Control: S3 buckets with versioning enabled should have lifecycle policies configured
Description
This control checks if AWS Simple Storage Service (AWS S3) version enabled buckets have lifecycle policy configured. This rule fails if AWS S3 lifecycle policy is not enabled.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.s3_bucket_versioning_and_lifecycle_policy_enabledSnapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run aws_compliance.control.s3_bucket_versioning_and_lifecycle_policy_enabled --shareSQL
This control uses a named query:
with lifecycle_rules_enabled as ( select arn from aws_s3_bucket, jsonb_array_elements(lifecycle_rules) as r where r ->> 'Status' = 'Enabled')select b.arn as resource, case when not versioning_enabled then 'alarm' when versioning_enabled and r.arn is not null then 'ok' else 'alarm' end as status, case when not versioning_enabled then name || ' versioning diabled.' when versioning_enabled and r.arn is not null then name || ' lifecycle policy configured.' else name || ' lifecycle policy not configured.' end as reason , b.region, b.account_idfrom aws_s3_bucket as b left join lifecycle_rules_enabled as r on r.arn = b.arn;