Amazon S3 buckets use Lifecycle configurations with at least one rule whose Status is Enabled to automate object Transitions and Expiration based on age, prefix, or tags
Risk
Without lifecycle rules, objects persist indefinitely, driving costs and retaining sensitive data beyond policy. Unchecked log/version growth strains operations and recovery. Long-lived data increases exposure if the account is compromised and can break required deletion timelines, affecting confidentiality and availability.
prowler aws --checks s3_bucket_lifecycle_enabled
Recommendation
Define Lifecycle policies by data classification: set Expiration to enforce retention, use Transitions to lower-cost classes, and enable AbortIncompleteMultipartUpload. For critical logs, keep versioning and, if required, Object Lock. Limit who can change lifecycle using least privilege and separation of duties.
Remediation
aws s3api put-bucket-lifecycle-configuration --bucket <BUCKET_NAME> --lifecycle-configuration '{"Rules":[{"Status":"Enabled","Filter":{"Prefix":""},"AbortIncompleteMultipartUpload":{"DaysAfterInitiation":7}}]}'
- In the AWS Console, go to S3 and open the target bucket
- Select the Management tab, then click Create lifecycle rule
- Enter a name and choose This rule applies to all objects in the bucket
- Under Lifecycle rule actions, select Clean up incomplete multipart uploads and set Days after initiation to 7
- Ensure Status is Enabled and click Create rule
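As an added example (not Prowler's own code and not taken from the referenced AWS pages), the following Python mirrors the check's pass condition on the dict shape returned by get-bucket-lifecycle-configuration and builds a classification-driven configuration of the kind the Recommendation describes (Expiration, Transitions, AbortIncompleteMultipartUpload). The `policies` input shape is a hypothetical one chosen for this example; boto3 is only needed for the live fetch, the other functions run offline.

```python
"""Evaluate and build S3 lifecycle configurations (added example, not Prowler code)."""
import json


def lifecycle_enabled(config):
    """Pass condition of the check: at least one rule with Status == "Enabled".
    `config` has the shape returned by `aws s3api get-bucket-lifecycle-configuration`,
    or is None when the bucket has no lifecycle configuration at all."""
    if not config:
        return False
    return any(rule.get("Status") == "Enabled" for rule in config.get("Rules", []))


def fetch_lifecycle(bucket, s3=None):
    """Return the bucket's lifecycle config, or None if it has none (needs AWS credentials)."""
    import boto3  # lazy import so the pure functions in this module run offline
    from botocore.exceptions import ClientError
    s3 = s3 or boto3.client("s3")
    try:
        return s3.get_bucket_lifecycle_configuration(Bucket=bucket)
    except ClientError as err:
        # A bucket without any lifecycle rules answers with this error code
        if err.response["Error"]["Code"] == "NoSuchLifecycleConfiguration":
            return None
        raise


def build_lifecycle(policies, abort_days=7):
    """Build a lifecycle config from per-prefix retention policies (hypothetical input shape):
    each policy is a dict with `prefix`, optional `expire_days`, and optional
    `transitions` as a list of (days, storage_class) tuples."""
    rules = []
    for p in policies:
        rule = {"ID": f"retention-{p['prefix'].strip('/') or 'all'}",
                "Status": "Enabled",
                "Filter": {"Prefix": p["prefix"]},
                "AbortIncompleteMultipartUpload": {"DaysAfterInitiation": abort_days}}
        if p.get("transitions"):
            rule["Transitions"] = [{"Days": d, "StorageClass": sc} for d, sc in p["transitions"]]
        if p.get("expire_days"):
            rule["Expiration"] = {"Days": p["expire_days"]}
            # On versioned buckets old versions must be expired too, or data lingers past policy
            rule["NoncurrentVersionExpiration"] = {"NoncurrentDays": p["expire_days"]}
        rules.append(rule)
    return {"Rules": rules}


if __name__ == "__main__":
    # Constructed sample: logs kept one year, tiered to cheaper classes on the way
    cfg = build_lifecycle([{"prefix": "logs/", "expire_days": 365,
                            "transitions": [(30, "STANDARD_IA"), (90, "GLACIER_IR")]}])
    print(json.dumps(cfg, indent=2))  # paste into put-bucket-lifecycle-configuration
```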
Resource Type
AwsS3Bucket
References
- https://docs.aws.amazon.com/securityhub/latest/userguide/s3-controls.html#s3-13
- https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lifecycle-mgmt.html
- https://docs.aws.amazon.com/AmazonS3/latest/userguide/how-to-set-lifecycle-configuration-intro.html
- https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/S3/lifecycle-configuration.html