S3 bucket lifecycle policy
Check ID: aws-s3-004
AWS-S3-004 is an AWS security check performed by cloud-audit, an open-source AWS security scanner. Checks if S3 buckets have lifecycle rules configured to automatically transition or expire objects.
Why it matters
Without lifecycle rules, S3 storage costs grow unbounded as objects accumulate indefinitely. AWS reports that the average enterprise wastes 30-35% of cloud storage spend on data that could be tiered or expired. A typical pattern: logs in S3 Standard at $0.023/GB/month could move to Glacier at $0.004/GB/month after 90 days - an 83% cost reduction. For a 10TB log bucket, that saves approximately $2,280/year. Lifecycle rules also support automatic deletion of incomplete multipart uploads, which silently accumulate and incur charges. Implementing lifecycle policies is a foundational FinOps practice required by the AWS Well-Architected Framework Cost Optimization pillar.
Common causes
Lifecycle policies are missing because teams focus on creating buckets and storing data without planning for data retention or cost optimization. Engineers assume someone else handles storage cost management, and no single team owns the S3 cost optimization process. Buckets created through quick Terraform modules or console clicks rarely include lifecycle configuration, and retroactive setup requires understanding each bucket's data patterns.
Detection
Run cloud-audit to detect this issue:
pip install cloud-audit
cloud-audit scan -R
The -R flag includes remediation details for every finding, including this one.
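As an added example (not cloud-audit's own code), the following Python evaluates a bucket's lifecycle configuration the way this check does, taking the dict that boto3's get_bucket_lifecycle_configuration (or aws s3api get-bucket-lifecycle-configuration) returns. The sample configurations are constructed, and the pass criterion (at least one Enabled rule that transitions or expires objects) is an assumption about how aws-s3-004 decides; it also shows two ways a bucket can look configured yet still fail.

```python
# Added example, not cloud-audit's own code. `config` is the dict shape returned
# by get_bucket_lifecycle_configuration (boto3 or s3api); None stands for a bucket
# with no configuration (the API raises NoSuchLifecycleConfiguration there).

def evaluate_lifecycle(config):
    """Summarise whether any ENABLED rule actually tiers or expires objects."""
    result = {"tiers_or_expires": False, "aborts_multipart": False, "notes": []}
    rules = (config or {}).get("Rules") or []
    if not rules:
        result["notes"].append("no lifecycle rules configured")
        return result
    for rule in rules:
        rid = rule.get("ID", "<unnamed>")
        if rule.get("Status") != "Enabled":
            result["notes"].append(f"rule {rid} is disabled")
            continue
        # Expiration only counts if it removes objects (Days or Date); a block
        # holding just ExpiredObjectDeleteMarker tidies markers, not data.
        exp = rule.get("Expiration", {})
        expires = "Days" in exp or "Date" in exp
        if (rule.get("Transitions") or expires
                or rule.get("NoncurrentVersionTransitions")
                or rule.get("NoncurrentVersionExpiration")):
            result["tiers_or_expires"] = True
        if rule.get("AbortIncompleteMultipartUpload"):
            result["aborts_multipart"] = True
    if not result["tiers_or_expires"]:
        result["notes"].append("no enabled rule transitions or expires objects")
    return result

def passes_aws_s3_004(config):
    """True when the bucket would not be flagged by this check (assumed criterion)."""
    return evaluate_lifecycle(config)["tiers_or_expires"]

# Constructed sample inputs; REMEDIATED is the rule from the CLI remediation below.
REMEDIATED = {"Rules": [{"ID": "auto-archive", "Status": "Enabled", "Filter": {"Prefix": ""},
                         "Transitions": [{"Days": 90, "StorageClass": "GLACIER"}]}]}
DISABLED = {"Rules": [{**REMEDIATED["Rules"][0], "Status": "Disabled"}]}
MULTIPART_ONLY = {"Rules": [{"ID": "mpu-cleanup", "Status": "Enabled", "Filter": {},
                             "AbortIncompleteMultipartUpload": {"DaysAfterInitiation": 7}}]}
MARKERS_ONLY = {"Rules": [{"ID": "markers", "Status": "Enabled", "Filter": {},
                           "Expiration": {"ExpiredObjectDeleteMarker": True}}]}

if __name__ == "__main__":
    samples = [("none", None), ("remediated", REMEDIATED), ("disabled", DISABLED),
               ("multipart-only", MULTIPART_ONLY), ("markers-only", MARKERS_ONLY)]
    for name, cfg in samples:
        print(f"{name:15} pass={passes_aws_s3_004(cfg)!s:5} {evaluate_lifecycle(cfg)['notes']}")
```

The multipart-only and markers-only cases are worth keeping in mind when triaging: both are useful rules, but neither tiers or expires the data the check is about.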
Remediation: AWS CLI
aws s3api put-bucket-lifecycle-configuration --bucket BUCKET_NAME --lifecycle-configuration '{"Rules":[{"ID":"auto-archive","Status":"Enabled","Transitions":[{"Days":90,"StorageClass":"GLACIER"}],"Filter":{"Prefix":""}}]}'
Remediation: Terraform
resource "aws_s3_bucket_lifecycle_configuration" "bucket" {
  bucket = "bucket-name"

  rule {
    id     = "auto-archive"
    status = "Enabled"

    # Empty filter applies the rule to every object, matching the empty
    # Prefix in the CLI example above.
    filter {}

    transition {
      days          = 90
      storage_class = "GLACIER"
    }
  }
}
This check is part of cloud-audit - install with pip install cloud-audit
Related article
AWS Security Audit: 17 Issues in Every Account →