deletes), and grant read access to designated third parties or your business partners (allow reads) in your vault access policy.

Locking a vault takes two steps: 

1. Initiate the lock by attaching a Vault Lock policy to your vault, which sets the lock to an in-progress state and returns a lock ID. While the policy is in the in-progress state, you have 24 hours to validate your Vault Lock policy before the lock ID expires. To prevent your vault from exiting the in-progress state, you must complete the Vault Lock process within these 24 hours. Otherwise, your Vault Lock policy will be deleted.

1. Use the lock ID to complete the lock process. If the Vault Lock policy doesn't work as expected, you can stop the Vault Lock process and restart from the beginning. For information about how to use the Amazon Glacier API to lock a vault, see [Locking a Vault by Using the Amazon Glacier API](vault-lock-how-to-api.md).

# Locking a Vault by Using the Amazon Glacier API
<a name="vault-lock-how-to-api"></a>

To lock your vault with the Amazon Glacier API, you first call [Initiate Vault Lock (POST lock-policy)](api-InitiateVaultLock.md) with a Vault Lock policy that specifies the controls that you want to deploy. The `Initiate Vault Lock` operation attaches the policy to your vault, transitions the Vault Lock to the in-progress state, and returns a unique lock ID. After the Vault Lock enters the in-progress state, you have 24 hours to complete the lock by calling [Complete Vault Lock (POST lockId)](api-CompleteVaultLock.md) with the lock ID that was returned from the `Initiate Vault Lock` call. 

**Important**  
We recommend that you first create a vault, complete a Vault Lock policy, and then upload your archives to the vault so that the policy will be applied to them.
After the Vault Lock policy is locked, it cannot be changed or deleted.

If you don't complete the Vault Lock process within 24 hours after entering the in-progress state, your vault automatically exits the in-progress state, and the Vault Lock policy is removed. You can call `Initiate Vault Lock` again to install a new Vault Lock policy and transition into the in-progress state.

The in-progress state provides the opportunity to test your Vault Lock policy before you lock it. Your Vault Lock policy takes full effect during the in-progress state just as if the vault has been locked, except that you can remove the policy by calling [Abort Vault Lock (DELETE lock-policy)](api-AbortVaultLock.md). To fine-tune your policy, you can repeat the `Abort Vault Lock`/`Initiate Vault Lock` combination as many times as necessary to validate your Vault Lock policy changes.

After you validate the Vault Lock policy, you can call [Complete Vault Lock (POST lockId)](api-CompleteVaultLock.md) with the most recent lock ID to complete the vault locking process. Your vault transitions to a locked state, where the Vault Lock policy is unchangeable and can no longer be removed by calling `Abort Vault Lock`.

## Related Sections
<a name="related-sections-vault-lock-how-to-api"></a>

 
+ [Vault Lock Policies](vault-lock-policy.md)
+ [Abort Vault Lock (DELETE lock-policy)](api-AbortVaultLock.md)
+ [Complete Vault Lock (POST lockId)](api-CompleteVaultLock.md)
+ [Get Vault Lock (GET lock-policy)](api-GetVaultLock.md)
+ [Initiate Vault Lock (POST lock-policy)](api-InitiateVaultLock.md)

# Locking a Vault using the AWS Command Line Interface
<a name="vault-lock-how-to-cli"></a>

You can lock your vault by using the AWS Command Line Interface. Doing so installs a Vault Lock policy on the specified vault and returns the lock ID. You must complete the vault locking process within 24 hours; otherwise, the Vault Lock policy is removed from the vault.

## (Prerequisite) Setting Up the AWS CLI
<a name="Creating-Vaults-CLI-Setup"></a>

1. Download and configure the AWS CLI. For instructions, see the following topics in the *AWS Command Line Interface User Guide*: 

   [Installing the AWS Command Line Interface](https://docs.aws.amazon.com/cli/latest/userguide/installing.html) 

   [Configuring the AWS Command Line Interface](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html)

1. Verify your AWS CLI setup by entering the following commands at the command prompt. These commands don't provide credentials explicitly, so the credentials of the default profile are used.
   + Try using the help command.

     ```
     aws help
     ```
   + To get a list of Amazon Glacier vaults on the configured account, use the `list-vaults` command. Replace *123456789012* with your AWS account ID.

     ```
     aws glacier list-vaults --account-id 123456789012
     ```
   + To see the current configuration data for the AWS CLI, use the `aws configure list` command.

     ```
     aws configure list
     ```

1. Use the `initiate-vault-lock` command to install a Vault Lock policy and set the lock state of the Vault Lock to `InProgress`.

   ```
   aws glacier initiate-vault-lock --vault-name examplevault --account-id 111122223333 --policy file://lockconfig.json
   ```

1. The lock configuration is a JSON document as shown in the following example. Before using this command, replace the *VAULT_ARN* and *Principal* with the appropriate values for your use case. 

   To find the ARN of the vault you wish to lock, you can use the `list-vaults` command. 

   ```
   {"Policy":"{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"Define-vault-lock\",\"Effect\":\"Deny\",\"Principal\":{\"AWS\":\"arn:aws:iam::111122223333:root\"},\"Action\":\"glacier:DeleteArchive\",\"Resource\":\"VAULT_ARN\",\"Condition\":{\"NumericLessThanEquals\":{\"glacier:ArchiveAgeinDays\":\"365\"}}}]}"}
   ```

1. After initiating the Vault Lock, you should see the `lockId` returned. 

   ```
   {
       "lockId": "LOCK_ID"
   }
   ```

To complete the Vault Lock, you must run `complete-vault-lock` within 24 hours; otherwise, the Vault Lock policy is removed from the vault.

```
aws glacier complete-vault-lock --vault-name examplevault --account-id 111122223333 --lock-id LOCK_ID
```
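
Because a completed lock cannot be changed or deleted, it helps to check `lockconfig.json` before you run `initiate-vault-lock`. The following Python script is an added example, not part of the AWS CLI or the original page: it builds the double-encoded lock configuration shown above without hand escaping, and reports leftover placeholders, broken encoding, and non-numeric retention values. The function names and the sample vault ARN are assumptions made for illustration.

```python
import json

PLACEHOLDERS = {"VAULT_ARN", "LOCK_ID"}  # placeholder strings used on this page

def build_lock_config(vault_arn, principal_arn, days):
    """Build lockconfig.json text; the policy is a JSON string inside "Policy"."""
    policy = {"Version": "2012-10-17", "Statement": [{
        "Sid": "Define-vault-lock",
        "Effect": "Deny",
        "Principal": {"AWS": principal_arn},
        "Action": "glacier:DeleteArchive",
        "Resource": vault_arn,
        "Condition": {"NumericLessThanEquals":
                      {"glacier:ArchiveAgeinDays": str(days)}},
    }]}
    return json.dumps({"Policy": json.dumps(policy)})

def lint_lock_config(text):
    """Return a list of problems; an empty list means every check passed."""
    try:
        # Two decodes: the outer document, then the policy string it carries.
        policy = json.loads(json.loads(text)["Policy"])
        statements = policy["Statement"]
    except (ValueError, KeyError, TypeError) as exc:
        return [f"not a usable lock configuration: {exc!r}"]
    if isinstance(statements, dict):
        statements = [statements]
    problems = []
    for st in statements:
        sid = st.get("Sid", "<no Sid>")
        res = st.get("Resource", [])
        for arn in [res] if isinstance(res, str) else res:
            if arn in PLACEHOLDERS or not arn.startswith("arn:"):
                problems.append(f"{sid}: Resource {arn!r} is not an ARN")
        for op, keys in st.get("Condition", {}).items():
            for key, value in keys.items():
                if op.startswith("Numeric") and not str(value).isdigit():
                    problems.append(
                        f"{sid}: {key} value {value!r} is not a whole number")
    return problems

# Constructed sample values, not taken from a real account.
SAMPLE_ARN = "arn:aws:glacier:us-west-2:111122223333:vaults/examplevault"
SAMPLE = build_lock_config(SAMPLE_ARN, "arn:aws:iam::111122223333:root", 365)

if __name__ == "__main__":
    print(lint_lock_config(SAMPLE) or "lockconfig passes the pre-flight checks")
```

Write the output of `build_lock_config` to `lockconfig.json` and pass it with `--policy file://lockconfig.json`. These checks only catch malformed input; you still validate the policy's behavior during the 24-hour in-progress state.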

## Related Sections
<a name="related-sections-vault-lock-how-to-cli"></a>
+ [initiate-vault-lock](https://docs.aws.amazon.com/cli/latest/reference/glacier/initiate-vault-lock.html) in the *AWS CLI Command Reference*
+ [list-vaults](https://docs.aws.amazon.com/cli/latest/reference/glacier/list-vaults.html) in the *AWS CLI Command Reference*
+ [complete-vault-lock](https://docs.aws.amazon.com/cli/latest/reference/glacier/complete-vault-lock.html) in the *AWS CLI Command Reference*
+ [Vault Lock Policies](vault-lock-policy.md)
+ [Abort Vault Lock (DELETE lock-policy)](api-AbortVaultLock.md)
+ [Complete Vault Lock (POST lockId)](api-CompleteVaultLock.md)
+ [Get Vault Lock (GET lock-policy)](api-GetVaultLock.md)
+ [Initiate Vault Lock (POST lock-policy)](api-InitiateVaultLock.md)

# Locking a Vault by Using the Amazon Glacier Console
<a name="vault-lock-walkthrough"></a>

Amazon Glacier Vault Lock helps you to easily deploy and enforce compliance controls for individual Amazon Glacier vaults with a Vault Lock policy. For more information about Amazon Glacier Vault Lock, see [Amazon Glacier Access Control with Vault Lock Policies](https://docs.aws.amazon.com/amazonglacier/latest/dev/vault-lock-policy.html). 

**Important**  
We recommend that you first create a vault, complete a Vault Lock policy, and then upload your archives to the vault so that the policy will be applied to them.
After the Vault Lock policy is locked, it cannot be changed or deleted.

**To initiate a Vault Lock policy on your vault by using the Amazon Glacier console**

You initiate the lock by attaching a Vault Lock policy to your vault, which sets the lock to an in-progress state and returns a lock ID. While the policy is in the in-progress state, you have 24 hours to validate your Vault Lock policy before the lock ID expires. 

1. Sign in to the AWS Management Console and open the Amazon Glacier console at [https://console.aws.amazon.com/glacier/home](https://console.aws.amazon.com/glacier/home).

1. Under **Select a Region**, select an AWS Region from the Region selector.

1. In the left navigation pane, choose **Vaults**.

1. On the **Vaults** page, choose **Create vault**.

1. Create a new vault.
**Important**  
We recommend that you first create a vault, complete a Vault Lock policy, and then upload your archives to the vault so that the policy will be applied to them. 

1.  Choose your new vault from the **Vaults** list.

1.  Choose the **Vault policies** tab.

1. In the **Vault Lock policy** section, choose **Initiate Vault Lock policy**. 

1. On the **Initiate Vault Lock policy** page, specify the record retention controls in your Vault Lock policy in text format in the standard text box.
**Note**  
You can specify the record retention controls in a Vault Lock policy in text format and initiate the Vault Lock by calling the `Initiate Vault Lock` API operation or through the interactive UI in the Amazon Glacier console. For information about formatting your Vault Lock policy, see [Amazon Glacier Vault Lock Policy Examples](https://docs.aws.amazon.com/amazonglacier/latest/dev/vault-lock-policy.html#vault-lock-policy-example-deny-delete-archive-age). 

1. Choose **Save changes**.

1. In the **Record Vault Lock ID** dialog box, copy your **Lock ID** and save it in a safe place. 
**Important**  
After the Vault Lock policy has been initiated, you have 24 hours to validate the policy and complete the lock process. To complete the lock process, you must provide the lock ID. If it's not provided within 24 hours, the lock ID expires and your in-progress policy is deleted.

1. After saving your lock ID in a safe place, choose **Close**.

1. Test your Vault Lock policy within the next 24 hours. If the policy is working as intended, choose **Complete Vault Lock policy**.

1. In the **Complete Vault Lock** dialog box, select the check box to acknowledge that completing the Vault Lock policy process is irreversible.

1. Enter your provided **Lock ID** in the text box.

1. Choose **Complete Vault Lock**.