AWS Backup now offers a new Backup Vault Lock console experience that provides you a more intuitive way to configure your vault lock details. AWS Backup Vault Lock allows you to deploy and manage your vault’s immutability policies, protecting your backups from accidental or malicious deletions. Depending on your data retention needs, with AWS Backup Vault Lock, you can set governance mode or compliance mode to configure your vault’s immutability policies with greater flexibility and multiple levels of security. Under governance mode, users with the appropriate role-based permissions can test and change retention policies or even remove the lock completely. In compliance mode, the user can specify a lock date after which the vault is locked immutably. Once locked, the acceptable retention periods cannot be changed and the lock cannot be disabled even by the root user. With this feature, the console also provides you with visibility into into your vaults’ lock status and facilitates reporting across all locked vaults.
Source:: Amazon AWS