
πŸ›‘οΈ AWS S3 Bucket Lifecycle Configuration is not enabled🟒

  • Contextual name: πŸ›‘οΈ Bucket Lifecycle Configuration is not enabled🟒
  • ID: /ce/ca/aws/s3/bucket-lifecycle-configuration
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: COST, RELIABILITY

Logic

Similar Policies

Similar Internal Rules

Rule | Policies | Flags
✉️ dec-x-edc86d3d1

Description

Configure Amazon S3 Lifecycle in order to ensure the automation of object lifecycle management, storage costs optimization, and compliance with data retention policies.

Rationale

An S3 Lifecycle configuration consists of rules that define actions to be taken on a group of objects. These actions include:

  • Transition Actions: Move objects to different storage classes as they age, helping to optimize costs without manual intervention.

  • Expiration Actions: Automatically delete objects that have reached the end of their lifecycle, ensuring compliance with data retention policies.

Impact

Organizations may accumulate outdated or irrelevant data, resulting in cluttered storage environments that are more difficult to manage and maintain. Without proper lifecycle policies, the storage of redundant or obsolete data can consume significant resources and escalate costs unnecessarily.

Audit

The object is marked as INCOMPLIANT if the Lifecycle Rules JSON field is empty or none of the Lifecycle rules in Lifecycle Rules JSON have "status": "Enabled".
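The audit rule above, implemented as a small evaluator and run over a constructed inventory. This is an added example, not the policy page's own check code or Cloudaware's implementation; it assumes the Lifecycle Rules JSON field holds either an empty string or the same {"Rules": [...]} document that aws s3api get-bucket-lifecycle-configuration returns, and the bucket names and rule contents below are made up. Because the audit text spells the key "status" while the AWS API spells it "Status", the key is matched case-insensitively; the value must still be exactly "Enabled", which is all S3 accepts.

```python
"""Evaluate the 'Bucket Lifecycle Configuration is not enabled' audit on sample data."""
import json
from typing import Any, Dict, List, Union

COMPLIANT = "COMPLIANT"
INCOMPLIANT = "INCOMPLIANT"

# Assumed shapes of the Lifecycle Rules JSON field (see the lead-in above).
LifecycleInput = Union[str, Dict[str, Any], List[Dict[str, Any]], None]


def rules_from(lifecycle_rules: LifecycleInput) -> List[Dict[str, Any]]:
    """Normalise the Lifecycle Rules JSON field into a list of rule dicts.

    Accepts the raw JSON string stored in the field, the parsed
    {"Rules": [...]} document, a bare list of rules, or None/"" for a
    bucket that has no lifecycle configuration at all.
    """
    if lifecycle_rules is None:
        return []
    if isinstance(lifecycle_rules, str):
        if not lifecycle_rules.strip():
            return []
        lifecycle_rules = json.loads(lifecycle_rules)
    if isinstance(lifecycle_rules, dict):
        lifecycle_rules = lifecycle_rules.get("Rules", [])
    return [r for r in lifecycle_rules if isinstance(r, dict)]


def is_enabled(rule: Dict[str, Any]) -> bool:
    """True when the rule's status is exactly "Enabled" (key matched case-insensitively)."""
    for key, value in rule.items():
        if key.lower() == "status":
            return value == "Enabled"
    return False


def evaluate_bucket(lifecycle_rules: LifecycleInput) -> str:
    """Apply the audit rule: INCOMPLIANT if there are no rules or none of them is Enabled."""
    rules = rules_from(lifecycle_rules)
    if not rules or not any(is_enabled(r) for r in rules):
        return INCOMPLIANT
    return COMPLIANT


def enabled_rule_ids(lifecycle_rules: LifecycleInput) -> List[str]:
    """IDs of the rules that actually take effect; handy as audit evidence."""
    return [r.get("ID", "<no ID>") for r in rules_from(lifecycle_rules) if is_enabled(r)]


# Constructed sample inventory: bucket name -> contents of its Lifecycle Rules JSON field.
SAMPLE_BUCKETS: Dict[str, LifecycleInput] = {
    # No lifecycle configuration at all: the field is empty.
    "no-config": "",
    # A configuration exists, but its only rule is switched off.
    "disabled-only": json.dumps({"Rules": [
        {"ID": "OldCleanup", "Status": "Disabled", "Filter": {"Prefix": ""},
         "Expiration": {"Days": 30}},
    ]}),
    # The configuration shown in the remediation section of this page.
    "documents-tiering": json.dumps({"Rules": [
        {"ID": "ExampleRule1", "Filter": {"Prefix": "documents/"}, "Status": "Enabled",
         "Transitions": [{"Days": 60, "StorageClass": "INTELLIGENT_TIERING"},
                         {"Days": 120, "StorageClass": "GLACIER"}],
         "Expiration": {"Days": 730}},
    ]}),
    # Mixed: one disabled rule plus one enabled rule whose key uses the audit text's spelling.
    "mixed": json.dumps({"Rules": [
        {"ID": "Archive", "Status": "Disabled", "Filter": {"Prefix": "archive/"},
         "Transitions": [{"Days": 90, "StorageClass": "GLACIER"}]},
        {"ID": "ExpireLogs", "status": "Enabled", "Filter": {"Prefix": "logs/"},
         "Expiration": {"Days": 14}},
    ]}),
}


def evaluate_all(buckets: Dict[str, LifecycleInput]) -> Dict[str, str]:
    """Evaluate every bucket in an inventory dict and return name -> verdict."""
    return {name: evaluate_bucket(cfg) for name, cfg in buckets.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_all(SAMPLE_BUCKETS).items():
        ids = ", ".join(enabled_rule_ids(SAMPLE_BUCKETS[name])) or "-"
        print(f"{name:18} {verdict:12} enabled rules: {ids}")
```

Running the script lists no-config and disabled-only as INCOMPLIANT and the other two as COMPLIANT. The disabled-only case is the one worth remembering when reviewing findings: a bucket can carry a full lifecycle document and still fail this check, because a rule with Status Disabled never transitions or expires anything.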


Remediation

From Command Line

To set an S3 Lifecycle configuration on a bucket using the AWS CLI, follow these steps:

  • Save a JSON Lifecycle configuration in a file lifecycle.json. Although the Amazon S3 Lifecycle configuration is an XML file, the AWS CLI requires the configuration to be specified in JSON format.

    Here's an example of an S3 Lifecycle Configuration in JSON format:

    {
      "Rules": [
        {
          "ID": "ExampleRule1",
          "Filter": {
            "Prefix": "documents/"
          },
          "Status": "Enabled",
          "Transitions": [
            {
              "Days": 60,
              "StorageClass": "INTELLIGENT_TIERING"
            },
            {
              "Days": 120,
              "StorageClass": "GLACIER"
            }
          ],
          "Expiration": {
            "Days": 730
          }
        }
      ]
    }

    In this example, objects with the prefix documents/ transition to the Intelligent-Tiering storage class after 60 days and to the Glacier storage class after 120 days. Finally, the objects are automatically deleted after 730 days.

  • Execute the following AWS CLI command to set the Lifecycle configuration on your S3 bucket. Replace {{your-bucket-name}} with the actual name of your S3 bucket:


policy.yaml

Linked Framework Sections

Section | Sub Sections / Internal Rules / Policies / Flags | Compliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [S3.13] S3 general purpose buckets should have Lifecycle configurations | 11 | no data
💼 AWS Well-Architected → 💼 SUS04-BP03 Use policies to manage the lifecycle of your datasets | 2 | no data
💼 Cloudaware Framework → 💼 Resource Optimization | 24 | no data
💼 FedRAMP High Security Controls → 💼 CP-6(2) Recovery Time and Recovery Point Objectives (H) | 12 | no data
💼 FedRAMP High Security Controls → 💼 CP-9 System Backup (L)(M)(H) | 5410 | no data
💼 FedRAMP High Security Controls → 💼 CP-10 System Recovery and Reconstitution (L)(M)(H) | 212 | no data
💼 FedRAMP Low Security Controls → 💼 CP-9 System Backup (L)(M)(H) | 9 | no data
💼 FedRAMP Low Security Controls → 💼 CP-10 System Recovery and Reconstitution (L)(M)(H) | 12 | no data
💼 FedRAMP Moderate Security Controls → 💼 CP-9 System Backup (L)(M)(H) | 210 | no data
💼 FedRAMP Moderate Security Controls → 💼 CP-10 System Recovery and Reconstitution (L)(M)(H) | 112 | no data
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected | 148 | no data
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected | 142 | no data
💼 NIST CSF v2.0 → 💼 PR.DS-11: Backups of data are created, protected, maintained, and tested | 12 | no data
💼 NIST CSF v2.0 → 💼 RC.RP-01: The recovery portion of the incident response plan is executed once initiated from the incident response process | 12 | no data
💼 NIST CSF v2.0 → 💼 RC.RP-02: Recovery actions are selected, scoped, prioritized, and performed | 12 | no data
💼 NIST CSF v2.0 → 💼 RC.RP-03: The integrity of backups and other restoration assets is verified before using them for restoration | 6 | no data
💼 NIST CSF v2.0 → 💼 RC.RP-05: The integrity of restored assets is verified, systems and services are restored, and normal operating status is confirmed | 12 | no data
💼 NIST SP 800-53 Revision 5 → 💼 CP-6(2) Alternate Storage Site _ Recovery Time and Recovery Point Objectives | 12 | no data
💼 NIST SP 800-53 Revision 5 → 💼 CP-9 System Backup | 87 | no data
💼 NIST SP 800-53 Revision 5 → 💼 CP-10 System Recovery and Reconstitution | 612 | no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-5(2) Denial-of-service Protection _ Capacity, Bandwidth, and Redundancy | 11 | no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-13(5) Predictable Failure Prevention _ Failover Capability | 11 | no data