Amazon FSx for NetApp ONTAP supports SnapLock Enterprise volumes.
Using SnapLock Enterprise
This section describes use cases and considerations for the Enterprise retention mode.
You might choose the Enterprise retention mode for the following use cases.
- You can use SnapLock Enterprise to authorize only specific users to delete files.
- You can use SnapLock Enterprise to advance your organization's data integrity and internal compliance.
- You can use SnapLock Enterprise to test retention settings before using SnapLock Compliance.
Here are some important items to consider about the Enterprise retention mode.
- You can use SnapMirror to replicate WORM files, but the source volume and destination volume must have the same retention mode (for example, both must be Enterprise).
- A SnapLock volume can't be converted from Enterprise to Compliance, or from Compliance to Enterprise.
- SnapLock Enterprise doesn't support Legal Hold.
Privileged delete
One of the key differences between SnapLock Enterprise and SnapLock Compliance is that a SnapLock administrator can turn on privileged delete on a SnapLock Enterprise volume to allow a file to be deleted before the file's retention period expires. The SnapLock administrator is the only user who can delete files from a SnapLock Enterprise volume that has active retention policies placed on it. For more information, see SnapLock administrator.
You can turn on or turn off privileged delete with the Amazon FSx console, the AWS CLI, the Amazon FSx API, and the ONTAP CLI and REST API. To turn on privileged delete, you must first create a SnapLock audit log volume in the same SVM as the SnapLock volume. For more information, see SnapLock audit log volumes.
To turn on privileged delete with the Amazon FSx API, use PrivilegedDelete in the CreateSnaplockConfiguration. In the Amazon FSx console, for Privileged Delete, choose Enabled.
Note
You can't issue a privileged delete command to delete a write once, read many (WORM) file that has an expired retention period. You can issue a normal delete operation after the retention period expires.
You can opt to turn off privileged delete permanently, but this action is irreversible. If privileged delete is permanently turned off, you don't need to have a SnapLock audit log volume associated with the SnapLock Enterprise volume.
To permanently turn off privileged delete with the Amazon FSx API, use PrivilegedDelete in the CreateSnaplockConfiguration. In the Amazon FSx console, for Privileged Delete, choose Permanently disabled.
Bypassing Enterprise mode
If you are using the Amazon FSx console or Amazon FSx API, you must have the IAM fsx:BypassSnapLockEnterpriseRetention permission to delete a SnapLock Enterprise volume that contains WORM files with active retention policies.
For more information, see Deleting SnapLock volumes.
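
The privileged delete setting and the bypass permission described above are the two controls that allow WORM data on an Enterprise volume to be removed early, so both are worth auditing. The following is an added example, not code from the Amazon FSx documentation: it reports the PrivilegedDelete state of each SnapLock Enterprise volume and finds IAM policy statements that allow fsx:BypassSnapLockEnterpriseRetention, including through wildcards. The sample volumes and policy are constructed, the function names are hypothetical, and the volume fields are assumed to follow the shape of an FSx DescribeVolumes response.

```python
import re

BYPASS_ACTION = "fsx:BypassSnapLockEnterpriseRetention"

# Constructed sample shaped like an FSx DescribeVolumes response (IDs are made up).
SAMPLE_VOLUMES = [
    {"VolumeId": "fsvol-EXAMPLE0001", "OntapConfiguration": {"SnaplockConfiguration": {
        "SnaplockType": "ENTERPRISE", "PrivilegedDelete": "ENABLED"}}},
    {"VolumeId": "fsvol-EXAMPLE0002", "OntapConfiguration": {"SnaplockConfiguration": {
        "SnaplockType": "ENTERPRISE", "PrivilegedDelete": "PERMANENTLY_DISABLED"}}},
    {"VolumeId": "fsvol-EXAMPLE0003", "OntapConfiguration": {}},  # not a SnapLock volume
]

# Constructed sample IAM policy: the second action pattern covers the bypass permission.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["fsx:Describe*", "fsx:bypass*"], "Resource": "*"},
]}


def enterprise_privileged_delete(volumes):
    """Map volume ID -> PrivilegedDelete state, for SnapLock Enterprise volumes only."""
    states = {}
    for vol in volumes:
        cfg = vol.get("OntapConfiguration", {}).get("SnaplockConfiguration") or {}
        if cfg.get("SnaplockType") == "ENTERPRISE":
            states[vol["VolumeId"]] = cfg.get("PrivilegedDelete")
    return states


def _as_list(value):
    # IAM allows Statement and Action to be a single item or a list.
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    """IAM action patterns are case-insensitive; * and ? are the only wildcards."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, action, re.IGNORECASE) is not None


def statements_granting_bypass(policy):
    """Return indexes of Allow statements whose Action covers the bypass permission."""
    hits = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if any(_matches(p, BYPASS_ACTION) for p in _as_list(stmt.get("Action", []))):
            hits.append(i)
    return hits
```

The policy check does not evaluate Deny statements, NotAction, or conditions, so a hit means the statement needs review, not that the permission is effective.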