aws s3 rm: Delete Objects and Prefixes in S3
aws s3 rm deletes objects from S3, either a single key or an entire prefix with --recursive.
Cleanup steps use s3 rm to purge old artifacts or a temporary prefix. --recursive plus a filter deletes many keys at once, so a --dryrun first is worth the second it costs.
What it does
aws s3 rm deletes the object at an s3:// URL. With --recursive it deletes every object under a prefix. --exclude and --include narrow which keys are removed. It does not touch local files.
Common usage
aws s3 rm s3://my-bucket/artifacts/old.tar.gz
aws s3 rm s3://my-bucket/tmp/ --recursive
# delete everything except the newest layout
aws s3 rm s3://my-bucket/cache/ --recursive --exclude "current/*"Options
| Flag | What it does |
|---|---|
| --recursive | Delete all objects under the prefix |
| --exclude / --include <pattern> | Filter which keys are deleted |
| --dryrun | Show what would be deleted without deleting |
| --only-show-errors | Suppress per-object output in logs |
In CI
Always run --dryrun first for a --recursive delete; the command has no undo unless the bucket has versioning. Scope the IAM role to s3:DeleteObject on the specific prefix so a bad path cannot wipe the whole bucket. For scheduled cleanup, S3 lifecycle rules are safer than a recurring rm.
Common errors in CI
"(AccessDenied) when calling the DeleteObject operation" means the role lacks s3:DeleteObject on that prefix. "(NoSuchBucket)" is a wrong bucket. A rm that reports success but leaves objects usually hit a versioned bucket, where delete only adds a delete marker; use --recursive on s3api delete-objects with version IDs to hard-delete. "(SignatureDoesNotMatch)" is a wrong secret or clock skew.