Amazon Glacier now supports a new way to manage access to your individual Glacier vaults. You can now define an access policy directly on a vault, making it easier to grant vault access to users and business groups internal to your organization, as well as to your external business partners.
Previously, you could assign AWS Identity and Access Management (IAM) policies to IAM users or groups to control read, write, and delete permissions on your Glacier vaults. Now, with vault access policies, you can define a single access policy on a vault that governs access for all users. For example, to protect the contents of a business-critical vault from unintended deletion, you can create a vault access policy that denies delete attempts from all users. Because an explicit deny in the vault policy overrides any allow granted through IAM, this can be done in a matter of minutes in the AWS Management Console without auditing and revoking delete permissions assigned to users through IAM policies. Note that such a deny applies to every principal in your own account as well, including administrators, so lifting it later means editing the vault policy itself.
Vault access policies also make it easier to grant cross-account access. For instance, you can grant read-only access on a vault to a business partner in a different AWS account by adding that account as a principal in the vault’s access policy. The partner’s own IAM policies still have to allow the relevant Glacier actions for their users: the vault policy grants access to the partner account, and that account’s administrator controls which of its users can actually use it.
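As an added example (not part of the AWS announcement), the following Python script builds the two kinds of vault access policy statement described above, a Deny on delete actions for every principal and a read-only Allow for a partner account, and pairs the document with a simplified model of how AWS combines a resource policy with the caller's IAM policy (explicit deny wins; same-account callers need an allow from either policy, cross-account callers from both). The account IDs, region, vault name and the evaluation helper are assumptions for illustration; the evaluator is not AWS's policy engine and handles only `*` and account-root principals.

```python
import json
from fnmatch import fnmatchcase

# Constructed example values (not from the announcement).
OWNER_ACCOUNT = "111122223333"          # account that owns the vault
PARTNER_ACCOUNT = "444455556666"        # external business partner
VAULT_ARN = f"arn:aws:glacier:us-east-1:{OWNER_ACCOUNT}:vaults/examplevault"

# The vault access policy. Statement 1 blocks deletes for every principal,
# including the owning account's own IAM users; statement 2 grants the partner
# account read-only operations (retrieval in Glacier is job based, so
# InitiateJob/GetJobOutput are the "read" actions).
VAULT_ACCESS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyDeleteForEveryone",
            "Effect": "Deny",
            "Principal": "*",
            "Action": ["glacier:DeleteArchive", "glacier:DeleteVault"],
            "Resource": VAULT_ARN,
        },
        {
            "Sid": "PartnerReadOnly",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{PARTNER_ACCOUNT}:root"},
            "Action": [
                "glacier:DescribeVault",
                "glacier:ListJobs",
                "glacier:DescribeJob",
                "glacier:InitiateJob",
                "glacier:GetJobOutput",
            ],
            "Resource": VAULT_ARN,
        },
    ],
}


def policy_document() -> str:
    """Serialised form to pass as the Policy field of set_vault_access_policy."""
    return json.dumps(VAULT_ACCESS_POLICY)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, caller_account: str) -> bool:
    """Match '*' or an account-root ARN; other principal forms are out of scope here."""
    if principal == "*":
        return True
    arns = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
    return any(p == "*" or p == f"arn:aws:iam::{caller_account}:root" for p in arns)


def evaluate_vault_policy(policy, caller_account: str, action: str, resource: str) -> str:
    """Simplified resource-policy evaluation (an assumption of this example, not
    AWS's full engine): any matching Deny wins, otherwise a matching Allow,
    otherwise implicit deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt["Principal"], caller_account):
            continue
        if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return "explicit_deny"
        allowed = True
    return "allow" if allowed else "implicit_deny"


def is_authorized(caller_account: str, action: str, identity_policy_allows: bool) -> bool:
    """Combine the vault policy with the caller's own IAM policy: a same-account
    caller needs an Allow from either policy; a caller from another account needs
    an Allow from both. An explicit Deny in the vault policy blocks the request
    in every case, which is why no IAM audit is needed to stop deletes."""
    result = evaluate_vault_policy(VAULT_ACCESS_POLICY, caller_account, action, VAULT_ARN)
    if result == "explicit_deny":
        return False
    if caller_account == OWNER_ACCOUNT:
        return result == "allow" or identity_policy_allows
    return result == "allow" and identity_policy_allows


if __name__ == "__main__":
    cases = [
        (OWNER_ACCOUNT, "glacier:DeleteArchive", True),    # owner admin with IAM delete rights
        (OWNER_ACCOUNT, "glacier:UploadArchive", True),
        (PARTNER_ACCOUNT, "glacier:GetJobOutput", True),
        (PARTNER_ACCOUNT, "glacier:GetJobOutput", False),  # partner user without an IAM grant
        (PARTNER_ACCOUNT, "glacier:UploadArchive", True),
        ("999999999999", "glacier:DescribeVault", True),   # unrelated account
    ]
    for account, action, iam_allows in cases:
        print(f"{account} {action:<24} iam_allows={iam_allows!s:<5} -> "
              f"{is_authorized(account, action, iam_allows)}")
```

The string returned by `policy_document()` is what you would supply as the `Policy` value to boto3's `set_vault_access_policy(accountId='-', vaultName='examplevault', policy={'Policy': ...})` or to the equivalent `aws glacier set-vault-access-policy` call; the evaluator only exists so the two rules the text relies on (deny overrides IAM allows, and a cross-account grant still needs the partner's IAM permissions) can be checked before the policy is applied.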