- A storage service optimized for infrequently used data, or “cold data.”
- Provides durable, secure, and flexible storage for data archiving and online backup.
- Can store an unlimited amount of virtually any kind of data, in any format
Amazon Glacier Data Model
- The Amazon Glacier data model core concepts include vaults and archives.
- Amazon Glacier is a REST-based web service. In terms of REST, vaults and archives are the resources.
- Vault: In Amazon Glacier, a vault is a container for storing archives.
- Archive: It can be any data such as a photo, video, or document and is a base unit of storage in Amazon Glacier which has a unique ID and an optional description.
- Job : Retrieving an archive and vault inventory are asynchronous operations in Amazon Glacier in which you first initiate a job, and then download the job output after Amazon Glacier completes the job.
- Notification Configuration: Amazon Glacier supports a notification mechanism to notify you when a job is complete.
Supported operations in Amazon Glacier
- Vault Operations : Amazon Glacier provides operations to create and delete vaults
- Archive Operations : Amazon Glacier provides operations for you to upload and delete archives . You cannot update an existing archive; you must delete the existing archive and upload a new archive.
- Jobs : Retrieving an archive or vault inventory from Amazon Glacier is an asynchronous operation. It requires you to first initiate a job, wait for the job to complete and then download the job output.
Amazon Glacier Data Model
- Accessing Amazon Glacier
○When using the REST API directly, you must write the necessary code to sign and authenticate your requests.
Getting Started with Amazon Glacier
- In this, you will create a vault, upload and download an archive, and finally delete the archive and the vault.
- You can do all these operations programmatically.
- Step 1: Before You Begin with Amazon Glacier
- Step 2: Create a Vault in Amazon Glacier
Amazon Glacier features
- Archives : data is stored in Amazon Glacier in the form of archives, you can upload a single file as an archive or aggregate multiple files into TAR or ZIP file and upload as one archive. A single archive can be as large as 40 terabytes.
Vaults : these serve as “ containers “ to store archives. You can view a list of vaults in the AWS management console and use AWS SDKs to perform a variety of vault operations such as create vault, delete vault, lock vault, list vault metadata, retrieve vault inventory , tag vaults for filtering and configure vault notifications.
Amazon Glacier key features
- Data retrieval features
- AWS snowball and direct connect integration
- Vault lock
- Access control
- Tagging support
- Audit logs
- Vault access policies
- Vault inventory
- Integrated lifecycle management with Amazon S3.
- Data retrieval features : it provides three ways to retrieve your archives to meet varying access time and cost requirements: expedited, standard and bulk retrievals.
- AWS snowball and direct connect integration : AWS snowball can accelerate moving large amounts of data directly into and out of AWS using portable storage devices for transport. AWS transfers your data directly onto and off of storage devices using Amazon high speed internal network and by passing the internet. AWS direct connect makes it easy to establish a high bandwidth , dedicated network connection from your premises to AWS.
- Vault lock : it allows you to easily deploy and enforce compliance controls on individual glacier vaults via a lockable policy and lock the policy from future edits. Once locked, the policy becomes immutable and Glacier will enforce the prescribed controls to help achieve your compliance objectives.
- Access control : it uses AWS IAM to help you securely control access to AWS and Glacier data. You can create users in IAM , assign individual security credentials and IAM policies on each Amazon Glacier vault to grant permitted activities to intended users.
- Vault access policies : these policies allows you to easily manage access to your individual Glacier vaults. You can define an access policy on a vault to grant vault access to users and business groups internal to your organization as well as external business partners.
- Vault inventory : it maintains an inventory of all archives in each of your vaults for disaster recovery. It is updated approximately once a day.
- Tagging support : it allows you to tag your Glacier vaults for easier resource and cost management. Tags are labels that you can define and associate with your vaults.
- Integrated lifecycle management with Amazon S3 : Amazon Glacier works together with Amazon S3 lifecycle rules to help you to automate archiving of Amazon S3 data and reduce overall storage costs. You can easily set up a rule that stores all your previous Amazon S3 object versions in the lower cost Glacier storage class and deletes them from Glacier storage after 100 days.
- AWS software development kits (SDKs) : data upload and retrieval are done using AWS SDKs or Amazon Glacier API. Amazon Glacier is supported by AWS SDKs for java, .net, php, python. The SDKs libraries wrap the underlying Amazon API simplifying programming tasks. API libraries are : low level API & high level API.
Protecting your data
- Data stored in Amazon Glacier is protected by default, only vault owners have access to Amazon glacier resources they create. It encrypts your data at rest by default and supports secure data transit by SSL.
- It also supports access control mechanisms with IAM policies.
- With Amazon Glacier data protection features, you can protect your data from logical and physical failures, guarding against data loss from unintended user accounts, application errors and infrastructure breakdown.
Managing your data
- Uploading an archive to Amazon glacier.
- Downloading an archive from Amazon glacier.
- Deleting an archive in Amazon glacier.
Amazon Glacier Vault Lock
- Amazon Glacier Vault Lock allows you to easily deploy and enforce compliance controls for individual Amazon Glacier vaults with a vault lock policy.
- You can specify controls such as “write once read many” (WORM) in a vault lock policy and lock the policy from future edits.
- Once locked, the policy can no longer be changed.
- You can access AWS as any of the following types of identities:
○AWS account root user
- Every AWS resource is owned by an AWS account, and permissions to create or access a resource are governed by permissions policies.
- Amazon Glacier Resources and Operations
○Amazon Glacier supports policies only at the vault level.
○In an IAM policy, the Resource value that you specify can be a specific vault or a set of vaults in a specific AWS Region.
- Understanding Resource Ownership
○A resource owner is the AWS account that created the resource.
○The resource owner is the AWS account of the principal entity that authenticates the request that creates the resource.
- Managing Access to Resources
○Identity-Based Policies (IAM policies)
○Resource-Based Policies (Amazon Glacier Vault Policies)
Amazon Glacier Data Retrieval Policies
- With Amazon Glacier data retrieval policies, you can easily set data retrieval limits and manage the data retrieval activities across your AWS account in each region.
- Choosing an Amazon Glacier Data Retrieval Policy
- Three types of Amazon Glacier data retrieval policies : free tier only, max retrieval policies and no retrieval limit.
- Using the Amazon Glacier Console to Set Up a Data Retrieval Policy
- You can view and update the data retrieval policies in the Amazon Glacier console or by using the Amazon Glacier API.
- Abort Vault Lock (DELETE lock-policy)
- Add Tags To Vault (POST tags add)
- Create Vault (PUT vault)
- Complete Vault Lock (POST lockId)
- Delete Vault (DELETE vault)
- Delete Vault Access Policy (DELETE access-policy)
- Get Vault Notifications (GET notification-configuration)
- Delete Archive (DELETE archive)
○This operation deletes an archive from a vault.
○You can delete one archive at a time from a vault.
○To delete the archive you must provide its archive ID in the delete request.
○You can get the archive ID by downloading the vault inventory for the vault that contains the archive.
- Upload Archive (POST archive)
○This operation adds an archive to a vault.
○For a successful upload, your data is durably persisted. In response, Amazon Glacier returns the archive ID in the x-amz-archive-id header of the response.
○You should save the archive ID returned so that you can access the archive later.