9. S3 Lock Policies and Glacier Vault Lock

S3 Object Lock: We can use S3 Object Lock to store objects using a Write Once Read Many (WORM) model. It helps prevent objects from being deleted or modified for a fixed amount of time or indefinitely. So if you have an object and you don't want anybody to be able to modify or change the data inside it, or to delete it, we can use S3 Object Lock. We can use S3 Object Lock to meet regulatory requirements that require WORM storage, or to add an extra layer of protection against object changes and deletion.
Like all other Object Lock settings, retention periods apply to individual object versions, not to the object key as a whole. Different versions of a single object can have different retention modes and periods.

S3 Object Lock Modes:
i) Governance Mode: Users can't overwrite or delete an object version or alter its lock settings unless they have special permissions. With governance mode, we protect objects against being deleted by most users, but we can still grant some users permission to alter the retention settings or delete the object if necessary.
ii) Compliance Mode: A protected object version can't be overwritten or deleted by any user, including the root user of the AWS account. When an object is locked in compliance mode, its retention mode can't be changed and its retention period can't be shortened. Compliance mode ensures an object version can't be overwritten or deleted for the duration of the retention period.

Retention Periods:
A retention period protects an object version for a fixed amount of time. When we place a retention period on an object version, S3 stores a timestamp in the object version's metadata to indicate when the retention period expires. After the retention period expires, the object version can be overwritten or deleted unless a legal hold has also been placed on the object version.
You can place a retention period on an object version either explicitly or through a bucket default setting. When you apply a retention period to an object version explicitly, you specify a Retain Until Date for the object version. Amazon S3 stores the Retain Until Date setting in the object version’s metadata and protects the object version until the retention period expires.

Legal Holds:
S3 Object Lock also enables you to place a legal hold on an object version. Like a retention period, a legal hold also prevents an object version from being overwritten or deleted. However, a legal hold doesn't have an associated retention period and remains in effect until removed. Legal holds can be freely placed and removed by any user who has the s3:PutObjectLegalHold permission.
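The following is an added example, not code from the original notes: a small Python model of the rules above (governance vs. compliance mode, Retain Until Date expiry, legal holds), plus the keyword arguments boto3's real `put_object_retention` call expects. The bucket, key and version ids are made up, and the "special permissions" for governance mode are modelled as the s3:BypassGovernanceRetention permission.

```python
# Added example (not from the notes): models the Object Lock rules above; names are made up.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

GOVERNANCE, COMPLIANCE = "GOVERNANCE", "COMPLIANCE"

@dataclass
class VersionLock:
    """Lock state of ONE object version; other versions of the same key may differ."""
    mode: Optional[str] = None              # GOVERNANCE, COMPLIANCE or None (no retention)
    retain_until: Optional[datetime] = None # the Retain Until Date stored in version metadata
    legal_hold: bool = False

def retention_active(lock: VersionLock, now: datetime) -> bool:
    return lock.mode is not None and lock.retain_until is not None and now < lock.retain_until

def can_delete(lock: VersionLock, now: datetime, bypass_governance: bool = False) -> bool:
    """Can this version be overwritten or deleted at `now`? `bypass_governance` models a
    caller with s3:BypassGovernanceRetention (the notes' 'special permissions')."""
    if lock.legal_hold:                     # no expiry: blocks until explicitly removed
        return False
    if not retention_active(lock, now):     # never locked, or Retain Until Date has passed
        return True
    if lock.mode == GOVERNANCE:
        return bypass_governance
    return False                            # COMPLIANCE: nobody, the root user included

def can_change_retention(lock: VersionLock, new_mode: str, new_until: datetime,
                         now: datetime, bypass_governance: bool = False) -> bool:
    """Extend in the same mode: always; shorten or change mode: governance bypass only."""
    if not retention_active(lock, now):
        return True
    if new_mode == lock.mode and new_until > lock.retain_until:
        return True
    return lock.mode == GOVERNANCE and bypass_governance

def put_retention_kwargs(bucket: str, key: str, version_id: str, lock: VersionLock,
                         bypass_governance: bool = False) -> dict:
    """Keyword arguments for boto3's s3.put_object_retention (built here, not sent)."""
    kwargs = {"Bucket": bucket, "Key": key, "VersionId": version_id,
              "Retention": {"Mode": lock.mode, "RetainUntilDate": lock.retain_until}}
    if bypass_governance:                   # also needed to shorten/remove governance locks
        kwargs["BypassGovernanceRetention"] = True
    return kwargs

# Constructed sample: two versions of the same key with different locks.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
V1 = VersionLock(GOVERNANCE, NOW + timedelta(days=30))
V2 = VersionLock(COMPLIANCE, NOW + timedelta(days=365))
```

To apply a lock for real, pass the returned dictionary to `boto3.client("s3").put_object_retention(**kwargs)` on a versioning-enabled bucket created with Object Lock turned on.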

Glacier Vault Lock:
S3 Glacier Vault Lock allows you to easily deploy and enforce compliance controls for individual S3 Glacier vaults with a Vault Lock policy. We can specify controls such as WORM in a Vault Lock policy and lock the policy from future edits. Once locked, the policy can no longer be changed.

Recap:
i) Use S3 Object Lock to store objects using a write once, read many (WORM) model.
ii) Object locks can be placed on individual object versions or applied across the bucket as a whole through a bucket default setting.
iii) Object locks come in two modes: Governance mode and Compliance mode.
iv) With governance mode, users can't overwrite or delete an object version or alter its lock settings unless they have special permissions.
v) With compliance mode, a protected object version can't be overwritten or deleted by any user, including the root user in your AWS account.
vi) S3 Glacier Vault Lock: Allows you to easily deploy and enforce compliance controls for individual S3 Glacier vaults with a Vault Lock Policy. You can specify controls such as WORM in a Vault Lock policy and lock the policy from future edits. Once locked, the policy can no longer be changed.

Questions:
i. A company uses Amazon S3 buckets for storing sensitive customer data. The company has defined different retention periods for different objects present in the Amazon S3 buckets, based on the compliance requirements. However, the retention rules do not seem to work as expected. Which of the following options represent a valid configuration for setting up retention periods for objects in Amazon S3 buckets? (Select two)
Answer: a. When you apply a retention period to an object version explicitly, you specify a ‘Retain Until Date’ for the object version
b. Different versions of a single object can have different retention modes and periods