Chapter 5.7 - S3 Object Lock and Glacier Vault Lock

Question 1

What model does S3 Object Lock use to store objects?

Answer 1

Write Once, Read Many (WORM)

Question 2

Can S3 Object Lock be implemented on individual objects, entire buckets, or both?

Answer 2

Both

Question 3

Name and describe the two modes in which S3 Object Lock can be implemented:

Answer 3

Governance Mode:
Users can’t overwrite or delete an object version or alter its lock settings unless they have special permissions

Compliance Mode:
A protected object version can’t be overwritten or deleted by ANY user, including the root user in the AWS account

Question 4

How does the S3 Object Lock Retention Period work?

Answer 4

Protects an object version for a fixed amount of time.

Timestamp is stored in the objects version’s metadata.

After the retention period expires, the object version can be overwritten or deleted unless you also placed a legal hold on the object version.

Question 5

What does an S3 Object Lock Legal Hold do?

Answer 5

Prevents an object version from being overwritten or deleted but does not have an associated retention period, therefore it remains in place until it is removed.

Only users who have the appropriate permission may place or remove a legal hold:
s3 : PutObjectLegalHold

Question 6

What are the characteristics of S3 Glacier Vault Lock?

Answer 6

Easily deploy and enforce compliance controls for individual S3 Glacier vaults with a vault lock policy
You can specify controls, such as WORM, in a vault lock policy and lock the policy from future edits. Once locked, the policy can no longer be changed.