Archive Retrieval Options
You can specify one of the following options when initiating a job to retrieve an archive, based on your access time and cost requirements.
- Expedited — Expedited retrievals allow you to quickly access your data when occasional urgent requests for a subset of archives are required. For all but the largest archives (250 MB+), data accessed using Expedited retrievals are typically made available within 1–5 minutes. Provisioned Capacity ensures that retrieval capacity for Expedited retrievals is available when you need it.
- Standard — Standard retrievals allow you to access any of your archives within several hours. Standard retrievals typically complete within 3–5 hours. This is the default option for retrieval requests that do not specify the retrieval option.
- Bulk — Bulk retrievals are S3 Glacier’s lowest-cost retrieval option, which you can use to retrieve large amounts, even petabytes, of data inexpensively in a day. Bulk retrievals typically complete within 5–12 hours.
To make an Expedited, Standard, or Bulk retrieval, set the Tier parameter in the Initiate Job (POST jobs) REST API request to the option you want, or the equivalent in the AWS CLI or AWS SDKs. If you have purchased provisioned capacity, then all expedited retrievals are automatically served through your provisioned capacity.
When files are uploaded to Glacier, the file names will not be the same. To work around this issue, you can upload files to Snowball and move them to Glacier with lifecycle rules. Storing files in S3 and moving them to Glacier with lifecycle rules also ensures that the files retain their original file names.
Vault lock policy
- To lock a vault with the Glacier API, first call Initiate Vault Lock (POST lock-policy) with a vault lock policy that specifies the controls you want to deploy.
- This attaches the policy to your vault, transitions the vault lock to the in-progress state, and returns a unique lock ID.
- Once the vault lock enters the in-progress state, you have 24 hours to complete the lock by calling Complete Vault Lock.
- After the vault is locked, it cannot be unlocked.
- If the vault lock process is not completed within 24 hours after entering the in-progress state, the vault automatically exits the in-progress state and the vault lock policy is removed. The user then needs to repeat steps 1-4 again.
Amazon S3 Glacier Access Control with Vault Access Policies
An Amazon S3 Glacier vault access policy is a resource-based policy that you can use to manage permissions to your vault.
Example 1: Grant Cross-Account Permissions for Specific Amazon S3 Glacier Actions
The following example policy grants cross-account permissions to two AWS accounts for a set of S3 Glacier operations on a vault named examplevault.
The account that owns the vault is billed for all costs associated with the vault. All requests, data transfer, and retrieval costs made by allowed external accounts are billed to the account that owns the vault.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "cross-account-upload",
      "Principal": {
        "AWS": [
          "arn:aws:iam::123456789012:root",
          "arn:aws:iam::444455556666:root"
        ]
      },
      "Effect": "Allow",
      "Action": [
        "glacier:UploadArchive",
        "glacier:InitiateMultipartUpload",
        "glacier:AbortMultipartUpload",
        "glacier:CompleteMultipartUpload"
      ],
      "Resource": [
        "arn:aws:glacier:us-west-2:999999999999:vaults/examplevault"
      ]
    }
  ]
}
Example 2: Grant Cross-Account Permissions for MFA Delete Operations
You can use multi-factor authentication (MFA) to protect your S3 Glacier resources. To provide an extra level of security, MFA requires users to prove physical possession of an MFA device by providing a valid MFA code.
The example policy grants an AWS account with temporary credentials permission to delete archives from a vault named examplevault, provided the request is authenticated with an MFA device. The policy uses the aws:MultiFactorAuthPresent condition key to specify this additional requirement.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "add-mfa-delete-requirement",
      "Principal": {
        "AWS": [
          "arn:aws:iam::123456789012:root"
        ]
      },
      "Effect": "Allow",
      "Action": [
        "glacier:Delete*"
      ],
      "Resource": [
        "arn:aws:glacier:us-west-2:999999999999:vaults/examplevault"
      ],
      "Condition": {
        "Bool": {
          "aws:MultiFactorAuthPresent": true
        }
      }
    }
  ]
}
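The following Python sketch is an added example, not part of the original page or of any AWS tooling. It audits a vault access policy for the two points the examples above turn on: principals from accounts other than the vault owner (whose requests are billed to the owner) and Allow statements that cover delete actions without the aws:MultiFactorAuthPresent condition. The names audit_vault_policy, SENSITIVE and SAMPLE_POLICY are hypothetical, the sample policy is constructed, and the check assumes the MFA requirement is expressed only as a Bool condition.

```python
import fnmatch

# Glacier delete operations this audit treats as sensitive.
SENSITIVE = ("glacier:DeleteArchive", "glacier:DeleteVault")

def _as_list(value):  # IAM policy fields may be a single string or a list
    return value if isinstance(value, list) else [value]

def _requires_mfa(stmt):
    """True when the statement carries Bool aws:MultiFactorAuthPresent = true."""
    flag = stmt.get("Condition", {}).get("Bool", {}).get("aws:MultiFactorAuthPresent")
    return str(flag).lower() == "true"

def audit_vault_policy(policy):
    """Return (sid, finding) tuples for one vault access policy document."""
    findings = []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        # The owning account ID is the fifth colon-separated field of the vault ARN.
        owners = {arn.split(":")[4] for arn in _as_list(stmt["Resource"])}
        principal = stmt.get("Principal", {})
        arns = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        for arn in arns:
            account = arn.split(":")[4] if arn.startswith("arn:") else arn
            if account not in owners:
                findings.append((sid, f"cross-account principal {account}"))
        # IAM action names are case-insensitive and may contain wildcards.
        patterns = [a.lower() for a in _as_list(stmt["Action"])]
        deletes = any(fnmatch.fnmatchcase(s.lower(), p) for s in SENSITIVE for p in patterns)
        if deletes and not _requires_mfa(stmt):
            findings.append((sid, "delete allowed without MFA condition"))
    return findings

# Constructed sample: the page's Example 2 statement plus a constructed one without the condition.
VAULT = "arn:aws:glacier:us-west-2:999999999999:vaults/examplevault"
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "add-mfa-delete-requirement", "Effect": "Allow",
     "Principal": {"AWS": ["arn:aws:iam::123456789012:root"]},
     "Action": ["glacier:Delete*"], "Resource": [VAULT],
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": True}}},
    {"Sid": "constructed-no-mfa", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::999999999999:root"},
     "Action": "glacier:*", "Resource": VAULT},
]}

for sid, finding in audit_vault_policy(SAMPLE_POLICY):
    print(f"{sid}: {finding}")
```

To audit a real vault, pass in the policy document parsed with json.loads instead of SAMPLE_POLICY.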