SnapLock Compliance - FSx for ONTAP

SnapLock Compliance

Amazon FSx for NetApp ONTAP supports SnapLock Compliance volumes.

Using SnapLock Compliance

This section describes use cases and considerations for the Compliance retention mode.

Use cases for SnapLock Compliance

You might choose the Compliance retention mode for the following use cases.

  • You can use SnapLock Compliance to address government or industry-specific mandates such as SEC Rule 17a-4(f), FINRA Rule 4511, and CFTC Regulation 1.31. SnapLock Compliance on Amazon FSx for NetApp ONTAP was assessed for these mandates and regulations by Cohasset Associates. For more information, see the Compliance Assessment Report for Amazon FSx for NetApp ONTAP.

  • You can use SnapLock Compliance to complement or enhance a comprehensive data protection strategy to combat ransomware attacks.

Considerations for SnapLock Compliance

Here are some important items to consider about the Compliance retention mode.

  • After a file is transitioned to the write once, read many (WORM) state on a SnapLock Compliance volume, no user can delete it before its retention period expires.

  • A SnapLock Compliance volume can only be deleted when the retention periods of all WORM files on the volume have expired, and the WORM files have been deleted from the volume.

  • You can't rename a SnapLock Compliance volume after creation.

  • You can use SnapMirror to replicate WORM files, but the source volume and destination volume must have the same retention mode (for example, both must be Compliance).

  • A SnapLock Compliance volume can't be converted to a SnapLock Enterprise volume, and a SnapLock Enterprise volume can't be converted to a SnapLock Compliance volume.

Creating a SnapLock Compliance volume

You can create a SnapLock Compliance volume with the Amazon FSx console, the Amazon CLI, the Amazon FSx API, and the ONTAP CLI and REST API.

To create a SnapLock Compliance volume with the Amazon FSx API, use SnaplockType in CreateSnaplockConfiguration.

The following procedure explains how to create a SnapLock Compliance volume on the Amazon FSx console.

To create a SnapLock Compliance volume on the Amazon FSx console
  1. Open the Amazon FSx console at https://console.amazonaws.cn/fsx/.

  2. Follow the procedure for creating a new volume in Creating volumes.

  3. In the Advanced section, for SnapLock Configuration, choose Enabled.

    Select the check box to acknowledge the warning about enabling SnapLock on the volume.

  4. For Retention mode, choose Compliance.

  5. For Audit log volume, choose between Enabled and Disabled.

    If you choose Enabled, make sure that the Junction path is set to /snaplock_audit_log.

    For more information, see SnapLock audit log volumes.

  6. For Retention period, enter values for Default retention, Minimum retention, and Maximum retention. Then choose a corresponding Unit for each.

    For more information, see Working with the retention period in SnapLock.

  7. For Autocommit, choose between Enabled and Disabled.

    If you choose Enabled, for Autocommit period, enter a value and choose a corresponding Autocommit unit.

    You can specify a value between 5 minutes and 10 years.

    For more information, see Autocommit.

  8. For Volume append mode, choose between Enabled and Disabled.

    For more information, see Volume-append mode.

  9. Follow the rest of the procedure for creating a new volume in Creating volumes.

  10. Choose Confirm to create the volume.
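
The console settings above map onto the SnaplockConfiguration block of the Amazon FSx CreateVolume API. The following is an added example, not code from the AWS documentation: it builds that request and rejects values that contradict the limits stated in the procedure (the audit log junction path and the autocommit range of 5 minutes to 10 years). The function and helper names are hypothetical, and the 365-day year used for the DAYS limit is an assumption.

```python
# Added example: builds and validates kwargs for boto3's fsx.create_volume();
# nothing is sent to AWS. Limits per unit keep autocommit within 10 years:
# DAYS assumes 365-day years; MINUTES and HOURS hit the API's 65535 cap first.
AUTOCOMMIT_MAX = {"MINUTES": 65535, "HOURS": 65535, "DAYS": 3650,
                  "MONTHS": 120, "YEARS": 10}
AUDIT_LOG_JUNCTION = "/snaplock_audit_log"


def period(value, unit):
    return {"Type": unit, "Value": value}


def build_compliance_volume_request(name, svm_id, size_mb, junction_path,
                                    default_ret, min_ret, max_ret,
                                    autocommit=None, audit_log=False,
                                    append_mode=False):
    """Retention arguments and autocommit are (value, unit) tuples."""
    if audit_log and junction_path != AUDIT_LOG_JUNCTION:
        raise ValueError(f"audit log volume must use {AUDIT_LOG_JUNCTION}")
    if autocommit is None:
        autocommit_cfg = {"Type": "NONE"}  # autocommit disabled
    else:
        value, unit = autocommit
        if unit not in AUTOCOMMIT_MAX:
            raise ValueError(f"unsupported autocommit unit: {unit}")
        low = 5 if unit == "MINUTES" else 1
        if not low <= value <= AUTOCOMMIT_MAX[unit]:
            raise ValueError("autocommit must be between 5 minutes and 10 years")
        autocommit_cfg = period(value, unit)
    return {
        "VolumeType": "ONTAP",
        "Name": name,
        "OntapConfiguration": {
            "StorageVirtualMachineId": svm_id,
            "SizeInMegabytes": size_mb,
            "JunctionPath": junction_path,
            "SnaplockConfiguration": {
                "SnaplockType": "COMPLIANCE",
                "AuditLogVolume": audit_log,
                "VolumeAppendModeEnabled": append_mode,
                "AutocommitPeriod": autocommit_cfg,
                "RetentionPeriod": {
                    "DefaultRetention": period(*default_ret),
                    "MinimumRetention": period(*min_ret),
                    "MaximumRetention": period(*max_ret),
                },
            },
        },
    }
```

Pass the returned dictionary to an FSx client as `create_volume(**request)`. Because a Compliance volume can't be deleted while it holds unexpired WORM files, validating the retention and autocommit values before the call is cheaper than discovering a mistake afterwards.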