S3 bucket versioning and lifecycle policies should be enabled

Description

S3 bucket versioning and lifecycle policies are used to protect data availability and integrity. With object versioning enabled, S3 keeps prior versions of each object, so data is protected from accidental or malicious overwrites and deletions. Lifecycle policies ensure that sensitive data and stale object versions are expired when appropriate, rather than accumulating indefinitely.

Remediation Steps

AWS Console

Enable versioning:

  • Navigate to S3.

  • Select the desired S3 bucket.

  • Select the Properties tab.

  • Click Versioning.

  • Check Enable Versioning.

Enable lifecycle policy:

  • Navigate to S3.

  • Select the desired S3 bucket.

  • Select the Management tab.

  • Click Add lifecycle rule.

  • Follow the steps documented here to add a lifecycle rule.

AWS CLI

  • Enable versioning:

    • aws s3api put-bucket-versioning --bucket <bucket name> --versioning-configuration Status=Enabled

  • Enable lifecycle policy:

    • aws s3api put-bucket-lifecycle-configuration --bucket <bucket name> --lifecycle-configuration file://lifecycle.json

    • See documentation for JSON sample here.
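As an added example (not part of the original page), the following Python builds a lifecycle.json equivalent to the Terraform configuration below so it can be passed to the put-bucket-lifecycle-configuration command above, and evaluates this control against the parsed responses of aws s3api get-bucket-versioning and aws s3api get-bucket-lifecycle-configuration. The JSON field names follow the S3 PutBucketLifecycleConfiguration API; the rule ID, prefix and the sample API responses are constructed for the example.

```python
"""Build lifecycle.json for the CLI step and check the versioning/lifecycle control.

Added example, not code from the original page. Sample API responses below are
constructed; the rule ID and prefix are illustrative.
"""
import json
from typing import Optional

# Lifecycle rule mirroring the Terraform example on this page: non-current
# versions under config/ move to STANDARD_IA after 30 days, to GLACIER after
# 60 days, and are expired after 90 days.
LIFECYCLE_CONFIG = {
    "Rules": [
        {
            "ID": "expire-old-config-versions",   # constructed name
            "Filter": {"Prefix": "config/"},
            "Status": "Enabled",
            "NoncurrentVersionTransitions": [
                {"NoncurrentDays": 30, "StorageClass": "STANDARD_IA"},
                {"NoncurrentDays": 60, "StorageClass": "GLACIER"},
            ],
            "NoncurrentVersionExpiration": {"NoncurrentDays": 90},
        }
    ]
}


def lifecycle_json_text() -> str:
    """Serialise the rule set in the shape put-bucket-lifecycle-configuration expects."""
    return json.dumps(LIFECYCLE_CONFIG, indent=2)


def write_lifecycle_json(path: str = "lifecycle.json") -> str:
    """Write lifecycle.json for `--lifecycle-configuration file://lifecycle.json`."""
    with open(path, "w") as fh:
        fh.write(lifecycle_json_text())
    return path


def check_bucket(versioning: dict, lifecycle: Optional[dict]) -> list:
    """Return a list of findings; an empty list means the control passes.

    `versioning` is the parsed output of get-bucket-versioning: {} when
    versioning was never enabled, {"Status": "Suspended"} after suspension.
    `lifecycle` is the parsed output of get-bucket-lifecycle-configuration,
    or None when that call fails with NoSuchLifecycleConfiguration.
    """
    findings = []
    status = versioning.get("Status", "not configured")
    if status != "Enabled":
        findings.append(f"versioning is {status}")
    rules = (lifecycle or {}).get("Rules", [])
    if not any(rule.get("Status") == "Enabled" for rule in rules):
        findings.append("no enabled lifecycle rule")
    return findings


# Constructed sample responses, as the CLI would print them after parsing.
SAMPLE_VERSIONING_OK = {"Status": "Enabled", "MFADelete": "Disabled"}
SAMPLE_VERSIONING_NEVER = {}                      # versioning never enabled
SAMPLE_VERSIONING_SUSPENDED = {"Status": "Suspended"}
SAMPLE_LIFECYCLE_DISABLED = {
    "Rules": [{"ID": "old-rule", "Status": "Disabled",
               "Filter": {"Prefix": ""}, "Expiration": {"Days": 30}}]
}

if __name__ == "__main__":
    print("wrote", write_lifecycle_json())
    for name, v, lc in [
        ("compliant", SAMPLE_VERSIONING_OK, LIFECYCLE_CONFIG),
        ("never-configured", SAMPLE_VERSIONING_NEVER, None),
        ("suspended", SAMPLE_VERSIONING_SUSPENDED, SAMPLE_LIFECYCLE_DISABLED),
    ]:
        print(name, "->", check_bucket(v, lc) or "PASS")
```

In practice the two inputs to check_bucket come from `aws s3api get-bucket-versioning --bucket <bucket name>` and `aws s3api get-bucket-lifecycle-configuration --bucket <bucket name>`; the second command exits with NoSuchLifecycleConfiguration on a bucket that has no rules, which the checker treats as a failing finding rather than an empty pass.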

Terraform

  • Ensure that the aws_s3_bucket versioning block has the enabled field set to true and that there is at least one lifecycle_rule block.

Example Configuration

resource "aws_s3_bucket" "bucket" {
  bucket = "my-bucket"

  # Keep prior versions of every object so overwrites and deletes are recoverable.
  versioning {
    enabled = true
  }

  # Tier and eventually expire non-current versions of objects under config/.
  lifecycle_rule {
    prefix  = "config/"
    enabled = true

    noncurrent_version_transition {
      days          = 30
      storage_class = "STANDARD_IA"
    }

    noncurrent_version_transition {
      days          = 60
      storage_class = "GLACIER"
    }

    noncurrent_version_expiration {
      days = 90
    }
  }

  # other required fields here
}