← All posts
2 min read

Set default S3 Object Lock retention

#aws#cli#s3#storage#security#compliance
📑 On this page

Part 76 of AWS from Zero. This lesson keeps the scope to one S3 behavior you can verify from the terminal.

What we are learning

A default retention rule applies a retention period to new versions written without an explicit retention setting.

Before you run it

LOCK_BUCKET="replace-with-object-lock-enabled-bucket"

Use only a disposable Object Lock bucket. Governance mode still requires special permission to bypass retention.

The command

aws s3api put-object-lock-configuration \
  --bucket "$LOCK_BUCKET" \
  --object-lock-configuration \
  'ObjectLockEnabled=Enabled,Rule={DefaultRetention={Mode=GOVERNANCE,Days=1}}'

A successful configuration command may return no output. Treat inspection as a separate required step.

Inspect the result

aws s3api get-object-lock-configuration \
  --bucket "$LOCK_BUCKET" \
  --query "ObjectLockConfiguration.Rule.DefaultRetention"

Read the returned fields rather than assuming the write succeeded exactly as intended.

One tiny variation

echo "retained" > retained.txt
aws s3api put-object \
  --bucket "$LOCK_BUCKET" \
  --key retained.txt \
  --body retained.txt \
  --checksum-algorithm SHA256

The new version receives the bucket's default retention when no explicit retention is supplied.

Common mistake

Do not experiment with Compliance mode casually. Protected versions can become intentionally impossible to delete before retention expires, even for powerful administrators.

Cleanup

aws s3api head-object \
  --bucket "$LOCK_BUCKET" \
  --key retained.txt \
  --query "{Mode:ObjectLockMode,Until:ObjectLockRetainUntilDate}"
rm retained.txt

Inspect the retention date. Delete the version only when its mode and permissions allow it.

Next, we will learn Apply an S3 Object Lock legal hold.

Official AWS CLI reference