Locking a Vault using the Amazon Command Line Interface - Amazon S3 Glacier

If you're new to archival storage in Amazon Simple Storage Service (Amazon S3), we recommend that you start by learning more about the S3 Glacier storage classes in Amazon S3, S3 Glacier Instant Retrieval, S3 Glacier Flexible Retrieval, and S3 Glacier Deep Archive. For more information, see S3 Glacier storage classes and Storage classes for archiving objects in the Amazon S3 User Guide.

Locking a Vault using the Amazon Command Line Interface

You can lock your vault using the Amazon Command Line Interface. This installs a vault lock policy on the specified vault and returns the lock ID. You must complete the vault locking process within 24 hours; otherwise, the vault lock policy is removed from the vault.

(Prerequisite) Setting Up the Amazon CLI

  1. Download and configure the Amazon CLI. For instructions, see the following topics in the Amazon Command Line Interface User Guide:

    Installing the Amazon Command Line Interface

    Configuring the Amazon Command Line Interface

  2. Verify your Amazon CLI setup by entering the following commands at the command prompt. These commands don't provide credentials explicitly, so the credentials of the default profile are used.

    • Try using the help command.

      aws help
    • To get a list of S3 Glacier vaults on the configured account, use the list-vaults command. Replace 123456789012 with your Amazon Web Services account ID.

      aws glacier list-vaults --account-id 123456789012
    • To see the current configuration data for the Amazon CLI, use the aws configure list command.

      aws configure list
  1. Use the initiate-vault-lock command to install a vault lock policy and set the lock state of the vault lock to InProgress.

    aws glacier initiate-vault-lock --vault-name examplevault --account-id 111122223333 --policy file://lockconfig.json
  2. The lock configuration is a JSON document as shown in the following example. Before using this command, replace the VAULT_ARN and Principal with the appropriate values for your use case.

    To find the ARN of the vault you wish to lock, you can use the list-vaults command.

    {"Policy":"{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"Define-vault-lock\",\"Effect\":\"Deny\",\"Principal\":{\"AWS\":\"arn:aws:iam::111122223333:root\"},\"Action\":\"glacier:DeleteArchive\",\"Resource\":\"VAULT_ARN\",\"Condition\":{\"NumericLessThanEquals\":{\"glacier:ArchiveAgeinDays\":\"365\"}}}]}"}
  3. After initiating the vault lock you should see the lockId returned.

    { "lockId": "LOCK_ID" }

To complete the vault lock, you must run complete-vault-lock within 24 hours; otherwise, the vault lock policy is removed from the vault.

aws glacier complete-vault-lock --vault-name examplevault --account-id 111122223333 --lock-id LOCK_ID
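The lockconfig.json shown above is easy to get wrong by hand, because the policy is a JSON string nested inside a JSON wrapper. The following is an added example, not part of the Amazon documentation: it generates that file from readable values and checks an existing one for a non-string Policy or a leftover VAULT_ARN placeholder. The function names, the ARN pattern and the sample ARNs are assumptions made for illustration.

```python
import json
import re

# Vault ARN shape: arn:<partition>:glacier:<region>:<account-id>:vaults/<name>
VAULT_ARN_RE = re.compile(r"^arn:aws[a-z-]*:glacier:[a-z0-9-]+:\d{12}:vaults/[\w.-]+$")

def build_lock_config(vault_arn, principal_arn, min_age_days):
    """Return lockconfig.json text for the page's deny-delete policy."""
    policy = {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "Define-vault-lock",
            "Effect": "Deny",
            "Principal": {"AWS": principal_arn},
            "Action": "glacier:DeleteArchive",
            "Resource": vault_arn,
            "Condition": {"NumericLessThanEquals": {
                "glacier:ArchiveAgeinDays": str(min_age_days)}},
        }],
    }
    # Double encoding: the policy is a JSON string inside the JSON wrapper.
    return json.dumps({"Policy": json.dumps(policy)})

def check_lock_config(text):
    """Return a list of problems in lockconfig.json text (empty means OK)."""
    try:
        wrapper = json.loads(text)
        inner = wrapper.get("Policy") if isinstance(wrapper, dict) else None
        if not isinstance(inner, str):
            return ["'Policy' must be a JSON-encoded string, not an object"]
        policy = json.loads(inner)
    except ValueError as exc:
        return [f"not valid JSON: {exc}"]
    statements = policy.get("Statement") if isinstance(policy, dict) else None
    if isinstance(statements, dict):
        statements = [statements]  # a single statement may be a bare object
    if not isinstance(statements, list) or not statements:
        return ["policy has no Statement"]
    problems = []
    for i, stmt in enumerate(statements):
        resource = stmt.get("Resource", "") if isinstance(stmt, dict) else ""
        for arn in resource if isinstance(resource, list) else [resource]:
            if not (isinstance(arn, str) and VAULT_ARN_RE.match(arn)):
                problems.append(f"Statement[{i}]: Resource {arn!r} is not a vault ARN")
    return problems

if __name__ == "__main__":
    # Constructed sample values; substitute your own vault ARN and principal.
    print(build_lock_config("arn:aws:glacier:us-west-2:111122223333:vaults/examplevault",
                            "arn:aws:iam::111122223333:root", 365))
```

Run the check before initiate-vault-lock, because the policy can no longer be changed once complete-vault-lock succeeds.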