Set default S3 Object Lock retention
📑 On this page
Part 76 of AWS from Zero. This lesson keeps the scope to one S3 behavior you can verify from the terminal.
What we are learning
A default retention rule applies a retention period to new versions written without an explicit retention setting.
Before you run it
LOCK_BUCKET="replace-with-object-lock-enabled-bucket"Use only a disposable Object Lock bucket. Governance mode still requires special permission to bypass retention.
The command
aws s3api put-object-lock-configuration \
--bucket "$LOCK_BUCKET" \
--object-lock-configuration \
'ObjectLockEnabled=Enabled,Rule={DefaultRetention={Mode=GOVERNANCE,Days=1}}'A successful configuration command may return no output. Treat inspection as a separate required step.
Inspect the result
aws s3api get-object-lock-configuration \
--bucket "$LOCK_BUCKET" \
--query "ObjectLockConfiguration.Rule.DefaultRetention"Read the returned fields rather than assuming the write succeeded exactly as intended.
One tiny variation
echo "retained" > retained.txt
aws s3api put-object \
--bucket "$LOCK_BUCKET" \
--key retained.txt \
--body retained.txt \
--checksum-algorithm SHA256The new version receives the bucket's default retention when no explicit retention is supplied.
Common mistake
Do not experiment with Compliance mode casually. Protected versions can become intentionally impossible to delete before retention expires, even for powerful administrators.
Cleanup
aws s3api head-object \
--bucket "$LOCK_BUCKET" \
--key retained.txt \
--query "{Mode:ObjectLockMode,Until:ObjectLockRetainUntilDate}"
rm retained.txtInspect the retention date. Delete the version only when its mode and permissions allow it.
Next, we will learn Apply an S3 Object Lock legal hold.