AWS amazonglacier documentation change
Summary
Updated branding from 'S3 Glacier' to 'Glacier' and removed detailed JSON policy examples for Vault Lock policies. Removed references to original 2012 REST API and emphasized newer Glacier storage classes.
Security assessment
Changes are primarily branding/naming updates and documentation cleanup. While Vault Lock policies relate to compliance/security controls, there's no evidence these changes address a specific vulnerability. Removal of explicit JSON examples could reduce implementation clarity but doesn't directly introduce or mitigate security flaws.
Diff
diff --git a/amazonglacier/latest/dev/vault-lock-policy.md b/amazonglacier/latest/dev/vault-lock-policy.md index faea7fd74..da78d6afb 100644 --- a//amazonglacier/latest/dev/vault-lock-policy.md +++ b//amazonglacier/latest/dev/vault-lock-policy.md @@ -7 +7 @@ Example 1: Deny Deletion Permissions for Archives Less Than 365 Days OldExample -**This page is only for existing customers of the S3 Glacier service using Vaults and the original REST API from 2012.** +**This page is only for existing customers of the Glacier service using Vaults and the original REST API from 2012.** @@ -9 +9 @@ Example 1: Deny Deletion Permissions for Archives Less Than 365 Days OldExample -If you're looking for archival storage solutions we suggest using the S3 Glacier storage classes in Amazon S3, **S3 Glacier Instant Retrieval** , **S3 Glacier Flexible Retrieval** , and **S3 Glacier Deep Archive**. To learn more about these storage options, see [S3 Glacier storage classes](https://aws.amazon.com/s3/storage-classes/glacier/) and [Long-term data storage using S3 Glacier storage classes](https://docs.aws.amazon.com/AmazonS3/latest/userguide/glacier-storage-classes) in the _Amazon S3 User Guide_. These storage classes use the Amazon S3 API, are available in all regions, and can be managed within the Amazon S3 console. They offer features like Storage Cost Analysis, Storage Lens, advanced optional encryption features, and more. +If you're looking for archival storage solutions we suggest using the Glacier storage classes in Amazon S3, **S3 Glacier Instant Retrieval** , **S3 Glacier Flexible Retrieval** , and **S3 Glacier Deep Archive**. To learn more about these storage options, see [Glacier storage classes](https://aws.amazon.com/s3/storage-classes/glacier/) and [Long-term data storage using Glacier storage classes](https://docs.aws.amazon.com/AmazonS3/latest/userguide/glacier-storage-classes) in the _Amazon S3 User Guide_. These storage classes use the Amazon S3 API, are available in all regions, and can be managed within the Amazon S3 console. They offer features like Storage Cost Analysis, Storage Lens, advanced optional encryption features, and more. @@ -13 +13 @@ If you're looking for archival storage solutions we suggest using the S3 Glacier -An Amazon S3 Glacier (S3 Glacier) vault can have one resource-based vault access policy and one Vault Lock policy attached to it. A _Vault Lock policy_ is a vault access policy that you can lock. Using a Vault Lock policy can help you enforce regulatory and compliance requirements. Amazon S3 Glacier provides a set of API operations for you to manage the Vault Lock policies, see [Locking a Vault by Using the S3 Glacier API](./vault-lock-how-to-api.html). +An Amazon Glacier (Glacier) vault can have one resource-based vault access policy and one Vault Lock policy attached to it. A _Vault Lock policy_ is a vault access policy that you can lock. Using a Vault Lock policy can help you enforce regulatory and compliance requirements. Amazon Glacier provides a set of API operations for you to manage the Vault Lock policies, see [Locking a Vault by Using the Glacier API](./vault-lock-how-to-api.html). @@ -17 +17 @@ As an example of a Vault Lock policy, suppose that you are required to retain ar -You can use the S3 Glacier API, Amazon SDKs, AWS CLI, or the S3 Glacier console to create and manage Vault Lock policies. For a list of S3 Glacier actions allowed for vault resource-based policies, see [API Permissions Reference](./glacier-api-permissions-ref.html). +You can use the Glacier API, Amazon SDKs, AWS CLI, or the Glacier console to create and manage Vault Lock policies. For a list of Glacier actions allowed for vault resource-based policies, see [API Permissions Reference](./glacier-api-permissions-ref.html). @@ -30,23 +30 @@ You can use the S3 Glacier API, Amazon SDKs, AWS CLI, or the S3 Glacier console -Suppose that you have a regulatory requirement to retain archives for up to one year before you can delete them. You can enforce that requirement by implementing the following Vault Lock policy. The policy denies the `glacier:DeleteArchive` action on the examplevault vault if the archive being deleted is less than one year old. The policy uses the S3 Glacier-specific condition key `ArchiveAgeInDays` to enforce the one-year retention requirement. - - - { - "Version":"2012-10-17", - "Statement":[ - { - "Sid": "deny-based-on-archive-age", - "Principal": "*", - "Effect": "Deny", - "Action": "glacier:DeleteArchive", - "Resource": [ - "arn:aws:glacier:us-west-2:123456789012:vaults/examplevault" - ], - "Condition": { - "NumericLessThan" : { - "glacier:ArchiveAgeInDays" : "365" - } - } - } - ] - } - +Suppose that you have a regulatory requirement to retain archives for up to one year before you can delete them. You can enforce that requirement by implementing the following Vault Lock policy. The policy denies the `glacier:DeleteArchive` action on the examplevault vault if the archive being deleted is less than one year old. The policy uses the Glacier-specific condition key `ArchiveAgeInDays` to enforce the one-year retention requirement. @@ -67,45 +44,0 @@ To put these two rules in place, the following example policy has two statements - - { - "Version":"2012-10-17", - "Statement":[ - { - "Sid": "lock-vault", - "Principal": "*", - "Effect": "Deny", - "Action": [ - "glacier:DeleteArchive" - ], - "Resource": [ - "arn:aws:glacier:us-west-2:123456789012:vaults/examplevault" - ], - "Condition": { - "StringLike": { - "glacier:ResourceTag/LegalHold": [ - "true", - "" - ] - } - } - }, - { - "Sid": "you-can-delete-archive-less-than-1-year-old", - "Principal": { - "AWS": "arn:aws:iam::123456789012:root" - }, - "Effect": "Allow", - "Action": [ - "glacier:DeleteArchive" - ], - "Resource": [ - "arn:aws:glacier:us-west-2:123456789012:vaults/examplevault" - ], - "Condition": { - "NumericLessThan": { - "glacier:ArchiveAgeInDays": "365" - } - } - } - ] - } - -