By using AWS re:Post, you agree to the AWS re:Post Terms of Use

S3 Lifecycle cannot apply to S3 objects which are uploaded by unsigned requests.

0

I created a S3 Lifecycle rule to delete expired object, and uploaded S3 object with aws cli aws s3 cp hello-unsigned.txt s3://bucket/ --no-signed-request --endpoint-url https://bucket.s3-vpce/. The S3 object was uploaded successfully, but didn't show any information about expiration rule and expiration date in Management configurations block. I uploaded another S3 object using aws s3 cp hello-signed.txt s3://bucket/ --endpoint-url https://bucket.s3-vpce/. This S3 object was applied Lifecycle rule. Is this a bug or normal behavior about unsigned S3 object? Or I misconfiguration on any steps?

asked 3 years ago382 views
1 Answer
2
Accepted Answer

Hello!

The issue you're experiencing is caused by not being the owner of the objects that are uploaded with an unsigned request via the CLI, which causes the objects to not be applied to the lifecycle rule. Here are a few options we can do to ensure you own the objects in the bucket:

  • [1] Configure Enforced Bucket Ownership (ACL's disabled)
  • [2] Your bucket policy can require bucket-owner-full-control (ACL's enabled)

Note: Configuring Enforced Bucket Ownership is considered best practice for S3 Buckets but be aware that it will disable legacy ACL's for that bucket, potentially causing you to use a bucket policy (if you want to make certain objects public and they were previously made public by ACL).

Resources:

[1] https://docs.aws.amazon.com/AmazonS3/latest/userguide/about-object-ownership.html

profile pictureAWS
answered a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions