Security - AWS Storage Services Overview

Security

By default, only you can access your Amazon S3 Glacier data. If other people need to access your data, you can set up data access control in Amazon S3 Glacier by using the AWS Identity and Access Management (IAM) service. To do so, simply create an IAM policy that specifies which account users have rights to operations on a given vault.

Amazon S3 Glacier uses server-side encryption to encrypt all data at rest. Amazon S3 Glacier handles key management and key protection for you by using one of the strongest block ciphers available, 256-bit Advanced Encryption Standard (AES- 256). Customers who want to manage their own keys can encrypt data prior to uploading it.

Amazon S3 Glacier allows you to lock vaults where long-term records retention is mandated by regulations or compliance rules. You can set compliance controls on individual Amazon S3 Glacier vaults and enforce these by using lockable policies.

For example, you might specify controls such as “undeletable records” or “time- based data retention” in a Vault Lock policy and then lock the policy from future edits. After it’s locked, the policy becomes immutable, and Amazon S3 Glacier enforces the prescribed controls to help achieve your compliance objectives.

To help monitor data access, Amazon S3 Glacier is integrated with AWS CloudTrail, allowing any API calls made to Amazon S3 Glacier in your AWS account to be captured and stored in log files that are delivered to an Amazon S3 bucket that you specify.