There’s got to be a better way….
If you put Object Lock on a bucket and use retention hold periods on your data to protect from early/ransomeware deletion, then when it comes time to remove thate data – how do you know what the earliest date that you can delete that data?
$nt =0$endloop=0$iter = 0$max=1000$oo= "newkey"$od = "1970-01-01"$bucket = "mybucket"while ($ndloop -ne 1) { $now = (get-date).ToString('T') write-host "$nt (Iteration items done $iter $now)" $k = aws s3api list-objects --bucket $bucket--max-items $max --starting-token $nt | ConvertFrom-Json $nt= $k.NextToken write-host $nt #If $nt not defined we are at the end of the list. Exit loop if ($nt.Length -lt 5) { write-host $nt $endloop=1 } foreach ($key in $k.Contents) { #write-host $key.Key $r = aws s3api get-object-retention --bucket $bucket--key $key.Key | ConvertFrom-Json $d = $r.Retention.RetainUntilDate #write-host $d if ((get-date $d) -gt (get-date $od)) { # further out $od = $d $oo = $key.Key write-host "Longest ret hold $od $oo" } } $iter+=$max} |
The above script works. But it’s slow. It uses list-object to get all the objects in a bucket, and then for each of those calls get-object-retention to find the retention date and prints if later than what we’ve seen before.
Problem is I can only iterate about 1000 objects in 15 minutes. Not ideal when my bucket has a couple of million objects.
S3 Object Lock