S3 Object Lock Flashcards Preview

Flashcards in S3 Object Lock Deck (8)
1
Q

What does S3 Object Lock do? Why is it useful?

A
  • Protect objects in S3 from being overwritten or deleted for a fixed (or indefinite) amount of time
  • Create storage using the Write Once, Read Many (WORM) model
  • Good for regulatory requirements
2
Q

What is the storage model associated with S3 Object Lock?

A

Write Once, Read Many (WORM)

3
Q

What does WORM stand for?

A

Write Once, Read Many. (A compliant form of storage)

4
Q

What are the two modes of S3 Object Lock? What is the main difference between the two?

A

Governance Mode and Compliance Mode:

  • In governance mode, users can’t overwrite or delete an object version or alter its lock settings unless they have special permissions. With governance mode, you protect objects against being deleted by most users, but you can still grant some users permission to alter the retention settings or delete the object if necessary. You can also use governance mode to test retention-period settings before creating a compliance-mode retention period.
  • In compliance mode, a protected object version can’t be overwritten or deleted by any user, including the root user in your AWS account. When an object is locked in compliance mode, its retention mode can’t be changed, and its retention period can’t be shortened. Compliance mode helps ensure that an object version can’t be overwritten or deleted for the duration of the retention period.
5
Q

Define and compare Retention Period vs. Legal Hold

A

Both protect an object version from being overwritten/deleted.

  • Retention Period is a fixed amount of time.
  • Legal Hold prevents an object version from being overwritten or deleted. However, a legal hold doesn’t have an associated retention period and remains in effect until removed. It can be freely placed/removed by anyone with the ‘s3:PutObjectLegalHold’ permission.
6
Q

What is S3 Glacier Vault Lock?

A
  • S3 Glacier Vault Lock allows you to easily deploy and enforce compliance controls for individual S3 Glacier vaults with a vault lock policy. You can specify controls such as “write once read many” (WORM) in a vault lock policy and lock the policy from future edits. Once locked, the policy can no longer be changed.
7
Q

What is the best way to put an object lock on all objects in an S3 bucket?

A

S3 Object Locks can be configured to be bucket-wide, so just put one object lock on at the bucket level.

8
Q

In S3 Glacier Vault Lock, once the policy is initially locked, can it be changed?

A

No