We can create a Vault Lock as follows:
- Go to the Glacier service in the console.
- Select our vault.
- Go to the Vault Lock tab.
- Click Create Vault Lock policy.
- Add the following policy statement:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "deny-delete-if-archive-age-less-than-year",
      "Principal": "*",
      "Effect": "Deny",
      "Action": "glacier:DeleteArchive",
      "Resource": [
        "arn:aws:glacier:us-east-1:135301570106:vaults/mybackupvault"
      ],
      "Condition": {
        "NumericLessThan": {
          "glacier:ArchiveAgeInDays": "365"
        }
      }
    }
  ]
}
```
Replace my account ID of 135301570106 and the vault name of mybackupvault with your account ID and vault name. We can also click on Add a permission and generate the policy statement.
- Click Initiate Vault Lock. We should see a message that includes the Lock ID.
- Copy the Lock ID and store it safely. Click Close. We should see our policy details with the Vault Lock status reading In progress.
- After validating that the policy behaves as intended, and within 24 hours of initiating the Vault Lock process, click on Complete Vault Lock.
- Enter the Lock ID and select the checkbox for I acknowledge that the Vault Lock is configured as desired and that completing the Vault Lock process is irreversible.
- Click Complete Vault Lock. We should see the status of Vault Lock as Locked.
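Because completing the lock is irreversible, it is worth checking the policy text offline before clicking Initiate Vault Lock. The following is an added example, not part of the original walkthrough: `lint_resources` flags a Resource ARN that still carries someone else's account ID or vault name, and `delete_denied` shows which archive ages the Deny statement covers. Both function names are hypothetical, the account ID `111122223333` is a constructed placeholder, and the condition evaluation is a simplified model that only understands this page's `NumericLessThan` condition.

```python
import json
import re

# The policy from this page, unchanged (account ID and vault name are the page's).
PAGE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "deny-delete-if-archive-age-less-than-year",
        "Principal": "*",
        "Effect": "Deny",
        "Action": "glacier:DeleteArchive",
        "Resource": ["arn:aws:glacier:us-east-1:135301570106:vaults/mybackupvault"],
        "Condition": {"NumericLessThan": {"glacier:ArchiveAgeInDays": "365"}},
    }],
})

VAULT_ARN = re.compile(r"^arn:aws:glacier:[a-z0-9-]+:(\d{12}):vaults/(.+)$")

def as_list(value):
    return value if isinstance(value, list) else [value]

def lint_resources(policy_text, account_id, vault_name):
    """List Resource ARNs that do not point at the caller's own vault."""
    problems = []
    for st in json.loads(policy_text)["Statement"]:
        for arn in as_list(st.get("Resource", [])):
            m = VAULT_ARN.match(arn)
            if not m or m.groups() != (account_id, vault_name):
                problems.append(f"{st.get('Sid', '<no Sid>')}: unexpected resource {arn}")
    return problems

def delete_denied(policy_text, archive_age_days):
    """Simplified model: does a Deny on glacier:DeleteArchive apply at this age?"""
    for st in json.loads(policy_text)["Statement"]:
        if st.get("Effect") != "Deny":
            continue
        if "glacier:DeleteArchive" not in as_list(st.get("Action", [])):
            continue
        cond = st.get("Condition")
        if not cond:
            return True  # unconditional Deny
        # Only this page's condition is modelled; any other condition is ignored.
        limit = cond.get("NumericLessThan", {}).get("glacier:ArchiveAgeInDays")
        if limit is not None and archive_age_days < int(limit):
            return True
    return False

if __name__ == "__main__":
    # Constructed account ID: the copied policy was not edited, so this reports a problem.
    print(lint_resources(PAGE_POLICY, "111122223333", "mybackupvault"))
    for age in (0, 364, 365):
        print(age, delete_denied(PAGE_POLICY, age))
```

An empty list from `lint_resources` means every Resource ARN names the expected account and vault; a non-empty list means the policy should be corrected before the lock is initiated.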