AWS September Webinar Series - Meet Regulatory Storage Requirements with Amazon Glacier Vault Lock

Page 1

Amazon Glacier Vault Lock
Scott Mullins, Business Development Manager, AWS World Wide Financial Services
Henry Zhang, Senior Product Manager, Amazon Glacier

Page 2

Agenda
• Amazon Glacier Key Concepts
• Using Vault Lock for SEC Rule 17a-4(f)
• Q&A

Page 3

Amazon Glacier is a low-cost storage service for infrequently accessed archival data with long-term retention requirements.

• $0.01/GB per month
• 3-5 hour data retrieval
• Example workloads: FSI records, medical PACS images, high-resolution media assets

Page 4

Amazon Glacier Benefits
• Extremely low-cost archive storage service, starting at $0.01 GB/mo
• Allows you to retrieve data within 3-5 hours
• 99.999999999% durability (7 orders of magnitude higher than 2 copies of tape)
• No data migration, no hardware/infrastructure investments
• Infinite scale and pay for what you use
• Access to on-demand compute resources on AWS

Page 5

Key Concepts
• Account – access AWS services, view billing/usage, manage security
• Vaults – container for archives, up to 1000 vaults per account
• Archives – files and records, write-once, 40TB max, unlimited archives
• Inventory – cold index of archive properties refreshed every 24 hours

Page 6

Amazon Glacier – 3 Ways to Access
• Direct Glacier API/SDK
• S3 lifecycle integration
• Third party tools and gateways

Page 7

Amazon Glacier – Direct Glacier API/SDK
• Manage Glacier vaults directly
• Access to MultipartUpload, Range Retrieval, and Data Retrieval Policies

Page 8

Amazon Glacier – S3 Lifecycle Archival
• Seamlessly move data from Amazon S3 to Amazon Glacier
• Automated lifecycle rules
• Transition based on object age or pre-defined date

Page 9

Amazon Glacier – Backup Software Integration
• CommVault – native integration with S3 and Glacier
• Deduplication & encryption
• Single console management

(Diagram labels: Amazon S3, Amazon Glacier)

Page 10

Amazon Glacier – 3rd Party Tools and Gateways
• Consumer grade: less than $50
• Small/Medium Business: $500 - $1,000
• Enterprise Grade Gateway (price varies)

Page 11

Amazon Glacier Vault Lock allows you to easily set compliance controls on individual vaults and enforce them via a lockable policy.

• Time-based retention
• MFA authentication
• Controls govern all records in a Vault
• Immutable policy
• Two-step locking

Page 12

Amazon Glacier Vault Lock for SEC Rule 17a-4(f)
• Non-overwrite, non-erasable records
• Time-based retention with “ArchiveAgeInDays” control
• Policy lockdown (strong governance)
• Legal hold with vault-level tags
• Configure optional D3P (designated third party) and grant temporary access

Page 13

Example Control: 1 year record retention
• Deny delete archive operation
• From anybody (root, administrators, users, business partners)
• When ArchiveAgeInDays is <= 365 days

Archive age is computed from the time an archive lands in a Vault.

Page 14

Example Control: 1 year record retention

Page 15

Two-step Locking
• InitiateVaultLock
  – Puts the retention policy into effect in an in-progress state for testing
  – Returns a unique Lock ID (expires after 24 hours)
• AbortVaultLock
  – Deletes an in-progress policy
  – Lets you modify a policy before locking it down
• CompleteVaultLock
  – Locks down the vault with the appropriate Lock ID
  – Vault Lock cannot be aborted afterwards
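The initiate / test / abort-or-complete sequence above, written out as an added example for this page (it is not code from the webinar or from AWS). `lock_vault` works against any object that exposes the boto3 Glacier client methods `initiate_vault_lock`, `get_vault_lock`, `abort_vault_lock` and `complete_vault_lock` with their documented keyword arguments; with a real account you would pass `boto3.client("glacier")`. `FakeGlacier` is a constructed in-memory stand-in that models only the state machine the slide describes (in-progress to locked, abort only while in progress, Lock ID valid for 24 hours) so the flow can be exercised offline; `lock_vault`, `lock_state`, `in_progress_check` and the vault names are this example's own, and the real client raises its own `ResourceNotFoundException` where the fake raises `LookupError`.

```python
"""Two-step Vault Lock flow driven through the boto3-style Glacier client API.

Added illustration for this page, not code from the webinar or from AWS.
"""
import json
import uuid
from datetime import datetime, timedelta, timezone

LOCK_ID_TTL = timedelta(hours=24)  # a Lock ID expires 24 hours after InitiateVaultLock


class FakeGlacier:
    """Constructed stand-in for the Glacier client; keeps vault lock state in memory."""

    def __init__(self):
        self.vaults = {}
        self.clock = datetime(2015, 9, 1, tzinfo=timezone.utc)  # constructed fixed clock

    def advance(self, hours):
        """Move the fake clock forward so Lock ID expiry can be exercised."""
        self.clock += timedelta(hours=hours)

    def initiate_vault_lock(self, accountId, vaultName, policy):
        v = self.vaults.setdefault(vaultName, {"state": None})
        if v["state"] is not None:
            raise RuntimeError(f"vault {vaultName} already has a lock ({v['state']})")
        json.loads(policy["Policy"])  # the policy must be a JSON document
        lock_id = uuid.uuid4().hex
        v.update(state="InProgress", policy=policy["Policy"], lock_id=lock_id,
                 expires=self.clock + LOCK_ID_TTL)
        return {"lockId": lock_id}

    def get_vault_lock(self, accountId, vaultName):
        v = self.vaults.get(vaultName)
        if not v or v["state"] is None:
            raise LookupError(f"no vault lock configured on {vaultName}")
        return {"Policy": v["policy"], "State": v["state"]}

    def abort_vault_lock(self, accountId, vaultName):
        v = self.vaults[vaultName]
        if v["state"] != "InProgress":
            raise RuntimeError("AbortVaultLock is only valid for an in-progress lock")
        v.update(state=None, policy=None, lock_id=None, expires=None)
        return {}

    def complete_vault_lock(self, accountId, vaultName, lockId):
        v = self.vaults[vaultName]
        if v["state"] != "InProgress":
            raise RuntimeError("CompleteVaultLock is only valid for an in-progress lock")
        if lockId != v["lock_id"] or self.clock > v["expires"]:
            raise RuntimeError("Lock ID is wrong or has expired; initiate again")
        v.update(state="Locked", lock_id=None)
        return {}


def lock_vault(client, vault_name, policy, validate, account_id="-"):
    """Initiate, validate, then complete (or abort) a Vault Lock.

    `validate(client, vault_name)` runs while the policy is in progress and must
    raise if the policy does not behave as intended; any exception aborts the
    lock so the policy can be corrected and re-initiated. Returns "Locked" or
    "Aborted".
    """
    resp = client.initiate_vault_lock(accountId=account_id, vaultName=vault_name,
                                      policy={"Policy": json.dumps(policy)})
    lock_id = resp["lockId"]
    try:
        validate(client, vault_name)
    except Exception:
        client.abort_vault_lock(accountId=account_id, vaultName=vault_name)
        return "Aborted"
    # Irreversible from here: the vault lock can no longer be aborted or edited.
    client.complete_vault_lock(accountId=account_id, vaultName=vault_name, lockId=lock_id)
    return "Locked"


def lock_state(client, vault_name, account_id="-"):
    """Return "InProgress"/"Locked", or None when no lock is configured (fake raises LookupError)."""
    try:
        return client.get_vault_lock(accountId=account_id, vaultName=vault_name)["State"]
    except LookupError:
        return None


def in_progress_check(client, vault_name):
    """Example validation step: the policy must be visible in the in-progress state."""
    lock = client.get_vault_lock(accountId="-", vaultName=vault_name)
    if lock["State"] != "InProgress":
        raise RuntimeError("expected an in-progress lock")
    json.loads(lock["Policy"])  # the stored policy round-trips as well-formed JSON


if __name__ == "__main__":
    demo = FakeGlacier()
    placeholder_policy = {"Version": "2012-10-17", "Statement": []}  # constructed placeholder
    print(lock_vault(demo, "records-1yr", placeholder_policy, in_progress_check))
```

In practice the `validate` callback is where you exercise the in-progress policy (for example, confirm that a delete attempt on a test archive is refused) before committing; once `complete_vault_lock` returns, the only remaining path for a mistaken policy is a new vault.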

Page 16

Legal Hold with Vault Level Tags
• Set up a Legal Hold Tag
  – Configure a Vault Level Tag “LegalHold”
  – Set initial value to “False”
• Add compliance control for legal hold in a Vault Lock policy
  – Deny delete archive operation
  – From anybody (root, administrators, users, business partners)
  – When LegalHold tag = “True”
• Place/lift legal hold by updating the tag value

Page 17

Example Control: Legal Hold
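The two controls described on the retention slide (Page 13) and the legal hold slide (Page 16), written out as policy documents with a small local evaluator so their deny behaviour can be checked offline. This is an added example for this page, not code from the webinar or from AWS. The policy shape uses the Glacier condition keys `glacier:ArchiveAgeInDays` and `glacier:ResourceTag/<tag>` as documented for Glacier; verify them against the current documentation before locking a vault. `is_denied` is a deliberately small model of the condition logic (Deny statements, `NumericLessThanEquals` and `StringEquals` only), not a reimplementation of the AWS policy engine, and the account ID, region and vault name in `VAULT_ARN`, the statement IDs and all function names are this example's own.

```python
"""Vault Lock compliance controls as policy documents plus a local evaluator.

Added illustration for this page, not code from the webinar or from AWS.
"""
import json

VAULT_ARN = "arn:aws:glacier:us-east-1:123456789012:vaults/records-1yr"  # constructed


def _deny_delete(sid, condition, vault_arn):
    """Statement skeleton shared by both controls: deny DeleteArchive to every principal."""
    return {"Sid": sid, "Principal": "*", "Effect": "Deny",
            "Action": "glacier:DeleteArchive", "Resource": vault_arn,
            "Condition": condition}


def retention_statement(days, vault_arn=VAULT_ARN):
    """Page 13 control: deny deletes while the archive is <= `days` old."""
    return _deny_delete("deny-delete-until-retention-elapses",
                        {"NumericLessThanEquals": {"glacier:ArchiveAgeInDays": str(days)}},
                        vault_arn)


def legal_hold_statement(vault_arn=VAULT_ARN, tag="LegalHold"):
    """Page 16 control: deny deletes while the vault tag is set to "True"."""
    return _deny_delete("deny-delete-under-legal-hold",
                        {"StringEquals": {f"glacier:ResourceTag/{tag}": "True"}},
                        vault_arn)


def vault_lock_policy(retention_days, vault_arn=VAULT_ARN):
    """Both controls in one lockable policy document."""
    return {"Version": "2012-10-17",
            "Statement": [retention_statement(retention_days, vault_arn),
                          legal_hold_statement(vault_arn)]}


def policy_json(policy):
    """Serialised form passed as {"Policy": ...} to InitiateVaultLock."""
    return json.dumps(policy, indent=2)


# Only the operators the two controls need are modelled.
_OPERATORS = {
    "NumericLessThanEquals": lambda actual, expected: float(actual) <= float(expected),
    "StringEquals": lambda actual, expected: str(actual) == str(expected),
}


def _condition_matches(condition, context):
    """All condition blocks must hold; a key absent from the request context never matches."""
    for op, pairs in condition.items():
        if op not in _OPERATORS:
            raise ValueError(f"operator {op} not modelled")
        for key, expected in pairs.items():
            if key not in context:
                return False
            if not _OPERATORS[op](context[key], expected):
                return False
    return True


def is_denied(policy, action, context, resource=VAULT_ARN):
    """True if any Deny statement matches the action, resource and request context."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if action not in actions or stmt["Resource"] != resource:
            continue
        if _condition_matches(stmt.get("Condition", {}), context):
            return True
    return False


if __name__ == "__main__":
    policy = vault_lock_policy(365)
    print(policy_json(policy))
    # Constructed request contexts: a 100-day-old archive with no hold, and a
    # 2000-day-old archive in a vault whose LegalHold tag has been set to "True".
    young = {"glacier:ArchiveAgeInDays": 100, "glacier:ResourceTag/LegalHold": "False"}
    held = {"glacier:ArchiveAgeInDays": 2000, "glacier:ResourceTag/LegalHold": "True"}
    print("delete at day 100 denied:", is_denied(policy, "glacier:DeleteArchive", young))
    print("delete under legal hold denied:", is_denied(policy, "glacier:DeleteArchive", held))
```

Two details worth noticing: the retention condition is `NumericLessThanEquals` so that day 365 itself is still protected, and the legal hold statement only bites while the tag value is exactly `"True"`, which is why the slide sets it to `"False"` up front rather than leaving it absent.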

Page 18

Vault Lock Best Practices
• Map one Vault to a single retention range
  – Group regulatory data by retention: 1 year Vault, 6 year Vault, etc.
• Create a new Vault and lock it before storing production data
  – Enforce the full ArchiveAgeInDays on all new archives
  – Leave no “gap” on existing archives
• Thoroughly test a Vault Lock policy before locking it down (Abort/Initiate)
• Implement only the most restrictive controls with Vault Lock
  – Leave the flexible controls to the Vault access policy

Page 19

Vault Access Policy
• Can be updated/deleted

Use Vault Access Policy to
• Designate 3rd party access
• Grant temporary read permissions when necessary

Vault Lock Policy
• Lockable/immutable policy
• Cannot be updated/deleted after lock down

Use Vault Lock policy to
• Deploy regulatory controls such as records retention
• Enforce data access through multi-factor authentication only

Flexibility vs. Compliance/Governance: using Vault Lock policy with Vault access policy

Pages 20-36

Vault Lock in the Glacier Console (console walkthrough slides)

Page 37

Amazon Glacier received a 3rd party assessment from Cohasset Associates on how Amazon Glacier with Vault Lock can be used to meet the requirements of SEC 17a-4(f) and CFTC 1.31(b)-(c).

Page 38

Thank you! Q&A