How do I remove an AWS Backup Vault Lock?

2 minute read

I want to delete an AWS Backup Vault Lock for my backup vault.


When you create a vault lock, you have a choice of two modes: governance or compliance mode. For more information on modes, see Vault lock modes.

A vault lock with compliance mode has a grace time period. To delete a vault lock with compliance mode, you must delete the lock before the grace time expires. After the grace time is expired, the vault and its lock are immutable. No user or service can change it. If you try to delete the vault lock after the grace time period, you receive an InvalidRequestException error.

To delete a vault lock with governance mode, you must have the appropriate AWS Identity and Access Management (IAM) permissions. The required IAM permission to delete a backup vault is backup:DeleteBackupVaultLockConfiguration.

Delete a vault lock using the AWS Backup console

To delete a vault lock with governance mode or compliance mode (during grace time), complete the following steps:

  1. Open the AWS Backup console.
  2. In the navigation pane, under My account, choose Backup vaults. Then, choose Backup Vault Lock.
  3. Choose the vault lock you want to remove. Then, choose Manage vault lock.
  4. Choose Delete vault lock. A confirmation window appears.
  5. Enter confirm in the text box and then choose confirm.

If the steps have been completed successfully, then a Success banner appears at the top of the console.

Delete a vault lock programmatically

To delete your vault lock during grace time using an AWS Command Line Interface (AWS CLI) command, use DeleteBackupVaultLockConfiguration.

The following is an example of the DeleteBackupVaultLockConfiguration command:

Note: If you receive errors when running AWS CLI commands, make sure that you're using the most recent version of the AWS CLI.

aws backup delete-backup-vault-lock-configuration \--backup-vault-name my_vault_to_lock

Important: Deleting the vault lock doesn't delete the backup vault or recovery point. You can delete the vault or recovery point after the lock is removed.

Related information

Enhance the security posture of your backups with AWS Backup Vault Lock

Vault lock removal during grace time (Compliance mode)

AWS OFFICIALUpdated a year ago