# Glacier

Amazon S3 Glacier and S3 Glacier Deep Archive are **low-cost, secure, and durable storage** for long-term data archiving and compliance retention. Glacier Vault Lock **enforces write-once-read-many (WORM)** policies on an S3 Glacier vault: once a Vault Lock policy is completed it cannot be changed or removed, even by the account root, which gives **immutable storage** for compliance-driven data retention. Objects that sit in the S3 Glacier *storage classes* of an S3 bucket are a different case: they are protected by S3 Object Lock, not by Vault Lock.

✔ **Data Retention & Compliance** – A Vault Lock policy denies `glacier:DeleteArchive` until an archive reaches the required age (the `glacier:ArchiveAgeInDays` condition key), so audit logs cannot be deleted before the retention period expires; archives can never be modified in place, only retrieved or replaced by a new upload.\
✔ **Data Access & Governance** – Controls who can retrieve or manage archived logs through IAM policies and vault access policies; archives are encrypted at rest (AES-256) by default.\
✔ **Implementing Data Protection Policies** – Supports regulatory retention requirements (e.g., HIPAA, PCI DSS, SEC Rule 17a-4).

***

### **🔹 Key Features of Amazon S3 Glacier & Glacier Vault**

| **Feature**                      | **Description**                                                                     |
| -------------------------------- | ----------------------------------------------------------------------------------- |
| **Glacier Vault Lock**           | Enforces compliance retention rules, preventing data deletion or modification.      |
| **Glacier Access Policies**      | Uses IAM policies to control who can retrieve and manage data.                      |
| **Glacier Retrieval Tiers**      | Provides different retrieval speeds (Expedited, Standard, Bulk).                    |
| **Glacier Deep Archive**         | Lowest-cost S3 storage class, for data retrieved once or twice a year (retrieval in 12–48 hours; no Expedited tier). |
| **S3 Object Lock**               | WORM protection on individual S3 objects, including ones lifecycle rules have moved into the S3 Glacier storage classes; retention survives the transition. Vaults use Vault Lock instead. |

***

### **🔹 SecureCart Use Case: Archiving Compliance Logs with Glacier Vault**

SecureCart, an **e-commerce company**, must store **security audit logs** for **5 years** per **compliance regulations**.

#### **Challenges:**

🔸 Logs must be **protected from unauthorized deletion**.\
🔸 Logs must remain **immutable** for compliance.\
🔸 The solution must be **cost-effective**.

#### **✅ SecureCart’s Solution with Amazon S3 Glacier Vault Lock**

✔ **Uploaded audit logs as archives to an Amazon S3 Glacier vault** for low-cost archiving.\
✔ **Enabled Glacier Vault Lock** on the vault to enforce WORM (Write-Once, Read-Many) retention for 5 years.\
✔ **Configured IAM access policies** so the security team can initiate and download retrievals but cannot upload or delete.\
✔ **Implemented S3 lifecycle policies** for logs that live in S3 buckets, transitioning older objects to the S3 Glacier storage classes; those objects are outside the vault, so they are protected with S3 Object Lock rather than Vault Lock.

***

### **🔹 Glacier Vault Lock: How It Works**

Glacier Vault Lock attaches a vault access policy that, once completed, **cannot be modified or deleted**, so the retention it expresses (typically a Deny on `glacier:DeleteArchive` while `glacier:ArchiveAgeInDays` is below the required age) is enforced for the life of the vault. Locking is a two-phase operation: initiating the lock puts the policy into effect and returns a lock ID that is valid for 24 hours, during which the policy can be tested or the lock aborted; completing the lock with that ID makes it permanent.

#### **🔹 Steps to Enable Vault Lock for SecureCart’s Compliance Logs**

1️⃣ **Create an S3 Glacier vault** to hold the audit-log archives (archives are uploaded through the Glacier API; S3 lifecycle rules cannot place objects in a vault).\
2️⃣ **Write the Vault Lock policy** (e.g., deny `glacier:DeleteArchive` for every principal while `glacier:ArchiveAgeInDays` is below 1825 days, i.e. 5 years).\
3️⃣ **Initiate the lock.** The policy takes effect immediately and you receive a lock ID that is valid for 24 hours; use that window to test it (a delete attempt must be denied) or to abort it if it is wrong.\
4️⃣ **Complete the lock** with the lock ID. After completion the policy **cannot be changed or removed**; if the 24 hours pass without completion, the lock ID expires and the policy is dropped.\
5️⃣ **Use IAM policies** to grant the security team retrieval-only access (InitiateJob, DescribeJob, GetJobOutput, DescribeVault).\
6️⃣ **Configure S3 lifecycle policies** for logs that live in S3 buckets so they **transition to the S3 Glacier storage classes** automatically, protected there by S3 Object Lock.
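
The steps above, as an added Python example (not the page's or AWS's own code): it builds the Vault Lock policy for a 5-year retention, the retrieval-only IAM policy for the security team, and a checker to run before the lock is completed, and wraps the two-phase initiate/complete calls from boto3. The vault name, account ID and region are hypothetical; only the two `*_lock` functions touch AWS.

```python
"""Vault Lock for a 5-year WORM audit-log archive.

Added example, not the page's own code. Hypothetical names: vault
"securecart-audit-logs" in us-east-1 under account 123456789012. Only
initiate_lock() and complete_lock() talk to AWS (boto3 + credentials);
the policy builders and the checker run offline.
"""
import json

REGION = "us-east-1"
ACCOUNT_ID = "123456789012"           # hypothetical
VAULT_NAME = "securecart-audit-logs"  # hypothetical
VAULT_ARN = f"arn:aws:glacier:{REGION}:{ACCOUNT_ID}:vaults/{VAULT_NAME}"
RETENTION_DAYS = 5 * 365              # round up if your regulator counts leap days


def vault_lock_policy(vault_arn: str, retention_days: int) -> dict:
    """Deny glacier:DeleteArchive for every principal while an archive is
    younger than retention_days. glacier:ArchiveAgeInDays is the condition key
    AWS documents for Vault Lock; an explicit Deny beats any Allow, so not even
    the account root can delete early once the lock is completed."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "deny-delete-before-retention-expires",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "glacier:DeleteArchive",
            "Resource": vault_arn,
            "Condition": {
                "NumericLessThan": {"glacier:ArchiveAgeInDays": str(retention_days)}
            },
        }],
    }


def read_only_vault_policy(vault_arn: str) -> dict:
    """Least-privilege IAM policy for the security team: retrieve only."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "retrieve-audit-logs",
            "Effect": "Allow",
            "Action": [
                "glacier:InitiateJob",    # start an archive or inventory retrieval
                "glacier:DescribeJob",
                "glacier:ListJobs",
                "glacier:GetJobOutput",   # download the retrieved archive
                "glacier:DescribeVault",
                "glacier:GetVaultLock",   # confirm the vault state is "Locked"
            ],
            "Resource": vault_arn,
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_vault_lock_policy(policy: dict, min_retention_days: int) -> list:
    """Return findings (empty list means OK). Run before completing the lock:
    a completed Vault Lock policy can never be edited or removed."""
    findings = []
    denies = [s for s in policy.get("Statement", [])
              if s.get("Effect") == "Deny"
              and "glacier:DeleteArchive" in _as_list(s.get("Action"))]
    if not denies:
        return ["no Deny statement for glacier:DeleteArchive"]
    for s in denies:
        sid = s.get("Sid", "<no Sid>")
        if s.get("Principal") != "*":
            findings.append(f"{sid}: Deny must apply to Principal '*'")
        days = s.get("Condition", {}).get("NumericLessThan", {}).get("glacier:ArchiveAgeInDays")
        if days is None:
            findings.append(f"{sid}: no ArchiveAgeInDays condition, archives could never be deleted")
        elif int(days) < min_retention_days:
            findings.append(f"{sid}: retention {days} d is below the required {min_retention_days} d")
    return findings


def initiate_lock(policy: dict, vault_name: str = VAULT_NAME) -> str:
    """Phase 1. The policy takes effect at once; the returned lock ID is valid
    for 24 hours, the window in which to test (a delete must fail with
    AccessDenied) or to call abort_vault_lock if the policy is wrong."""
    import boto3
    glacier = boto3.client("glacier", region_name=REGION)
    return glacier.initiate_vault_lock(
        accountId="-", vaultName=vault_name,
        policy={"Policy": json.dumps(policy)})["lockId"]


def complete_lock(lock_id: str, vault_name: str = VAULT_NAME) -> str:
    """Phase 2: make the lock permanent and return the vault lock state.
    If this is not called within 24 hours the lock ID expires, the vault
    returns to Unlocked and the policy is dropped."""
    import boto3
    glacier = boto3.client("glacier", region_name=REGION)
    glacier.complete_vault_lock(accountId="-", vaultName=vault_name, lockId=lock_id)
    return glacier.get_vault_lock(accountId="-", vaultName=vault_name)["State"]


if __name__ == "__main__":
    policy = vault_lock_policy(VAULT_ARN, RETENTION_DAYS)
    print(json.dumps(policy, indent=2))
    print("findings:", check_vault_lock_policy(policy, RETENTION_DAYS) or "none")
```

The checker deliberately treats a Deny scoped to a single principal, or one with no age condition, as a finding: the first leaves a deletion path for everyone else, the second makes the archives undeletable for the life of the vault, and neither can be corrected after `complete_lock` has run.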

***

### **✅ Best Practices for Using Amazon S3 Glacier for Compliance**

✔ **Use Glacier Vault Lock** on vaults for regulatory compliance (WORM storage), and test the policy during the 24-hour window before completing it.\
✔ **Apply least-privilege IAM policies** to control access to archived logs: retrieval actions for readers, no upload or delete.\
✔ **Enable S3 Object Lock** (only possible when the bucket is created) with a COMPLIANCE-mode default retention for logs kept in S3 buckets; the retention is preserved when lifecycle rules transition the objects to the S3 Glacier storage classes.\
✔ **Set up automated lifecycle policies** to tier data down as it ages, with any expiration placed after the retention period.\
✔ **Use Expedited retrieval only when necessary**; it is the most expensive tier, is not offered for Deep Archive, and is only guaranteed with provisioned capacity.
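
The Object Lock, lifecycle and retrieval-tier practices above, as an added Python example (not the page's own code): it builds a COMPLIANCE-mode default retention and a lifecycle rule that tiers logs into the S3 Glacier storage classes without fighting the lock, checks the rule for the two mistakes that matter, and refuses restore requests for tiers a storage class does not offer. The bucket name and prefix are hypothetical; only `apply_to_bucket()` calls AWS.

```python
"""S3 Object Lock plus lifecycle tiering for audit logs, with a retrieval-tier guard.

Added example, not the page's own code. Assumes a hypothetical bucket
"securecart-audit-logs" created with Object Lock enabled (it cannot be turned on
for an existing bucket) and logs written under the "audit/" prefix. Only
apply_to_bucket() calls AWS; the builders and checks run offline.
"""

BUCKET = "securecart-audit-logs"   # hypothetical
PREFIX = "audit/"                  # hypothetical
RETENTION_DAYS = 5 * 365

# Retrieval tiers per storage class ("GLACIER" is S3 Glacier Flexible Retrieval).
# Deep Archive has no Expedited tier at all.
RETRIEVAL_TIERS = {
    "GLACIER": {"Expedited": "1-5 min", "Standard": "3-5 h", "Bulk": "5-12 h"},
    "DEEP_ARCHIVE": {"Standard": "within 12 h", "Bulk": "within 48 h"},
}


def object_lock_configuration(retention_days: int) -> dict:
    """Default retention applied to every new object version. COMPLIANCE mode
    cannot be shortened or lifted by anyone, including the root user, until it
    expires; GOVERNANCE mode can be bypassed by principals holding
    s3:BypassGovernanceRetention, which is too weak for regulatory retention."""
    return {
        "ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": retention_days}},
    }


def lifecycle_configuration(prefix: str, retention_days: int) -> dict:
    """Tier logs down as they age. Object Lock retention survives the
    transitions, and a locked version cannot be permanently deleted before it
    expires, so the expiration is placed after the lock has lapsed."""
    return {"Rules": [{
        "ID": "audit-log-tiering",
        "Status": "Enabled",
        "Filter": {"Prefix": prefix},
        "Transitions": [
            {"Days": 90, "StorageClass": "GLACIER"},        # Flexible Retrieval
            {"Days": 365, "StorageClass": "DEEP_ARCHIVE"},  # lowest cost
        ],
        "Expiration": {"Days": retention_days + 1},
    }]}


def check_lifecycle(lifecycle: dict, retention_days: int) -> list:
    """Findings for rules that expire inside the retention period or whose
    transitions are not in increasing order of age."""
    findings = []
    for rule in lifecycle.get("Rules", []):
        rid = rule.get("ID", "<no ID>")
        exp = rule.get("Expiration", {}).get("Days")
        if exp is not None and exp <= retention_days:
            findings.append(f"{rid}: expiration at {exp} d falls inside the {retention_days} d retention")
        days = [t["Days"] for t in rule.get("Transitions", [])]
        if days != sorted(days) or len(set(days)) != len(days):
            findings.append(f"{rid}: transitions are not in increasing order")
    return findings


def restore_request(storage_class: str, tier: str, days: int = 7) -> dict:
    """Build the RestoreRequest for s3.restore_object, refusing tiers the
    storage class does not offer. Expedited is the costliest option and belongs
    to single urgent objects, never to bulk re-hydration."""
    if tier not in RETRIEVAL_TIERS.get(storage_class, {}):
        raise ValueError(f"{tier} retrieval is not available for {storage_class}")
    return {"Days": days, "GlacierJobParameters": {"Tier": tier}}


def apply_to_bucket(bucket: str = BUCKET) -> None:
    """Push both configurations to the bucket (needs boto3 and credentials)."""
    import boto3
    s3 = boto3.client("s3")
    s3.put_object_lock_configuration(
        Bucket=bucket, ObjectLockConfiguration=object_lock_configuration(RETENTION_DAYS))
    s3.put_bucket_lifecycle_configuration(
        Bucket=bucket, LifecycleConfiguration=lifecycle_configuration(PREFIX, RETENTION_DAYS))


if __name__ == "__main__":
    cfg = lifecycle_configuration(PREFIX, RETENTION_DAYS)
    print("lifecycle findings:", check_lifecycle(cfg, RETENTION_DAYS) or "none")
    print(restore_request("DEEP_ARCHIVE", "Bulk"))
```

`restore_request("DEEP_ARCHIVE", "Expedited")` raises, which is the cheap way to catch the "Expedited for bulk data" mistake before it reaches the API; for a mass restore of Deep Archive logs the only sensible tier is Bulk.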

***

### **⚠️ Common Mistakes & How to Avoid Them**

| **Mistake**                                 | **Impact**                                                               | **Solution**                                               |
| ------------------------------------------- | ------------------------------------------------------------------------ | ---------------------------------------------------------- |
| **Not using Vault Lock**                    | Logs can be accidentally deleted before compliance requirements are met. | Enable **Glacier Vault Lock** for immutability.            |
| **Granting excessive IAM permissions**      | Unauthorized users may retrieve or delete data.                          | Restrict access using **least privilege IAM policies**.    |
| **Not completing Vault Lock** | The in-progress lock expires after 24 hours, the policy is removed, and the vault is left unprotected. | Test the policy inside the 24-hour window, then **complete the lock** with the lock ID and verify the state is `Locked`. |
| **Using Expedited Retrieval for bulk data** | High retrieval costs; Expedited is not even offered for Deep Archive. | Use **Bulk retrieval** for large restores and reserve Expedited for single urgent objects. |

***

### **🔹 Summary**

✔ **Amazon S3 Glacier is a cost-effective solution for long-term data retention and compliance.**\
✔ **Glacier Vault Lock ensures immutable storage for regulatory requirements.**\
✔ **SecureCart uses Glacier Vault Lock to store security logs for 5 years securely.**\
✔ **Best practices include using IAM policies, Vault Lock, and lifecycle policies for automation.**
