How to use S3 or Glacier to support WORM?

Could someone please explain What exactly is WORM(Write Once Read Many) and how can I make S3 WORM bucket.

My basic understanding of WORM compliance is that you need to be able to write to disk, and then prevent the disk/drive/service from erasing or rewriting the data afterwards for a set period of time. This can be done easily with Glacier now, you reference a good link with. You could also probably do it in a marginal fashion with S3 - though someone will always have root/master creds.
cloudtechnicianAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Stuart ScottAWS Trainer at Cloud AcademyCommented:
Hi,

Worm is exactly that - Write Once Read Many - You would want the data to have an element of write protection to stop it being overwritten.  S3 is a highly available object storage service that allows you to Write Once and Read Many with a 99.999999999% durability.  When saving objects to S3 they are automatically replicated across different Availability zones.  

A way you could manage the objects to ensure the original doesnt get over written as such would be to enable Versioning on the bucket.  Versioning would save a seperate copy of any object that is modified allowing you to reinstate an original version if required.  This obviously isnt the most ideal solution to the problem, but it does ensure you could always refer back to the original should any changed occur.

You could also initiate Lifecycle policies on the Bucket to copy the data to AWS Glacier as you have already mentioned.

Using AWS IAM (Identity & Access Management )you could set up restrictive access to the Bucket as deemed necessary.

Cheers,

Stu...
1
cloudtechnicianAuthor Commented:
Thanks Stuart for the comment.
But, it still wouldn't meet our compliance requirement which I want to achieve using AWS services.

We've a compliance requirement where we require to figure out a way to make the disk that contains the highly confidential client data Non-rewritable and Non-erasable. if I'm not wrong is not possible with S3?

I came across a post which says that using AWS Glacier we can apply the Lock down policies on the bucket and make it Non-rewritable and Non-erasable and even Root user wouldn't be able to make any changes after the Lock Down policy is applied. Though I couldn't understand properly how does it work because if I apply the Lock Down policy and lock it then what if I want to give access to some business partners.
0
Stuart ScottAWS Trainer at Cloud AcademyCommented:
Hi,

With regards to your solution in AWS Glacier, this is the Vault Lock Policy.  An overview of this can be found here:

https://aws.amazon.com/about-aws/whats-new/2015/07/meet-regulatory-storage-requirements-with-amazon-glacier-vault-lock/

Vault Lock Policy differs from Vault Access Policies, however you can use the 2 together to create what you need, a WORM vault where you can allows access to 3rd parties.  An extract from AWS documention reads as:

A Vault Lock policy is different than a vault access policy. Both policies govern access controls to your vault. However, a Vault Lock policy can be locked to prevent future changes, providing strong enforcement for your compliance controls. You can use the Vault Lock policy to deploy regulatory and compliance controls, which typically require tight controls on data access. In contrast, you use a vault access policy to implement access controls that are not compliance related, temporary, and subject to frequent modification. Vault Lock and vault access policies can be used together. For example, you can implement time-based data retention rules in the Vault Lock policy (deny deletes), and grant read access to designated third parties or your business partners (allow reads)

This extract was taken from the below where you can get more information on how to set this up etc:

http://docs.aws.amazon.com/amazonglacier/latest/dev/vault-lock.html

I hope this helps.

Cheers,

Stuart...
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
AWS

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.