Lock a Recycle Bin retention rule to prevent it from being updated or deleted
Recycle Bin lets you lock Region-level retention rules at any time.
A locked retention rule can't be modified or deleted, even by users who have the required IAM permissions. Lock your retention rules to help protect them against accidental or malicious modifications and deletions.
When you lock a retention rule, you must specify an unlock delay period. This is the period of time that you must wait after unlocking the retention rule before you can modify or delete it. You can't modify or delete the retention rule during the unlock delay period; you can do so only after the period has expired.
You can't change the unlock delay period after the retention rule has been locked. If your account permissions have been compromised, the unlock delay period gives you additional time to detect and respond to security threats. The length of this period should be longer than the time it takes for you to identify and respond to security breaches. To set the right duration, you can review previous security incidents and the time needed to identify and remediate an account breach.
We recommend that you use Amazon EventBridge rules to notify you of retention rule lock state changes. For more information, see Monitor Recycle Bin using Amazon EventBridge.
Considerations
- You can't lock tag-level retention rules, or Region-level retention rules that have exclusion tags.
- You can lock an unlocked retention rule at any time.
- The unlock delay period must be 7 to 30 days.
- You can re-lock a retention rule during the unlock delay period. Re-locking the retention rule resets the unlock delay period.
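As an added example (not code from this documentation or from the Recycle Bin service), the lock lifecycle described above modelled in Python: the 7 to 30 day bound, the Region-level-only restriction, the unlock delay that is fixed once locked, and re-locking during the delay. The `lock_configuration` payload follows the shape of the LockRule API's LockConfiguration parameter; the `RetentionRule` class and its state names are a simplified, constructed model rather than the service's own objects.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

MIN_DELAY_DAYS, MAX_DELAY_DAYS = 7, 30  # bounds stated under Considerations

def lock_configuration(unlock_delay_days: int) -> dict:
    """Build the LockConfiguration payload for LockRule, enforcing the 7-30 day bound."""
    if not MIN_DELAY_DAYS <= unlock_delay_days <= MAX_DELAY_DAYS:
        raise ValueError(f"unlock delay must be {MIN_DELAY_DAYS}-{MAX_DELAY_DAYS} days")
    return {"UnlockDelay": {"UnlockDelayValue": unlock_delay_days, "UnlockDelayUnit": "DAYS"}}

@dataclass
class RetentionRule:  # constructed toy model of a rule's lock state, not a service object
    identifier: str
    resource_tags: list = field(default_factory=list)          # non-empty => tag-level rule
    exclude_resource_tags: list = field(default_factory=list)  # exclusion tags block locking
    lock_state: str = "unlocked"                               # unlocked | locked | pending_unlock
    unlock_delay_days: Optional[int] = None
    lock_end_time: Optional[datetime] = None                   # when a pending unlock completes

    def lock(self, unlock_delay_days: int) -> dict:
        """Lock an unlocked rule; the delay is fixed for the lifetime of the lock."""
        if self.resource_tags or self.exclude_resource_tags:
            raise ValueError("tag-level rules and rules with exclusion tags cannot be locked")
        if self.lock_state != "unlocked":
            raise ValueError("already locked; use relock() during the unlock delay")
        config = lock_configuration(unlock_delay_days)
        self.lock_state, self.unlock_delay_days = "locked", unlock_delay_days
        return config

    def unlock(self, now: datetime) -> datetime:
        """Start the unlock delay; the rule stays protected until lock_end_time."""
        if self.lock_state != "locked":
            raise ValueError("only a locked rule can be unlocked")
        self.lock_state = "pending_unlock"
        self.lock_end_time = now + timedelta(days=self.unlock_delay_days)
        return self.lock_end_time

    def relock(self) -> None:
        """Re-lock during the delay (e.g. after an unexpected unlock); cancels the pending unlock."""
        if self.lock_state != "pending_unlock":
            raise ValueError("relock applies only during the unlock delay period")
        self.lock_state, self.lock_end_time = "locked", None

    def can_modify(self, now: datetime) -> bool:
        """Modify/delete is allowed only when unlocked or once the delay has expired."""
        if self.lock_state == "unlocked":
            return True
        return self.lock_state == "pending_unlock" and now >= self.lock_end_time
```

An unexpected transition to pending_unlock is the event worth alerting on via EventBridge; the delay is the window in which `relock()` (LockRule on the real service) still prevents the change.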
You can lock a Region-level retention rule using one of the following methods.