How do I remove an AWS Backup Vault Lock?


I want to delete an AWS Backup Vault Lock for my backup vault.

Resolution

When you create a vault lock, you have a choice of two modes: governance or compliance mode. For more information on modes, see Vault lock modes.

A vault lock in compliance mode has a grace time period. To delete a vault lock in compliance mode, you must delete the lock before the grace time expires. After the grace time expires, the vault and its lock are immutable. No user or service can change them. If you try to delete the vault lock after the grace time period, you receive an InvalidRequestException error.

To delete a vault lock in governance mode, you must have the appropriate AWS Identity and Access Management (IAM) permissions. The required IAM permission to delete a vault lock is backup:DeleteBackupVaultLockConfiguration.

Delete a vault lock using the AWS Backup console

To delete a vault lock with governance mode or compliance mode (during grace time), complete the following steps:

  1. Open the AWS Backup console.
  2. In the navigation pane, under My account, choose Backup vaults. Then, choose Backup Vault Lock.
  3. Choose the vault lock you want to remove. Then, choose Manage vault lock.
  4. Choose Delete vault lock. A confirmation window appears.
  5. Enter confirm in the text box and then choose confirm.

If the steps have been completed successfully, then a Success banner appears at the top of the console.

Delete a vault lock programmatically

To delete your vault lock during grace time using an AWS Command Line Interface (AWS CLI) command, use DeleteBackupVaultLockConfiguration.

The following is an example of the DeleteBackupVaultLockConfiguration command:

Note: If you receive errors when running AWS CLI commands, make sure that you're using the most recent version of the AWS CLI.

aws backup delete-backup-vault-lock-configuration --backup-vault-name my_vault_to_lock

Important: Deleting the vault lock doesn't delete the backup vault or recovery point. You can delete the vault or recovery point after the lock is removed.
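
A pre-check to run before the delete command above, as an added example that is not part of the original article. It assumes the Locked and LockDate fields returned by aws backup describe-backup-vault (not mentioned in this article), where a lock without a LockDate is governance mode; the function names are hypothetical, and GNU date is assumed for parsing ISO 8601 timestamps.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the article.

# classify_lock LOCKED LOCK_DATE NOW
#   LOCKED     "True"/"False" as printed by --output text
#   LOCK_DATE  epoch seconds when the grace time ends, or "None" if unset
#   NOW        current time in epoch seconds
classify_lock() {
  locked=$1; lock_date=$2; now=$3
  case "$locked" in
    True|true) ;;
    *) echo "no-lock"; return 0 ;;
  esac
  case "$lock_date" in
    None|null|"") echo "governance"; return 0 ;;  # no LockDate: removable with IAM permission
  esac
  lock_epoch=${lock_date%.*}                      # drop fractional seconds
  if [ "$now" -lt "$lock_epoch" ]; then
    echo "compliance-grace"                       # still inside the grace time
  else
    echo "compliance-immutable"                   # delete returns InvalidRequestException
  fi
}

# check_vault VAULT_NAME: prints the state, returns 0 only if the lock is removable.
check_vault() {
  out=$(aws backup describe-backup-vault --backup-vault-name "$1" \
        --query '[Locked, LockDate]' --output text) || return 1
  set -- $out
  locked=$1; lock_date=${2:-None}
  case "$lock_date" in
    None) ;;
    *[!0-9.]*) lock_date=$(date -d "$lock_date" +%s) || return 1 ;;  # ISO 8601; GNU date assumed
  esac
  state=$(classify_lock "$locked" "$lock_date" "$(date +%s)")
  echo "$state"
  case "$state" in
    governance|compliance-grace) return 0 ;;
    *) return 1 ;;
  esac
}

# Usage:
#   check_vault my_vault_to_lock && \
#     aws backup delete-backup-vault-lock-configuration --backup-vault-name my_vault_to_lock
```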

Related information

Enhance the security posture of your backups with AWS Backup Vault Lock

Vault lock removal during grace time (Compliance mode)

AWS OFFICIAL
Updated a year ago