S3 Object Lock Flashcards
What does S3 Object Lock do? Why is it useful?
- Protects objects in S3 from being overwritten or deleted for a fixed (or indefinite) amount of time
- Creates storage using the Write Once, Read Many (WORM) model
- Good for regulatory requirements
What is the storage model associated with S3 Object Lock?
Write Once, Read Many (WORM)
What does WORM stand for?
Write Once, Read Many. (A compliant form of storage)
What are the two modes of S3 Object Lock? What is the main difference between the two?
Governance Mode and Compliance Mode:
- In governance mode, you cannot overwrite or delete an object version or alter its lock settings UNLESS you have special permissions.
- In compliance mode, NO user, not even the root user, can overwrite or delete an object or update its lock settings.
Define and compare Retention Period vs. Legal Hold
Both protect an object version from being overwritten/deleted.
- Retention Period is a fixed amount of time.
- Legal Hold can be freely placed/removed by anyone with the ‘s3:PutObjectLegalHold’ permission.
What is S3 Glacier Vault Lock?
- Basically, S3 Object Lock for vaults in Glacier.
- Easily deploy and enforce compliance controls for S3 Glacier Vaults with a Vault Lock policy.
- Specify controls (like WORM) in a vault lock policy and lock from future edits.
What is the best way to put an object lock on all objects in an S3 bucket?
S3 Object Lock can be configured bucket-wide, so just apply one object lock at the bucket level.
In S3 Glacier Vault Lock, once the policy is initially locked, can it be changed?
No