
πŸ“ AWS S3 Bucket Lifecycle Configuration is not enabled 🟒

  • Contextual name: πŸ“ Bucket Lifecycle Configuration is not enabled 🟒
  • ID: /ce/ca/aws/s3/bucket-lifecycle-configuration
  • Located in: πŸ“ AWS S3

Flags

Our Metadata

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • COST
    • RELIABILITY

Similar Policies

Similar Internal Rules

| Rule | Policies | Flags |
|---|---|---|
| ✉️ dec-x-edc86d3d1 | | |

Logic

Description

Configure Amazon S3 Lifecycle to automate object lifecycle management, optimize storage costs, and comply with data retention policies.

Rationale

An S3 Lifecycle configuration consists of rules that define actions to be taken on a group of objects. These actions include:

  • Transition Actions: Move objects to different storage classes as they age, helping to optimize costs without manual intervention.

  • Expiration Actions: Automatically delete objects that have reached the end of their lifecycle, ensuring compliance with data retention policies.

Impact

Organizations may accumulate outdated or irrelevant data, resulting in cluttered storage environments that are more difficult to manage and maintain. Without proper lifecycle policies, the storage of redundant or obsolete data can consume significant resources and escalate costs unnecessarily.

Audit

The object is marked as INCOMPLIANT if the Lifecycle Rules JSON field is empty or none of the Lifecycle rules in Lifecycle Rules JSON have "status": "Enabled".
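The following Python is an added illustration of that audit logic, not Cloudaware's own implementation: it evaluates a bucket's Lifecycle Rules JSON field exactly as the rule above is worded, so an empty field, unparsable JSON, or a rule set in which no rule has status Enabled is reported INCOMPLIANT. The sample inputs are constructed, and the status key is accepted as either "Status" (as the S3 API spells it) or "status" (as written above).

```python
import json

# Constructed sample inputs mirroring what the audit sees in the
# "Lifecycle Rules JSON" field: the page's example configuration, a
# configuration whose only rule is disabled, and an empty field.
ENABLED_RULES = json.dumps({
    "Rules": [
        {
            "ID": "ExampleRule1",
            "Filter": {"Prefix": "documents/"},
            "Status": "Enabled",
            "Transitions": [
                {"Days": 60, "StorageClass": "INTELLIGENT_TIERING"},
                {"Days": 120, "StorageClass": "GLACIER"},
            ],
            "Expiration": {"Days": 730},
        }
    ]
})
DISABLED_RULES = json.dumps({"Rules": [{"ID": "Paused", "Status": "Disabled",
                                        "Filter": {}, "Expiration": {"Days": 30}}]})
EMPTY_FIELD = ""


def _rule_enabled(rule):
    """A rule counts only when its status is exactly 'Enabled' (key case tolerated)."""
    status = rule.get("Status", rule.get("status", ""))
    return isinstance(status, str) and status == "Enabled"


def lifecycle_enabled(rules_json):
    """True when the field holds at least one rule with status Enabled.
    Empty, missing or malformed JSON fails, as does a list of only disabled rules."""
    if not rules_json or not rules_json.strip():
        return False
    try:
        data = json.loads(rules_json)
    except ValueError:
        return False
    # Accept either the full {"Rules": [...]} document or a bare list of rules.
    rules = data.get("Rules", []) if isinstance(data, dict) else data
    if not isinstance(rules, list):
        return False
    return any(isinstance(r, dict) and _rule_enabled(r) for r in rules)


def audit_status(rules_json):
    """Map the boolean check onto the status the policy reports."""
    return "COMPLIANT" if lifecycle_enabled(rules_json) else "INCOMPLIANT"
```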


Remediation

From Command Line

To set an S3 Lifecycle configuration on a bucket using the AWS CLI, follow these steps:

  • Save a JSON Lifecycle configuration in a file lifecycle.json. Although the Amazon S3 Lifecycle configuration is an XML file, the AWS CLI requires the configuration to be specified in JSON format.

    Here's an example of an S3 Lifecycle Configuration in JSON format:

```json
{
  "Rules": [
    {
      "ID": "ExampleRule1",
      "Filter": {
        "Prefix": "documents/"
      },
      "Status": "Enabled",
      "Transitions": [
        {
          "Days": 60,
          "StorageClass": "INTELLIGENT_TIERING"
        },
        {
          "Days": 120,
          "StorageClass": "GLACIER"
        }
      ],
      "Expiration": {
        "Days": 730
      }
    }
  ]
}
```

In this example, objects with the prefix documents/ transition to the Intelligent-Tiering storage class after 60 days and to the Glacier storage class after 120 days. Finally, the objects are automatically deleted after 730 days.

  • Execute the following AWS CLI command to set the Lifecycle configuration on your S3 bucket. Replace {{your-bucket-name}} with the actual name of your S3 bucket:


policy.yaml

Linked Framework Sections

| Section | Sub Section | Internal Rules / Policies / Flags |
|---|---|---|
| 💼 AWS Foundational Security Best Practices v1.0.0 | 💼 [S3.13] S3 general purpose buckets should have Lifecycle configurations | 11 |
| 💼 Cloudaware Framework | 💼 Resource Optimization | 3 |
| 💼 FedRAMP High Security Controls | 💼 CP-6(2) Recovery Time and Recovery Point Objectives (H) | 2 |
| 💼 FedRAMP High Security Controls | 💼 CP-9 System Backup (L)(M)(H) | 556 |
| 💼 FedRAMP High Security Controls | 💼 CP-10 System Recovery and Reconstitution (L)(M)(H) | 22 |
| 💼 FedRAMP Low Security Controls | 💼 CP-9 System Backup (L)(M)(H) | 6 |
| 💼 FedRAMP Low Security Controls | 💼 CP-10 System Recovery and Reconstitution (L)(M)(H) | 2 |
| 💼 FedRAMP Moderate Security Controls | 💼 CP-9 System Backup (L)(M)(H) | 26 |
| 💼 FedRAMP Moderate Security Controls | 💼 CP-10 System Recovery and Reconstitution (L)(M)(H) | 12 |
| 💼 NIST CSF v2.0 | 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected | 82 |
| 💼 NIST CSF v2.0 | 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected | 67 |
| 💼 NIST CSF v2.0 | 💼 PR.DS-11: Backups of data are created, protected, maintained, and tested | 6 |
| 💼 NIST CSF v2.0 | 💼 RC.RP-01: The recovery portion of the incident response plan is executed once initiated from the incident response process | 2 |
| 💼 NIST CSF v2.0 | 💼 RC.RP-02: Recovery actions are selected, scoped, prioritized, and performed | 2 |
| 💼 NIST CSF v2.0 | 💼 RC.RP-03: The integrity of backups and other restoration assets is verified before using them for restoration | 1 |
| 💼 NIST CSF v2.0 | 💼 RC.RP-05: The integrity of restored assets is verified, systems and services are restored, and normal operating status is confirmed | 2 |
| 💼 NIST SP 800-53 Revision 5 | 💼 CP-6(2) Alternate Storage Site _ Recovery Time and Recovery Point Objectives | 2 |
| 💼 NIST SP 800-53 Revision 5 | 💼 CP-9 System Backup | 81 |
| 💼 NIST SP 800-53 Revision 5 | 💼 CP-10 System Recovery and Reconstitution | 62 |
| 💼 NIST SP 800-53 Revision 5 | 💼 SC-5(2) Denial-of-service Protection _ Capacity, Bandwidth, and Redundancy | 2 |
| 💼 NIST SP 800-53 Revision 5 | 💼 SI-13(5) Predictable Failure Prevention _ Failover Capability | 2 |