Profile Applicability:

  • Level 2

Description:
Amazon S3 Lifecycle configurations are per-bucket rules that automate the transition of objects between storage classes (for example from STANDARD to GLACIER) or delete objects once a retention period has elapsed. Enabling them keeps storage costs down by moving infrequently accessed data to cheaper classes, and supports data-retention requirements by removing expired or unwanted data automatically instead of relying on a manual clean-up job.

Rationale:
A Lifecycle configuration enforces the bucket's retention policy in code: objects that are no longer needed are deleted on schedule rather than accumulating, which limits both storage cost and the amount of data exposed if the bucket is ever compromised, and older data is moved to lower-cost storage classes without operator action. Lifecycle configurations are a simple way to keep S3 buckets aligned with data-retention policies and operational requirements.

Impact:
Pros:

  • Reduces storage costs by transitioning objects to cheaper storage classes (e.g., Glacier or Deep Archive).

  • Automates data retention, ensuring compliance with data retention policies by deleting objects that are no longer needed.

  • Enhances data management by controlling the lifecycle of objects, improving operational efficiency.

Cons:

  • Improperly configured lifecycle rules can delete objects prematurely or transition them to the wrong storage class. On an unversioned bucket an expired object is gone permanently; on a versioned bucket expiration only adds a delete marker unless a NoncurrentVersionExpiration action is also configured.

  • Retention periods must be reviewed and kept in sync with the data-retention policy. A lifecycle rule is enforced automatically and will not pause for an investigation or legal hold unless S3 Object Lock protects the affected object versions.

  • Objects transitioned to GLACIER or DEEP_ARCHIVE are not readable until a restore request completes, which can take minutes to hours; reads in the meantime fail with InvalidObjectState, so applications that expect synchronous access to older data will break.

Default Value:
By default, S3 buckets have no Lifecycle configuration: objects stay in the storage class they were written with and are retained until explicitly deleted. Lifecycle rules must be set up manually.

Pre-requisites:

  • AWS IAM permissions to audit and manage S3 lifecycle configurations (note that the IAM action names differ from the API operation names):
     s3:ListAllMyBuckets (to enumerate buckets)
     s3:GetLifecycleConfiguration (for the GetBucketLifecycleConfiguration API)
     s3:PutLifecycleConfiguration (for the PutBucketLifecycleConfiguration and DeleteBucketLifecycle APIs)

  • Access to the S3 bucket configuration to review or enable Lifecycle configurations.

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to S3 and select Buckets from the left-hand menu.

  3. Select the S3 bucket you want to check.

  4. Under the Management tab, scroll down to the Lifecycle configuration section.

  5. Check whether any lifecycle rules are listed and have status Enabled. No rules, or only Disabled rules, means lifecycle configuration is not in effect for the bucket.

  6. If lifecycle policies are not configured, click Create lifecycle rule and define the rules for transitioning objects between storage classes or deleting objects after a specified time.

  7. Save the lifecycle configuration and verify that it is correctly applied to the bucket.

Using AWS CLI:

  1. List all S3 buckets:

    aws s3api list-buckets --query "Buckets[*].Name" --output text

  2. For each bucket, check if a lifecycle configuration exists:

    aws s3api get-bucket-lifecycle-configuration --bucket <BUCKET_NAME>

     A bucket with no configuration does not return an empty document; the command exits non-zero with the error NoSuchLifecycleConfiguration. A configuration that is returned but whose rules all have "Status": "Disabled" should also be treated as not enabled.

  3. If no lifecycle configuration is present, create one. This call replaces the bucket's entire lifecycle configuration, so lifecycle_config.json must contain every rule you want to keep:

    aws s3api put-bucket-lifecycle-configuration --bucket <BUCKET_NAME> --lifecycle-configuration file://lifecycle_config.json

  4. Verify the lifecycle configuration:

    aws s3api get-bucket-lifecycle-configuration --bucket <BUCKET_NAME>
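The CLI steps above can be scripted across an account. The following audit script is an added example and not part of this benchmark page; it assumes AWS CLI v2 with credentials that hold s3:ListAllMyBuckets and s3:GetLifecycleConfiguration, and that no other tooling (jq etc.) is installed. The sample CLI outputs embedded at the bottom are constructed for offline checking of the classifier, not real account data.

```shell
#!/bin/sh
# Added example, not from the CIS page: audit every bucket in the account
# for a lifecycle configuration that has at least one Enabled rule.
# Assumes AWS CLI v2; needs s3:ListAllMyBuckets and s3:GetLifecycleConfiguration.
set -u

# Classify the outcome of get-bucket-lifecycle-configuration.
#   $1 = exit status of the aws command
#   $2 = its combined stdout+stderr
# Prints MISSING, NO_ENABLED_RULES, CONFIGURED or ERROR.
# A bucket with no configuration makes the CLI exit non-zero with
# NoSuchLifecycleConfiguration rather than returning an empty document,
# so the exit status has to be inspected before the output is parsed.
classify_lifecycle() {
  cl_status="$1"; cl_output="$2"
  if [ "$cl_status" -ne 0 ]; then
    case "$cl_output" in
      *NoSuchLifecycleConfiguration*) echo MISSING ;;
      *) echo ERROR ;;                 # AccessDenied, NoSuchBucket, throttling ...
    esac
    return 0
  fi
  # Count rules whose Status is Enabled. This relies on the CLI's JSON
  # output placing each rule's "Status" on its own line (the default).
  cl_enabled=$(printf '%s\n' "$cl_output" | grep -Ec '"Status":[[:space:]]*"Enabled"') || true
  if [ "$cl_enabled" -gt 0 ]; then echo CONFIGURED; else echo NO_ENABLED_RULES; fi
}

# Audit one bucket; prints "<bucket><TAB><state>".
audit_bucket() {
  ab_status=0
  ab_out=$(aws s3api get-bucket-lifecycle-configuration --bucket "$1" 2>&1) || ab_status=$?
  printf '%s\t%s\n' "$1" "$(classify_lifecycle "$ab_status" "$ab_out")"
}

# Audit every bucket the caller is allowed to list.
audit_all_buckets() {
  aws s3api list-buckets --query 'Buckets[].Name' --output text | tr '\t' '\n' |
  while read -r ab_bucket; do
    [ -n "$ab_bucket" ] && audit_bucket "$ab_bucket"
  done
}

# Constructed sample CLI outputs (not real account data) for offline checks
# of the classifier. The error strings mirror the CLI's error format.
SAMPLE_MISSING='An error occurred (NoSuchLifecycleConfiguration) when calling the GetBucketLifecycleConfiguration operation: The lifecycle configuration does not exist'
SAMPLE_DENIED='An error occurred (AccessDenied) when calling the GetBucketLifecycleConfiguration operation: Access Denied'
SAMPLE_DISABLED='{"Rules": [{"ID": "archive", "Status": "Disabled", "Expiration": {"Days": 365}}]}'
SAMPLE_ENABLED='{"Rules": [{"ID": "archive", "Status": "Enabled", "Expiration": {"Days": 365}}]}'

# Entry point: "sh audit_lifecycle.sh audit" runs against the account.
if [ "${1:-}" = "audit" ]; then
  audit_all_buckets
fi
```

Buckets reported as MISSING or NO_ENABLED_RULES are the findings for this check; ERROR rows usually mean the auditing principal lacks s3:GetLifecycleConfiguration on that bucket and should be investigated separately rather than counted as compliant.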

Implementation Plan:

Using AWS Console:

  1. Open the S3 Console and select the bucket you want to configure.

  2. Under the Management tab, click Create lifecycle rule.

  3. Define the lifecycle rule, including transitions (e.g., from STANDARD to GLACIER) and expirations (e.g., deleting objects after a certain period).

  4. Apply the rule and verify that it works as expected.

Using AWS CLI:

  1. To create a lifecycle rule that transitions objects to Glacier after 30 days and expires objects after 365 days, write the rule to lifecycle_config.json (a JSON document with a Rules array containing at least one rule whose Status is Enabled) and apply it with:

    aws s3api put-bucket-lifecycle-configuration --bucket <BUCKET_NAME> --lifecycle-configuration file://lifecycle_config.json

  2. Verify the configuration is applied:

    aws s3api get-bucket-lifecycle-configuration --bucket <BUCKET_NAME>
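The CLI steps refer to a lifecycle_config.json that the page does not show. The script below is an added example, not code from this benchmark or from AWS: it renders that file for the 30-day Glacier transition and 365-day expiration described above, saves any existing configuration first (because put-bucket-lifecycle-configuration replaces the whole configuration), applies the new one and reads it back. It assumes AWS CLI v2 and the s3:GetLifecycleConfiguration and s3:PutLifecycleConfiguration permissions. The rule ID, the 90-day noncurrent-version expiration and the 7-day incomplete-multipart-upload abort are assumed values added here because a practitioner would usually want them on a versioned bucket; adjust them to the retention policy.

```shell
#!/bin/sh
# Added example, not from the CIS page: build lifecycle_config.json, back up
# the current configuration, apply the new one and verify it.
# Assumes AWS CLI v2 with s3:GetLifecycleConfiguration and s3:PutLifecycleConfiguration.
set -eu

# Render the lifecycle policy JSON.
#   $1 = days before transition to GLACIER, $2 = days before expiration.
# Assumed extras: expire noncurrent versions after 90 days (otherwise a
# versioned bucket keeps every old version forever) and abort stale
# multipart uploads after 7 days (their parts are billed but invisible).
render_lifecycle_config() {
  rl_transition="$1"; rl_expire="$2"
  cat <<EOF
{
  "Rules": [
    {
      "ID": "archive-then-expire",
      "Filter": { "Prefix": "" },
      "Status": "Enabled",
      "Transitions": [ { "Days": $rl_transition, "StorageClass": "GLACIER" } ],
      "Expiration": { "Days": $rl_expire },
      "NoncurrentVersionExpiration": { "NoncurrentDays": 90 },
      "AbortIncompleteMultipartUpload": { "DaysAfterInitiation": 7 }
    }
  ]
}
EOF
}

# Fail early on a rule S3 would reject anyway: the transition must be
# positive and expiration must come after it.
validate_days() {
  [ "$1" -gt 0 ] && [ "$2" -gt "$1" ]
}

# Apply to one bucket: $1 = bucket, $2 = transition days (30), $3 = expiration days (365).
apply_lifecycle() {
  al_bucket="$1"; al_transition="${2:-30}"; al_expire="${3:-365}"
  validate_days "$al_transition" "$al_expire" || {
    echo "expiration ($al_expire) must be later than transition ($al_transition)" >&2
    return 1
  }
  # Keep a copy of whatever is there now so the Backout Plan can restore it
  # with put-bucket-lifecycle-configuration instead of deleting everything.
  if aws s3api get-bucket-lifecycle-configuration --bucket "$al_bucket" \
       > "lifecycle_backup_${al_bucket}.json" 2>/dev/null; then
    echo "existing configuration saved to lifecycle_backup_${al_bucket}.json" >&2
  else
    rm -f "lifecycle_backup_${al_bucket}.json"
    echo "no existing lifecycle configuration on $al_bucket" >&2
  fi
  render_lifecycle_config "$al_transition" "$al_expire" > lifecycle_config.json
  aws s3api put-bucket-lifecycle-configuration \
    --bucket "$al_bucket" --lifecycle-configuration file://lifecycle_config.json
  # Read it back; this is the verification step from the Implementation Plan.
  aws s3api get-bucket-lifecycle-configuration --bucket "$al_bucket"
}

# Entry point: sh apply_lifecycle.sh <bucket> [transition_days] [expiration_days]
if [ $# -gt 0 ]; then
  apply_lifecycle "$@"
fi
```

Use "Filter": { "Prefix": "some/prefix/" } instead of the empty prefix to scope the rule to part of the bucket; the empty prefix applies it to every object, which is the behaviour the 30/365-day rule above intends.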

Backout Plan:

Using AWS Console:

  1. If the Lifecycle configuration causes issues, sign in to the AWS Management Console.

  2. Navigate to Amazon S3, select the bucket, and go to the Management tab.

  3. In the Lifecycle rules section, delete or modify the existing Lifecycle rule. Removing a rule only stops future actions: objects already expired are not recovered (unless the bucket is versioned and the delete marker is removed), and objects already transitioned to Glacier stay there until they are restored or copied back to another storage class.

  4. Save the changes and verify that the changes have been applied correctly.

Using AWS CLI:

  1. To delete the entire Lifecycle configuration for a bucket, run the following. There is no per-rule delete in the API; to keep some rules, re-apply a reduced configuration with put-bucket-lifecycle-configuration instead:

    aws s3api delete-bucket-lifecycle --bucket <BUCKET_NAME>

  2. Verify that the Lifecycle configuration has been removed. The command should now fail with the error NoSuchLifecycleConfiguration:

    aws s3api get-bucket-lifecycle-configuration --bucket <BUCKET_NAME>

Reference:

CIS Controls:

  Version   Control ID   Control Description
  7.1       4.1          Enable S3 bucket lifecycle configurations to automatically manage the transition and deletion of objects.
  7.1       8.1          Implement lifecycle policies to reduce storage costs and maintain compliance by automating the management of data in S3.