ILM policy for compliance example

To create an ILM policy that will effectively protect objects in compliant S3 buckets as well as objects in non-compliant buckets, you must select ILM rules that satisfy the storage requirements for both types of objects. Then, you must simulate and activate the proposed policy.

Adding rules to the policy

In this example, the active ILM policy includes three ILM rules, in the following order:

  1. A compliant rule that creates erasure-coded copies of the objects in a specific compliant S3 bucket. The EC copies are stored on Storage Nodes from day 0 to forever.
  2. A non-compliant rule that creates two replicated object copies on Storage Nodes for a year and then moves one object copy to Archive Nodes and stores that copy forever. This rule only applies to non-compliant buckets because it stores only one object copy forever and it uses Archive Nodes.
  3. A compliant rule that creates two replicated object copies on Storage Nodes from day 0 to forever.

Screenshot: Example Compliant Policy Active

Selecting a default rule

If the global Compliance setting is enabled, the default rule in the active or any proposed ILM policy must be compliant. In the example, the default rule is the second compliant rule. This rule applies to any object in any compliant or non-compliant bucket that was not matched by the first two rules.

Note: When the global Compliance setting is enabled, you might see an error message when you initially select the rules for a proposed ILM policy. The message indicates you must select a compliant ILM rule to be the default rule. Select the Default radio button for the compliant rule that you want to be the default, and drag that rule to the appropriate position in the list.

Screenshot: Example Compliant Policy Default Rule Not Compliant

Simulating the proposed policy

After you have added rules in your proposed policy, arranged them, and chosen a default compliant rule, you should simulate the policy by testing objects from both compliant and non-compliant buckets. For example, if you simulated the example policy, you would expect test objects to be evaluated as follows:
  • A test object in the bucket bank-records for the Bank of ABC tenant would be matched by the EC objects compliant rule.
  • A test object in any non-compliant bucket for any tenant account would be matched by the non-compliant rule.
  • A test object in a compliant bucket named customer-records for Bank of ABC or any other tenant would be matched by the default rule. This is because the bucket name does not match bank-records and the non-compliant rule does not apply to objects in compliant buckets.
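
The expected results above can be checked with a small model of the example policy. This is an added example, not StorageGRID code or its API: the Obj and Rule classes, the validate and simulate functions, the test tenant "Example Tenant" and bucket "scratch-data" are hypothetical, and the first rule is assumed to filter on both the tenant and the bucket name.

```python
from dataclasses import dataclass
from typing import Callable

@dataclass(frozen=True)
class Obj:
    tenant: str
    bucket: str
    bucket_compliant: bool  # was the S3 bucket created as compliant?

@dataclass(frozen=True)
class Rule:
    name: str
    compliant: bool                 # placement meets compliant-bucket requirements
    matches: Callable[[Obj], bool]  # the rule's tenant/bucket filter

# The example policy, in evaluation order; the last rule is the default.
# Assumption: rule 1 filters on tenant "Bank of ABC" and bucket "bank-records".
EXAMPLE_POLICY = [
    Rule("EC objects compliant rule", True,
         lambda o: o.tenant == "Bank of ABC" and o.bucket == "bank-records"),
    Rule("non-compliant rule", False, lambda o: True),
    Rule("default rule", True, lambda o: True),
]

def validate(policy, global_compliance=True):
    """Return a list of problems; an empty list means the policy is acceptable."""
    if global_compliance and not policy[-1].compliant:
        return ["default rule must be compliant"]
    return []

def simulate(policy, obj):
    """Return the name of the first rule that applies to obj."""
    for rule in policy:
        # A non-compliant rule never applies to objects in compliant buckets.
        if obj.bucket_compliant and not rule.compliant:
            continue
        if rule.matches(obj):
            return rule.name
    raise LookupError("no rule applied; the policy lacks a usable default")

# Constructed test objects mirroring the three cases in the text.
TEST_OBJECTS = [
    Obj("Bank of ABC", "bank-records", True),
    Obj("Example Tenant", "scratch-data", False),
    Obj("Bank of ABC", "customer-records", True),
]

if __name__ == "__main__":
    print(validate(EXAMPLE_POLICY))
    for o in TEST_OBJECTS:
        print(o.bucket, "->", simulate(EXAMPLE_POLICY, o))
```

Moving the non-compliant rule to the last position makes validate report the same problem that the Note above describes.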

Activating the policy

When you are completely satisfied that the new policy protects object data as expected, you can activate it.