diff --git a/cmd/object-handlers.go b/cmd/object-handlers.go
index 3c563b8cc..9bd929cfc 100644
--- a/cmd/object-handlers.go
+++ b/cmd/object-handlers.go
@@ -2884,6 +2884,12 @@ func (api objectAPIHandlers) PutObjectRetentionHandler(w http.ResponseWriter, r
 		return
 	}
 
+	// Check permissions to perform this object retention operation
+	if s3Err := checkRequestAuthType(ctx, r, policy.PutObjectRetentionAction, bucket, object); s3Err != ErrNone {
+		writeErrorResponse(ctx, w, errorCodes.ToAPIErr(s3Err), r.URL)
+		return
+	}
+
 	cred, owner, s3Err := validateSignature(getRequestAuthType(r), r)
 	if s3Err != ErrNone {
 		writeErrorResponse(ctx, w, errorCodes.ToAPIErr(s3Err), r.URL)