Posted On: Jul 8, 2015

Amazon Glacier Vault Lock allows you to easily set compliance controls on individual Glacier vaults and enforce them via a lockable policy. You can specify controls such as “undeletable records” or “time-based data retention” in a Vault Lock policy and lock the policy from future edits. Once locked, the policy becomes immutable and Glacier will enforce the prescribed controls to help achieve your compliance objectives.

You can deploy a variety of compliance controls with Vault Lock using the AWS Identity and Access Management (IAM) policy language. You can also test the full effect of these controls and fine-tune them before you lock the policy down. A locked policy cannot be deleted or altered once set, making Vault Lock ideal for customers in regulated industries that require tight controls on how business records must be retained before they can be erased.

For customers in the Financial Services industry, Vault Lock provides added support for broker-dealers who must retain records in a non-erasable and non-rewritable format to satisfy regulatory requirements of SEC Rule 17a-4(f), FINRA Rule 4511, or CFTC Regulation 1.31. You can easily designate the records retention time frame to retain regulatory archives in the original form for the required duration, and also place legal holds to retain data indefinitely until the hold is removed.

You can set up a Vault Lock policy in the Glacier Console and share a locked policy with your compliance officer or an auditor to demonstrate compliance. To learn more, read the AWS blog, and visit Getting Started with Amazon Glacier Vault Lock.