A policy you lock onto a Glacier vault that becomes permanent and cannot be changed or deleted by anyone — not even the root user.
Model: WORM — Write Once, Read Many
How it works:
Create Vault Lock Policy --> Lock it --> Policy is permanent forever
Use when: Regulatory requirements force you to retain data for a fixed period (financial records for 7 years, medical records for 10 years, etc.)
Key point: Once locked, no one can modify or delete the policy. Ever.
Block deletion or overwriting of an object version for a set period.
Model: WORM — Write Once, Read Many
Requirement: Versioning must be enabled.
| Mode | Who Can Override | Use Case |
|---|---|---|
| Compliance | Nobody, not even root | Strict regulatory requirements |
| Governance | Users with special permissions | Internal business rules |
Retention Period — protect the object for a fixed number of days or years. In Compliance mode, the period cannot be shortened.
Legal Hold — protect the object indefinitely with no expiry date. Can be placed or removed by users who have the s3:PutObjectLegalHold permission.
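Added worked example (my code, not from these notes or from AWS): a small Python model of the delete and retention-change decisions described above. The mode strings are the real ObjectLockMode values; the `bypass_governance` flag stands for the s3:BypassGovernanceRetention permission that the table calls "special permissions".

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Added example: a model of S3 Object Lock rules, not AWS's own code.
# "COMPLIANCE" / "GOVERNANCE" are the real ObjectLockMode values; the
# bypass_governance flag models the s3:BypassGovernanceRetention
# permission needed to override Governance-mode retention.

@dataclass
class LockState:
    mode: Optional[str]               # "COMPLIANCE", "GOVERNANCE" or None
    retain_until: Optional[datetime]  # UTC; None if no retention is set
    legal_hold: bool = False          # ON/OFF, independent of retention

def retention_active(state: LockState, now: datetime) -> bool:
    return state.retain_until is not None and now < state.retain_until

def can_delete_version(state: LockState, now: datetime,
                       bypass_governance: bool = False) -> bool:
    """Would deleting this specific object version be allowed right now?"""
    if state.legal_hold:                  # legal hold blocks until removed
        return False
    if not retention_active(state, now):  # period expired or never set
        return True
    if state.mode == "GOVERNANCE":        # override needs the bypass permission
        return bypass_governance
    return False                          # COMPLIANCE: nobody, not even root

def can_change_retention(state: LockState, new_mode: str,
                         new_until: datetime, now: datetime,
                         bypass_governance: bool = False) -> bool:
    """Is a PutObjectRetention call with these values allowed?"""
    if not retention_active(state, now):
        return True                       # no active lock, free to set one
    if state.mode == "COMPLIANCE":
        # only extending is allowed; the mode can never be relaxed
        return new_mode == "COMPLIANCE" and new_until >= state.retain_until
    # GOVERNANCE: extending (or tightening to COMPLIANCE) is always fine,
    # shortening needs the bypass permission
    if new_until >= state.retain_until:
        return True
    return bypass_governance

if __name__ == "__main__":
    # constructed sample: 30 days of Governance retention, checked today
    now = datetime.now(timezone.utc)
    gov = LockState("GOVERNANCE", now + timedelta(days=30))
    print(can_delete_version(gov, now), can_delete_version(gov, now, True))
```

Use it as a pre-flight check before issuing a delete or PutObjectRetention call, so a request that Object Lock would reject never reaches S3.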

Access Points simplify access management for large S3 buckets shared by multiple teams.
Instead of one massive, complex bucket policy, you create one Access Point per team — each with its own simple policy scoped to a specific prefix.