# S3 Rules
These rules identify S3 buckets missing lifecycle configurations and buckets that have lifecycle rules but no storage-class transition logic, leaving objects in the most expensive storage class indefinitely.
| Rule ID | Scan Type | Name |
|---|---|---|
| CLDBRN-AWS-S3-1 | Discovery and IaC | S3 Bucket Missing Lifecycle Configuration |
| CLDBRN-AWS-S3-2 | Discovery and IaC | S3 Bucket Storage Class Not Optimized |
## CLDBRN-AWS-S3-1: S3 Bucket Missing Lifecycle Configuration

**Scan type:** Discovery and IaC
### What it checks

Flags S3 buckets that have no lifecycle configuration containing cost-focused rules. Without lifecycle rules, objects remain in the Standard storage class indefinitely, regardless of how infrequently they are accessed.
### Why it matters

S3 Standard storage costs $0.023/GB/month. Infrequently accessed data held in Standard is significantly overpriced compared to Intelligent-Tiering ($0.023/GB/month for the frequent-access tier, $0.0125/GB/month for the infrequent-access tier) or to Glacier for archival data. For buckets storing logs, backups, or historical data, the difference between Standard and an appropriate storage class can cut S3 costs by 40-90%.
### What triggers a finding

`hasCostFocusedLifecycle` is false for the bucket.
### How to remediate
Add a lifecycle configuration to the bucket. At minimum, configure transitions for infrequent access patterns:
```json
{
  "Rules": [
    {
      "ID": "transition-to-ia",
      "Status": "Enabled",
      "Filter": { "Prefix": "" },
      "Transitions": [
        {
          "Days": 30,
          "StorageClass": "STANDARD_IA"
        },
        {
          "Days": 90,
          "StorageClass": "GLACIER_IR"
        }
      ],
      "NoncurrentVersionExpiration": {
        "NoncurrentDays": 30
      }
    }
  ]
}
```
Apply using the CLI:
```bash
aws s3api put-bucket-lifecycle-configuration \
  --bucket my-bucket \
  --lifecycle-configuration file://lifecycle.json
```
### IaC resources checked
| IaC Tool | Resource Type |
|---|---|
| Terraform | aws_s3_bucket_lifecycle_configuration |
| CloudFormation | AWS::S3::Bucket |
## CLDBRN-AWS-S3-2: S3 Bucket Storage Class Not Optimized

**Scan type:** Discovery and IaC

### What it checks
Flags S3 buckets that have lifecycle rules configured but none of those rules include storage-class transitions or Intelligent-Tiering configuration. A lifecycle rule that only expires objects (deletes them after N days) without first transitioning them to cheaper storage classes leaves cost savings on the table.
### Why it matters
An expiration-only lifecycle rule protects against unbounded growth but does nothing to reduce the cost of objects while they are retained. Adding a transition to Intelligent-Tiering or a cheaper storage class (Standard-IA, Glacier Instant Retrieval) before expiration can significantly reduce the cost of the retention period.
### What triggers a finding
The bucket has lifecycle rules configured, but none of the rules contain a storage-class transition to Intelligent-Tiering or any other storage class.
### How to remediate
Add storage-class transition actions to your existing lifecycle rules. The most flexible option is Intelligent-Tiering, which automatically moves objects between tiers based on access patterns without requiring you to predict access frequency:
```bash
aws s3api put-bucket-intelligent-tiering-configuration \
  --bucket my-bucket \
  --id EntireBucket \
  --intelligent-tiering-configuration '{
    "Id": "EntireBucket",
    "Status": "Enabled",
    "Tierings": [
      {"Days": 90, "AccessTier": "ARCHIVE_ACCESS"},
      {"Days": 180, "AccessTier": "DEEP_ARCHIVE_ACCESS"}
    ]
  }'
```
### IaC resources checked
| IaC Tool | Resource Type |
|---|---|
| Terraform | aws_s3_bucket_intelligent_tiering_configuration |
| CloudFormation | AWS::S3::Bucket |
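The two trigger conditions above, expressed as a small evaluator that takes a bucket's lifecycle rules and Intelligent-Tiering configurations in the shape the S3 API returns them and reports which rule IDs fire. This is an added illustration, not the scanner's own code; it assumes that a rule whose `Status` is not `Enabled` does not count as a transition, and all sample data is constructed.

```python
"""Evaluate a bucket against CLDBRN-AWS-S3-1 and CLDBRN-AWS-S3-2 (added example).

`rules` is the "Rules" list from GetBucketLifecycleConfiguration (None when the
bucket has no lifecycle configuration); `tiering_configs` is the list from
ListBucketIntelligentTieringConfigurations. All sample data is constructed.
"""
from typing import Optional

# Either key moves objects (current or noncurrent versions) to another class.
TRANSITION_KEYS = ("Transitions", "NoncurrentVersionTransitions")

def rule_has_transition(rule: dict) -> bool:
    """True if an enabled rule has a storage-class transition.
    Assumption: disabled rules are ignored because they move nothing."""
    if rule.get("Status") != "Enabled":
        return False
    return any(rule.get(key) for key in TRANSITION_KEYS)

def evaluate_bucket(rules: Optional[list], tiering_configs: list) -> list:
    """Return the rule IDs that fire for this bucket ([] means no finding)."""
    if not rules:
        return ["CLDBRN-AWS-S3-1"]  # no lifecycle configuration at all
    # An enabled Intelligent-Tiering configuration also satisfies S3-2.
    tiering = any(c.get("Status") == "Enabled" for c in tiering_configs)
    if tiering or any(rule_has_transition(r) for r in rules):
        return []
    return ["CLDBRN-AWS-S3-2"]  # rules only expire; nothing moves to a cheaper class

# Constructed samples: an expiration-only rule and the remediated rule set.
EXPIRE_ONLY_RULES = [
    {"ID": "expire-logs", "Status": "Enabled", "Filter": {"Prefix": "logs/"},
     "Expiration": {"Days": 365}},
]
REMEDIATED_RULES = [
    {"ID": "transition-to-ia", "Status": "Enabled", "Filter": {"Prefix": ""},
     "Transitions": [{"Days": 30, "StorageClass": "STANDARD_IA"},
                     {"Days": 90, "StorageClass": "GLACIER_IR"}],
     "NoncurrentVersionExpiration": {"NoncurrentDays": 30}},
]
TIERING_ENABLED = {"Id": "EntireBucket", "Status": "Enabled",
                   "Tierings": [{"Days": 90, "AccessTier": "ARCHIVE_ACCESS"}]}

if __name__ == "__main__":
    for name, rules, tiers in [("no-config", None, []),
                               ("expire-only", EXPIRE_ONLY_RULES, []),
                               ("remediated", REMEDIATED_RULES, []),
                               ("expire-only+tiering", EXPIRE_ONLY_RULES, [TIERING_ENABLED])]:
        print(f"{name}: {evaluate_bucket(rules, tiers) or 'no finding'}")
```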
## See Also
- CLI discover command — scan live S3 buckets
- CLI scan command — scan IaC templates for S3 issues
- SDK Reference — run scans programmatically