This page is only for existing customers of the S3 Glacier service using Vaults and the original REST API from 2012.
If you're looking for archival storage solutions we suggest using the S3 Glacier storage classes in Amazon S3, S3 Glacier Instant Retrieval, S3 Glacier Flexible Retrieval, and S3 Glacier Deep Archive. To learn more about these storage options, see S3 Glacier storage classes
Vault Lock Policies
An Amazon S3 Glacier (S3 Glacier) vault can have one resource-based vault access policy and one Vault Lock policy attached to it. A Vault Lock policy is a vault access policy that you can lock. Using a Vault Lock policy can help you enforce regulatory and compliance requirements. Amazon S3 Glacier provides a set of API operations for you to manage the Vault Lock policies, see Locking a Vault by Using the S3 Glacier API.
As an example of a Vault Lock policy, suppose that you are required to retain archives for one year before you can delete them. To implement this requirement, you can create a Vault Lock policy that denies users permissions to delete an archive until the archive has existed for one year. You can test this policy before locking it down. After you lock the policy, the policy becomes immutable. For more information about the locking process, see Vault Lock Policies. If you want to manage other user permissions that can be changed, you can use the vault access policy (see Vault Access Policies).
You can use the S3 Glacier API, Amazon SDKs, Amazon CLI, or the S3 Glacier console to create and manage Vault Lock policies. For a list of S3 Glacier actions allowed for vault resource-based policies, see API Permissions Reference.
Examples
Example 1: Deny Deletion Permissions for Archives Less Than 365 Days Old
Suppose that you have a regulatory requirement to retain archives for up to one
year before you can delete them. You can enforce that requirement by implementing the
following Vault Lock policy. The policy denies the glacier:DeleteArchive
action on the examplevault vault if the archive being deleted is less than one year
old. The policy uses the S3 Glacier-specific condition key
ArchiveAgeInDays to enforce the one-year retention requirement.
{ "Version":"2012-10-17", "Statement":[ { "Sid": "deny-based-on-archive-age", "Principal": "*", "Effect": "Deny", "Action": "glacier:DeleteArchive", "Resource": [ "arn:aws-cn:glacier:us-west-2:123456789012:vaults/examplevault" ], "Condition": { "NumericLessThan" : { "glacier:ArchiveAgeInDays" : "365" } } } ] }
Example 2: Deny Deletion Permissions Based on a Tag
Suppose that you have a time-based retention rule that an archive can be deleted if it is less than a year old. At the same time, suppose that you need to place a legal hold on your archives to prevent deletion or modification for an indefinite duration during a legal investigation. In this case, the legal hold takes precedence over the time-based retention rule specified in the Vault Lock policy.
To put these two rules in place, the following example policy has two statements:
-
The first statement denies deletion permissions for everyone, locking the vault. This lock is performed by using the
LegalHoldtag. -
The second statement grants deletion permissions when the archive is less than 365 days old. But even when archives are less than 365 days old, no one can delete them when the condition in the first statement is met.
{ "Version":"2012-10-17", "Statement":[ { "Sid": "lock-vault", "Principal": "*", "Effect": "Deny", "Action": [ "glacier:DeleteArchive" ], "Resource": [ "arn:aws-cn:glacier:us-west-2:123456789012:vaults/examplevault" ], "Condition": { "StringLike": { "glacier:ResourceTag/LegalHold": [ "true", "" ] } } }, { "Sid": "you-can-delete-archive-less-than-1-year-old", "Principal": { "AWS": "arn:aws-cn:iam::123456789012:root" }, "Effect": "Allow", "Action": [ "glacier:DeleteArchive" ], "Resource": [ "arn:aws-cn:glacier:us-west-2:123456789012:vaults/examplevault" ], "Condition": { "NumericLessThan": { "glacier:ArchiveAgeInDays": "365" } } } ] }