# Glacier

Amazon S3 Glacier and S3 Glacier Deep Archive are **low-cost, secure, and durable storage** solutions for long-term data archiving and compliance requirements. Glacier Vault Lock **enforces write-once-read-many (WORM)** policies, ensuring **immutable storage** for compliance-driven data retention.

✔ **Data Retention & Compliance** – Glacier Vault Lock ensures audit logs cannot be altered or deleted before the retention period expires.\
✔ **Data Access & Governance** – Controls access to archived logs using IAM policies and encryption.\
✔ **Implementing Data Protection Policies** – Enforces regulatory compliance (e.g., HIPAA, PCI DSS, SEC Rule 17a-4).

***

### **🔹 Key Features of Amazon S3 Glacier & Glacier Vault**

| **Feature**                      | **Description**                                                                     |
| -------------------------------- | ----------------------------------------------------------------------------------- |
| **Glacier Vault Lock**           | Enforces compliance retention rules, preventing data deletion or modification.      |
| **Glacier Access Policies**      | Uses IAM policies to control who can retrieve and manage data.                      |
| **Glacier Retrieval Tiers**      | Provides different retrieval speeds (Expedited, Standard, Bulk).                    |
| **Glacier Deep Archive**         | 10x lower cost than Glacier for ultra-long-term storage (retrieval in 12–48 hours). |
| **S3 Object Lock (for Glacier)** | Ensures WORM protection on individual objects stored in Glacier.                    |

***

### **🔹 SecureCart Use Case: Archiving Compliance Logs with Glacier Vault**

SecureCart, an **e-commerce company**, must store **security audit logs** for **5 years** per **compliance regulations**.

#### **Challenges:**

🔸 Logs must be **protected from unauthorized deletion**.\
🔸 Logs must remain **immutable** for compliance.\
🔸 The solution must be **cost-effective**.

#### **✅ SecureCart’s Solution with Amazon S3 Glacier Vault Lock**

✔ **Stored audit logs in an Amazon S3 Glacier Vault** for low-cost archiving.\
✔ **Enabled Glacier Vault Lock** to enforce WORM (Write-Once, Read-Many) compliance.\
✔ **Configured IAM access policies** to restrict retrieval permissions.\
✔ **Implemented lifecycle policies** to transition older logs from S3 to Glacier.

***

### **🔹 Glacier Vault Lock: How It Works**

Glacier Vault Lock **prevents deletion and modification** of data by enforcing compliance policies.

#### **🔹 Steps to Enable Vault Lock for SecureCart’s Compliance Logs**

1️⃣ **Create an S3 Glacier Vault** to store audit logs.\
2️⃣ **Apply Vault Lock policy** (e.g., retention = 5 years, no delete allowed).\
3️⃣ **Confirm and finalize** the Vault Lock policy (after confirmation, it **cannot be changed**).\
4️⃣ **Use IAM policies** to grant read-only access to security teams.\
5️⃣ **Configure lifecycle policies** to **move logs from S3 to Glacier** automatically.
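The five steps above, end to end, as an added example (not code from the page or from AWS). It is written in Python against the shapes the boto3 Glacier client uses (`initiate_vault_lock`, `get_vault_lock`, `abort_vault_lock`, `complete_vault_lock`); the vault name, region and account id are constructed placeholders, and `FakeGlacierClient` is a constructed in-memory stand-in so the block runs offline. The Vault Lock policy uses the `glacier:ArchiveAgeInDays` condition key, which is how a vault policy expresses "no delete before the retention period expires".

```python
"""Locking a Glacier vault for SecureCart's 5-year audit-log retention (added example)."""
import json

RETENTION_DAYS = 5 * 365   # SecureCart's 5-year retention, expressed in days


def vault_arn(region, account_id, vault_name):
    """ARN of a Glacier vault; the account id used in the demo below is a constructed placeholder."""
    return f"arn:aws:glacier:{region}:{account_id}:vaults/{vault_name}"


def build_vault_lock_policy(arn, retention_days=RETENTION_DAYS):
    """Vault Lock policy: deny DeleteArchive on every archive younger than retention_days.

    glacier:ArchiveAgeInDays is the condition key Glacier evaluates for Vault Lock
    policies. Once the lock is completed this statement can never be removed, which
    is the WORM guarantee the text describes.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyDeleteBeforeRetentionExpires",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "glacier:DeleteArchive",
            "Resource": arn,
            "Condition": {"NumericLessThan": {"glacier:ArchiveAgeInDays": str(retention_days)}},
        }],
    }


def build_read_only_iam_policy(arn):
    """Least-privilege IAM policy for the security team: start and read retrieval jobs, never delete."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "ReadOnlyVaultAccess",
            "Effect": "Allow",
            "Action": ["glacier:DescribeVault", "glacier:ListJobs", "glacier:DescribeJob",
                       "glacier:InitiateJob", "glacier:GetJobOutput"],
            "Resource": arn,
        }],
    }


def lock_vault(glacier, vault_name, policy):
    """Two-phase Vault Lock. Returns the final lock state ('Locked' on success).

    initiate_vault_lock puts the vault into the 24-hour 'InProgress' window, during which
    the policy can still be aborted; complete_vault_lock makes it permanent and irreversible,
    so the policy is read back and compared before that step.
    """
    resp = glacier.initiate_vault_lock(vaultName=vault_name, policy={"Policy": json.dumps(policy)})
    lock_id = resp["lockId"]
    in_progress = glacier.get_vault_lock(vaultName=vault_name)
    if in_progress["State"] != "InProgress" or json.loads(in_progress["Policy"]) != policy:
        glacier.abort_vault_lock(vaultName=vault_name)   # still reversible at this point
        raise RuntimeError("lock policy did not apply as expected; aborted before completion")
    glacier.complete_vault_lock(vaultName=vault_name, lockId=lock_id)
    return glacier.get_vault_lock(vaultName=vault_name)["State"]


class FakeGlacierClient:
    """Constructed stand-in for boto3.client('glacier') so the example runs offline.

    Mirrors the response shapes of the real API (lockId, State, Policy) in memory.
    """
    def __init__(self):
        self.state, self.policy, self.lock_id = None, None, "constructed-lock-id"

    def initiate_vault_lock(self, vaultName, policy):
        self.policy, self.state = policy["Policy"], "InProgress"
        return {"lockId": self.lock_id}

    def get_vault_lock(self, vaultName):
        return {"State": self.state, "Policy": self.policy}

    def abort_vault_lock(self, vaultName):
        self.state, self.policy = None, None

    def complete_vault_lock(self, vaultName, lockId):
        if lockId != self.lock_id or self.state != "InProgress":
            raise RuntimeError("no vault lock in progress for this lockId")
        self.state = "Locked"   # one-shot: a second completion fails, as on the real service


if __name__ == "__main__":
    arn = vault_arn("us-east-1", "123456789012", "securecart-audit-logs")   # constructed values
    client = FakeGlacierClient()   # swap for boto3.client("glacier") in a real account
    print(lock_vault(client, "securecart-audit-logs", build_vault_lock_policy(arn)))   # Locked
    print(json.dumps(build_read_only_iam_policy(arn), indent=2))
```

Step 5 of the list (the S3 lifecycle transition) is configured on the S3 bucket rather than on the vault, so it is not part of this block. The read-back-before-complete check in `lock_vault` is the practical point of step 3: once `complete_vault_lock` returns, the policy is fixed for the life of the vault.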

***

### **✅ Best Practices for Using Amazon S3 Glacier for Compliance**

✔ **Use Glacier Vault Lock** for regulatory compliance (WORM storage).\
✔ **Apply IAM policies** to control access to archived logs.\
✔ **Use Object Lock in S3** before transitioning to Glacier for additional protection.\
✔ **Set up automated lifecycle policies** to transition data efficiently.\
✔ **Use Expedited retrieval only when necessary** to minimize costs.
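The Object Lock and lifecycle items above, and the "implemented lifecycle policies" step of the SecureCart solution, as an added example (not the page's or AWS's code). It builds the two bucket configurations in the shape boto3's `put_object_lock_configuration` and `put_bucket_lifecycle_configuration` accept, and adds an audit function that reviews a bucket's configuration against the 5-year requirement; the prefix and day counts are constructed, and the weak configuration at the bottom is constructed to show the findings.

```python
"""Bucket-side controls for audit logs before they reach the Glacier storage class (added example)."""

RETENTION_YEARS = 5      # SecureCart's 5-year requirement
DAYS_PER_YEAR = 365


def build_object_lock_configuration(years=RETENTION_YEARS):
    """Default Object Lock retention applied to every new object version in the bucket.

    COMPLIANCE mode is the WORM setting: no user, including the root account, can
    shorten the retention or delete the version until it expires. Shape matches
    boto3's put_object_lock_configuration(ObjectLockConfiguration=...).
    """
    return {
        "ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Years": years}},
    }


def build_lifecycle_configuration(prefix, days_to_glacier=30):
    """Lifecycle rule moving objects under `prefix` to the GLACIER storage class after N days.

    Shape matches boto3's put_bucket_lifecycle_configuration(LifecycleConfiguration=...).
    The Object Lock retention stays on the object version through the transition.
    """
    return {
        "Rules": [{
            "ID": "ArchiveAuditLogs",
            "Filter": {"Prefix": prefix},
            "Status": "Enabled",
            "Transitions": [{"Days": days_to_glacier, "StorageClass": "GLACIER"}],
        }]
    }


def audit_bucket_config(object_lock, lifecycle, required_years=RETENTION_YEARS):
    """Review a bucket's Object Lock and lifecycle configuration against the retention requirement.

    Returns a list of findings; an empty list means the configuration meets the
    requirement. The checks mirror the mistakes this page warns about: no WORM
    protection, a weaker mode, too-short retention, no cheap archive tier, and an
    expiration rule shorter than the retention period.
    """
    findings = []
    required_days = required_years * DAYS_PER_YEAR
    if not object_lock or object_lock.get("ObjectLockEnabled") != "Enabled":
        findings.append("Object Lock is not enabled: log versions can be deleted at any time")
    else:
        retention = object_lock.get("Rule", {}).get("DefaultRetention", {})
        if retention.get("Mode") != "COMPLIANCE":
            findings.append("Object Lock mode is not COMPLIANCE: GOVERNANCE can be bypassed by "
                            "principals holding s3:BypassGovernanceRetention")
        retention_days = retention.get("Years", 0) * DAYS_PER_YEAR + retention.get("Days", 0)
        if retention_days < required_days:
            findings.append(f"default retention is {retention_days} days, shorter than the "
                            f"required {required_days}")
    rules = [r for r in (lifecycle or {}).get("Rules", []) if r.get("Status") == "Enabled"]
    transitions = [t for r in rules for t in r.get("Transitions", [])]
    if not any(t.get("StorageClass") in ("GLACIER", "DEEP_ARCHIVE") for t in transitions):
        findings.append("no enabled lifecycle transition to GLACIER or DEEP_ARCHIVE")
    for rule in rules:
        days = rule.get("Expiration", {}).get("Days")
        if days is not None and days < required_days:
            findings.append(f"rule {rule.get('ID')!r} expires objects after {days} days, "
                            f"inconsistent with the {required_days}-day retention")
    return findings


if __name__ == "__main__":
    compliant = audit_bucket_config(build_object_lock_configuration(),
                                    build_lifecycle_configuration("audit-logs/"))
    print("compliant configuration findings:", compliant)   # []
    weak_lock = {"ObjectLockEnabled": "Enabled",                 # constructed weak configuration
                 "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 90}}}
    for finding in audit_bucket_config(weak_lock, None):
        print("-", finding)
```

Object Lock has to be enabled when the bucket is created (it also requires versioning), so the audit is most useful as a pre-deployment gate in infrastructure pipelines and as a periodic check over existing log buckets.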

***

### **⚠️ Common Mistakes & How to Avoid Them**

| **Mistake**                                 | **Impact**                                                               | **Solution**                                               |
| ------------------------------------------- | ------------------------------------------------------------------------ | ---------------------------------------------------------- |
| **Not using Vault Lock**                    | Logs can be accidentally deleted before compliance requirements are met. | Enable **Glacier Vault Lock** for immutability.            |
| **Granting excessive IAM permissions**      | Unauthorized users may retrieve or delete data.                          | Restrict access using **least privilege IAM policies**.    |
| **Not finalizing Vault Lock policies**      | Policies can be changed, reducing compliance enforcement.                | Always **finalize Vault Lock policies** after configuring. |
| **Using Expedited Retrieval for bulk data** | High retrieval costs.                                                    | Use **Bulk Retrieval for cost-efficient access**.          |

***

### **🔹 Summary**

✔ **Amazon S3 Glacier is a cost-effective solution for long-term data retention and compliance.**\
✔ **Glacier Vault Lock ensures immutable storage for regulatory requirements.**\
✔ **SecureCart uses Glacier Vault Lock to store security logs for 5 years securely.**\
✔ **Best practices include using IAM policies, Vault Lock, and lifecycle policies for automation.**
