SnapLock Enterprise - FSx for ONTAP

SnapLock Enterprise

Amazon FSx for NetApp ONTAP supports SnapLock Enterprise volumes.

Using SnapLock Enterprise

This section describes use cases and considerations for the Enterprise retention mode.

Use cases for SnapLock Enterprise

You might choose the Enterprise retention mode for the following use cases.

  • You can use SnapLock Enterprise to authorize only specific users to delete files.

  • You can use SnapLock Enterprise to advance your organization's data integrity and internal compliance.

  • You can use SnapLock Enterprise to test retention settings before using SnapLock Compliance.

Considerations for using SnapLock Enterprise

Here are some important items to consider about the Enterprise retention mode.

  • You can use SnapMirror to replicate WORM files, but the source volume and destination volume must have the same retention mode (for example, both must be Enterprise).

  • A SnapLock volume can't be converted from Enterprise to Compliance, or from Compliance to Enterprise.

  • SnapLock Enterprise doesn't support Legal Hold.

Privileged delete

One of the key differences between SnapLock Enterprise and SnapLock Compliance is that a SnapLock administrator can turn on privileged delete on a SnapLock Enterprise volume to allow a file to be deleted before the file's retention period expires. The SnapLock administrator is the only user who can delete files from a SnapLock Enterprise volume that has active retention policies placed on it. For more information, see SnapLock administrator.

You can turn on or turn off privileged delete with the Amazon FSx console, the AWS CLI, the Amazon FSx API, and the ONTAP CLI and REST API. To turn on privileged delete, you must first create a SnapLock audit log volume in the same SVM as the SnapLock volume. For more information, see SnapLock audit log volumes.

To turn on privileged delete with the Amazon FSx API, use the PrivilegedDelete parameter in CreateSnaplockConfiguration.

The following procedure explains how to turn on privileged delete on the Amazon FSx console.

To turn on privileged delete on a SnapLock Enterprise volume on the Amazon FSx console
  1. Open the Amazon FSx console at https://console.aws.amazon.com/fsx/.

  2. Follow the procedure for creating a new volume in Creating volumes.

  3. In the Advanced section, for SnapLock Configuration, choose Enabled.

    Select the check box to acknowledge the warning about enabling SnapLock on the volume.

  4. For Retention mode, choose Enterprise.

  5. For Privileged Delete, choose Enabled.

  6. Follow the rest of the procedure for creating a new volume in Creating volumes.

  7. Choose Confirm to create the volume.

Note

You can't issue a privileged delete command to delete a write once, read many (WORM) file that has an expired retention period. You can issue a normal delete operation after the retention period expires.

You can opt to turn off privileged delete permanently, but this action is irreversible. If privileged delete is permanently turned off, you don't need to have a SnapLock audit log volume associated with the SnapLock Enterprise volume.

To permanently turn off privileged delete with the Amazon FSx API, use the PrivilegedDelete parameter in CreateSnaplockConfiguration.

To permanently turn off privileged delete on a SnapLock Enterprise volume on the Amazon FSx console
  1. Open the Amazon FSx console at https://console.aws.amazon.com/fsx/.

  2. Follow the procedure for creating a new volume in Creating volumes.

  3. In the Advanced section, for SnapLock Configuration, choose Enabled.

    Select the check box to acknowledge the warning about enabling SnapLock on the volume.

  4. For Retention mode, choose Enterprise.

  5. For Privileged Delete, choose Permanently disabled.

  6. Follow the rest of the procedure for creating a new volume in Creating volumes.

  7. Choose Confirm to create the volume.

Creating a SnapLock Enterprise volume

You can create a SnapLock Enterprise volume with the Amazon FSx console, the AWS CLI, the Amazon FSx API, and the ONTAP CLI and REST API.

To create a SnapLock Enterprise volume with the Amazon FSx API, use the SnaplockType parameter in CreateSnaplockConfiguration.

To create a SnapLock Enterprise volume on the Amazon FSx console
  1. Open the Amazon FSx console at https://console.aws.amazon.com/fsx/.

  2. Follow the procedure for creating a new volume in Creating volumes.

  3. In the Advanced section, for SnapLock Configuration, choose Enabled.

    Select the check box to acknowledge the warning about enabling SnapLock on the volume.

  4. For Retention mode, choose Enterprise.

  5. For Audit log volume, choose between Enabled and Disabled.

    If you choose Enabled, make sure that the Junction path is set to /snaplock_audit_log.

    For more information, see SnapLock audit log volumes.

  6. For Retention period, enter values for Default retention, Minimum retention, and Maximum retention. Then choose a corresponding Unit for each.

    For more information, see Working with the retention period in SnapLock.

  7. For Autocommit, choose between Enabled and Disabled.

    If you choose Enabled, for Autocommit period, enter a value and choose a corresponding Autocommit unit.

    You can specify a value between 5 minutes and 10 years.

    For more information, see Autocommit.

  8. For Privileged Delete, choose between Enabled, Disabled, and Permanently disabled.

    For more information, see Privileged delete.

  9. For Volume append mode, choose between Enabled and Disabled.

    For more information, see Volume-append mode.

  10. Follow the rest of the procedure for creating a new volume in Creating volumes.

  11. Choose Confirm to create the volume.
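
The rules stated under Privileged delete and in the procedure above can be checked before a volume is created. The following Python check is an added example, not AWS code: it validates a proposed SnaplockConfiguration against those rules. The function names, the svm-EXAMPLE IDs and the sample volumes are hypothetical, and month and year lengths are approximated.

```python
# Field names follow the Amazon FSx CreateSnaplockConfiguration data type.
# check_snaplock_request, the svm-EXAMPLE IDs and the sample data are hypothetical.

# Approximate minutes per unit, used only for the range check (assumption).
MINUTES = {"MINUTES": 1, "HOURS": 60, "DAYS": 1440,
           "MONTHS": 43200, "YEARS": 525600}

def has_audit_log_volume(svm_id, volumes):
    """True if the SVM already holds a SnapLock audit log volume."""
    for vol in volumes:
        ontap = vol.get("OntapConfiguration", {})
        snap = ontap.get("SnaplockConfiguration", {})
        if ontap.get("StorageVirtualMachineId") == svm_id and snap.get("AuditLogVolume"):
            return True
    return False

def check_snaplock_request(svm_id, cfg, volumes):
    """Return ERROR/WARN strings for a proposed SnapLock Enterprise config."""
    findings = []
    if cfg.get("SnaplockType") != "ENTERPRISE":
        findings.append("ERROR: SnaplockType must be ENTERPRISE; "
                        "the retention mode can't be converted later")
    mode = cfg.get("PrivilegedDelete", "DISABLED")
    if mode == "ENABLED" and not has_audit_log_volume(svm_id, volumes):
        findings.append("ERROR: privileged delete needs a SnapLock audit log "
                        "volume in the same SVM")
    if mode == "PERMANENTLY_DISABLED":
        findings.append("WARN: permanently turning off privileged delete is irreversible")
    period = cfg.get("AutocommitPeriod")
    if period and period.get("Type") != "NONE":
        minutes = period["Value"] * MINUTES[period["Type"]]
        if not 5 <= minutes <= 10 * MINUTES["YEARS"]:
            findings.append("ERROR: autocommit period must be between 5 minutes and 10 years")
    return findings

# Constructed sample data in the shape of a DescribeVolumes response.
EXISTING = [{"OntapConfiguration": {
    "StorageVirtualMachineId": "svm-EXAMPLE1", "JunctionPath": "/snaplock_audit_log",
    "SnaplockConfiguration": {"SnaplockType": "ENTERPRISE", "AuditLogVolume": True}}}]
REQUEST = {"SnaplockType": "ENTERPRISE", "PrivilegedDelete": "ENABLED",
           "AutocommitPeriod": {"Type": "MINUTES", "Value": 3}}

if __name__ == "__main__":
    for svm in ("svm-EXAMPLE1", "svm-EXAMPLE2"):
        print(svm, check_snaplock_request(svm, REQUEST, EXISTING))
```

The validated dictionary corresponds to the SnaplockConfiguration member of OntapConfiguration in a CreateVolume request.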

Bypassing Enterprise mode

If you are using the Amazon FSx console or Amazon FSx API, you must have the IAM fsx:BypassSnapLockEnterpriseRetention permission to delete a SnapLock Enterprise volume that contains WORM files with active retention policies.

For more information, see Deleting SnapLock volumes.
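
Because this permission allows deletion of a volume that still holds WORM files under active retention, it helps to know which IAM policies cover it, including through wildcards. The following Python audit is an added example, not AWS code. The function names and the sample policy are constructed, and the check doesn't evaluate Condition or Resource elements.

```python
import fnmatch
import json

BYPASS = "fsx:BypassSnapLockEnterpriseRetention"

def _as_list(value):
    # IAM allows a single string or object where a list is also accepted.
    return value if isinstance(value, list) else [value]

def _matches(patterns):
    # IAM action names are case-insensitive and support * and ? wildcards.
    return any(fnmatch.fnmatchcase(BYPASS.lower(), p.lower()) for p in patterns)

def statements_touching_bypass(policy):
    """Return (effect, sid) for each statement whose actions cover BYPASS."""
    hits = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if "Action" in stmt:
            covered = _matches(_as_list(stmt["Action"]))
        elif "NotAction" in stmt:
            # NotAction covers every action except the ones it lists.
            covered = not _matches(_as_list(stmt["NotAction"]))
        else:
            continue
        if covered:
            hits.append((stmt.get("Effect"), stmt.get("Sid", f"statement[{i}]")))
    return hits

# Constructed sample policy; the Sids are hypothetical.
SAMPLE_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Sid": "StorageAdmin", "Effect": "Allow", "Action": "fsx:*", "Resource": "*"},
  {"Sid": "ReadOnly", "Effect": "Allow",
   "Action": ["fsx:Describe*", "fsx:ListTagsForResource"], "Resource": "*"},
  {"Sid": "AllButTagging", "Effect": "Allow",
   "NotAction": "fsx:TagResource", "Resource": "*"},
  {"Sid": "GuardWorm", "Effect": "Deny",
   "Action": "FSX:bypasssnaplockenterpriseretention", "Resource": "*"}
]}
""")

if __name__ == "__main__":
    for effect, sid in statements_touching_bypass(SAMPLE_POLICY):
        print(f"{effect:5} {sid}")
```

Allow hits that come from wildcards or NotAction are the ones to review first, since they grant the bypass without naming it.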