S3 Object Lock

Question 1

What does S3 Object Lock do? Why is it useful?

Answer 1

• protect objects in S3 from being overwritten or deleted for a fixed (or indefinite) amount of time
• Create storage using Write Once, Read Many (WORM) model
• good for regulatory requirements

Question 2

What is the storage model associated with S3 Object Lock?

Answer 2

Write Once, Read Many (WORM)

Question 3

What does WORM stand for?

Answer 3

Write Once, Read Many. (A compliant form of storage)

Question 4

What are the two modes of S3 Object Lock? What is the main difference between the two?

Answer 4

Governance Mode and Compliance Mode:

• In governance mode, you cannot overwrite or delete an object version or alter its lock settings UNLESS you have special permissions.
• In compliance mode, NO user, not even the root user, can overwrite or delete an object or update its lock settings

Question 5

Define and compare Retention Period vs. Legal Hold

Answer 5

Both protect an object version from being overwitten/deleted.

• Retention Period is a fixed amount of time.
• Legal Hold can be freely placed/removed by anyone with the ‘s3:PutObjectLegalHold’ Permission

Question 6

What is S3 Glacier Vault Lock?

Answer 6

• Basically, S3 Object Lock for vaults in Glacier.
• easily deploy and enforce complaince controls for S3 Glacier Vaults with a Vault Lock policy.
• Specify controls (like WORM) in a vault lock policy and lock from future edits.

Question 7

What is the best way to put an object lock on all objects in an S3 bucket?

Answer 7

S3 Object Locks can be configured to be bucket-wide, so just put one object lock on at the bucket level.

Question 8

In S3 Glacier Vault Lock, once the policy is initially locked, can it be changed?

Answer 8

No