Cloud Security Index
aws

medium

Compliance Frameworks

BETA
NIST 800-53
AU-11, CP-9
PCI DSS v4.0
10.5.1
ISO/IEC 27001
A.12.4.1

// Beta Mapping Disclaimer

Framework mappings are currently in beta. These references are generated based on technical specifications and common industry alignments. Mappings may be incomplete or inaccurate; always consult with a qualified auditor for official compliance validation.

Overview

Configure S3 lifecycle policies on the central logging buckets in the Log Archive account to automatically transition log data through cheaper storage classes over time and enforce retention-based expiration.

This control applies to all log data centralised in the Log Archive account. The sources, retention requirements, and bucket structure for each log type are defined in the following controls:

  • [AWS-SEC-XXX] Enable AWS CloudTrail at the Organization Level - defines CloudTrail log delivery configuration, bucket naming, and minimum retention requirements.
  • [AWS-NET-XXX] Enable VPC Flow Logs - defines Flow Log delivery targets, format, and account-level activation scope.
  • [AWS-SEC-XXX] Enable AWS Config Recording - defines Config snapshot and history delivery to the Log Archive bucket.

Lifecycle policies defined in this control must be applied to the buckets referenced in those controls and must not reduce retention below the minimums they specify.

Log data delivered to the Log Archive account accumulates continuously from all Landing Zone accounts. Without lifecycle management, standard S3 storage costs compound linearly with organisational growth. This control defines storage class transition schedules and expiration rules per log type, balancing access frequency patterns against cost and compliance obligations.

Recommended transition schedule by log type

Log TypeStandard → Intelligent-Tiering→ Glacier IR→ Glacier Deep ArchiveExpiration
CloudTrail30 days90 days365 days3650 days (10 years)
VPC Flow Logs30 days60 days180 days365 days
ALB / WAF Access Logs14 days60 days180 days365 days

Retention minimums for CloudTrail and Config are driven by compliance standards. Adjust expiration only after confirming with your compliance team.

S3 Intelligent-Tiering is preferred over a direct Standard → Glacier transition for the first 30–90 day window because access patterns for recent logs are non-uniform - incident response queries frequently target logs from the past 30 days.

Log storage is a significant and predictable cost driver in Landing Zone architectures. Lifecycle policies are the lowest-effort, highest-return cost optimisation available for the Log Archive account. Establishing them at Landing Zone build time prevents cost accumulation that becomes difficult to remediate retroactively once bucket objects number in the billions.

Remediation Strategy

Apply S3 lifecycle configurations to the central logging buckets in the Log Archive account using the transition schedules defined above. Use Terraform to ensure the policies are version-controlled and reproducible.

1.

Identify all central logging buckets in the Log Archive account (CloudTrail, VPC Flow Logs, CloudWatch, ALB/WAF, ...).

2.

For each bucket, apply the lifecycle configuration matching the log type schedule from the table in the details section.

3.

Confirm that no transition rule reduces retention below the minimum specified in the sourcing control for that log type.

4.

Validate the applied configuration using the detection CLI command below and confirm rules are in Active status.

resource "aws_s3_bucket_lifecycle_configuration" "cloudtrail_logs" {
  bucket = var.cloudtrail_log_bucket_name

  rule {
    id     = "cloudtrail-transition-and-expiry"
    status = "Enabled"

    filter {}

    transition {
      days          = 30
      storage_class = "INTELLIGENT_TIERING"
    }

    transition {
      days          = 90
      storage_class = "GLACIER_IR"
    }

    transition {
      days          = 365
      storage_class = "DEEP_ARCHIVE"
    }

    expiration {
      days = 3650
    }

    noncurrent_version_expiration {
      noncurrent_days = 90
    }
  }
}

# VPC Flow Logs bucket lifecycle - 1-year retention
resource "aws_s3_bucket_lifecycle_configuration" "vpc_flow_logs" {
  bucket = var.vpc_flow_logs_bucket_name

  rule {
    id     = "flowlogs-transition-and-expiry"
    status = "Enabled"

    filter {}

    transition {
      days          = 30
      storage_class = "INTELLIGENT_TIERING"
    }

    transition {
      days          = 60
      storage_class = "GLACIER_IR"
    }

    transition {
      days          = 180
      storage_class = "DEEP_ARCHIVE"
    }

    expiration {
      days = 365
    }

    noncurrent_version_expiration {
      noncurrent_days = 30
    }
  }
}

# AWS Config log bucket lifecycle - 7-year retention
resource "aws_s3_bucket_lifecycle_configuration" "config_logs" {
  bucket = var.config_log_bucket_name

  rule {
    id     = "config-transition-and-expiry"
    status = "Enabled"

    filter {}

    transition {
      days          = 30
      storage_class = "INTELLIGENT_TIERING"
    }

    transition {
      days          = 90
      storage_class = "GLACIER_IR"
    }

    transition {
      days          = 365
      storage_class = "DEEP_ARCHIVE"
    }

    expiration {
      days = 3650
    }

    noncurrent_version_expiration {
      noncurrent_days = 90
    }
  }
}

Enforcement Logic

Automatedaws-api

For each central logging bucket in the Log Archive account, retrieve the lifecycle configuration and verify: (1) at least one transition rule to INTELLIGENT_TIERING or GLACIER_IR exists within 90 days, (2) a DEEP_ARCHIVE transition exists within 365 days, and (3) an expiration rule is present.

for bucket in $(aws s3api list-buckets \
  --query "Buckets[?contains(Name, 'log')].Name" \
  --output text); do
echo "=== $bucket ==="
aws s3api get-bucket-lifecycle-configuration \
  --bucket "$bucket" \
  --query 'Rules[].{ID:ID,Status:Status,FirstTransition:Transitions[0],Expiration:Expiration}' \
  2>/dev/null || echo "NO LIFECYCLE POLICY"
done
SPEC_METADATA

Complexity
low
Impact
none
Scope
account
Environment
all
Resources
S3
Remediation
account
Auto-Remediate
Available
Category
cost-management
Enforcement
mandatory
Tags
cost-managements3lifecycleloggingoptimizationlanding-zone

Type
role
Frequency
annually