AWS Security ChangesHomeSearch

AWS securityhub documentation change

Service: securityhub · 2025-07-16 · Documentation low

File: securityhub/latest/userguide/s3-controls.md

Summary

Added new control [S3.25] requiring lifecycle configurations for S3 directory buckets and removed backticks from AWS Config rule links throughout the document

Security assessment

The addition of [S3.25] documents a security best practice for data lifecycle management in directory buckets, which enhances data protection but does not address a specific active vulnerability. The removal of backticks from AWS Config rule links is a formatting change with no security impact.

Diff

diff --git a/securityhub/latest/userguide/s3-controls.md b/securityhub/latest/userguide/s3-controls.md
index 177bb5c91..3362b054e 100644
--- a//securityhub/latest/userguide/s3-controls.md
+++ b//securityhub/latest/userguide/s3-controls.md
@@ -5 +5 @@
-[S3.1] S3 general purpose buckets should have block public access settings enabled[S3.2] S3 general purpose buckets should block public read access[S3.3] S3 general purpose buckets should block public write access[S3.5] S3 general purpose buckets should require requests to use SSL[S3.6] S3 general purpose bucket policies should restrict access to other AWS accounts[S3.7] S3 general purpose buckets should use cross-Region replication[S3.8] S3 general purpose buckets should block public access[S3.9] S3 general purpose buckets should have server access logging enabled[S3.10] S3 general purpose buckets with versioning enabled should have Lifecycle configurations[S3.11] S3 general purpose buckets should have event notifications enabled[S3.12] ACLs should not be used to manage user access to S3 general purpose buckets[S3.13] S3 general purpose buckets should have Lifecycle configurations[S3.14] S3 general purpose buckets should have versioning enabled[S3.15] S3 general purpose buckets should have Object Lock enabled[S3.17] S3 general purpose buckets should be encrypted at rest with AWS KMS keys[S3.19] S3 access points should have block public access settings enabled[S3.20] S3 general purpose buckets should have MFA delete enabled[S3.22] S3 general purpose buckets should log object-level write events[S3.23] S3 general purpose buckets should log object-level read events[S3.24] S3 Multi-Region Access Points should have block public access settings enabled
+[S3.1] S3 general purpose buckets should have block public access settings enabled[S3.2] S3 general purpose buckets should block public read access[S3.3] S3 general purpose buckets should block public write access[S3.5] S3 general purpose buckets should require requests to use SSL[S3.6] S3 general purpose bucket policies should restrict access to other AWS accounts[S3.7] S3 general purpose buckets should use cross-Region replication[S3.8] S3 general purpose buckets should block public access[S3.9] S3 general purpose buckets should have server access logging enabled[S3.10] S3 general purpose buckets with versioning enabled should have Lifecycle configurations[S3.11] S3 general purpose buckets should have event notifications enabled[S3.12] ACLs should not be used to manage user access to S3 general purpose buckets[S3.13] S3 general purpose buckets should have Lifecycle configurations[S3.14] S3 general purpose buckets should have versioning enabled[S3.15] S3 general purpose buckets should have Object Lock enabled[S3.17] S3 general purpose buckets should be encrypted at rest with AWS KMS keys[S3.19] S3 access points should have block public access settings enabled[S3.20] S3 general purpose buckets should have MFA delete enabled[S3.22] S3 general purpose buckets should log object-level write events[S3.23] S3 general purpose buckets should log object-level read events[S3.24] S3 Multi-Region Access Points should have block public access settings enabled[S3.25] S3 directory buckets should have lifecycle configurations
@@ -21 +21 @@ These AWS Security Hub controls evaluate the Amazon Simple Storage Service (Amaz
-**AWS Config rule:** [`s3-account-level-public-access-blocks-periodic`](https://docs.aws.amazon.com/config/latest/developerguide/s3-account-level-public-access-blocks-periodic.html)
+**AWS Config rule:** [s3-account-level-public-access-blocks-periodic](https://docs.aws.amazon.com/config/latest/developerguide/s3-account-level-public-access-blocks-periodic.html)
@@ -62 +62 @@ To enable Amazon S3 Block Public Access for your AWS account, see [Configuring b
-**AWS Config rule:** [`s3-bucket-public-read-prohibited`](https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-public-read-prohibited)
+**AWS Config rule:** [s3-bucket-public-read-prohibited](https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-public-read-prohibited)
@@ -90 +90 @@ To block public read access on your Amazon S3 buckets, see [Configuring block pu
-**AWS Config rule:** [`s3-bucket-public-write-prohibited`](https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-public-write-prohibited.html)
+**AWS Config rule:** [s3-bucket-public-write-prohibited](https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-public-write-prohibited.html)
@@ -118 +118 @@ To block public write access on your Amazon S3 buckets, see [Configuring block p
-**AWS Config rule:** [`s3-bucket-ssl-requests-only`](https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-ssl-requests-only.html)
+**AWS Config rule:** [s3-bucket-ssl-requests-only](https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-ssl-requests-only.html)
@@ -169 +169 @@ For more information, see [What S3 bucket policy should I use to comply with the
-**AWS Config** rule: [`s3-bucket-blacklisted-actions-prohibited`](https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-blacklisted-actions-prohibited.html)
+**AWS Config** rule: [s3-bucket-blacklisted-actions-prohibited](https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-blacklisted-actions-prohibited.html)
@@ -209 +209 @@ On the **Edit bucket policy** page, in the policy editing text box, take one of
-**AWS Config rule:** [`s3-bucket-cross-region-replication-enabled`](https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-cross-region-replication-enabled.html)
+**AWS Config rule:** [s3-bucket-cross-region-replication-enabled](https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-cross-region-replication-enabled.html)
@@ -235 +235 @@ To enable Cross-Region Replication on an S3 bucket, see [Configuring replication
-**AWS Config rule:** [`s3-bucket-level-public-access-prohibited`](https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-level-public-access-prohibited.html)
+**AWS Config rule:** [s3-bucket-level-public-access-prohibited](https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-level-public-access-prohibited.html)
@@ -277 +277 @@ For information on how to remove public access at a bucket level, see [Blocking
-**AWS Config rule:** [`s3-bucket-logging-enabled`](https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-logging-enabled.html)
+**AWS Config rule:** [s3-bucket-logging-enabled](https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-logging-enabled.html)
@@ -301 +301 @@ To enable Amazon S3 server access logging, see [Enabling Amazon S3 server access
-**AWS Config rule:** [`s3-version-lifecycle-policy-check`](https://docs.aws.amazon.com/config/latest/developerguide/s3-version-lifecycle-policy-check.html)
+**AWS Config rule:** [s3-version-lifecycle-policy-check](https://docs.aws.amazon.com/config/latest/developerguide/s3-version-lifecycle-policy-check.html)
@@ -325 +325 @@ For more information on configuring lifecycle on an Amazon S3 bucket, see [Setti
-**AWS Config rule:** [`s3-event-notifications-enabled`](https://docs.aws.amazon.com/config/latest/developerguide/s3-event-notifications-enabled.html)
+**AWS Config rule:** [s3-event-notifications-enabled](https://docs.aws.amazon.com/config/latest/developerguide/s3-event-notifications-enabled.html)
@@ -353 +353 @@ For information about detecting changes to S3 buckets and objects, see [Amazon S
-**AWS Config rule:** [`s3-bucket-acl-prohibited`](https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-acl-prohibited.html)
+**AWS Config rule:** [s3-bucket-acl-prohibited](https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-acl-prohibited.html)
@@ -379 +379 @@ To create an S3 bucket policy, see [Adding a bucket policy by using the Amazon S
-**AWS Config rule:** [`s3-lifecycle-policy-check`](https://docs.aws.amazon.com/config/latest/developerguide/s3-lifecycle-policy-check.html)
+**AWS Config rule:** [s3-lifecycle-policy-check](https://docs.aws.amazon.com/config/latest/developerguide/s3-lifecycle-policy-check.html)
@@ -409 +409 @@ For information about configuring lifecycle policies on an Amazon S3 bucket, see
-**AWS Config rule:** [`s3-bucket-versioning-enabled`](https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-versioning-enabled.html)
+**AWS Config rule:** [s3-bucket-versioning-enabled](https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-versioning-enabled.html)
@@ -437 +437 @@ To use versioning on an S3 bucket, see [Enabling versioning on buckets](https://
-**AWS Config rule:** [`s3-bucket-default-lock-enabled`](https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-default-lock-enabled.html) ``
+**AWS Config rule:** [s3-bucket-default-lock-enabled](https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-default-lock-enabled.html)
@@ -465 +465 @@ To configure Object Lock for new and existing S3 buckets, see [Configuring S3 Ob
-**AWS Config rule:** [`s3-default-encryption-kms`](https://docs.aws.amazon.com/config/latest/developerguide/s3-default-encryption-kms.html) ``
+**AWS Config rule:** [s3-default-encryption-kms](https://docs.aws.amazon.com/config/latest/developerguide/s3-default-encryption-kms.html)
@@ -489 +489 @@ To encrypt an S3 bucket using SSE-KMS, see [Specifying server-side encryption wi
-**AWS Config rule:** [`s3-access-point-public-access-blocks`](https://docs.aws.amazon.com/config/latest/developerguide/s3-access-point-public-access-blocks.html) ``
+**AWS Config rule:** [s3-access-point-public-access-blocks](https://docs.aws.amazon.com/config/latest/developerguide/s3-access-point-public-access-blocks.html)
@@ -513 +513 @@ Amazon S3 currently doesn't support changing an access point's block public acce
-**AWS Config rule:** [`s3-bucket-mfa-delete-enabled`](https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-mfa-delete-enabled.html)
+**AWS Config rule:** [s3-bucket-mfa-delete-enabled](https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-mfa-delete-enabled.html)
@@ -541 +541 @@ For information about enabling versioning and configuring MFA delete for an S3 b
-**AWS Config rule:** [`cloudtrail-all-write-s3-data-event-check`](https://docs.aws.amazon.com/config/latest/developerguide/cloudtrail-all-write-s3-data-event-check.html) ``
+**AWS Config rule:** [cloudtrail-all-write-s3-data-event-check](https://docs.aws.amazon.com/config/latest/developerguide/cloudtrail-all-write-s3-data-event-check.html)
@@ -565 +565 @@ To enable object-level logging for S3 buckets, see [Enabling CloudTrail event lo
-**AWS Config rule:** [`cloudtrail-all-read-s3-data-event-check`](https://docs.aws.amazon.com/config/latest/developerguide/cloudtrail-all-read-s3-data-event-check.html) ``
+**AWS Config rule:** [cloudtrail-all-read-s3-data-event-check](https://docs.aws.amazon.com/config/latest/developerguide/cloudtrail-all-read-s3-data-event-check.html)
@@ -602,0 +603,26 @@ By default, all Block Public Access settings are enabled for an S3 Multi-Region
+## [S3.25] S3 directory buckets should have lifecycle configurations
+
+**Category:** Protect > Data Protection
+
+**Severity:** Low
+
+**Resource type:** `AWS::S3Express::DirectoryBucket`
+
+**AWS Config rule:** [s3express-dir-bucket-lifecycle-rules-check](https://docs.aws.amazon.com/config/latest/developerguide/s3express-dir-bucket-lifecycle-rules-check.html)
+
+**Schedule type:** Change triggered
+
+**Parameters:**
+
+Parameter | Description | Type | Allowed custom values | Security Hub default value  
+---|---|---|---|---  
+`targetExpirationDays` |  The number of days, after object creation, when objects should expire. |  Integer |  `1` to `2147483647` |  No default value  
+  
+This control checks whether lifecycle rules are configured for an S3 directory bucket. The control fails if lifecycle rules aren't configured for the directory bucket, or a lifecycle rule for the bucket specifies expiration settings that don't match the parameter value that you optionally specify.
+
+In Amazon S3, a lifecycle configuration is a set of rules that define actions for Amazon S3 to apply to a group of objects in a bucket. For an S3 directory bucket, you can create a lifecycle rule that specifies when objects expire based on age (in days). You can also create a lifecycle rule that deletes incomplete multipart uploads. Unlike other types of S3 buckets, such as general purpose buckets, directory buckets do not support other types of actions for lifecycle rules, such as transitioning objects between storage classes.
+
+### Remediation
+
+To define a lifecycle configuration for an S3 directory bucket, create a lifecycle rule for the bucket. For more information, see [Creating and managing a lifecycle configuration for your directory bucket](https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-bucket-create-lc.html) in the _Amazon Simple Storage Service User Guide_.
+