Use S3 Batch Operations with S3 Object Lock retention governance mode - Amazon Simple Storage Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Use S3 Batch Operations with S3 Object Lock retention governance mode

The following example builds on the previous example of creating a trust policy, and setting S3 Batch Operations and S3 Object Lock configuration permissions. It shows how to apply S3 Object Lock retention governance with the retain until date of January 30, 2025, across multiple objects. It creates a Batch Operations job that uses the manifest bucket and reports the results in the reports bucket.

Example Apply S3 Object Lock retention governance across multiple objects with the retain until date of January 30, 2020

export AWS_PROFILE='aws-user' export AWS_DEFAULT_REGION='us-west-2' export ACCOUNT_ID=123456789012 export ROLE_ARN='arn:aws:iam::123456789012:role/bops-objectlock' read -d '' OPERATION <<EOF { "S3PutObjectRetention": { "Retention": { "RetainUntilDate":"2025-01-30T00:00:00", "Mode":"GOVERNANCE" } } } EOF read -d '' MANIFEST <<EOF { "Spec": { "Format": "S3BatchOperations_CSV_20180820", "Fields": [ "Bucket", "Key" ] }, "Location": { "ObjectArn": "arn:aws:s3:::ManifestBucket/governance-objects-manifest.csv", "ETag": "Your-manifest-ETag" } } EOF read -d '' REPORT <<EOF { "Bucket": "arn:aws:s3:::ReportBucketT", "Format": "Report_CSV_20180820", "Enabled": true, "Prefix": "reports/governance-objects", "ReportScope": "AllTasks" } EOF aws \ s3control create-job \ --account-id "${ACCOUNT_ID}" \ --manifest "${MANIFEST//$'\n'}" \ --operation "${OPERATION//$'\n'/}" \ --report "${REPORT//$'\n'}" \ --priority 10 \ --role-arn "${ROLE_ARN}" \ --client-request-token "$(uuidgen)" \ --region "${AWS_DEFAULT_REGION}" \ --description "Put governance retention";

Example Bypass retention governance across multiple objects

The following example builds on the previous example of creating a trust policy, and setting S3 Batch Operations and S3 Object Lock configuration permissions. It shows how to bypass retention governance across multiple objects and creates a Batch Operations job that uses the manifest bucket and reports the results in the reports bucket.

export AWS_PROFILE='aws-user' read -d '' bypass_governance_permissions <<EOF { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:BypassGovernanceRetention" ], "Resource": [ "arn:aws:s3:::ManifestBucket/*" ] } ] } EOF aws iam put-role-policy --role-name bops-objectlock --policy-name bypass-governance-permissions --policy-document "${bypass_governance_permissions}" export AWS_PROFILE='aws-user' export AWS_DEFAULT_REGION='us-west-2' export ACCOUNT_ID=123456789012 export ROLE_ARN='arn:aws:iam::123456789012:role/bops-objectlock' read -d '' OPERATION <<EOF { "S3PutObjectRetention": { "BypassGovernanceRetention": true, "Retention": { } } } EOF read -d '' MANIFEST <<EOF { "Spec": { "Format": "S3BatchOperations_CSV_20180820", "Fields": [ "Bucket", "Key" ] }, "Location": { "ObjectArn": "arn:aws:s3:::ManifestBucket/governance-objects-manifest.csv", "ETag": "Your-manifest-ETag" } } EOF read -d '' REPORT <<EOF { "Bucket": "arn:aws:s3:::REPORT_BUCKET", "Format": "Report_CSV_20180820", "Enabled": true, "Prefix": "reports/bops-governance", "ReportScope": "AllTasks" } EOF aws \ s3control create-job \ --account-id "${ACCOUNT_ID}" \ --manifest "${MANIFEST//$'\n'}" \ --operation "${OPERATION//$'\n'/}" \ --report "${REPORT//$'\n'}" \ --priority 10 \ --role-arn "${ROLE_ARN}" \ --client-request-token "$(uuidgen)" \ --region "${AWS_DEFAULT_REGION}" \ --description "Remove governance retention";

The following example builds on the previous example of creating a trust policy, and setting S3 Batch Operations and S3 Object Lock configuration permissions. It shows how to apply S3 Object Lock retention governance with the retain until date set to January 30, 2020 across multiple objects. It creates a Batch Operations job that uses the manifest bucket and reports the results in the reports bucket.

Example Apply S3 Object Lock retention governance across multiple objects with the retain until date of January 30, 2020

public String createGovernanceRetentionJob(final AWSS3ControlClient awss3ControlClient) throws ParseException { final String manifestObjectArn = "arn:aws:s3:::ManifestBucket/governance-objects-manifest.csv"; final String manifestObjectVersionId = "15ad5ba069e6bbc465c77bf83d541385"; final JobManifestLocation manifestLocation = new JobManifestLocation() .withObjectArn(manifestObjectArn) .withETag(manifestObjectVersionId); final JobManifestSpec manifestSpec = new JobManifestSpec() .withFormat(JobManifestFormat.S3BatchOperations_CSV_20180820) .withFields("Bucket", "Key"); final JobManifest manifestToPublicApi = new JobManifest() .withLocation(manifestLocation) .withSpec(manifestSpec); final String jobReportBucketArn = "arn:aws:s3:::ReportBucket"; final String jobReportPrefix = "reports/governance-objects"; final JobReport jobReport = new JobReport() .withEnabled(true) .withReportScope(JobReportScope.AllTasks) .withBucket(jobReportBucketArn) .withPrefix(jobReportPrefix) .withFormat(JobReportFormat.Report_CSV_20180820); final SimpleDateFormat format = new SimpleDateFormat("dd/MM/yyyy"); final Date jan30th = format.parse("30/01/2020"); final JobOperation jobOperation = new JobOperation() .withS3PutObjectRetention(new S3SetObjectRetentionOperation() .withRetention(new S3Retention() .withMode(S3ObjectLockRetentionMode.GOVERNANCE) .withRetainUntilDate(jan30th))); final String roleArn = "arn:aws:iam::123456789012:role/bops-object-lock"; final Boolean requiresConfirmation = true; final int priority = 10; final CreateJobRequest request = new CreateJobRequest() .withAccountId("123456789012") .withDescription("Put governance retention") .withManifest(manifestToPublicApi) .withOperation(jobOperation) .withPriority(priority) .withRoleArn(roleArn) .withReport(jobReport) .withConfirmationRequired(requiresConfirmation); final CreateJobResult result = awss3ControlClient.createJob(request); return result.getJobId(); }

Example Bypass retention governance across multiple objects

The following example builds on the previous example of creating a trust policy, and setting S3 Batch Operations and S3 Object Lock configuration permissions. It shows how to bypass retention governance across multiple objects and creates a Batch Operations job that uses the manifest bucket and reports the results in the reports bucket.

public void allowBypassGovernance() { final String roleName = "bops-object-lock"; final String bypassGovernancePermissions = "{" + " \"Version\": \"2012-10-17\"," + " \"Statement\": [" + " {" + " \"Effect\": \"Allow\"," + " \"Action\": [" + " \"s3:BypassGovernanceRetention\"" + " ]," + " \"Resource\": [" + " \"arn:aws:s3:::ManifestBucket/*\"" + " ]" + " }" + " ]" + "}"; final AmazonIdentityManagement iam = AmazonIdentityManagementClientBuilder.defaultClient(); final PutRolePolicyRequest putRolePolicyRequest = new PutRolePolicyRequest() .withPolicyDocument(bypassGovernancePermissions) .withPolicyName("bypass-governance-permissions") .withRoleName(roleName); final PutRolePolicyResult putRolePolicyResult = iam.putRolePolicy(putRolePolicyRequest); } public String createRemoveGovernanceRetentionJob(final AWSS3ControlClient awss3ControlClient) { final String manifestObjectArn = "arn:aws:s3:::ManifestBucket/governance-objects-manifest.csv"; final String manifestObjectVersionId = "15ad5ba069e6bbc465c77bf83d541385"; final JobManifestLocation manifestLocation = new JobManifestLocation() .withObjectArn(manifestObjectArn) .withETag(manifestObjectVersionId); final JobManifestSpec manifestSpec = new JobManifestSpec() .withFormat(JobManifestFormat.S3BatchOperations_CSV_20180820) .withFields("Bucket", "Key"); final JobManifest manifestToPublicApi = new JobManifest() .withLocation(manifestLocation) .withSpec(manifestSpec); final String jobReportBucketArn = "arn:aws:s3:::ReportBucket"; final String jobReportPrefix = "reports/bops-governance"; final JobReport jobReport = new JobReport() .withEnabled(true) .withReportScope(JobReportScope.AllTasks) .withBucket(jobReportBucketArn) .withPrefix(jobReportPrefix) .withFormat(JobReportFormat.Report_CSV_20180820); final JobOperation jobOperation = new JobOperation() .withS3PutObjectRetention(new S3SetObjectRetentionOperation() .withRetention(new S3Retention())); final String roleArn = "arn:aws:iam::123456789012:role/bops-object-lock"; final Boolean requiresConfirmation = true; final int priority = 10; final CreateJobRequest request = new CreateJobRequest() .withAccountId("123456789012") .withDescription("Remove governance retention") .withManifest(manifestToPublicApi) .withOperation(jobOperation) .withPriority(priority) .withRoleArn(roleArn) .withReport(jobReport) .withConfirmationRequired(requiresConfirmation); final CreateJobResult result = awss3ControlClient.createJob(request); return result.getJobId(); }