Certified Security - Specialty

Sign Up Free or Log In to participate!

What is your recommended approach?

Last week you created a Vault Lock Policy to prevent archived files from being deleted unless they are over 2 years old. But now your CTO has changed their mind and only wants to keep the archives for 1 year. What is your recommended approach?

1) Delete the Vault Lock completely and suggest using S3 lifecycle policies instead

2) Abort the Vault Lock and create a new one to fit the new requirement

3) Go back to the CTO and explain that once the Vault Lock is in place, it cannot be changed

4) Modify the Vault Lock and update the retention period to 1 year

I believe the remediation of this policy change would be #2, but the answer is #3 which is not really an approach to a policy change.  What am I  missing?


Aborting a vault lock is only possible for the 24 hours after the lock is put in place (when it’s not in the locked state). https://docs.aws.amazon.com/cli/latest/reference/glacier/abort-vault-lock.html

2 Answers

I agree, 3 is not a good answer, you can’t just tell the CTO too bad doesn’t work. But if you really scrutinize the wording of the other 3 answers they are not allowed by AWS limitations. 

1) Delete lock – Not possible

2) Abort lock – Same as delete, not possible

3) Say not possible – valid by aws rules, but in reality you wouldn’t say that to a CTO. You would just create a new vault with a new policy and remove the old vault once the files have expired.

4) Update lock – Still not possible

The reason why 3 is the correct answer is because after 24 hours, once the vault lock is in place, it cannot be aborted. The purpose is to provide strong enforcement for compliance controls on your data once they are set in place, which prevents people tampering with or accidentally deleting important data which should be kept for a certain time period.

You should definitely have a polite conversation with the CTO and explain to them that this is a feature of Glacier Vault Lock and it will not be technically possible to remove the Vault Lock Policy. (In practice, of course it would be better to have this conversation before applying the policy!) Vault Lock Policies should be carefully thought through, because if somebody changes their mind after the 24 hour period has elapsed, it will be too late to make changes.

The purpose of the question of course is to check whether you understand how vault policies work. 

Sign In
Welcome Back!

Psst…this one if you’ve been moved to ACG!

Get Started
Who’s going to be learning?