Locking a Vault using the Amazon Command Line Interface - Amazon Glacier
(Prerequisite) Setting Up the Amazon CLIRelated Sections
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

This page is only for existing customers of the Amazon Glacier service using Vaults and the original REST API from 2012.

If you're looking for archival storage solutions, we recommend using the Amazon Glacier storage classes in Amazon S3, S3 Glacier Instant Retrieval, S3 Glacier Flexible Retrieval, and S3 Glacier Deep Archive. To learn more about these storage options, see Amazon Glacier storage classes.

Amazon Glacier (original standalone vault-based service) will no longer accept new customers starting December 15, 2025, with no impact to existing customers. Amazon Glacier is a standalone service with its own APIs that stores data in vaults and is distinct from Amazon S3 and the Amazon S3 Glacier storage classes. Your existing data will remain secure and accessible in Amazon Glacier indefinitely. No migration is required. For low-cost, long-term archival storage, Amazon recommends the Amazon S3 Glacier storage classes, which deliver a superior customer experience with S3 bucket-based APIs, full Amazon Web Services Region availability, lower costs, and Amazon service integration. If you want enhanced capabilities, consider migrating to Amazon S3 Glacier storage classes by using our Amazon Solutions Guidance for transferring data from Amazon Glacier vaults to Amazon S3 Glacier storage classes.

Locking a Vault using the Amazon Command Line Interface

You can lock your vault using the Amazon Command Line Interface. This will install a vault lock policy on the specified vault and return the lock ID. You must complete the vault locking process within 24 hours else the vault lock policy is removed from the vault.

(Prerequisite) Setting Up the Amazon CLI

  1. Download and configure the Amazon CLI. For instructions, see the following topics in the Amazon Command Line Interface User Guide:

    Installing the Amazon Command Line Interface

    Configuring the Amazon Command Line Interface

  2. Verify your Amazon CLI setup by entering the following commands at the command prompt. These commands don't provide credentials explicitly, so the credentials of the default profile are used.

    • Try using the help command.

      aws help

    • To get a list of Amazon Glacier vaults on the configured account, use the list-vaults command. Replace 123456789012 with your Amazon Web Services account ID.

      aws glacier list-vaults --account-id 123456789012

    • To see the current configuration data for the Amazon CLI, use the aws configure list command.

      aws configure list

  1. Use the initiate-vault-lock to install a vault lock policy and sets the lock state of the vault lock to InProgress.

    aws glacier initiate-vault-lock --vault-name examplevault --account-id 111122223333 --policy file://lockconfig.json

  2. The lock configuration is a JSON document as shown in the following example. Before using this command, replace the VAULT_ARN and Principal with the appropriate values for your use case.

    To find the ARN of the vault you wish to lock, you can use the list-vaults command. 

    {"Policy":"{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"Define-vault-lock\",\"Effect\":\"Deny\",\"Principal\":{\"AWS\":\"arn:aws:iam::111122223333:root\"},\"Action\":\"glacier:DeleteArchive\",\"Resource\":\"VAULT_ARN\",\"Condition\":{\"NumericLessThanEquals\":{\"glacier:ArchiveAgeinDays\":\"365\"}}}]}"}

  3. After initiating the vault lock you should see the lockId returned. 

    {
    "lockId": "LOCK_ID"
}

To complete the vault lock You must run complete-vault-lock within 24 hours else the vault lock policy is removed from the vault.

aws glacier complete-vault-lock --vault-name examplevault --account-id 111122223333 --lock-id LOCK_ID