Andrea Danti - Fotolia
What features are involved with Amazon Glacier backup storage?
We'd like to move infrequently accessed data to cold storage to save money. How does Amazon Glacier work and what are some of the main features?
Amazon Glacier provides secure storage for low-cost, long-term enterprise data retention. Amazon Glacier storage -- much like other AWS storage offerings -- is broken down into two fundamental concepts: the objects being stored and the containers holding data.
In Glacier, a data object is called an archive. An archive can be a document, image or another form of data, as well as a collection of data consolidated into a single compressed file, such as a .tar or .zip file. These collections are then uploaded to Glacier as a single archive entity. Archives must be placed in suitable containers, and Glacier stores its archives in "vaults." Administrators can use the AWS Management Console and AWS software development kits to create, delete, lock, inventory, filter, adjust access policies and otherwise manage vaults. A single AWS account can support up to 1,000 vaults; each vault can contain numerous archive objects.
Admins often use Amazon Glacier backup because of its security features. Glacier assigns each archive object a unique identifier when it is uploaded to AWS, rendering the archive immutable. Administrators can run Identity and Access Management controls to authenticate and restrict access at the user level, ensuring that only authorized users, business groups or partners can access certain vaults. Glacier vault containers can also be locked using the Amazon Glacier Vault Lock policy. For example, an admin can set a vault to read-only and prohibit alterations to the policy, leaving Glacier to enforce the policy and guard data against changes or deletion.
Combining Amazon Glacier backup storage with a tool like AWS CloudTrail creates detailed log files of the actions performed on Glacier vaults and objects. Logs can report which user accessed a certain vault or interacted with a particular archive. Logging can help maintain proper regulatory compliance and business governance for archived cloud data.
By design, developers cannot readily access Amazon Glacier backup data. Unlike online storage -- such as Amazon Simple Storage Service (S3), Amazon Glacier storage is not directly visible. Admins must restore data to accessible storage, such as S3, before accessing it. It may take several hours to retrieve archived object data stored in Glacier vault containers, and retrieving data imposes a cost. Administrators should configure the retrieval rate and mitigate retrieval costs with Amazon Glacier backup.