I am looking for some more help solving the problem below:
To meet a compliance requirement for data protection, we want to create separate S3 buckets which will temporarily store the data, and after completion of the specified duration the data should make its way to Glacier Vaults for archival. Our major requirement is to ensure that our archived data shouldn't be tampered with. Data should be saved in non-rewritable and non-erasable storage to ensure archived data protection.
I understand that Amazon Glacier Vault Lock allows us to easily deploy and enforce compliance controls for individual Amazon Glacier vaults with a Vault Lock policy, and that we can specify controls such as “write once read many” (WORM) in a Vault Lock policy and lock the policy from future edits. But I'm facing an issue while testing this option.
Our requirement is that some S3 buckets will retain information temporarily and after some time move the contents to a Glacier vault. My doubt is that when I apply a lifecycle policy to an S3 bucket, it doesn't show the vault name where the data is going to reside, nor does it ask me to specify a vault name while configuring the lifecycle policy, so that later in the Glacier console we can easily apply the lock-down policy to that specific vault.
I understand that to upload data, such as photos, videos, and other documents, we must either use the AWS CLI or write code to make requests, using either the REST API directly or the AWS SDKs. Does it mean there is no possible way to directly move S3 bucket objects to a specific vault? Do we have to first download all the contents we want to archive from the S3 bucket, then upload them to a specific vault using the AWS CLI, and then apply the vault lock-down policy to make the storage WORM compliant?
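
For reference, an added example (not part of the original post and not AWS's own code) of the kind of WORM Vault Lock policy described above, with a check that a candidate policy really denies archive deletion for the required retention period before it is locked. The account ID, region, vault name and function names are assumptions; the policy uses the `glacier:ArchiveAgeInDays` condition key.

```python
import json

# Constructed sample: account ID, region and vault name are placeholders.
VAULT_ARN = "arn:aws:glacier:us-east-1:111122223333:vaults/example-archive-vault"

def worm_policy(vault_arn, retention_days):
    """Build a Vault Lock policy denying archive deletion during retention."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "deny-delete-during-retention",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "glacier:DeleteArchive",
            "Resource": vault_arn,
            "Condition": {"NumericLessThan":
                          {"glacier:ArchiveAgeInDays": str(retention_days)}},
        }],
    }

def worm_findings(policy, vault_arn, min_days):
    """Return reasons the policy fails to enforce WORM; [] means it passes."""
    for st in policy.get("Statement", []):
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        # IAM action names are case-insensitive.
        if not any(a.lower() in ("glacier:deletearchive", "glacier:*")
                   for a in actions):
            continue
        findings = []
        if st.get("Effect") != "Deny":
            findings.append("delete statement is not an explicit Deny")
        if st.get("Principal") not in ("*", {"AWS": "*"}):
            findings.append("Deny does not cover every principal")
        if st.get("Resource") != vault_arn:
            findings.append("Deny targets a different resource")
        cond = st.get("Condition")
        if cond is not None:  # no condition at all means delete is always denied
            days = cond.get("NumericLessThan", {}).get("glacier:ArchiveAgeInDays")
            if days is None:
                findings.append("Deny is narrowed by an unrecognised condition")
            elif int(days) < min_days:
                findings.append("retention window shorter than required")
        return findings
    return ["no statement restricts glacier:DeleteArchive"]

if __name__ == "__main__":
    print(json.dumps(worm_policy(VAULT_ARN, 365), indent=2))
```

Running the check against the policy while the lock is still in its in-progress state is the useful moment, because a completed Vault Lock can no longer be edited.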