Vault Readiness Checklist
Before ingestion begins, your vault must pass these checks. We block regulated-mode writes until a valid readiness receipt exists.
Object Lock (Compliance Mode)
Prevents deletion or retention shortening—so even administrators can't rewrite history.
Must be enabled at bucket creation. Compliance mode ensures even root cannot delete or shorten retention.
ObjectLockConfiguration.ObjectLockRule.DefaultRetention.Mode: COMPLIANCE
Versioning
Preserves every version so audits can reference exact object generations.
Required for Object Lock to function. Preserves all object versions.
Default Retention
Ensures objects inherit retention by default—no gaps caused by caller mistakes.
Set a default retention (e.g., 7 years for SEC 17a-4). Applied to all objects unless overridden.
Write-only role
Allows ingestion to write, but blocks reads and deletes by design.
IAM role we assume for ingest. Allow PutObject only. Deny Get, List, Delete, retention modification.
Deny: s3:GetObject, s3:ListBucket, s3:DeleteObject
Break-glass role
Customer-controlled retrieval used only for drills and examiner requests.
Customer-controlled IAM role for retrieval. Used during drills and examiner requests.
Production Kit escrow
Ensures the offline verifier/exporter is always available inside your account.
The latest Production Kit release must exist in your tools bucket. It enables offline verification and export.
Readiness Receipt
Once all checks pass, we write an immutable Readiness Receipt to your vault. This proves the vault was compliant at ingestion start. Regulators can verify this receipt anytime.
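The Object Lock, versioning, default retention and write-only role checks above can be evaluated offline from a bucket's configuration and the ingest role's policy document. The following is an added example, not the vendor's own readiness checker. It assumes inputs shaped like the boto3 `get_object_lock_configuration` and `get_bucket_versioning` responses; `check_readiness`, `min_years` and the sample bucket name are hypothetical.

```python
# Added example: offline evaluation of four checklist items against
# constructed inputs shaped like boto3 responses. Not the vendor's checker.

def _actions(policy, effect):
    """Collect the actions of every statement with the given Effect."""
    found = set()
    stmts = policy.get("Statement", [])
    for stmt in [stmts] if isinstance(stmts, dict) else stmts:
        if stmt.get("Effect") == effect:
            acts = stmt.get("Action", [])
            found.update([acts] if isinstance(acts, str) else acts)
    return found

def check_readiness(lock_cfg, versioning, ingest_policy, min_years=7):
    """Return a list of failed checks; an empty list means ready."""
    failures = []
    cfg = lock_cfg.get("ObjectLockConfiguration", {})
    retention = cfg.get("Rule", {}).get("DefaultRetention", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        failures.append("object lock not enabled")
    if retention.get("Mode") != "COMPLIANCE":
        failures.append("default retention mode is not COMPLIANCE")
    # S3 expresses default retention as either Days or Years, never both.
    days = retention.get("Days", 0) + 365 * retention.get("Years", 0)
    if days < 365 * min_years:
        failures.append("default retention missing or too short")
    if versioning.get("Status") != "Enabled":
        failures.append("versioning not enabled")
    extra = _actions(ingest_policy, "Allow") - {"s3:PutObject"}
    if extra:  # catches wildcards such as s3:* as well as named extras
        failures.append("ingest role allows more than PutObject: %s" % sorted(extra))
    need = {"s3:GetObject", "s3:ListBucket", "s3:DeleteObject"}
    missing = need - _actions(ingest_policy, "Deny")
    if missing:
        failures.append("ingest role lacks explicit deny: %s" % sorted(missing))
    return failures

# Constructed sample inputs (not taken from a real account).
GOOD_LOCK = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
             "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Years": 7}}}}
WEAK_LOCK = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
             "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 30}}}}
GOOD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-vault/*"},
    {"Effect": "Deny", "Action": ["s3:GetObject", "s3:ListBucket", "s3:DeleteObject"],
     "Resource": "*"}]}
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
```

Wildcard Deny statements are not expanded, so a policy that denies `s3:Get*` instead of naming `s3:GetObject` is reported as a failure and needs manual review.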