AWS September Webinar Series - Meet Regulatory Storage Requirements with Amazon Glacier Vault Lock


Amazon Glacier Vault Lock

Scott Mullins, Business Development Manager, AWS World Wide Financial Services
Henry Zhang, Senior Product Manager, Amazon Glacier

Agenda
• Amazon Glacier Key Concepts
• Using Vault Lock for SEC Rule 17a-4(f)
• Q&A

Amazon Glacier is a low-cost storage service for infrequently accessed archival data with long-term retention requirements.

$0.01/GB per month
3-5 hour data retrieval
Example use cases: FSI records, Medical PACS images, High Res Media Assets

Amazon Glacier Benefits
• Extremely low-cost archive storage service, starting at $0.01 GB/mo

• Allows you to retrieve data within 3-5 hours

• 99.999999999% durability (7 orders of magnitude higher than 2 copies of tape)

• No data migration, no hardware/infrastructure investments

• Infinite scale and pay for what you use

• Access to on-demand compute resource on AWS

Key Concepts
• Account – access AWS services, view billing/usage, manage security

• Vaults – container for archives, up to 1000 vaults per account

• Archives – files and records, write-once, 40TB max, unlimited archives

• Inventory – cold index of archive properties refreshed every 24 hours

Amazon Glacier – 3 ways to Access

• Direct Glacier API/SDK

• S3 lifecycle integration

• Third party tools and gateways

Amazon Glacier – Direct Glacier API/SDK

• Manage Glacier vaults directly
• Access to MultipartUpload, Range Retrieval, and Data Retrieval Policies

Amazon Glacier – S3 Lifecycle Archival

• Seamlessly move data from Amazon S3 to Amazon Glacier
• Automated lifecycle rules
• Transition based on object age or pre-defined date

Amazon Glacier – Backup Software Integration

• CommVault – Native Integration with S3 and Glacier

• Deduplication & encryption
• Single console management

Amazon Glacier – 3rd Party Tools and Gateways

• Consumer grade: less than $50

• Small Medium Business: $500 - $1,000

• Enterprise Grade Gateway (price varies)

Amazon Glacier Vault Lock allows you to easily set compliance controls on individual vaults and enforce them via a lockable policy.

• Time-based retention
• MFA Authentication
• Controls govern all records in a Vault
• Immutable policy
• Two-step locking

Amazon Glacier Vault Lock for SEC Rule 17a-4(f)
• Non-overwrite, non-erasable records

• Time-based retention with “ArchiveAgeInDays” control

• Policy lockdown (strong governance)

• Legal hold with vault-level tags

• Configure optional D3P and grant temporary access

Example Control: 1 year record retention

• Deny delete archive operation

• From anybody (root, administrators, users, business partners)

• When ArchiveAgeInDays is <= 365 days

Archive age is computed from the time an archive lands in a Vault.

Two-step Locking

• InitiateVaultLock
  – Effectuates a retention policy for testing (in-progress state)
  – Returns a unique Lock ID (expires after 24 hours)

• AbortVaultLock
  – Deletes an in-progress policy
  – Ability to modify a policy before locking it down

• CompleteVaultLock
  – Locks down the vault with the appropriate Lock ID
  – Vault Lock cannot be aborted afterwards
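The three calls above as a small state-machine model, added here as an example (not code from the deck and not the AWS implementation): the Lock ID format, the epoch-second clock and the handling of an expired Lock ID (reverting the vault to unlocked) are assumptions made for the model.

```python
import secrets

LOCK_ID_TTL_SECONDS = 24 * 3600  # a Lock ID expires 24 hours after InitiateVaultLock


class VaultLockError(Exception):
    pass


class VaultLock:
    """Constructed model of the Initiate / Abort / Complete sequence. It mirrors the
    states the slides describe, not the AWS service. `now` is epoch seconds."""

    def __init__(self):
        self.state = "Unlocked"  # Unlocked -> InProgress -> Locked (Locked is terminal)
        self.policy = None
        self._lock_id = None
        self._expires_at = None

    def initiate(self, policy_json, now):
        if self.state == "Locked":
            raise VaultLockError("vault is locked; its policy can no longer be changed")
        if self.state == "InProgress":
            raise VaultLockError("a lock is already in progress; abort it first")
        self.policy = policy_json  # enforced from now on, so the policy can be tested
        self._lock_id = secrets.token_hex(16)  # stand-in for the service-issued Lock ID
        self._expires_at = now + LOCK_ID_TTL_SECONDS
        self.state = "InProgress"
        return self._lock_id

    def abort(self):
        if self.state != "InProgress":
            raise VaultLockError("only an in-progress lock can be aborted")
        self.state, self.policy, self._lock_id = "Unlocked", None, None

    def complete(self, lock_id, now):
        if self.state != "InProgress":
            raise VaultLockError("no in-progress lock to complete")
        if now > self._expires_at:
            self.abort()  # assumption: an expired Lock ID returns the vault to Unlocked
            raise VaultLockError("Lock ID expired; run InitiateVaultLock again")
        if not secrets.compare_digest(lock_id, self._lock_id):
            raise VaultLockError("Lock ID does not match this vault's in-progress lock")
        self.state = "Locked"  # irreversible: no abort and no policy update after this
        self._lock_id = None
```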

Legal Hold with Vault Level Tags

• Set up a Legal Hold Tag
  – Configure a Vault Level Tag “LegalHold”
  – Set initial value to “False”

• Add compliance control for legal hold in a Vault Lock policy
  – Deny delete archive operation
  – From anybody (root, administrators, users, business partners)
  – When LegalHold tag = “True”

• Place/lift legal hold by updating the tag value

Example Control: Legal Hold
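The two controls shown above (1 year retention and legal hold) expressed as one Vault Lock policy document, added here as an example and not taken from the deck: the account id, vault name and the local `delete_allowed` check are constructed for illustration, while the action and condition key names follow the Vault Lock policy language.

```python
import json

# Actions and condition keys are those of the Glacier Vault Lock policy language;
# the account id, vault name and the sample requests are constructed for this example.
VAULT_ARN = "arn:aws:glacier:us-east-1:123456789012:vaults/fsi-records-1yr"

def build_vault_lock_policy(vault_arn, retention_days):
    """Deny DeleteArchive to every principal (root and administrators included) while an
    archive is <= retention_days old, and while the vault's LegalHold tag is True."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "deny-delete-until-retention-expires",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "glacier:DeleteArchive",
                "Resource": vault_arn,
                "Condition": {"NumericLessThanEquals": {"glacier:ArchiveAgeInDays": str(retention_days)}},
            },
            {
                "Sid": "deny-delete-under-legal-hold",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "glacier:DeleteArchive",
                "Resource": vault_arn,
                "Condition": {"StringEquals": {"glacier:ResourceTag/LegalHold": "True"}},
            },
        ],
    }

def delete_allowed(policy, archive_age_days, vault_tags):
    """Local check of a DeleteArchive request against the policy above: a constructed
    approximation of IAM evaluation for these two operators only, not the AWS engine.
    One matching Deny blocks the request whoever the caller is."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or stmt["Action"] != "glacier:DeleteArchive":
            continue
        for operator, checks in stmt["Condition"].items():
            for key, value in checks.items():
                if operator == "NumericLessThanEquals" and key == "glacier:ArchiveAgeInDays":
                    if archive_age_days <= int(value):
                        return False
                elif operator == "StringEquals" and key.startswith("glacier:ResourceTag/"):
                    if vault_tags.get(key.split("/", 1)[1]) == value:
                        return False
    return True

POLICY = build_vault_lock_policy(VAULT_ARN, 365)
POLICY_JSON = json.dumps(POLICY)  # the string handed to InitiateVaultLock as the policy
```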

Vault Lock Best Practices

• Map one Vault to a single retention range
  – Group regulatory data by retention: 1 year Vault, 6 year Vault, etc.

• Create new Vault and Lock it before storing production data
  – Enforce the full ArchiveAgeInDays on all new archives
  – Leave no “gap” on existing archives

• Thoroughly test a Vault Lock policy before locking it down (Abort/Initiate)

• Implement only the most restrictive controls with Vault Lock
  – Leave the flexible controls to Vault access policy

Compliance/Governance Flexibility: using Vault Lock policy with Vault access policy

Vault Access Policy
• Can be updated/deleted
• Use Vault Access Policy for:
  – Designate 3rd Party access
  – Grant temporary read permissions when necessary

Vault Lock Policy
• Lockable/Immutable policy
• Cannot be updated/deleted after lock down
• Use Vault Lock policy to:
  – Deploy regulatory controls such as records retention
  – Enforce data access through multi-factor authentication only

Vault Lock in the Glacier Console


Amazon Glacier received a 3rd party assessment from Cohasset Associates on how Amazon Glacier with Vault Lock can be used to meet the requirements of SEC 17a-4(f) and CFTC 1.31(b)-(c).

Thank you! Q&A