Skip to content
Latchkey

aws s3 rm: Delete Objects and Prefixes in S3

aws s3 rm deletes objects from S3, either a single key or an entire prefix with --recursive.

Cleanup steps use s3 rm to purge old artifacts or a temporary prefix. --recursive plus a filter deletes many keys at once, so a --dryrun first is worth the second it costs.

What it does

aws s3 rm deletes the object at an s3:// URL. With --recursive it deletes every object under a prefix. --exclude and --include narrow which keys are removed. It does not touch local files.

Common usage

Terminal
aws s3 rm s3://my-bucket/artifacts/old.tar.gz
aws s3 rm s3://my-bucket/tmp/ --recursive
# delete everything except the newest layout
aws s3 rm s3://my-bucket/cache/ --recursive --exclude "current/*"

Options

FlagWhat it does
--recursiveDelete all objects under the prefix
--exclude / --include <pattern>Filter which keys are deleted
--dryrunShow what would be deleted without deleting
--only-show-errorsSuppress per-object output in logs

In CI

Always run --dryrun first for a --recursive delete; the command has no undo unless the bucket has versioning. Scope the IAM role to s3:DeleteObject on the specific prefix so a bad path cannot wipe the whole bucket. For scheduled cleanup, S3 lifecycle rules are safer than a recurring rm.

Common errors in CI

"(AccessDenied) when calling the DeleteObject operation" means the role lacks s3:DeleteObject on that prefix. "(NoSuchBucket)" is a wrong bucket. A rm that reports success but leaves objects usually hit a versioned bucket, where delete only adds a delete marker; use --recursive on s3api delete-objects with version IDs to hard-delete. "(SignatureDoesNotMatch)" is a wrong secret or clock skew.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →