S3 Buckets Lifecycle Configuration

Risk level: Low (generally tolerable level of risk)

Rule ID: S3-020

Ensure that your AWS S3 buckets utilize lifecycle configurations to manage S3 objects during their lifetime. An S3 lifecycle configuration is a set of one or more rules, where each rule defines an action (transition or expiration action) for Amazon S3 to apply to a group of objects.

This rule can help you with the following compliance standards:

This rule can help you work with the AWS Well-Architected Framework

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Security

Cost
optimisation

Using AWS S3 lifecycle configuration, you can enable Amazon S3 to downgrade the storage class for your objects, archive or delete S3 objects during their lifecycle. For example, you can define S3 lifecycle configuration rules to achieve compliance (with the law, with your organization standards or business requirements) by automatically transitioning your S3 objects to Infrequent Access (IA) using STANDARD_IA storage class one month after creation or archive S3 objects with AWS Glacier using GLACIER storage class one year after creation. You can also implement lifecycle configuration rules to expire (delete) objects based on your retention requirements or clean up incomplete multipart uploads in order to optimize your AWS S3 costs.

Audit

To determine if your Amazon S3 buckets use lifecycle configuration rules, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to S3 dashboard at https://console.aws.amazon.com/s3/.

03 Click on the name (link) of the S3 bucket that you want to examine to access the bucket configuration.

04 Select the Management tab from the S3 dashboard top menu, select Lifecycle and search for existing lifecycle configuration rules. If there are no rules defined on the Lifecycle page, instead a Get started panel is displayed: Get Started Display , the lifecycle configuration for the selected Amazon S3 bucket is not enabled.

05 Repeat step no. 3 and 4 to check lifecycle configuration for other S3 buckets available in your AWS account.

Using AWS CLI

01 Run list-buckets command (OSX/Linux/UNIX) using custom query filters to list all existing S3 buckets available in your AWS account:

aws s3api list-buckets
	--query 'Buckets[*].Name'

02 The command output should return the names of your S3 buckets:

[
    "cloud-conformity-logs",
    "cloud-conformity-media"
]

03 Run get-bucket-lifecycle-configuration command (OSX/Linux/UNIX) using the name of the S3 bucket returned at the previous step as identifier to get the lifecycle configuration information set for the selected bucket:

aws s3api get-bucket-lifecycle-configuration
	--bucket cloud-conformity-logs

04 The command output should return the requested configuration details or the NoSuchLifecycleConfiguration error message if there are no lifecycle configuration rules defined for the S3 bucket:

An error occurred (NoSuchLifecycleConfiguration) when calling the GetBucketLifecycleConfiguration operation: The lifecycle configuration does not exist.

If the get-bucket-lifecycle-configuration command output returns the ServerSideEncryptionConfigurationNotFoundError error message, as shown in the output example above, there are no lifecycle rules currently defined, therefore the lifecycle configuration for the selected Amazon S3 bucket is not enabled.

05 Repeat step no. 3 and 4 for each S3 bucket that you want to examine, available in your AWS account.

Remediation / Resolution

To enable lifecycle configuration for your existing AWS S3 buckets by creating lifecycle rules, perform the following actions:

As example, this conformity rule describes how to utilize Amazon S3 lifecycle configuration to tier down the storage class of S3 objects (in this case log files) over their lifetime in order to help reduce storage costs and retain data for compliance purposes. The transition actions for the lifecycle configuration rule defined as example are:

1. Transition S3 objects to the STANDARD_IA storage class 30 days after creation.
2. Transition S3 objects to the GLACIER storage class 60 days after creation.
3. One expiration action that enables Amazon S3 service to delete the objects a year after creation.

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to S3 dashboard at https://console.aws.amazon.com/s3/.

03 Click on the name (link) of the S3 bucket that you want to reconfigure (see Audit section part I to identify the right resource).

04 Select the Management tab from the S3 dashboard top menu, choose Lifecycle panel, then click Add lifecycle rule to set up a new lifecycle configuration rule.

05 Inside Lifecycle rule dialog box, perform the following:

For Name and scope section, provide a unique name for your lifecycle rule in Enter a rule name box and a prefix/tag within Add filter to limit scope to prefix/tags box (e.g. app-logs). Click Next to continue the setup process.
For Transitions section, select Current version checkbox to add transitions for current version of S3 objects. Click + Add transition, select Transition to Standard-IA after for Object creation and set 30 for Days after object creation. Click + Add transition again, select Transition to Amazon Glacier after for Object creation and set 60 for Days after object creation. Once the necessary transitions are set, click Next to continue.
For Expiration section, select Current version checkbox to add expiration actions for current version of S3 objects. Select Expire current version of object checkbox and set 365 (days) for After x days from object creation. Click Next to continue.
For Review section, reexamine the rule configuration details then click Save to create the S3 lifecycle configuration rule.

06 Repeat step no. 4 and 5 to define more lifecycle configuration rules for the selected Amazon S3 bucket.

07 Repeat steps no. 3 – 6 to enable lifecycle configuration for other S3 buckets available in your AWS account.

Using AWS CLI

01 Run put-bucket-lifecycle-configuration command (OSX/Linux/UNIX) to enable lifecycle configuration for the selected S3 bucket by creating a new lifecycle rule that moves S3 objects to the STANDARD_IA and GLACIER storage classes 30 and 60 days after creation and deletes the objects a year after creation (the command does not produce an output):

aws s3api put-bucket-lifecycle-configuration
	--bucket cloud-conformity-logs
	--lifecycle-configuration '{
    "Rules": [
        {
            "Filter": {
                "Prefix": "app-logs/"
            },
            "Status": "Enabled",
            "Transitions": [
                {
                    "Days": 30,
                    "StorageClass": "STANDARD_IA"
                },
                {
                    "Days": 60,
                    "StorageClass": "GLACIER"
                }
            ],
            "Expiration": {
                "Days": 365
            },
            "ID": "Log files transition and expiration."
        }
    ]
}'

02 Repeat steps no. 1 to enable lifecycle configuration for other S3 buckets available in your AWS account.

References

AWS Command Line Interface (CLI) Documentation
s3api
list-buckets
get-bucket-lifecycle-configuration
put-bucket-lifecycle-configuration

Publication date Dec 8, 2017

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for and

You are auditing:

S3 Buckets Lifecycle Configuration

Risk level: Low

Audit

Using AWS Console

Using AWS CLI

Remediation / Resolution

Using AWS Console

Using AWS CLI

References

Related S3 rules