Ensure that your Amazon S3 buckets are using lifecycle configurations for security and cost optimization purposes. An S3 lifecycle configuration is a set of one or more rules, where each rule defines an action (transition or expiration action) for Amazon S3 to apply to a group of objects. A lifecycle configuration is used to manage Amazon S3 data during its lifetime.
This rule can help you with the following compliance standards:
- APRA
- MAS
- NIST4
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
optimisation
With an S3 lifecycle configuration, you can enable Amazon S3 to downgrade the storage class for your objects, archive or delete S3 objects during their lifecycle. For example, you can define S3 lifecycle configuration rules to achieve compliance (with the law, with your organization standards or business requirements) by automatically transitioning your objects to S3 Standard-Infrequent Access (S3 Standard-IA) storage class one month after creation, or archive S3 objects with Amazon S3 Glacier using Glacier or Glacier Deep Archive storage class one year after creation. You can also implement lifecycle configuration rules to expire (delete) objects based on your retention requirements or clean up incomplete multipart uploads in order to optimize your Amazon S3 costs.
Audit
To determine if your Amazon S3 buckets are using lifecycle configurations, perform the following operations:
Remediation / Resolution
To enable the lifecycle configuration for your Amazon S3 buckets by creating lifecycle rules, perform the following operations:
Note: As an example, this conformity rule describes how to utilize Amazon S3 lifecycle configuration to tier down the storage class of S3 objects over their lifetime in order to help reduce the storage costs and retain data for compliance purposes. The transition actions for the lifecycle configuration rule used as an example are:- Transition objects to the S3 Standard-Infrequent Access (S3 Standard-IA) storage class 30 days after creation.
- Transition objects to the Glacier storage class 60 days after creation.
- One expiration action that enables Amazon S3 to delete the objects a year after creation.
References
- AWS Documentation
- Amazon S3 FAQs
- Setting lifecycle configuration on a bucket
- Managing your storage lifecycle
- Examples of S3 Lifecycle configuration
- AWS Command Line Interface (CLI) Documentation
- s3api
- list-buckets
- get-bucket-logging
- put-bucket-acl
- put-bucket-logging
- CloudFormation Documentation
- AWS::S3::Bucket
- Terraform Documentation
- AWS Provider