🚀Launch Week 07, January 27th - 31st, 2025🚀
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-aws-compliance
Overview
32Dashboards
1295Benchmarks
585Queries
4Variables
GitHub

Control: 10 S3 buckets with versioning enabled should have lifecycle policies configured

Description

This control checks if Amazon Simple Storage Service (Amazon S3) version enabled buckets have lifecycle policy configured. This rule fails if Amazon S3 lifecycle policy is not enabled.

It is recommended to configure lifecycle rules on your Amazon S3 bucket as these rules help you define actions that you want Amazon S3 to take during an object's lifetime.

Remediation

For more information on configuring lifecycle on an Amazon S3 bucket, see Setting lifecycle configuration on a bucketand Managing your storage lifecycle.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_s3_10

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_s3_10 --share

SQL

This control uses a named query:

with lifecycle_rules_enabled as (
  select
    arn
  from
    aws_s3_bucket,
    jsonb_array_elements(lifecycle_rules) as r
  where
    r ->> 'Status' = 'Enabled'
)
select
  b.arn as resource,
  case
    when not versioning_enabled then 'alarm'
    when versioning_enabled and r.arn is not null then 'ok'
    else 'alarm'
  end as status,
  case
    when not versioning_enabled then name || ' versioning diabled.'
    when versioning_enabled and r.arn is not null then name || ' lifecycle policy configured.'
    else name || ' lifecycle policy not configured.'
  end as reason
  
  , b.region, b.account_id
from
  aws_s3_bucket as b
  left join lifecycle_rules_enabled as r on r.arn = b.arn;

Tags

aws_foundational_security = true
category = Compliance
foundational_security_category = logging
foundational_security_item_id = s3_10
plugin = aws
service = AWS/S3