Compliant ILM policy for S3 Object Lock example

To create an ILM policy that will effectively protect all objects in your system, including those in buckets with S3 Object Lock enabled, you must select ILM rules that satisfy the storage requirements for all objects. Then, you must simulate and activate the proposed policy.

Adding rules to the policy

In this example, the ILM policy includes three ILM rules, in the following order:

  1. A compliant rule that uses erasure coding to protect objects larger than 200 KB in a specific bucket with S3 Object Lock enabled. The objects are stored on Storage Nodes from day 0 to forever.
  2. A non-compliant rule that creates two replicated object copies on Storage Nodes for a year and then moves one object copy to a Cloud Storage Pool forever. This rule does not apply to buckets with S3 Object Lock enabled because it uses a Cloud Storage Pool.
  3. The default compliant rule that creates two replicated object copies on Storage Nodes from day 0 to forever.

[Figure: Example compliant policy]

Simulating the proposed policy

After you have added rules to your proposed policy, chosen a default compliant rule, and arranged the other rules, you should simulate the policy by testing objects from the bucket with S3 Object Lock enabled and from other buckets. For example, when you simulate the example policy, you would expect test objects to be evaluated as follows:
  • The first rule will only match test objects that are larger than 200 KB in the bucket bank-records for the Bank of ABC tenant.
  • The second rule will match all objects in all non-compliant buckets for all other tenant accounts.
  • The default rule will match these objects:
    • Objects 200 KB or smaller in the bucket bank-records for the Bank of ABC tenant.
    • Objects in any other bucket that has S3 Object Lock enabled for all other tenant accounts.
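
The expected outcomes above can be worked out ahead of the simulation with a small model of the rule order. This is an added example, not StorageGRID code: the rule names, the tenant "Other Tenant", the buckets "media" and "audit-logs", and the assumption that the second rule has no filter are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

@dataclass(frozen=True)
class SampleObject:
    tenant: str
    bucket: str
    size_kb: int
    object_lock: bool  # True if the bucket has S3 Object Lock enabled

@dataclass(frozen=True)
class Rule:
    name: str          # hypothetical rule name
    compliant: bool
    matches: Callable[[SampleObject], bool]

# The three rules of the example policy, in policy order.
POLICY: List[Rule] = [
    Rule("1-ec-bank-records", True, lambda o: o.tenant == "Bank of ABC"
         and o.bucket == "bank-records" and o.size_kb > 200),
    Rule("2-cloud-storage-pool", False, lambda o: True),  # assumed: no filter
    Rule("3-default-two-copies", True, lambda o: True),
]

def check_policy(policy: List[Rule]) -> None:
    """Fail if the last (default) rule is not compliant, since objects in
    Object Lock buckets could then fall through without a usable rule."""
    if not policy or not policy[-1].compliant:
        raise ValueError("default rule must be a compliant rule")

def evaluate(policy: List[Rule], obj: SampleObject) -> str:
    """Return the first rule that applies; non-compliant rules are skipped
    for objects in buckets with S3 Object Lock enabled."""
    for rule in policy:
        if obj.object_lock and not rule.compliant:
            continue
        if rule.matches(obj):
            return rule.name
    raise LookupError("no rule matched")

def simulate(policy: List[Rule], objects: List[SampleObject]) -> Dict[Tuple, str]:
    check_policy(policy)
    return {(o.tenant, o.bucket, o.size_kb): evaluate(policy, o) for o in objects}

# Constructed test objects, one per expected outcome in the list above.
SAMPLES = [
    SampleObject("Bank of ABC", "bank-records", 500, True),
    SampleObject("Bank of ABC", "bank-records", 200, True),
    SampleObject("Other Tenant", "media", 500, False),
    SampleObject("Other Tenant", "audit-logs", 500, True),
]
```

Comparing the result of simulate(POLICY, SAMPLES) with what the policy simulation reports for equivalent test objects shows quickly whether a rule is out of order or a filter is wrong.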

Activating the policy

When you are completely satisfied that the new policy protects object data as expected, you can activate it.