Locking a Vault using the Amazon Command Line Interface - Amazon S3 Glacier
(Prerequisite) Setting Up the Amazon CLIRelated Sections
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

This page is only for existing customers of the S3 Glacier service using Vaults and the original REST API from 2012.

If you're looking for archival storage solutions we suggest using the S3 Glacier storage classes in Amazon S3, S3 Glacier Instant Retrieval, S3 Glacier Flexible Retrieval, and S3 Glacier Deep Archive. To learn more about these storage options, see S3 Glacier storage classes and Long-term data storage using S3 Glacier storage classes in the Amazon S3 User Guide. These storage classes use the Amazon S3 API, are available in all regions, and can be managed within the Amazon S3 console. They offer features like Storage Cost Analysis, Storage Lens, security features including multiple encryption options, and more.

Locking a Vault using the Amazon Command Line Interface

You can lock your vault using the Amazon Command Line Interface. This will install a vault lock policy on the specified vault and return the lock ID. You must complete the vault locking process within 24 hours else the vault lock policy is removed from the vault.

(Prerequisite) Setting Up the Amazon CLI

  1. Download and configure the Amazon CLI. For instructions, see the following topics in the Amazon Command Line Interface User Guide:

    Installing the Amazon Command Line Interface

    Configuring the Amazon Command Line Interface

  2. Verify your Amazon CLI setup by entering the following commands at the command prompt. These commands don't provide credentials explicitly, so the credentials of the default profile are used.

    • Try using the help command.

      aws help

    • To get a list of S3 Glacier vaults on the configured account, use the list-vaults command. Replace 123456789012 with your Amazon Web Services account ID.

      aws glacier list-vaults --account-id 123456789012

    • To see the current configuration data for the Amazon CLI, use the aws configure list command.

      aws configure list

  1. Use the initiate-vault-lock to install a vault lock policy and sets the lock state of the vault lock to InProgress.

    aws glacier initiate-vault-lock --vault-name examplevault --account-id 111122223333 --policy file://lockconfig.json

  2. The lock configuration is a JSON document as shown in the following example. Before using this command, replace the VAULT_ARN and Principal with the appropriate values for your use case.

    To find the ARN of the vault you wish to lock, you can use the list-vaults command. 

    {"Policy":"{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"Define-vault-lock\",\"Effect\":\"Deny\",\"Principal\":{\"AWS\":\"arn:aws:iam::111122223333:root\"},\"Action\":\"glacier:DeleteArchive\",\"Resource\":\"VAULT_ARN\",\"Condition\":{\"NumericLessThanEquals\":{\"glacier:ArchiveAgeinDays\":\"365\"}}}]}"}

  3. After initiating the vault lock you should see the lockId returned. 

    {
    "lockId": "LOCK_ID"
}

To complete the vault lock You must run complete-vault-lock within 24 hours else the vault lock policy is removed from the vault.

aws glacier complete-vault-lock --vault-name examplevault --account-id 111122223333 --lock-id LOCK_ID