Enabling S3 Object Lock using S3 Batch Operations - Amazon Simple Storage Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Enabling S3 Object Lock using S3 Batch Operations

You can use Amazon S3 Batch Operations with S3 Object Lock to manage retention or enable a legal hold for many Amazon S3 objects at once. You specify the list of target objects in your manifest and submit it to Batch Operations for completion. For more information, see S3 Object Lock retention and S3 Object Lock legal hold.

The following examples show how to create an Amazon Identity and Access Management (IAM) role with S3 Batch Operations permissions and update the role permissions to create jobs that enable Object Lock. You must also have a CSV manifest that identifies the objects for your S3 Batch Operations job. For more information, see Specifying a manifest.

To use the following examples, replace the user input placeholders with your own information.

  1. Create an IAM role and assign S3 Batch Operations permissions to run.

    This step is required for all S3 Batch Operations jobs.

    export AWS_PROFILE='aws-user' read -d '' batch_operations_trust_policy <<EOF { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": [ "batchoperations.s3.amazonaws.com" ] }, "Action": "sts:AssumeRole" } ] } EOF aws iam create-role --role-name batch_operations-objectlock \ --assume-role-policy-document "${batch_operations_trust_policy}"
  2. Set up S3 Batch Operations with S3 Object Lock to run.

    In this step, you allow the role to do the following:

    1. Run Object Lock on the S3 bucket that contains the target objects that you want Batch Operations to run on.

    2. Read the S3 bucket where the manifest CSV file and the objects are located.

    3. Write the results of the S3 Batch Operations job to the reporting bucket.

    read -d '' batch_operations_permissions <<EOF { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "s3:GetBucketObjectLockConfiguration", "Resource": [ "arn:aws-cn:s3:::{{amzn-s3-demo-manifest-bucket}}" ] }, { "Effect": "Allow", "Action": [ "s3:GetObject", "s3:GetObjectVersion", "s3:GetBucketLocation" ], "Resource": [ "arn:aws-cn:s3:::{{amzn-s3-demo-manifest-bucket}}/*" ] }, { "Effect": "Allow", "Action": [ "s3:PutObject", "s3:GetBucketLocation" ], "Resource": [ "arn:aws-cn:s3:::{{amzn-s3-demo-completion-report-bucket}}/*" ] } ] } EOF aws iam put-role-policy --role-name batch_operations-objectlock \ --policy-name object-lock-permissions \ --policy-document "${batch_operations_permissions}"

The following examples show how to create an IAM role with S3 Batch Operations permissions, and update the role permissions to create jobs that enable Object Lock by using the Amazon SDK for Java. You must also have a CSV manifest identifying the objects for your S3 Batch Operations job. For more information, see Specifying a manifest.

Perform the following steps:

  1. Create an IAM role and assign S3 Batch Operations permissions to run. This step is required for all S3 Batch Operations jobs.

  2. Set up S3 Batch Operations with S3 Object Lock to run.

    You allow the role to do the following:

    1. Run Object Lock on the S3 bucket that contains the target objects that you want Batch Operations to run on.

    2. Read the S3 bucket where the manifest CSV file and the objects are located.

    3. Write the results of the S3 Batch Operations job to the reporting bucket.

public void createObjectLockRole() { final String roleName = "batch_operations-object-lock"; final String trustPolicy = "{" + " \"Version\": \"2012-10-17\", " + " \"Statement\": [ " + " { " + " \"Effect\": \"Allow\", " + " \"Principal\": { " + " \"Service\": [" + " \"batchoperations.s3.amazonaws.com\"" + " ]" + " }, " + " \"Action\": \"sts:AssumeRole\" " + " } " + " ]" + "}"; final String bopsPermissions = "{" + " \"Version\": \"2012-10-17\"," + " \"Statement\": [" + " {" + " \"Effect\": \"Allow\"," + " \"Action\": \"s3:GetBucketObjectLockConfiguration\"," + " \"Resource\": [" + " \"arn:aws-cn:s3:::amzn-s3-demo-manifest-bucket\"" + " ]" + " }," + " {" + " \"Effect\": \"Allow\"," + " \"Action\": [" + " \"s3:GetObject\"," + " \"s3:GetObjectVersion\"," + " \"s3:GetBucketLocation\"" + " ]," + " \"Resource\": [" + " \"arn:aws-cn:s3:::amzn-s3-demo-manifest-bucket/*\"" + " ]" + " }," + " {" + " \"Effect\": \"Allow\"," + " \"Action\": [" + " \"s3:PutObject\"," + " \"s3:GetBucketLocation\"" + " ]," + " \"Resource\": [" + " \"arn:aws-cn:s3:::amzn-s3-demo-completion-report-bucket/*\"" + " ]" + " }" + " ]" + "}"; final AmazonIdentityManagement iam = AmazonIdentityManagementClientBuilder.defaultClient(); final CreateRoleRequest createRoleRequest = new CreateRoleRequest() .withAssumeRolePolicyDocument(bopsPermissions) .withRoleName(roleName); final CreateRoleResult createRoleResult = iam.createRole(createRoleRequest); final PutRolePolicyRequest putRolePolicyRequest = new PutRolePolicyRequest() .withPolicyDocument(bopsPermissions) .withPolicyName("batch_operations-permissions") .withRoleName(roleName); final PutRolePolicyResult putRolePolicyResult = iam.putRolePolicy(putRolePolicyRequest); }