What is AWS S3 Glacier?

AWS S3 Glacier is a low-cost archive storage service used for data archiving and online backup. It is suitable if you need to keep data for the long term.

Amazon S3 provides convenient transition of S3 objects into Amazon S3 Glacier storage classes, so that you can manage the lifecycle and costs for your backups.

S3 Glacier provides the following storage classes:

  • S3 Glacier Instant Retrieval for archiving data that might be needed once per quarter and needs to be restored quickly (milliseconds)
  • S3 Glacier Flexible Retrieval for archiving data that might infrequently need to be restored, once or twice per year, within a few hours
  • S3 Glacier Deep Archive for archiving long-term backup cycle data that might infrequently need to be restored within 12 hours

How to create a vault in AWS S3 Glacier

In S3 Glacier, a vault is a container for storing archives. A vault is similar to an Amazon S3 bucket. When you create a vault, you specify a name and choose an AWS Region where you want to create the vault.

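Each vault has a unique address. For example, the vault examplevault in the us-west-2 Region under account 111122223333 has this URI:

https://glacier.us-west-2.amazonaws.com/111122223333/vaults/examplevault

  1. Sign in to the S3 Glacier console at https://console.aws.amazon.com/glacier/home, then choose Vaults.
  2. Under Select a Region, choose the AWS Region for the vault, then enter a Vault name.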
  3. Under Event notifications, to turn on or off notifications on a vault for when a job is completed, choose one of the following settings:
    • Turn off notifications – Notifications are turned off, and notifications are not sent to an Amazon Simple Notification Service (Amazon SNS) topic when a specified job is completed.
    • Turn on notifications – Notifications are turned on, and notifications are sent to the provided Amazon SNS topic when a specified job is completed. If you chose Turn on notifications, see Configuring Vault Notifications by Using the Amazon S3 Glacier Console.
  4. If the AWS Region and vault name are correct, then choose Create vault.

S3 Glacier enforces the controls set in the Vault Lock policy to help achieve your compliance objectives. For example, you can use Vault Lock policies to enforce data retention.

Retrieving Vault Metadata Using the AWS CLI

aws glacier describe-vault --vault-name awsexamplevault --account-id 111122223333

How to Upload or delete an Archive in AWS S3 Glacier

An archive can be any data, such as a photo, video, or document. An archive is similar to an Amazon S3 object, and is the base unit of storage in S3 Glacier. Each archive has a unique ID and an optional description. You can store an unlimited number of archives in a vault.

S3 Glacier provides operations for you to upload and delete archives. 

https://region-specific-endpoint/account-id/vaults/vault-name/archives/archive-id

NOTE: Any archive operation, such as upload, download, or deletion, requires you to use the AWS Command Line Interface (CLI) or write code. There is no console support for archive operations.

What is an S3 Glacier job?

An S3 Glacier job can retrieve an archive, or get an inventory of a vault. Because jobs take time to run, S3 Glacier supports a notification mechanism to notify you when a job is completed. You can configure a vault to send a notification to an Amazon Simple Notification Service (Amazon SNS) topic when a job is completed. 

S3 Glacier stores the notification configuration as a JSON document. The following is an example vault notification configuration:

{
   "Topic": "arn:aws:sns:us-west-2:111122223333:mytopic", 
   "Events": ["ArchiveRetrievalCompleted", "InventoryRetrievalCompleted"] 
}

Downloading a Vault Inventory Using the AWS CLI

  • Start an inventory retrieval job
aws glacier initiate-job --vault-name awsexamplevault --account-id 111122223333 --job-parameters='{"Type": "inventory-retrieval"}'

Expected output:


{
    "location": "/111122223333/vaults/awsexamplevault/jobs/*** jobid ***", 
    "jobId": "*** jobid ***"
}
	
  • Check the status of the previous retrieval job
aws glacier describe-job --vault-name awsexamplevault --account-id 111122223333 --job-id "*** jobid ***"

Upload an Archive Using the AWS CLI

  • Add an archive to an existing vault
aws glacier upload-archive --vault-name awsexamplevault --account-id 123456789012 --body archive.zip

Amazon S3 Glacier IAM policy permissions


      {
         "Version": "2012-10-17",
         "Statement": [
            {
               "Effect": "Allow",
               "Action": [
                  "glacier:CreateVault",
                  "glacier:DescribeVault",
                  "glacier:ListVaults",
                  "glacier:InitiateJob",
                  "glacier:GetJobOutput",
                  "glacier:DescribeJob"
               ],
               "Resource": "arn:aws:glacier:us-west-2:123456789012:vaults/*"
            }
         ]
      }

Amazon S3 Glacier vault Resource based Policy

An Amazon S3 Glacier vault access policy is a resource-based policy that you can use to manage permissions to your vault.

You can create one vault access policy for each vault to manage permissions.


               {
                  "Version":"2012-10-17",
                  "Statement":[
                     {
                        "Sid":"cross-account-upload",
                        "Principal": {
                           "AWS": [
                              "arn:aws:iam::123456789012:root",
                              "arn:aws:iam::444455556666:root"
                           ]
                        },
                        "Effect":"Allow",
                        "Action": [
                           "glacier:UploadArchive",
                           "glacier:InitiateMultipartUpload",
                           "glacier:AbortMultipartUpload",
                           "glacier:CompleteMultipartUpload"
                        ],
                        "Resource": [
                           "arn:aws:glacier:us-west-2:999999999999:vaults/examplevault"                                           
                        ]
                     }
                  ]
               }
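
The following Python function reviews a vault access policy like the one above and reports grants to accounts other than the vault owner, any-principal grants with no Condition, and wildcard actions. It is an added example, not code from the original article; the function names and the approved_accounts parameter are assumptions made for illustration.

```python
import json

# Vault access policy from the article, embedded so the example runs offline.
PAGE_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{
   "Sid": "cross-account-upload",
   "Principal": {"AWS": ["arn:aws:iam::123456789012:root",
                         "arn:aws:iam::444455556666:root"]},
   "Effect": "Allow",
   "Action": ["glacier:UploadArchive", "glacier:InitiateMultipartUpload",
              "glacier:AbortMultipartUpload", "glacier:CompleteMultipartUpload"],
   "Resource": ["arn:aws:glacier:us-west-2:999999999999:vaults/examplevault"]}]}
""")

def as_list(value):
    """IAM policy fields may hold a single value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def account_of(arn_or_id):
    """Account ID from an ARN, or the value itself if it is a bare account ID."""
    parts = arn_or_id.split(":")
    return parts[4] if parts[0] == "arn" and len(parts) >= 6 else arn_or_id

def audit_vault_policy(policy, approved_accounts=()):
    """Return (sid, principal, issue) tuples for risky grants in Allow statements."""
    findings = []
    for stmt in as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        # The vault owner's account is the account ID in the Resource ARN.
        owners = {account_of(r) for r in as_list(stmt.get("Resource", []))}
        principal = stmt.get("Principal", {})
        principals = ["*"] if principal == "*" else as_list(principal.get("AWS", []))
        for p in principals:
            if p == "*":
                if "Condition" not in stmt:
                    findings.append((sid, p, "any AWS principal, no Condition"))
            elif account_of(p) not in owners | set(approved_accounts):
                findings.append((sid, p, "cross-account principal not on approved list"))
        if any(a in ("*", "glacier:*") for a in as_list(stmt.get("Action", []))):
            findings.append((sid, "-", "wildcard action"))
    return findings

if __name__ == "__main__":
    # Constructed scenario: only account 123456789012 is an approved uploader.
    for finding in audit_vault_policy(PAGE_POLICY, approved_accounts={"123456789012"}):
        print(finding)
```

A principal ending in :root names the whole account, so that account's administrators decide which of their identities can use the grant.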
            

Conclusion

In this article we learnt everything we need to know about AWS S3 Glacier.
