How do I turn on Object Lock for an existing Amazon S3 bucket?

2 minute read

I want to turn on Object Lock for an existing Amazon Simple Storage Service (Amazon S3) bucket.


Note: If you receive errors when running AWS CLI commands, make sure that you're using the most recent version of the AWS CLI.

You need an Object Lock token value to turn on Object Lock for an existing S3 bucket. To get this value, contact AWS Support.

Note that you can request for an Object Lock token value to be generated only for version-enabled buckets.

After you get the token from AWS Support, run the following AWS Command Line Interface (AWS CLI) command. You can use the latest version of AWS CLI on a local machine or AWS CloudShell to run this command:

aws s3api put-object-lock-configuration --bucket bucketname --token token-value --object-lock-configuration "ObjectLockEnabled=Enabled,Rule={DefaultRetention={Mode=string,Days=integer,Years=integer}}"

For more information, see put-object-lock-configuration.

Be sure to do the following:

  • Replace bucketname with the name of the bucket.
  • Replace token-value with the Object Lock token value.

You can set Mode to GOVERNANCE or COMPLIANCE and specify the duration in either Days or Years. Don't use both Days and Years in the command. Otherwise, you get the Malformed XML error.

This command produces no output.

To verify if Object Lock is turned on for your S3 bucket, view the default object lock settings using the Amazon S3 console.

You can also use the GetObjectLockConfiguration API.

aws s3api get-object-lock-configuration --bucket bucketname

Also, see Viewing the lock information for an object.

Important: After you configure the S3 Object Lock successfully, you can't turn it off. Also, you can't suspend versioning on the bucket.

Related information

Using S3 Object Lock

AWS OFFICIALUpdated 10 months ago