本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
下列範例以先前建立信任政策的範例,以及設定 S3 批次操作和 S3 物件鎖定組態許可的範例為基礎。此範例示範如何對多個物件套用 S3 物件鎖定保留控管,並將retain until
date設定為 2025 年 1 月 30 日。它會建立使用資訊清單儲存貯體的批次操作任務,並在報告儲存貯體中報告結果。
若要使用下列範例,請以您自己的資訊取代 user input
placeholders
下列 AWS CLI 範例示範如何使用批次操作,將 S3 物件鎖定保留控管模式套用至多個物件。
範例 — 對多個物件套用 S3 物件鎖定保留控管,並將保留截止日期設定為 2025 年 1 月 30 日
export AWS_PROFILE='aws-user' export AWS_DEFAULT_REGION='us-west-2' export ACCOUNT_ID=123456789012export ROLE_ARN='arn:aws:iam::123456789012:role/batch_operations-objectlock' read -d ''OPERATION<<EOF { "S3PutObjectRetention": { "Retention": { "RetainUntilDate":"2025-01-30T00:00:00", "Mode":"GOVERNANCE" } } } EOF read -d ''MANIFEST<<EOF { "Spec": { "Format": "S3BatchOperations_CSV_20180820", "Fields": [ "Bucket", "Key" ] }, "Location": { "ObjectArn": "arn:aws:s3:::", "ETag": "amzn-s3-demo-manifest-bucket/governance-objects-manifest.csvYour-manifest-ETag" } } EOF read -d ''REPORT<<EOF { "Bucket": "arn:aws:s3:::amzn-s3-demo-completion-report-bucketT", "Format": "Report_CSV_20180820", "Enabled": true, "Prefix": "reports/governance-objects", "ReportScope": "AllTasks" } EOF aws \ s3control create-job \ --account-id "${ACCOUNT_ID}" \ --manifest "${MANIFEST//$'\n'}" \ --operation "${OPERATION//$'\n'/}" \ --report "${REPORT//$'\n'}" \ --priority10\ --role-arn "${ROLE_ARN}" \ --client-request-token "$(uuidgen)" \ --region "${AWS_DEFAULT_REGION}" \ --description "Put governance retention";
範例 — 略過多個物件的保留控管
下列範例以先前建立信任政策的範例,以及設定 S3 批次操作和 S3 物件鎖定組態許可的範例為基礎。其中顯示如何繞過多個物件的保留控管,並建立使用資訊清單儲存貯體的批次操作任務,以及在報告儲存貯體中報告結果。
export AWS_PROFILE='aws-user' read -d '' bypass_governance_permissions <<EOF { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:BypassGovernanceRetention" ], "Resource": [ "arn:aws:s3:::amzn-s3-demo-manifest-bucket/*" ] } ] } EOF aws iam put-role-policy --role-namebatch-operations-objectlock--policy-namebypass-governance-permissions--policy-document "${bypass_governance_permissions}" export AWS_PROFILE='aws-user' export AWS_DEFAULT_REGION='us-west-2' export ACCOUNT_ID=123456789012export ROLE_ARN='arn:aws:iam::123456789012:role/batch_operations-objectlock' read -d ''OPERATION<<EOF { "S3PutObjectRetention": { "BypassGovernanceRetention": true, "Retention": { } } } EOF read -d ''MANIFEST<<EOF { "Spec": { "Format": "S3BatchOperations_CSV_20180820", "Fields": [ "Bucket", "Key" ] }, "Location": { "ObjectArn": "arn:aws:s3:::", "ETag": "amzn-s3-demo-manifest-bucket/governance-objects-manifest.csvYour-manifest-ETag" } } EOF read -d '' REPORT <<EOF { "Bucket": "arn:aws:s3:::amzn-s3-demo-completion-report-bucket", "Format": "Report_CSV_20180820", "Enabled": true, "Prefix": "reports/batch_operations-governance", "ReportScope": "AllTasks" } EOF aws \ s3control create-job \ --account-id "${ACCOUNT_ID}" \ --manifest "${MANIFEST//$'\n'}" \ --operation "${OPERATION//$'\n'/}" \ --report "${REPORT//$'\n'}" \ --priority10\ --role-arn "${ROLE_ARN}" \ --client-request-token "$(uuidgen)" \ --region "${AWS_DEFAULT_REGION}" \ --description "Remove governance retention";
下列範例以先前建立信任政策的範例,以及設定 S3 批次操作和 S3 物件鎖定組態許可的範例為基礎。此範例示範如何對多個物件套用 S3 物件鎖定保留控管,並將retain until date設定為 2025 年 1 月 30 日。此範例會建立一個 Batch Operations 作業,使用資訊清單儲存貯體並在報告儲存貯體中報告結果。
範例 — 對多個物件套用 S3 物件鎖定保留控管,並將保留截止日期設定為 2025 年 1 月 30 日
public String createGovernanceRetentionJob(final AWSS3ControlClient awss3ControlClient) throws ParseException {
final String manifestObjectArn = "arn:aws:s3:::amzn-s3-demo-manifest-bucket/governance-objects-manifest.csv15ad5ba069e6bbc465c77bf83d541385";
final JobManifestLocation manifestLocation = new JobManifestLocation()
.withObjectArn(manifestObjectArn)
.withETag(manifestObjectVersionId);
final JobManifestSpec manifestSpec =
new JobManifestSpec()
.withFormat(JobManifestFormat.S3BatchOperations_CSV_20180820)
.withFields("Bucket", "Key");
final JobManifest manifestToPublicApi = new JobManifest()
.withLocation(manifestLocation)
.withSpec(manifestSpec);
final String jobReportBucketArn = "arn:aws:s3:::amzn-s3-demo-completion-report-bucket";
final String jobReportPrefix = "reports/governance-objects";
final JobReport jobReport = new JobReport()
.withEnabled(true)
.withReportScope(JobReportScope.AllTasks)
.withBucket(jobReportBucketArn)
.withPrefix(jobReportPrefix)
.withFormat(JobReportFormat.Report_CSV_20180820);
final SimpleDateFormat format = new SimpleDateFormat("dd/MM/yyyy");
final Date jan30th = format.parse("30/01/2025");
final JobOperation jobOperation = new JobOperation()
.withS3PutObjectRetention(new S3SetObjectRetentionOperation()
.withRetention(new S3Retention()
.withMode(S3ObjectLockRetentionMode.GOVERNANCE)
.withRetainUntilDate(jan30th)));
final String roleArn = "arn:aws:iam::123456789012:role/batch_operations-object-lock";
final Boolean requiresConfirmation = true;
final int priority = 10;
final CreateJobRequest request = new CreateJobRequest()
.withAccountId("123456789012")
.withDescription("Put governance retention")
.withManifest(manifestToPublicApi)
.withOperation(jobOperation)
.withPriority(priority)
.withRoleArn(roleArn)
.withReport(jobReport)
.withConfirmationRequired(requiresConfirmation);
final CreateJobResult result = awss3ControlClient.createJob(request);
return result.getJobId();
} 範例 — 略過多個物件的保留控管
下列範例以先前建立信任政策的範例,以及設定 S3 批次操作和 S3 物件鎖定組態許可的範例為基礎。此範例示範如何略過多個物件的保留控管,並建立一個 Batch Operations 作業,使用資訊清單儲存貯體並在報告儲存貯體中報告結果。
public void allowBypassGovernance() {
final String roleName = "batch_operations-object-lock";
final String bypassGovernancePermissions = "{" +
" \"Version\": \"2012-10-17\"," +
" \"Statement\": [" +
" {" +
" \"Effect\": \"Allow\"," +
" \"Action\": [" +
" \"s3:BypassGovernanceRetention\"" +
" ]," +
" \"Resource\": [" +
" \"arn:aws:s3:::amzn-s3-demo-manifest-bucket/*\"" +
" ]" +
" }" +
" ]" +
"}";
final AmazonIdentityManagement iam =
AmazonIdentityManagementClientBuilder.defaultClient();
final PutRolePolicyRequest putRolePolicyRequest = new PutRolePolicyRequest()
.withPolicyDocument(bypassGovernancePermissions)
.withPolicyName("bypass-governance-permissions")
.withRoleName(roleName);
final PutRolePolicyResult putRolePolicyResult = iam.putRolePolicy(putRolePolicyRequest);
}
public String createRemoveGovernanceRetentionJob(final AWSS3ControlClient awss3ControlClient) {
final String manifestObjectArn = "arn:aws:s3:::amzn-s3-demo-manifest-bucket/governance-objects-manifest.csv15ad5ba069e6bbc465c77bf83d541385";
final JobManifestLocation manifestLocation = new JobManifestLocation()
.withObjectArn(manifestObjectArn)
.withETag(manifestObjectVersionId);
final JobManifestSpec manifestSpec =
new JobManifestSpec()
.withFormat(JobManifestFormat.S3BatchOperations_CSV_20180820)
.withFields("Bucket", "Key");
final JobManifest manifestToPublicApi = new JobManifest()
.withLocation(manifestLocation)
.withSpec(manifestSpec);
final String jobReportBucketArn = "arn:aws:s3:::amzn-s3-demo-completion-report-bucket";
final String jobReportPrefix = "reports/batch_operations-governance";
final JobReport jobReport = new JobReport()
.withEnabled(true)
.withReportScope(JobReportScope.AllTasks)
.withBucket(jobReportBucketArn)
.withPrefix(jobReportPrefix)
.withFormat(JobReportFormat.Report_CSV_20180820);
final JobOperation jobOperation = new JobOperation()
.withS3PutObjectRetention(new S3SetObjectRetentionOperation()
.withRetention(new S3Retention()));
final String roleArn = "arn:aws:iam::123456789012:role/batch_operations-object-lock";
final Boolean requiresConfirmation = true;
final int priority = 10;
final CreateJobRequest request = new CreateJobRequest()
.withAccountId("123456789012")
.withDescription("Remove governance retention")
.withManifest(manifestToPublicApi)
.withOperation(jobOperation)
.withPriority(priority)
.withRoleArn(roleArn)
.withReport(jobReport)
.withConfirmationRequired(requiresConfirmation);
final CreateJobResult result = awss3ControlClient.createJob(request);
return result.getJobId();
} 