S3 Glacier Vault Lock & S3 Object Lock (WORM Model)

In this lesson, we explored Amazon S3 Glacier Vault Lock and S3 Object Lock, two powerful features designed to enforce WORM (Write Once, Read Many) compliance for data protection and legal retention.


1. What is S3 Glacier Vault Lock?

📌 S3 Glacier Vault Lock allows you to enforce a WORM (Write Once, Read Many) model on entire Glacier Vaults by applying a Vault Lock Policy that cannot be modified once locked.

Key Features

How Does Glacier Vault Lock Work?

1️⃣ Create a Vault Lock Policy on an S3 Glacier Vault.

2️⃣ Lock the policy permanently (after a test period).

3️⃣ Once locked, the policy cannot be modified or deleted.

⚠️ Important: Once the Vault Lock Policy is enforced, data cannot be removed—even by the root user!
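A pre-lock review of the policy from the steps above, as an added example that is not part of the lesson: because a locked policy cannot be changed, the check is meant to run during the test period. The vault ARN, the function names and the 365-day retention are assumptions chosen for illustration.

```python
import json

# Constructed placeholders: account ID, region and vault name are not from the lesson.
VAULT_ARN = "arn:aws:glacier:us-east-1:111122223333:vaults/example-vault"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def build_worm_policy(vault_arn, retention_days):
    """Deny archive deletion for every principal until the archive is retention_days old."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "deny-delete-before-retention",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "glacier:DeleteArchive",
        "Resource": vault_arn,
        "Condition": {"NumericLessThan": {"glacier:ArchiveAgeInDays": str(retention_days)}},
    }]}

def review_before_lock(policy, vault_arn, min_days):
    """Return problems to fix during the test period, while the policy can still change."""
    denies = [s for s in policy.get("Statement", [])
              if s.get("Effect") == "Deny"
              and "glacier:DeleteArchive" in _as_list(s.get("Action"))]
    if not denies:
        return ["no Deny statement covers glacier:DeleteArchive"]
    problems = []
    for s in denies:
        sid = s.get("Sid", "<no Sid>")
        if s.get("Principal") not in ("*", {"AWS": "*"}):
            problems.append(f"{sid}: Deny is limited to some principals")
        if vault_arn not in _as_list(s.get("Resource")):
            problems.append(f"{sid}: Resource does not name the vault being locked")
        age = s.get("Condition", {}).get("NumericLessThan", {}).get("glacier:ArchiveAgeInDays")
        if age is None:
            problems.append(f"{sid}: no glacier:ArchiveAgeInDays limit found")
        elif int(age) < min_days:
            problems.append(f"{sid}: retention {age} days is below the required {min_days}")
    return problems

def to_lock_request(policy):
    """Shape taken by initiate-vault-lock: the policy as a JSON string under 'Policy'."""
    return {"Policy": json.dumps(policy)}

if __name__ == "__main__":
    policy = build_worm_policy(VAULT_ARN, 365)
    print(review_before_lock(policy, VAULT_ARN, 365) or "policy ready to lock")
    print(json.dumps(to_lock_request(policy), indent=2))
```

The output of `to_lock_request` is the structure passed as the policy to `aws glacier initiate-vault-lock`; `aws glacier complete-vault-lock` then makes it permanent, and `aws glacier abort-vault-lock` discards it while it is still in the test period.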


2. What is S3 Object Lock?

📌 S3 Object Lock is a similar WORM feature, but it operates at the object level (instead of on the entire vault, as Glacier Vault Lock does).

How Does S3 Object Lock Work?

1️⃣ Enable versioning on the S3 bucket (mandatory).

2️⃣ Apply Object Lock settings per object version.