

# Plan your deployment
<a name="plan-your-deployment"></a>

 This section describes the Regions, [cost](cost.md), [security](security-1.md), [quota](quotas.md), and other considerations before deploying the Guidance. 

## Supported AWS Regions
<a name="supported-aws-regions"></a>

 This Guidance uses AWS services that are not currently available in all AWS Regions. For the most current availability of AWS services by Region, see the [AWS Regional Services List](https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/). 

**Note**  
This Guidance launches in the US East (Ohio) Region by default. To launch the Guidance in a different AWS Region, use the Region selector in the console navigation bar. See [Step 1: Launch the stack](step-1-launch-the-stack.md) for more information.


|  Region name  |  Region name  | 
| --- | --- | 
|  US East (N. Virginia)  |  Canada (Central)  | 
|  US East (Ohio)  | China (Beijing) | 
|  US West (N. California)  |  China (Ningxia)  | 
|  US West (Oregon)  | Europe (Frankfurt) | 
|  Africa (Cape Town) | Europe (Ireland) | 
| Asia Pacific (Hong Kong) | Europe (London) | 
| Asia Pacific (Mumbai) | Europe (Milan) | 
| Asia Pacific (Osaka) |  Europe (Paris) | 
| Asia Pacific (Seoul) | Europe (Stockholm) | 
| Asia Pacific (Singapore) | Middle East (Bahrain) | 
| Asia Pacific (Sydney) | South America (São Paulo) | 
|  Asia Pacific (Tokyo)  | AWS GovCloud (US-West)  | 

# Cost
<a name="cost"></a>

 You are responsible for the cost of the AWS services used while running this Guidance. As of this revision, the cost for running this Guidance with the default settings in the US East (Ohio) Region is approximately **\$153.57** for 100,000 Amazon Glacier vault archives (1 GB each) and **\$1,229.21** for 10,000,000 Amazon Glacier vault archives (10 MB each). These costs assume that the destination bucket is also in the US East (Ohio) Region. Refer to Sample cost tables for more details.

**Note**  
If the destination bucket is not in the same region as the Glacier vault, a "Data Transfer OUT From Amazon S3 Glacier" fee will be added. See [Data transfer pricing](https://aws.amazon.com/s3/glacier/pricing/#Data_transfer_pricing) for more information. This cost should be considered when planning your data storage and transfer strategies to avoid unexpected charges.

See the pricing webpage for each AWS service used in this Guidance. Estimated costs vary based on the number of archives processed and the total volume of data to copy from an Amazon Glacier vault. 

 We recommend creating a [budget](https://docs.aws.amazon.com/cost-management/latest/userguide/budgets-create.html) through AWS Cost Explorer to help manage costs. Prices are subject to change. For full details, see the pricing webpage for each [AWS service used in this Guidance](architecture-details.md#aws-services-in-this-guidance). 

## Cost table calculation
<a name="cost-table-calculation"></a>

The following table shows how the sample cost tables were calculated.


|  Guidance component  |  Type  |  [A] - Unit cost  |  [B] - Value  |  [C] - Estimated cost  | 
| --- | --- | --- | --- | --- | 
|  Additional services  |  Per 1,000 requests  |  \$0.01  |  `<# of S3 Glacier vault archives>`  |  *[A] × [B] / 1,000*  | 
|  Amazon S3 multipart upload create requests  |  Per 1,000 requests  |  \$0.005  |  `<# of S3 Glacier vault archives>`  |  *[A] × [B] / 1,000*  | 
|  Amazon S3 multipart upload complete requests  |  Per 1,000 requests  |  \$0.03  |  `<# of S3 Glacier vault archives>`  |  *[A] × [B] / 1,000*  | 
|  Guidance runtime (Lambda and Step Functions)  |  Per GB  |  \$0.00143  |  `<Size of S3 Glacier vault in GBs>`  |  *[A] × [B]*  | 
|  Guidance runtime (Lambda and Step Functions)  |  Per 1,000 requests  |  \$0.0447  |  `<# of S3 Glacier vault archives>`  |  *[A] × [B] / 1,000*  | 
|  DynamoDB writes/reads for transfer metadata  |  Per 1,000 requests  |  \$0.02  |  `<# of S3 Glacier vault archives>`  |  *[A] × [B] / 1,000*  | 
|  Data Transfer OUT from S3 Glacier  |  Per GB  |  \$0.02 *if destination bucket is in a different region than S3 Glacier vault.* \$0.00 *if destination bucket is in the same region as S3 Glacier vault.*  |  `<Size of S3 Glacier vault in GBs>`  |  *[A] × [B]*  | 

## Sample cost tables
<a name="sample-cost-tables"></a>

 The following tables provide two sample cost breakdowns for deploying this Guidance with the default parameters in the US East (Ohio) Region, with an Amazon Glacier vault size of 100 TB. These cost breakdowns assume that the destination bucket is also in the US East (Ohio) Region, the same Region as the S3 Glacier vault.

**Note**  
 Costs associated with storing data in the Amazon S3 service are nearly continuous and aren't included in these estimates. 

### Scenario 1: 100,000 Amazon Glacier vault archives
<a name="scenario-1-100000-s3-glacier-vault-archives"></a>


|  AWS service  |  Dimensions  |  Cost [USD]  | 
| --- | --- | --- | 
|  Step Functions  |   |  \$0.07  | 
|  Lambda  |   |  \$140.00  | 
|  DynamoDB  |   |  \$2.00  | 
|  Amazon S3  |  Transfer cost  |  \$5.00  | 
|   Additional services:  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/solutions/latest/data-transfer-from-amazon-s3-glacier-vaults-to-amazon-s3/cost.html)  |   |  \$6.50  | 
|   |  Total:  |  \$153.57 [USD]  | 

If the destination bucket is in a different region than US East (Ohio), an additional price of \$2048 (\$0.02 x size of S3 Glacier vault in GBs) should be added to the total.

### Scenario 2: 10,000,000 Amazon Glacier vault archives
<a name="scenario-2-10000000-s3-glacier-vault-archives"></a>


|  AWS service  |  Dimensions  |  Cost [USD]  | 
| --- | --- | --- | 
|  Step Functions  |   |  \$3.21  | 
|  Lambda  |   |  \$411.00  | 
|  DynamoDB  |   |  \$221.00  | 
|  Amazon S3  |  Transfer cost  |  \$465.00  | 
|   Additional services:  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/solutions/latest/data-transfer-from-amazon-s3-glacier-vaults-to-amazon-s3/cost.html)  |   |  \$129.00  | 
|   |  Total:  |  \$1,229.21 [USD]  | 

If the destination bucket is in a different region than US East (Ohio), an additional price of \$2048 (\$0.02 x size of S3 Glacier vault in GBs) should be added to the total.

## AWS CloudTrail cost
<a name="aws-cloudtrail-cost"></a>

You can use [AWS CloudTrail](https://aws.amazon.com/cloudtrail/) to log, continuously monitor, and retain account activity related to actions across your AWS infrastructure. When you create additional trails—for example, to capture data or insight on generated events—AWS CloudTrail charges apply. See [AWS CloudTrail pricing](https://aws.amazon.com/cloudtrail/pricing/) for more information.

## Potential cost savings
<a name="potential-cost-savings"></a>

 As of this revision, you can save \$0.00261 per GB per month by storing your archives in the Amazon S3 service with the S3 Glacier Deep Archive storage class applied. For example, if you have 100 TB stored in your Amazon Glacier vault, you can save \$261.00 per month by storing that data in the Amazon S3 service with the S3 Glacier Deep Archive storage class applied. 

 The cost to run the Guidance scales with the size of the Amazon Glacier vault and the number of archives. Cost savings only scale with the Amazon Glacier vault size. 

# Security
<a name="security-1"></a>

 When you build systems on AWS infrastructure, security responsibilities are shared between you and AWS. This [shared responsibility model](https://aws.amazon.com/compliance/shared-responsibility-model/) reduces your operational burden because AWS operates, manages, and controls the components including the host operating system, the virtualization layer, and the physical security of the facilities in which the services operate. For more information about AWS security, visit [AWS Cloud Security](https://aws.amazon.com/security/). 

## Amazon DynamoDB
<a name="amazon-dynamodb"></a>

 All user data stored in DynamoDB is encrypted at rest using encryption keys stored in [AWS Key Management Service](https://aws.amazon.com/kms/) (AWS KMS). We recommend enforcing [AWS managed keys](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-mgmt) because you have permission to [audit their use](https://docs.aws.amazon.com/kms/latest/developerguide/logging-using-cloudtrail.html) in AWS CloudTrail logs. Refer to [Managing encrypted tables in DynamoDB](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/encryption.tutorial.html) for more information. 

Consider enabling DynamoDB Data Plane Events for CloudTrail logging to gain insights into the data operations in DynamoDB tables, according to your use cases and your regulatory and compliance requirements. Refer to [Logging DynamoDB operations by using AWS CloudTrail](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/logging-using-cloudtrail.html) for more information. Additionally, consider implementing [AWS Config](https://aws.amazon.com/config/) to actively monitor DynamoDB configuration changes.

## CloudWatch Logs
<a name="cloudwatch-logs"></a>

 We recommend [changing the retention period](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/Working-with-log-groups-and-streams.html#SettingLogRetention) of your [CloudWatch Logs](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/WhatIsCloudWatchLogs.html) according to your use cases and your regulatory and compliance requirements. 
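The DynamoDB and CloudWatch Logs recommendations above can be checked against the responses of DescribeTable, GetEventSelectors, and DescribeLogGroups. The following is an added example, not code from this Guidance; the function names and the sample table, trail selector, and log group values are assumptions constructed for illustration.

```python
def key_use_is_auditable(table):
    """table: the "Table" object from DynamoDB DescribeTable."""
    sse = table.get("SSEDescription", {})
    # Under the default AWS owned key DescribeTable returns no SSEDescription;
    # only a KMS key in your account records its use in your CloudTrail logs.
    return sse.get("Status") == "ENABLED" and sse.get("SSEType") == "KMS"


def logs_dynamodb_data_events(selectors):
    """selectors: the CloudTrail GetEventSelectors response for one trail."""
    for sel in selectors.get("AdvancedEventSelectors") or []:
        fields = {f["Field"]: f.get("Equals", []) for f in sel["FieldSelectors"]}
        if ("Data" in fields.get("eventCategory", [])
                and "AWS::DynamoDB::Table" in fields.get("resources.type", [])):
            return True
    return any(r.get("Type") == "AWS::DynamoDB::Table"
               for sel in selectors.get("EventSelectors") or []
               for r in sel.get("DataResources", []))


def groups_without_retention(log_groups):
    """log_groups: the "logGroups" list from CloudWatch Logs DescribeLogGroups."""
    # A log group with no retentionInDays keeps its events indefinitely.
    return [g["logGroupName"] for g in log_groups if "retentionInDays" not in g]


def audit(table, selectors, log_groups):
    findings = []
    if not key_use_is_auditable(table):
        findings.append("DynamoDB table key use is not visible in CloudTrail")
    if not logs_dynamodb_data_events(selectors):
        findings.append("trail does not log DynamoDB data plane events")
    findings += [f"log group {n} never expires" for n in groups_without_retention(log_groups)]
    return findings


# Constructed sample responses (table, selector and log group names are made up).
SAMPLE_TABLE = {"TableName": "example-transfer-metadata"}  # default AWS owned key
SAMPLE_SELECTORS = {"AdvancedEventSelectors": [{"Name": "mgmt", "FieldSelectors": [
    {"Field": "eventCategory", "Equals": ["Management"]}]}]}
SAMPLE_LOG_GROUPS = [
    {"logGroupName": "/aws/lambda/example-chunk-retrieval"},
    {"logGroupName": "/aws/lambda/example-inventory", "retentionInDays": 365},
]

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_TABLE, SAMPLE_SELECTORS, SAMPLE_LOG_GROUPS)))
```
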

## IAM roles
<a name="iam-roles"></a>

 IAM roles allow you to assign granular access policies and permissions to services and users on the AWS Cloud. This Guidance creates IAM roles that grant the Guidance's resources permission to access the Amazon Glacier vault, write logs, and create EventBridge targets. 

# Quotas
<a name="quotas"></a>

 Service quotas, also referred to as limits, are the maximum number of service resources or operations for your AWS account. 

## Quotas for AWS services in this Guidance
<a name="quotas-for-aws-services-in-this-guidance"></a>

 Make sure you have a sufficient quota for each of the [services implemented in this Guidance](architecture-details.md#aws-services-in-this-guidance). For more information, see [AWS service quotas](https://docs.aws.amazon.com/general/latest/gr/aws_service_limits.html). 

 Use the following links to go to the page for that service. To view the service quotas for all AWS services in the documentation without switching pages, view the information in the [Service endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/aws-general.pdf#aws-service-information) page in the PDF instead. 

## AWS CloudFormation quotas
<a name="aws-cloudformation-quotas"></a>

 Your AWS account has AWS CloudFormation quotas that you should be aware of when [launching the stack](step-1-launch-the-stack.md) in this Guidance. By understanding these quotas, you can avoid limitation errors that would prevent you from deploying this Guidance successfully. For more information, see [AWS CloudFormation quotas](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cloudformation-limits.html) in the AWS CloudFormation User Guide. 

## Lambda concurrent execution quota
<a name="lambda-concurrent-execution-quota"></a>

 Your AWS account has a quota on the number of concurrent Lambda executions that can be running. For more information, see [Lambda quotas](https://docs.aws.amazon.com/lambda/latest/dg/gettingstarted-limits.html) in the *AWS Lambda Developer Guide.* This Guidance uses 230–250 concurrent Lambda executions when running at maximum capacity. 

## Amazon Glacier Initiate Job quota
<a name="amazon-s3-glacier-initiate-job-quota"></a>

This Guidance optimizes your transfer by requesting archives in order. Other random restore requests can impact throughput.

 The Amazon Glacier service maintains a service quota of [35 random restore requests](https://docs.aws.amazon.com/general/latest/gr/glacier-service.html) per PiB stored per day. If you continue to initiate your archive retrievals as the Guidance runs, Amazon Glacier responses might slow down. You might also see Amazon Glacier [ThrottlingExceptions](https://docs.aws.amazon.com/amazonglacier/latest/dev/api-error-responses.html) if you initiate archive retrievals external to the Guidance. 

## Amazon S3 file size limit
<a name="amazon-s3-file-size-limit"></a>

 The Amazon S3 service restricts file sizes to 5 TB. The Guidance won't transfer archives larger than 5 TB. The Guidance's CloudWatch dashboard indicates the number of archives that meet this condition. The Guidance stores inventory data for these archives in the Inventory S3 bucket under `$WORKFLOW_RUN/not_migrated/`. 

# Amazon S3 storage class considerations
<a name="amazon-s3-storage-class-considerations"></a>

 When you deploy this Guidance, you must choose a storage class to apply to all of your transferred data. Before you choose this storage class, consider the availability, durability, minimum storage duration, and cost of each storage class. After your data is stored in the Amazon S3 service, you can change the storage class for each object. Some storage classes have minimum durations, so it's important to plan accordingly. For more information, see [Comparing the Amazon S3 storage classes](https://docs.aws.amazon.com/AmazonS3/latest/userguide/storage-class-intro.html#sc-compare) in the *Amazon Simple Storage Service User Guide* and [Amazon S3 pricing](https://aws.amazon.com/s3/pricing/). 

# Amazon S3 Glacier resource considerations
<a name="amazon-s3-glacier-resource-considerations"></a>

 This Guidance uses the entirety of your Amazon S3 Glacier service resources. You won’t be able to use your Amazon S3 Glacier archive while the Guidance is running. 

# Amazon Glacier Vault Lock policy considerations
<a name="amazon-s3-glacier-vault-lock-policy-considerations"></a>

 This Guidance doesn't delete the original archives or the source Amazon Glacier vault. You must manually delete the archives and vault. For more information, refer to [Deleting an Archive in Amazon Glacier](https://docs.aws.amazon.com/amazonglacier/latest/dev/deleting-an-archive.html) in the *Amazon Glacier Developer Guide*. 

 If your source Amazon Glacier vault has a [Vault Lock policy](https://docs.aws.amazon.com/amazonglacier/latest/dev/vault-lock-policy.html) that prevents deletion, you must delete this policy before deleting the original archives. However, if your Vault Lock policy is in the `Locked` state, you can't delete it. See [Amazon Glacier Vault Lock](https://docs.aws.amazon.com/amazonglacier/latest/dev/vault-lock.html) and [Abort Vault Lock (DELETE lock-policy)](https://docs.aws.amazon.com/amazonglacier/latest/dev/api-AbortVaultLock.html) in the Amazon Glacier Developer Guide for more information. 
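Whether a Vault Lock policy stands in the way of cleanup depends on its `State` and on whether it denies `glacier:DeleteArchive`. The following added example (not part of this Guidance) works that out from a GetVaultLock response; the function names and the sample policy, account ID, and vault name are constructed assumptions, and a `None` input stands for a vault with no lock policy.

```python
import json
from fnmatch import fnmatchcase


def delete_denies(policy_json):
    """Deny statements in a Vault Lock policy that match glacier:DeleteArchive.
    NotAction and Principal are not evaluated here."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may be a bare object
        statements = [statements]
    hits = []
    for st in statements:
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        # IAM action names are case-insensitive and may contain wildcards.
        if st.get("Effect") == "Deny" and any(
                fnmatchcase("glacier:deletearchive", a.lower()) for a in actions):
            hits.append(st)
    return hits


def cleanup_plan(vault_lock):
    """vault_lock: a GetVaultLock response, or None if the vault has no lock policy."""
    denies = delete_denies(vault_lock["Policy"]) if vault_lock else []
    if not denies:
        return "delete archives"
    if vault_lock["State"] == "InProgress":
        return "abort vault lock, then delete archives"
    # State is "Locked": the policy can no longer be removed.
    if all("Condition" in st for st in denies):
        return "locked: delete only archives the Deny conditions no longer match"
    return "locked: archives cannot be deleted"


# Constructed sample GetVaultLock response (account ID and vault name are made up).
SAMPLE_LOCK = {
    "State": "Locked",
    "Policy": json.dumps({"Version": "2012-10-17", "Statement": [{
        "Sid": "deny-delete-under-one-year", "Effect": "Deny", "Principal": "*",
        "Action": "glacier:DeleteArchive",
        "Resource": "arn:aws:glacier:us-east-2:111122223333:vaults/example-vault",
        "Condition": {"NumericLessThan": {"glacier:ArchiveAgeInDays": "365"}}}]}),
}

if __name__ == "__main__":
    print(cleanup_plan(SAMPLE_LOCK))
    print(cleanup_plan(dict(SAMPLE_LOCK, State="InProgress")))
```
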