Using S3 Batch Operations with S3 Object Lock retention compliance mode
The following example builds on the previous examples of creating a trust policy and
setting S3 Batch Operations and S3 Object Lock configuration permissions on your objects.
This example sets the retention mode to COMPLIANCE and the retain
until date to January 1, 2025. This example creates a job that targets
objects in the manifest bucket and reports the results in the reports bucket that you
identified.
To use the following examples, replace the user input
placeholders
The following Amazon CLI examples show how to use Batch Operations to apply S3 Object Lock retention compliance mode across multiple objects.
Example — Set S3 Object Lock retention compliance mode across multiple objects
export AWS_PROFILE='aws-user' export AWS_DEFAULT_REGION='us-west-2' export ACCOUNT_ID=123456789012export ROLE_ARN='arn:aws-cn:iam::123456789012:role/batch_operations-objectlock' read -d ''OPERATION<<EOF { "S3PutObjectRetention": { "Retention": { "RetainUntilDate":"2025-01-01T00:00:00", "Mode":"COMPLIANCE" } } } EOF read -d ''MANIFEST<<EOF { "Spec": { "Format": "S3BatchOperations_CSV_20180820", "Fields": [ "Bucket", "Key" ] }, "Location": { "ObjectArn": "arn:aws-cn:s3:::", "ETag": "amzn-s3-demo-manifest-bucket/compliance-objects-manifest.csvYour-manifest-ETag" } } EOF read -d ''REPORT<<EOF { "Bucket": "arn:aws-cn:s3:::ReportBucket", "Format": "Report_CSV_20180820", "Enabled": true, "Prefix": "", "ReportScope": "AllTasks" } EOF aws \ s3control create-job \ --account-id "${amzn-s3-demo-completion-report-bucket/compliance-objects-batch-operationsACCOUNT_ID}" \ --manifest "${MANIFEST//$'\n'}" \ --operation "${OPERATION//$'\n'/}" \ --report "${REPORT//$'\n'}" \ --priority 10 \ --role-arn "${ROLE_ARN}" \ --client-request-token "$(uuidgen)" \ --region "${AWS_DEFAULT_REGION}" \ --description "Set compliance retain-until to 1 Jul 2030";
Example — Extend the COMPLIANCE mode's retain until
date to January 15, 2025
The following example extends the COMPLIANCE mode's
retain until date to January 15, 2025.
export AWS_PROFILE='aws-user' export AWS_DEFAULT_REGION='us-west-2' export ACCOUNT_ID=123456789012export ROLE_ARN='arn:aws-cn:iam::123456789012:role/batch_operations-objectlock' read -d ''OPERATION<<EOF { "S3PutObjectRetention": { "Retention": { "RetainUntilDate":"2025-01-15T00:00:00", "Mode":"COMPLIANCE" } } } EOF read -d ''MANIFEST<<EOF { "Spec": { "Format": "S3BatchOperations_CSV_20180820", "Fields": [ "Bucket", "Key" ] }, "Location": { "ObjectArn": "arn:aws-cn:s3:::", "ETag": "amzn-s3-demo-manifest-bucket/compliance-objects-manifest.csvYour-manifest-ETag" } } EOF read -d ''REPORT<<EOF { "Bucket": "arn:aws-cn:s3:::amzn-s3-demo-completion-report-bucket", "Format": "Report_CSV_20180820", "Enabled": true, "Prefix": "reports/compliance-objects-batch_operations", "ReportScope": "AllTasks" } EOF aws \ s3control create-job \ --account-id "${ACCOUNT_ID}" \ --manifest "${MANIFEST//$'\n'}" \ --operation "${OPERATION//$'\n'/}" \ --report "${REPORT//$'\n'}" \ --priority 10 \ --role-arn "${ROLE_ARN}" \ --client-request-token "$(uuidgen)" \ --region "${AWS_DEFAULT_REGION}" \ --description "Extend compliance retention to 15 Jan 2025";
The following Amazon SDK for Java examples show how to use Batch Operations to apply S3 Object Lock retention compliance mode across multiple objects.
Example — Set the retention mode to COMPLIANCE and the retain until date to January 1, 2025
public String createComplianceRetentionJob(final AWSS3ControlClient awss3ControlClient) throws ParseException { final String manifestObjectArn = "arn:aws-cn:s3:::"; final String manifestObjectVersionId = "amzn-s3-demo-manifest-bucket/compliance-objects-manifest.csvyour-object-version-Id"; final JobManifestLocation manifestLocation = new JobManifestLocation() .withObjectArn(manifestObjectArn) .withETag(manifestObjectVersionId); final JobManifestSpec manifestSpec = new JobManifestSpec() .withFormat(JobManifestFormat.S3BatchOperations_CSV_20180820) .withFields("Bucket", "Key"); final JobManifest manifestToPublicApi = new JobManifest() .withLocation(manifestLocation) .withSpec(manifestSpec); final String jobReportBucketArn = "arn:aws-cn:s3:::amzn-s3-demo-completion-report-bucket"; final String jobReportPrefix = "reports/compliance-objects-bops"; final JobReport jobReport = new JobReport() .withEnabled(true) .withReportScope(JobReportScope.AllTasks) .withBucket(jobReportBucketArn) .withPrefix(jobReportPrefix) .withFormat(JobReportFormat.Report_CSV_20180820); final SimpleDateFormat format = new SimpleDateFormat("dd/MM/yyyy"); final Date janFirst = format.parse("01/01/2025"); final JobOperation jobOperation = new JobOperation() .withS3PutObjectRetention(new S3SetObjectRetentionOperation() .withRetention(new S3Retention() .withMode(S3ObjectLockRetentionMode.COMPLIANCE) .withRetainUntilDate(janFirst))); final String roleArn = "arn:aws-cn:iam::123456789012:role/batch_operations-object-lock"; final Boolean requiresConfirmation = true; final int priority =10; final CreateJobRequest request = new CreateJobRequest() .withAccountId("123456789012") .withDescription("Set compliance retain-until to 1 Jan 2025") .withManifest(manifestToPublicApi) .withOperation(jobOperation) .withPriority(priority) .withRoleArn(roleArn) .withReport(jobReport) .withConfirmationRequired(requiresConfirmation); final CreateJobResult result = awss3ControlClient.createJob(request); return result.getJobId(); }
Example — Extending the COMPLIANCE mode retain until
date
The following example extends the COMPLIANCE mode
retain until date to January 15, 2025.
public String createExtendComplianceRetentionJob(final AWSS3ControlClient awss3ControlClient) throws ParseException { final String manifestObjectArn = "arn:aws-cn:s3:::"; final String manifestObjectVersionId = "amzn-s3-demo-manifest-bucket/compliance-objects-manifest.csv15ad5ba069e6bbc465c77bf83d541385"; final JobManifestLocation manifestLocation = new JobManifestLocation() .withObjectArn(manifestObjectArn) .withETag(manifestObjectVersionId); final JobManifestSpec manifestSpec = new JobManifestSpec() .withFormat(JobManifestFormat.S3BatchOperations_CSV_20180820) .withFields("Bucket", "Key"); final JobManifest manifestToPublicApi = new JobManifest() .withLocation(manifestLocation) .withSpec(manifestSpec); final String jobReportBucketArn = "arn:aws-cn:s3:::amzn-s3-demo-completion-report-bucket"; final String jobReportPrefix = "reports/compliance-objects-batch_operations"; final JobReport jobReport = new JobReport() .withEnabled(true) .withReportScope(JobReportScope.AllTasks) .withBucket(jobReportBucketArn) .withPrefix(jobReportPrefix) .withFormat(JobReportFormat.Report_CSV_20180820); final SimpleDateFormat format = new SimpleDateFormat("dd/MM/yyyy"); final Date jan15th = format.parse("15/01/2025"); final JobOperation jobOperation = new JobOperation() .withS3PutObjectRetention(new S3SetObjectRetentionOperation() .withRetention(new S3Retention() .withMode(S3ObjectLockRetentionMode.COMPLIANCE) .withRetainUntilDate(jan15th))); final String roleArn = "arn:aws-cn:iam::123456789012:role/batch_operations-object-lock"; final Boolean requiresConfirmation = true; final int priority =10; final CreateJobRequest request = new CreateJobRequest() .withAccountId("123456789012") .withDescription("Extend compliance retention to 15 Jan 2025") .withManifest(manifestToPublicApi) .withOperation(jobOperation) .withPriority(priority) .withRoleArn(roleArn) .withReport(jobReport) .withConfirmationRequired(requiresConfirmation); final CreateJobResult result = awss3ControlClient.createJob(request); return result.getJobId(); }