Certified Security - Specialty


How to change an active Glacier Vault Lock?

On the Glacier Vault Lock lecture, Faye mentions that once a lock policy is confirmed it cannot be changed or deleted. If the policy needs to change, like in the scenario described below, how can one achieve that? Is there any way?

Scenario:

1. Company sets retention policy to keep all documents for 1 year.

2. The Vault Lock policy is updated to prevent deletion before 365 days.

3. Policy is confirmed.

4. Company changes their mind to instead set retention policy for 3 years.

How can I update that previously confirmed policy to ensure that no data is deleted before the new retention policy?

3 Answers

Looks like this isn’t currently possible once the vault has been locked; that’s the reason AWS gives us 24hrs before confirming the lock.

justin.wheeler

I understand that, but I guess AWS can’t support changing requirements. I’ll keep that in mind when proposing Glacier for my business.

josh.rodgers

Justin, it appears you are still misunderstanding or misinterpreting what a Vault Lock is intended for – it is behaving as expected in your scenario and it should not be flexible in this regard. The business needs to have their decisions final before implementing.

Glacier Vault Lock service is immutable by design — let’s say you have to store voice recordings for all stock trades for 7 years for audits… This service, because it cannot change settings, proves you did not delete records. It’s all about a service that once set can’t change, forcing you to wait the 7 years before you can delete it. The service is a specific response to client asks for a service to satisfy strict compliance requirements defined in laws, rules and regulations.

So if you want 3-year retention (no deletes) vs 7, create a new Vault and then copy over the files, but the ones in the 7-year vault are in there for 7 years and not able to be deleted until 7 years pass 🙂

…. keeping files too long can be a legal liability, so it’s a good idea to get compliance experts involved to be sure before setting the vault locks up. An interesting issue for the lawyers is if all of a sudden a law changes and now says DON’T keep data for the old time span for privacy reasons etc., and you cannot comply with the new law by deleting your archives that adhere to the old mandated retention schedule/lock 🙂
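
The workaround from the last answer (a new vault with its own lock for the longer period), applied to the question's 1-year and 3-year numbers, as an added example that is not part of the thread. It builds the Vault Lock policy document for each retention period and uses a simplified local model of the deny condition to show which vault still blocks a delete at a given archive age; the account ID, region, vault names and function names are assumptions.

```python
import json

def vault_lock_policy(vault_arn: str, retention_days: int) -> dict:
    """Vault Lock policy denying DeleteArchive until an archive is retention_days old."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "deny-delete-before-retention",
            "Principal": "*",
            "Effect": "Deny",
            "Action": "glacier:DeleteArchive",
            "Resource": [vault_arn],
            "Condition": {
                "NumericLessThan": {"glacier:ArchiveAgeInDays": str(retention_days)}
            },
        }],
    }

def delete_denied(policy: dict, archive_age_days: int) -> bool:
    """Simplified local model of the Deny condition (not the AWS policy evaluator)."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or stmt["Action"] != "glacier:DeleteArchive":
            continue
        limit = stmt["Condition"]["NumericLessThan"]["glacier:ArchiveAgeInDays"]
        if archive_age_days < int(limit):
            return True
    return False

# Constructed placeholders: account ID, region and vault names are not from the thread.
ARN = "arn:aws:glacier:us-east-1:111122223333:vaults/{}"
one_year = vault_lock_policy(ARN.format("records-1y"), 365)        # confirmed lock, immutable
three_year = vault_lock_policy(ARN.format("records-3y"), 3 * 365)  # new vault, new lock

if __name__ == "__main__":
    # Policy document to attach to the new vault before confirming its lock.
    print(json.dumps(three_year, indent=2))
    for age in (100, 400, 1095):
        old = "denies" if delete_denied(one_year, age) else "allows"
        new = "denies" if delete_denied(three_year, age) else "allows"
        print(f"archive age {age} days: 1y vault {old} delete, 3y vault {new} delete")
```

At 400 days the original vault no longer blocks deletion, so the 3-year requirement is only enforced for archives held in the new vault.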
