Q: How do I use Amazon Glacier?

Amazon Glacier provides a simple, standards-based REST web services interface as well as Java and .NET SDKs. The Amazon Web Services Management console can be used to quickly set up Amazon Glacier. Data can then be uploaded and retrieved programmatically. For more information about using Amazon Glacier with the Amazon CLI, go to Amazon CLI Reference for Amazon Glacier. To install the Amazon CLI, go to Amazon Command Line Interface.

Q: What is Vault Lock?

Vault Lock allows you to easily deploy and enforce compliance controls on individual Glacier vaults via a lockable policy (Vault Lock policy). Once locked, the Vault Lock policy becomes immutable and Glacier will enforce the prescribed controls to help achieve your compliance objectives. To learn more, please read Amazon Glacier Vault Lock in the Amazon Glacier developer’s guide.

Q: What type of compliance controls can I deploy with Vault Lock?

You can deploy a variety of compliance controls in a Vault Lock policy using the Amazon Identity and Access Management (Amazon IAM) policy language. For example, you can easily set up “Write Once Read Many” (WORM) or time-based records retention for regulatory archives. 

Q: How does Vault Lock enforce my compliance controls?

Vault Lock enforces your compliance controls via a lockable policy (Vault Lock policy). Once locked, the Vault Lock policy becomes immutable and Glacier will only allow operations on your data that are explicitly permitted by the compliance controls you specified. Vault Lock also ensures that a locked policy cannot be deleted or altered until there are no more archives to protect in the vault. Learn more about locking a vault for compliance in the Amazon Glacier developer’s guide.

Q: How is a Vault Lock policy different than a vault access policy?

Both policies govern access controls to your vault, however, a Vault Lock policy can be made immutable and provides strong enforcement for your compliance controls. You can use the Vault Lock policy to deploy regulatory and compliance controls that are typically restrictive and are “set and forget” in nature. In conjunction, you can use the vault access policy to implement access controls that are not compliance related, temporary, and subject to frequent modification. The two policies can be used in tandem to achieve governance and flexibility.

Q: What Amazon Web Services electronic storage services have been assessed based on financial services regulations?

For customers in the financial services industry, Vault Lock provides added support for broker-dealers who must retain records in a non-erasable and non-rewritable format to satisfy regulatory requirements of SEC Rule 17a-4(f), FINRA Rule 4511, or CFTC Regulation 1.31. You can easily designate the records retention time frame to retain regulatory archives in the original form for the required duration, and also place legal holds to retain data indefinitely until the hold is removed.

Q: What Amazon Web Services documentation supports the SEC 17a-4(f)(2)(i) and CFTC 1.31(c) requirement for notifying my regulator?

Provide notification to your regulator or “Designated Examining Authority (DEA)” of your choice to use Amazon Glacier for electronic storage along with a copy of the Cohasset Assessment. For the purposes of these requirements, Amazon Web Services is not a designated third party (D3P). Be sure to select a D3P and include this information in your notification to your DEA.

Q: What other controls can be applied with Amazon Glacier Vault Lock?

In certain situations, you may be faced with the need to place a legal hold on your compliance archives for an indefinite period of time. A legal hold can be initiated on a Glacier Vault by creating a vault access policy that denies the use of Glacier’s Delete functions if the vault is tagged in a particular way. In addition to time-based retention and legal hold, Glacier Vault Lock can be used to implement a variety of compliance controls which can be made immutable for strong governance, such as enforcing Multifactor Authentication on all data access/read activities to a vault with classified information.