Ensure that your AWS S3 buckets utilize lifecycle configurations to manage S3 objects during their lifetime. An S3 lifecycle configuration is a set of one or more rules, where each rule defines an action (transition or expiration action) for Amazon S3 to apply to a group of objects.
This rule can help you with the following compliance standards:
- APRA
- MAS
- NIST 800-53 (Rev. 4)
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
Using an S3 lifecycle configuration, you can have Amazon S3 transition objects to a cheaper storage class, archive them, or delete them at defined points in their lifetime. For example, you can define rules that satisfy legal, organisational or business retention requirements by transitioning objects to Infrequent Access (the STANDARD_IA storage class) 30 days after creation, or by archiving them to Amazon S3 Glacier (the GLACIER storage class, now named S3 Glacier Flexible Retrieval) one year after creation. You can also add rules that expire (delete) objects once your retention period has passed, or that abort incomplete multipart uploads whose parts would otherwise keep accruing storage charges, both of which reduce your S3 costs.
Audit
To determine if your Amazon S3 buckets use lifecycle configuration rules, perform the following:
Remediation / Resolution
To enable lifecycle configuration for your existing AWS S3 buckets by creating lifecycle rules, perform the following actions:
As an example, this conformity rule shows how to use an S3 lifecycle configuration to tier down the storage class of objects (in this case log files) over their lifetime, reducing storage costs while retaining the data for as long as compliance requires. The example rule defines the following actions:
1. Transition objects to the STANDARD_IA storage class 30 days after creation.
2. Transition objects to the GLACIER storage class 60 days after creation.
3. Expire (delete) the objects 365 days after creation.
Two constraints to keep in mind when choosing the day counts: S3 requires objects to spend at least 30 days in the STANDARD class before a transition to STANDARD_IA, and STANDARD_IA and GLACIER each bill a minimum storage duration (30 and 90 days respectively), so transitions scheduled too close together, or an expiration that falls inside a minimum duration, can cost more than leaving the objects where they are.
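The following Python script is an added example, not part of this page or of Cloud Conformity's tooling, and it covers both the audit check above and the remediation rule just described. It works on the JSON that the AWS CLI prints and accepts, so it runs offline: the audit half consumes the output of `aws s3api get-bucket-lifecycle-configuration` for each bucket returned by `aws s3api list-buckets` (a `NoSuchLifecycleConfiguration` error means the bucket has no configuration at all), and the remediation half produces the document you would pass to `aws s3api put-bucket-lifecycle-configuration --lifecycle-configuration file://lifecycle.json`. Before emitting that document it checks the constraints S3 enforces on a rule: at least 30 days before a transition to an IA class, transitions in increasing waterfall order on increasing days, and expiration later than the last transition. The bucket names, the sample CLI results, the rule ID `tier-down-and-expire-logs` and the `logs/` prefix are constructed for illustration.

```python
"""Audit and remediation helpers for S3 bucket lifecycle configuration.

Added example, not Cloud Conformity's code. It operates on the JSON the AWS
CLI prints or accepts, so nothing here talks to AWS directly:
  aws s3api list-buckets
  aws s3api get-bucket-lifecycle-configuration --bucket NAME
  aws s3api put-bucket-lifecycle-configuration --bucket NAME \
      --lifecycle-configuration file://lifecycle.json
Bucket names, the sample CLI results, the rule ID and the "logs/" prefix are
constructed for illustration.
"""
import json

# Waterfall order S3 enforces for Transition actions: an object only moves down
# this list, and each later transition must be scheduled on a later day.
STORAGE_CLASS_ORDER = ["STANDARD_IA", "ONEZONE_IA", "GLACIER_IR", "GLACIER", "DEEP_ARCHIVE"]
MIN_DAYS_BEFORE_IA = 30  # S3 rejects transitions to an IA class earlier than this


def bucket_has_lifecycle(cli_output):
    """Audit check for one bucket.

    cli_output is the parsed JSON from get-bucket-lifecycle-configuration, or
    None when that call failed with NoSuchLifecycleConfiguration. The bucket
    passes only if an Enabled rule carries a transition or expiration action;
    a Disabled rule is stored by S3 but never applied.
    """
    if not cli_output:
        return False
    return any(
        rule.get("Status") == "Enabled" and (rule.get("Transitions") or rule.get("Expiration"))
        for rule in cli_output.get("Rules", [])
    )


def audit(cli_results):
    """cli_results maps bucket name -> parsed CLI output (or None).
    Returns the sorted names of buckets that fail the conformity check."""
    return sorted(name for name, cfg in cli_results.items() if not bucket_has_lifecycle(cfg))


def rule_problems(rule):
    """Return the reasons S3 would reject this rule, or never apply it.
    An empty list means the rule is fine."""
    problems = []
    if rule.get("Status") != "Enabled":
        problems.append("Status is not Enabled, so the rule is stored but never applied")
    last_rank, last_days = -1, 0
    for t in rule.get("Transitions", []):
        cls, days = t["StorageClass"], t["Days"]
        if cls not in STORAGE_CLASS_ORDER:
            problems.append(f"unsupported transition storage class {cls}")
            continue
        if cls in ("STANDARD_IA", "ONEZONE_IA") and days < MIN_DAYS_BEFORE_IA:
            problems.append(f"{cls} at {days} days is below the {MIN_DAYS_BEFORE_IA}-day minimum")
        rank = STORAGE_CLASS_ORDER.index(cls)
        if rank <= last_rank or days <= last_days:
            problems.append(f"transition to {cls} at {days} days must step down the waterfall "
                            f"later than the previous transition")
        last_rank, last_days = rank, days
    exp_days = rule.get("Expiration", {}).get("Days")
    if exp_days is not None and exp_days <= last_days:
        problems.append(f"Expiration at {exp_days} days must be later than the last transition ({last_days})")
    return problems


def build_lifecycle_configuration(prefix="logs/"):
    """The remediation rule from this page: STANDARD_IA at 30 days, GLACIER at
    60 days, delete after a year, plus cleanup of abandoned multipart uploads."""
    rule = {
        "ID": "tier-down-and-expire-logs",  # assumed rule name
        "Status": "Enabled",
        "Filter": {"Prefix": prefix},       # a Filter is required; {"Prefix": ""} matches every object
        "Transitions": [
            {"Days": 30, "StorageClass": "STANDARD_IA"},
            {"Days": 60, "StorageClass": "GLACIER"},
        ],
        "Expiration": {"Days": 365},
        "AbortIncompleteMultipartUpload": {"DaysAfterInitiation": 7},
    }
    problems = rule_problems(rule)
    if problems:
        raise ValueError("; ".join(problems))
    return {"Rules": [rule]}


# Constructed sample of what the audit loop collects across an account:
# one get-bucket-lifecycle-configuration result per bucket from list-buckets.
SAMPLE_CLI_RESULTS = {
    "app-logs-prod": {"Rules": [{"ID": "expire-90d", "Status": "Enabled",
                                 "Filter": {"Prefix": ""}, "Expiration": {"Days": 90}}]},
    "app-logs-staging": {"Rules": [{"ID": "expire-90d", "Status": "Disabled",
                                    "Filter": {"Prefix": ""}, "Expiration": {"Days": 90}}]},
    "raw-uploads": None,  # CLI returned NoSuchLifecycleConfiguration
}

if __name__ == "__main__":
    print("buckets failing the check:", audit(SAMPLE_CLI_RESULTS))
    # Save this output as lifecycle.json and pass it with --lifecycle-configuration.
    print(json.dumps(build_lifecycle_configuration(), indent=2))
```

Note that the staging bucket fails the check even though it has a rule, because the rule is Disabled; auditing for the mere presence of a configuration would miss that. Also remember that put-bucket-lifecycle-configuration replaces the bucket's entire configuration, so merge any existing rules into the document before applying it.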
References
- AWS Documentation
  - Amazon Simple Storage Service (S3) FAQs
  - Manage an Object's Lifecycle Using the Amazon S3 Console
  - Setting Lifecycle Configuration On a Bucket
  - Object Lifecycle Management
  - Examples of Lifecycle Configuration
  - Set Lifecycle Configuration Using the AWS CLI
- AWS Command Line Interface (CLI) Documentation
  - s3api
  - list-buckets
  - get-bucket-lifecycle-configuration
  - put-bucket-lifecycle-configuration
S3 Buckets Lifecycle Configuration
Risk level: Low