This page is only for existing customers of the S3 Glacier service using Vaults and the original REST API from 2012.
If you're looking for archival storage solutions, we suggest using the S3 Glacier storage classes in Amazon S3: S3 Glacier Instant Retrieval, S3 Glacier Flexible Retrieval, and S3 Glacier Deep Archive. To learn more about these storage options, see S3 Glacier storage classes.
Locking a Vault using the Amazon Command Line Interface
You can lock your vault using the Amazon Command Line Interface. This installs a vault lock policy on the specified vault and returns the lock ID. You must complete the vault locking process within 24 hours; otherwise, the vault lock policy is removed from the vault.
(Prerequisite) Setting Up the Amazon CLI
- Download and configure the Amazon CLI. For instructions, see the following topics in the Amazon Command Line Interface User Guide:
- Verify your Amazon CLI setup by entering the following commands at the command prompt. These commands don't provide credentials explicitly, so the credentials of the default profile are used.
  - Try using the help command.
    aws help
  - To get a list of S3 Glacier vaults on the configured account, use the list-vaults command. Replace 123456789012 with your Amazon Web Services account ID.
    aws glacier list-vaults --account-id 123456789012
  - To see the current configuration data for the Amazon CLI, use the aws configure list command.
    aws configure list
- Use the initiate-vault-lock command to install a vault lock policy and set the lock state of the vault lock to InProgress.
  aws glacier initiate-vault-lock --vault-name examplevault --account-id 111122223333 --policy file://lockconfig.json
- The lock configuration is a JSON document as shown in the following example. Before using this command, replace the VAULT_ARN and Principal with the appropriate values for your use case. To find the ARN of the vault you wish to lock, you can use the list-vaults command.
  {"Policy":"{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"Define-vault-lock\",\"Effect\":\"Deny\",\"Principal\":{\"AWS\":\"arn:aws:iam::111122223333:root\"},\"Action\":\"glacier:DeleteArchive\",\"Resource\":\"VAULT_ARN\",\"Condition\":{\"NumericLessThanEquals\":{\"glacier:ArchiveAgeinDays\":\"365\"}}}]}"}
- After initiating the vault lock, you should see the lockId returned.
  { "lockId": "LOCK_ID" }
To complete the vault lock, you must run complete-vault-lock within 24 hours; otherwise, the vault lock policy is removed from the vault.
aws glacier complete-vault-lock --vault-name examplevault --account-id 111122223333 --lock-id LOCK_ID
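The lock configuration above nests the policy as an escaped JSON string, which is easy to get wrong by hand or to submit with the VAULT_ARN placeholder still in place. The following is an added example, not code from the original documentation: it generates lockconfig.json and checks it before initiate-vault-lock is run. The function names and the sample vault ARN are assumptions made for illustration, and the checker assumes statements shaped like the example on this page.

```python
import json

def build_lock_config(vault_arn, principal_arn, min_age_days=365):
    """Return lockconfig.json text: {"Policy": "<policy as a JSON string>"}."""
    policy = {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "Define-vault-lock",
            "Effect": "Deny",
            "Principal": {"AWS": principal_arn},
            "Action": "glacier:DeleteArchive",
            "Resource": vault_arn,
            "Condition": {"NumericLessThanEquals":
                          {"glacier:ArchiveAgeinDays": str(min_age_days)}},
        }],
    }
    # Serialize twice so the inner policy's quotes are escaped by json, not by hand.
    return json.dumps({"Policy": json.dumps(policy, separators=(",", ":"))})

def check_lock_config(text):
    """Return a list of problems in a lockconfig.json text (empty means OK)."""
    try:
        policy = json.loads(json.loads(text)["Policy"])
        statements = policy["Statement"]
    except (ValueError, KeyError, TypeError) as exc:
        return [f"not a valid lock configuration: {exc!r}"]
    if isinstance(statements, dict):      # a single statement is allowed
        statements = [statements]
    problems = []
    for i, stmt in enumerate(statements):
        if not str(stmt.get("Resource", "")).startswith("arn:"):
            problems.append(f"statement {i}: Resource is not an ARN")
        principal = stmt.get("Principal", {})
        arns = principal.get("AWS", []) if isinstance(principal, dict) else []
        for arn in [arns] if isinstance(arns, str) else arns:
            if not str(arn).startswith("arn:"):
                problems.append(f"statement {i}: Principal is not an ARN")
        cond = stmt.get("Condition", {}).get("NumericLessThanEquals", {})
        days = cond.get("glacier:ArchiveAgeinDays")
        if days is not None and not str(days).isdigit():
            problems.append(f"statement {i}: archive age is not a number")
    return problems

if __name__ == "__main__":
    # Constructed sample values; replace with your own vault and principal.
    cfg = build_lock_config(
        "arn:aws:glacier:us-west-2:111122223333:vaults/examplevault",
        "arn:aws:iam::111122223333:root")
    print(check_lock_config(cfg) or cfg)
```

Save the printed text as lockconfig.json and pass it with --policy file://lockconfig.json only when the check returns no problems.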
Related Sections
- initiate-vault-lock in the Amazon CLI Command Reference
- list-vaults in the Amazon CLI Command Reference
- complete-vault-lock in the Amazon CLI Command Reference