There’s got to be a better way….
If you put Object Lock on a bucket and use retention hold periods on your data to protect it from early/ransomware deletion, then when it comes time to remove that data, how do you know the earliest date on which you can delete it?
    $nt = 0
    $endloop = 0
    $iter = 0
    $max = 1000
    $oo = "newkey"
    $od = "1970-01-01"
    $bucket = "mybucket"
    while ($endloop -ne 1) {
        $now = (Get-Date).ToString('T')
        Write-Host "$nt (Iteration items done $iter $now)"
        # Fetch one page of keys; $nt carries the CLI pagination token between calls
        $k = aws s3api list-objects --bucket $bucket --max-items $max --starting-token $nt | ConvertFrom-Json
        $nt = $k.NextToken
        Write-Host $nt
        # If $nt is not defined we are at the end of the list. Exit loop
        if ($nt.Length -lt 5) {
            Write-Host $nt
            $endloop = 1
        }
        foreach ($key in $k.Contents) {
            #Write-Host $key.Key
            # One API call per object to read its Object Lock retention
            $r = aws s3api get-object-retention --bucket $bucket --key $key.Key | ConvertFrom-Json
            $d = $r.Retention.RetainUntilDate
            #Write-Host $d
            if ((Get-Date $d) -gt (Get-Date $od)) {
                # further out
                $od = $d
                $oo = $key.Key
                Write-Host "Longest ret hold $od $oo"
            }
        }
        $iter += $max
    }
The above script works. But it’s slow. It uses list-objects to get all the objects in a bucket, then for each of those calls get-object-retention to find the retention date, and prints it if it is later than anything we’ve seen before.
Problem is, I can only iterate through about 1000 objects in 15 minutes. Not ideal when my bucket has a couple of million objects.
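The bottleneck in the script above is that every get-object-retention call runs one after another. The following is an added example (not the script from this post) that keeps the same approach, paging through the bucket and finding the latest RetainUntilDate, but fans the per-object retention lookups out in parallel. It assumes PowerShell 7 or later (for ForEach-Object -Parallel), AWS CLI v2 on the PATH, and credentials allowed to call s3:ListBucket and s3:GetObjectRetention. The bucket name and the throttle limit are placeholders to adjust.

```powershell
# Added example, not the post's original script.
# Scan a bucket for the latest Object Lock RetainUntilDate, running the
# per-object get-object-retention calls concurrently instead of serially.
param(
    [string]$Bucket = "mybucket",   # assumed bucket name; replace with your own
    [int]$ThrottleLimit = 32        # concurrent get-object-retention calls (assumed starting point)
)

$latest = [datetime]'1970-01-01'
$latestKey = $null
$checked = 0
$token = $null

do {
    # list-objects-v2 pages with a continuation token; avoid $args, which PowerShell reserves
    $cliArgs = @('s3api', 'list-objects-v2', '--bucket', $Bucket, '--max-keys', '1000')
    if ($token) { $cliArgs += @('--continuation-token', $token) }
    $page = aws @cliArgs | ConvertFrom-Json
    $token = $page.NextContinuationToken

    if (-not $page.Contents) { break }

    # Look up retention for every key on this page in parallel.
    # Objects with no retention make the CLI error out; that stderr is discarded
    # and the object simply contributes no date.
    $results = $page.Contents.Key | ForEach-Object -Parallel {
        $r = aws s3api get-object-retention --bucket $using:Bucket --key $_ 2>$null | ConvertFrom-Json
        if ($r.Retention.RetainUntilDate) {
            [pscustomobject]@{
                Key             = $_
                RetainUntilDate = [datetime]$r.Retention.RetainUntilDate
            }
        }
    } -ThrottleLimit $ThrottleLimit

    # Reduce the page's results into the running maximum
    foreach ($res in $results) {
        if ($res.RetainUntilDate -gt $latest) {
            $latest = $res.RetainUntilDate
            $latestKey = $res.Key
            Write-Host "Longest retention so far: $latest on $latestKey"
        }
    }

    $checked += $page.Contents.Count
    Write-Host "$checked objects checked $((Get-Date).ToString('T'))"
} while ($token)

"Earliest date the whole bucket can be deleted: $latest (held by $latestKey)"
```

Raising -ThrottleLimit trades wall-clock time for API request rate, so watch for throttling errors from S3 and back off if they appear. For a bucket with millions of objects, an S3 Inventory report configured with the ObjectLockRetainUntilDate optional field gives the same dates as a single downloadable listing without any per-object calls, which is usually the better option at that scale.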
S3 Object Lock