CloudBurn Rules

S3 Rules

CloudBurn cost optimization rules for AWS S3.

These rules identify S3 buckets missing lifecycle configurations, buckets that have lifecycle rules but no storage-class transition logic, buckets accumulating orphaned multipart upload parts, and versioned buckets without noncurrent version cleanup rules.

| Rule ID | Scan Type | Name |
| --- | --- | --- |
| CLDBRN-AWS-S3-1 | Discovery and IaC | S3 Bucket Missing Lifecycle Configuration |
| CLDBRN-AWS-S3-2 | Discovery and IaC | S3 Bucket Storage Class Not Optimized |
| CLDBRN-AWS-S3-3 | Discovery and IaC | S3 Incomplete Multipart Upload Abort Configuration |
| CLDBRN-AWS-S3-4 | IaC | S3 Versioned Bucket Missing Noncurrent Version Cleanup |

CLDBRN-AWS-S3-1

S3 Bucket Missing Lifecycle Configuration

Scan type: Discovery and IaC

What it checks

Flags S3 buckets that have no lifecycle configuration with cost-focused rules. Without lifecycle rules, objects remain in Standard storage indefinitely regardless of how infrequently they are accessed.

Why it matters

S3 Standard storage costs $0.023/GB/month. Infrequently accessed data in Standard storage is significantly overpriced compared to Intelligent-Tiering ($0.023 for frequent, $0.0125 for infrequent) or Glacier for archival data. For buckets storing logs, backups, or historical data, the difference between Standard and an appropriate storage class can cut S3 costs by 40-90%.

What triggers a finding

hasCostFocusedLifecycle is false for the bucket.

How to remediate

Add a lifecycle configuration to the bucket. At minimum, configure transitions for infrequent access patterns:

{
  "Rules": [
    {
      "ID": "transition-to-ia",
      "Status": "Enabled",
      "Filter": { "Prefix": "" },
      "Transitions": [
        {
          "Days": 30,
          "StorageClass": "STANDARD_IA"
        },
        {
          "Days": 90,
          "StorageClass": "GLACIER_IR"
        }
      ],
      "NoncurrentVersionExpiration": {
        "NoncurrentDays": 30
      }
    }
  ]
}

Apply using the CLI:

aws s3api put-bucket-lifecycle-configuration \
  --bucket my-bucket \
  --lifecycle-configuration file://lifecycle.json

IaC resources checked

| IaC Tool | Resource Type |
| --- | --- |
| Terraform | aws_s3_bucket_lifecycle_configuration |
| CloudFormation | AWS::S3::Bucket |

CLDBRN-AWS-S3-2

S3 Bucket Storage Class Not Optimized

Scan type: Discovery and IaC

What it checks

Flags S3 buckets that have lifecycle rules configured but none of those rules include storage-class transitions or Intelligent-Tiering configuration. A lifecycle rule that only expires objects (deletes them after N days) without first transitioning them to cheaper storage classes leaves cost savings on the table.

Why it matters

An expiration-only lifecycle rule protects against unbounded growth but does nothing to reduce the cost of objects while they are retained. Adding a transition to Intelligent-Tiering or a cheaper storage class (Standard-IA, Glacier Instant Retrieval) before expiration can significantly reduce the cost of the retention period.

What triggers a finding

The bucket has lifecycle rules configured, but none of the rules contain a storage-class transition to Intelligent-Tiering or any other storage class.

How to remediate

Add storage-class transition actions to your existing lifecycle rules. The most flexible option is Intelligent-Tiering, which automatically moves objects between tiers based on access patterns without requiring you to predict access frequency:

aws s3api put-bucket-intelligent-tiering-configuration \
  --bucket my-bucket \
  --id EntireBucket \
  --intelligent-tiering-configuration '{
    "Id": "EntireBucket",
    "Status": "Enabled",
    "Tierings": [
      {"Days": 90, "AccessTier": "ARCHIVE_ACCESS"},
      {"Days": 180, "AccessTier": "DEEP_ARCHIVE_ACCESS"}
    ]
  }'

IaC resources checked

| IaC Tool | Resource Type |
| --- | --- |
| Terraform | aws_s3_bucket_intelligent_tiering_configuration |
| CloudFormation | AWS::S3::Bucket |

CLDBRN-AWS-S3-3

S3 Incomplete Multipart Upload Abort Configuration

Scan type: Discovery and IaC

What it checks

Flags S3 buckets that do not define an enabled lifecycle rule to abort incomplete multipart uploads within 7 days.

Why it matters

Incomplete multipart uploads consume storage but are invisible in standard S3 metrics. Large uploads that fail mid-way leave orphaned parts that accumulate silently. A lifecycle rule that aborts incomplete uploads after 7 days prevents this waste at no operational cost.

What triggers a finding

hasAbortIncompleteMultipartUploadAfter7Days is false.

How to remediate

Add a lifecycle rule that aborts incomplete multipart uploads. In Terraform, add an aws_s3_bucket_lifecycle_configuration resource with an abort_incomplete_multipart_upload block. In CloudFormation, add a lifecycle rule with AbortIncompleteMultipartUpload.DaysAfterInitiation: 7.

IaC resources checked

| IaC Tool | Resource Type |
| --- | --- |
| Terraform | aws_s3_bucket + aws_s3_bucket_lifecycle_configuration |
| CloudFormation | AWS::S3::Bucket |

CLDBRN-AWS-S3-4

S3 Versioned Bucket Missing Noncurrent Version Cleanup

Scan type: IaC

What it checks

Flags versioned S3 buckets that do not define lifecycle rules to expire or transition noncurrent object versions. Without cleanup, every overwrite or delete creates a noncurrent version that persists forever.

Why it matters

Versioned buckets can accumulate enormous amounts of noncurrent data. A bucket with frequent overwrites can store 10x more noncurrent data than current data. Without a noncurrent version expiration or transition rule, storage costs grow linearly with every change.

What triggers a finding

versioningEnabled is true AND hasNoncurrentVersionCleanup is not true.

How to remediate

Add lifecycle rules for noncurrent version management. Common patterns: expire noncurrent versions after 30-90 days, or transition them to Glacier after 30 days and expire after 365 days.
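
The trigger conditions for CLDBRN-AWS-S3-3 and CLDBRN-AWS-S3-4, together with the transition check from CLDBRN-AWS-S3-2, expressed as an added Python example that is not CloudBurn's own code; it evaluates a lifecycle document in the s3api JSON shape used earlier on this page. Assumptions: only enabled rules count, rule filters are ignored, "within 7 days" means DaysAfterInitiation <= 7, Intelligent-Tiering configurations are not inspected, and all function and constant names are hypothetical.

```python
# Added example, not CloudBurn's code: approximates the S3-2, S3-3 and S3-4
# trigger conditions on a lifecycle document in the s3api JSON shape.
# Assumptions: only Status == "Enabled" rules count, rule filters are ignored,
# and "within 7 days" means DaysAfterInitiation <= 7.

def enabled_rules(lifecycle):
    rules = (lifecycle or {}).get("Rules", [])
    return [r for r in rules if r.get("Status") == "Enabled"]

def has_transition(lifecycle):
    return any(r.get("Transitions") for r in enabled_rules(lifecycle))

def has_abort_within_7_days(lifecycle):
    for rule in enabled_rules(lifecycle):
        abort = rule.get("AbortIncompleteMultipartUpload") or {}
        days = abort.get("DaysAfterInitiation")
        if days is not None and days <= 7:
            return True
    return False

def has_noncurrent_cleanup(lifecycle):
    return any(r.get("NoncurrentVersionExpiration")
               or r.get("NoncurrentVersionTransitions")
               for r in enabled_rules(lifecycle))

def findings(lifecycle, versioning_enabled):
    """Return the rule IDs from this page that the bucket would trigger."""
    hits = []
    if enabled_rules(lifecycle) and not has_transition(lifecycle):
        hits.append("CLDBRN-AWS-S3-2")  # rules exist, none transitions
    if not has_abort_within_7_days(lifecycle):
        hits.append("CLDBRN-AWS-S3-3")
    if versioning_enabled and not has_noncurrent_cleanup(lifecycle):
        hits.append("CLDBRN-AWS-S3-4")
    return hits

# Constructed sample inputs; TRANSITION_RULE mirrors the S3-1 remediation JSON.
EXPIRE_ONLY = {"Rules": [{"ID": "expire-logs", "Status": "Enabled",
                          "Filter": {"Prefix": ""}, "Expiration": {"Days": 365}}]}
TRANSITION_RULE = {"ID": "transition-to-ia", "Status": "Enabled", "Filter": {"Prefix": ""},
                   "Transitions": [{"Days": 30, "StorageClass": "STANDARD_IA"},
                                   {"Days": 90, "StorageClass": "GLACIER_IR"}],
                   "NoncurrentVersionExpiration": {"NoncurrentDays": 30}}
ABORT_RULE = {"ID": "abort-mpu", "Status": "Enabled", "Filter": {"Prefix": ""},
              "AbortIncompleteMultipartUpload": {"DaysAfterInitiation": 7}}
PAGE_EXAMPLE = {"Rules": [TRANSITION_RULE]}
WITH_ABORT = {"Rules": [TRANSITION_RULE, ABORT_RULE]}

if __name__ == "__main__":
    for name, doc in [("expire-only", EXPIRE_ONLY), ("page example", PAGE_EXAMPLE),
                      ("with abort rule", WITH_ABORT)]:
        print(name, findings(doc, versioning_enabled=True))
```

Run against the S3-1 remediation JSON, the check still reports CLDBRN-AWS-S3-3, because that configuration has no AbortIncompleteMultipartUpload action.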

IaC resources checked

| IaC Tool | Resource Type |
| --- | --- |
| Terraform | aws_s3_bucket + aws_s3_bucket_lifecycle_configuration |
| CloudFormation | AWS::S3::Bucket |
