Lifecycle Workflow and Security Considerations


Workflow for Lifecycle Rule Implementation

Lifecycle rules cannot be created or enabled on an S3 bucket while MFA-Delete is active: the two features are mutually exclusive, so MFA-Delete must be switched off before a lifecycle configuration can be applied.

  1. Disable MFA-Delete using the CLI command (the --mfa value is a single quoted string: the ARN of the root account's MFA device, a space, and the current code from that device; Status=Enabled keeps versioning on while MFADelete=Disabled turns off the MFA requirement):

    aws s3api put-bucket-versioning --bucket BUCKETNAME --versioning-configuration MFADelete=Disabled,Status=Enabled --mfa "arn:aws:iam::ACCOUNTID:mfa/root-account-mfa-device MFACODE" --endpoint-url=https://s3.BUCKETREGION.wasabisys.com --profile WASABIPROFILE
  2. Apply the lifecycle configuration. Lifecycle actions can be created or enabled using the Console or the following AWS CLI command, where lifecycle.json holds the rule set:

    aws s3api put-bucket-lifecycle-configuration --bucket BUCKETNAME --lifecycle-configuration file://lifecycle.json --endpoint-url=https://s3.BUCKETREGION.wasabisys.com --profile WASABIPROFILE
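The two steps above as one script, added here as an example and not part of the Wasabi documentation. It reads the bucket's current versioning state, disables MFA-Delete only when it is actually enabled, writes a lifecycle.json (standard S3 lifecycle syntax; confirm each rule type against the Wasabi lifecycle feature list for your account) and applies it. BUCKET, REGION, PROFILE, ACCOUNT_ID, MFA_CODE and the DRY_RUN switch are assumed operator-set variables; with DRY_RUN=1 (the default) the aws commands are printed, not executed.

```shell
#!/bin/sh
# Added example (not Wasabi's own code): MFA-Delete off, then lifecycle on.
# Assumed operator-supplied values; placeholders mirror the documentation.
set -eu

BUCKET="${BUCKET:-BUCKETNAME}"
REGION="${REGION:-BUCKETREGION}"
PROFILE="${PROFILE:-WASABIPROFILE}"
ACCOUNT_ID="${ACCOUNT_ID:-ACCOUNTID}"
MFA_CODE="${MFA_CODE:-MFACODE}"
DRY_RUN="${DRY_RUN:-1}"          # 1 = print aws commands instead of running them
ENDPOINT="https://s3.${REGION}.wasabisys.com"

# Run an aws command, or only print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'DRY RUN: %s\n' "$*"
    else
        "$@"
    fi
}

# Extract the MFADelete value from get-bucket-versioning JSON output.
# Prints "Enabled", "Disabled", or "Unset" when the key is absent
# (MFA-Delete was never turned on for the bucket).
mfa_delete_state() {
    _state=$(printf '%s' "$1" |
        sed -n 's/.*"MFADelete"[[:space:]]*:[[:space:]]*"\([A-Za-z]*\)".*/\1/p')
    printf '%s\n' "${_state:-Unset}"
}

# Write a lifecycle configuration to the given path: keep 30 days of
# noncurrent versions and abort multipart uploads left open for 7 days.
# These are the deletions MFA-Delete can no longer gate, so keep them narrow.
write_lifecycle_config() {
    cat > "$1" <<'EOF'
{
  "Rules": [
    {
      "ID": "expire-noncurrent-versions",
      "Status": "Enabled",
      "Filter": {},
      "NoncurrentVersionExpiration": { "NoncurrentDays": 30 },
      "AbortIncompleteMultipartUpload": { "DaysAfterInitiation": 7 }
    }
  ]
}
EOF
}

main() {
    if [ "$DRY_RUN" = "1" ]; then
        state="Enabled"   # dry run: assume the worst case so step 1 is shown
    else
        state=$(mfa_delete_state "$(aws s3api get-bucket-versioning \
            --bucket "$BUCKET" --endpoint-url "$ENDPOINT" --profile "$PROFILE")")
    fi
    echo "MFA-Delete state on $BUCKET: $state"

    # Step 1: only touch versioning configuration if MFA-Delete is really on.
    if [ "$state" = "Enabled" ]; then
        run aws s3api put-bucket-versioning --bucket "$BUCKET" \
            --versioning-configuration MFADelete=Disabled,Status=Enabled \
            --mfa "arn:aws:iam::${ACCOUNT_ID}:mfa/root-account-mfa-device ${MFA_CODE}" \
            --endpoint-url "$ENDPOINT" --profile "$PROFILE"
    fi

    # Step 2: apply the lifecycle rules, then read them back to confirm.
    write_lifecycle_config lifecycle.json
    run aws s3api put-bucket-lifecycle-configuration --bucket "$BUCKET" \
        --lifecycle-configuration file://lifecycle.json \
        --endpoint-url "$ENDPOINT" --profile "$PROFILE"
    run aws s3api get-bucket-lifecycle-configuration --bucket "$BUCKET" \
        --endpoint-url "$ENDPOINT" --profile "$PROFILE"
}

if [ "${1:-}" = "apply" ]; then
    main
fi
```

Invoke as `sh lifecycle.sh apply` to see the commands, and `DRY_RUN=0 MFA_CODE=123456 sh lifecycle.sh apply` to execute them; the MFA code is single-use, so the script asks for the versioning state before spending it.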

Security Considerations

When disabling MFA-Delete to make room for lifecycle rules:

  • Review every deletion policy carefully. Once MFA-Delete is off, an Expiration or NoncurrentVersionExpiration rule removes data with no second factor in the way, so check the rule scope (prefix, filter, day counts) before applying it.

  • Restrict the s3:DeleteObject and s3:DeleteObjectVersion actions with bucket policies, using condition keys to limit which principals may delete and under what conditions.

  • If needed, enable bucket logging so deletion events are recorded and can be reviewed.

  • Consider Object Lock as an alternative protection for data that must not be deleted.
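A compensating bucket policy of the kind the second point suggests, added as an example and not taken from the Wasabi documentation: it denies s3:DeleteObject and s3:DeleteObjectVersion to everyone except one named break-glass IAM user, so manual deletes are again confined to a single controlled identity while lifecycle rules, which the storage service runs itself rather than as a policy-governed principal, continue to work. The variable names, the user name `deletion-admin` and the use of the `aws:username` condition key are assumptions; confirm the key is honoured by the Wasabi bucket-policy engine before relying on it.

```shell
#!/bin/sh
# Added example (not Wasabi's own code): delete-guard bucket policy for a
# bucket whose MFA-Delete had to be switched off for lifecycle rules.
set -eu

BUCKET="${BUCKET:-BUCKETNAME}"
ACCOUNT_ID="${ACCOUNT_ID:-ACCOUNTID}"              # assumed, for the ARN comment below
BREAK_GLASS_USER="${BREAK_GLASS_USER:-deletion-admin}"   # assumed user name
REGION="${REGION:-BUCKETREGION}"
PROFILE="${PROFILE:-WASABIPROFILE}"
ENDPOINT="https://s3.${REGION}.wasabisys.com"

# Print the policy JSON for the given bucket and break-glass user name.
# Deny + StringNotEquals also catches anonymous and root requests, which carry
# no aws:username at all, so only the named IAM user can delete.
render_delete_guard_policy() {
    bucket="$1"
    user="$2"
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyDeleteExceptBreakGlass",
      "Effect": "Deny",
      "Principal": "*",
      "Action": ["s3:DeleteObject", "s3:DeleteObjectVersion"],
      "Resource": "arn:aws:s3:::${bucket}/*",
      "Condition": { "StringNotEquals": { "aws:username": "${user}" } }
    }
  ]
}
EOF
}

# Preflight: succeed only if the rendered policy carries an explicit Deny
# that names s3:DeleteObjectVersion, the action that removes versions for good.
policy_denies_version_delete() {
    printf '%s' "$1" | grep -q '"Effect": "Deny"' &&
    printf '%s' "$1" | grep -q 's3:DeleteObjectVersion'
}

if [ "${1:-}" = "apply" ]; then
    policy=$(render_delete_guard_policy "$BUCKET" "$BREAK_GLASS_USER")
    policy_denies_version_delete "$policy" || {
        echo "refusing to apply: policy lacks the delete guard" >&2
        exit 1
    }
    printf '%s\n' "$policy" > delete-guard-policy.json
    # Break-glass user ARN, for the change record: arn:aws:iam::${ACCOUNT_ID}:user/${BREAK_GLASS_USER}
    aws s3api put-bucket-policy --bucket "$BUCKET" \
        --policy file://delete-guard-policy.json \
        --endpoint-url "$ENDPOINT" --profile "$PROFILE"
fi
```

Run `sh delete-guard.sh apply` after step 2. The Deny does not cover s3:DeleteBucketPolicy or s3:PutBucketPolicy, so the policy can still be replaced or removed when a bulk cleanup is genuinely needed; that change should itself be logged and reviewed.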

This constraint exists because lifecycle actions run automatically under the storage service's own authority: no MFA code is ever presented for the deletions they perform, so permitting them on an MFA-Delete bucket would let an automated rule do exactly what MFA-Delete exists to gate. Administrators must therefore choose between automated lifecycle management and MFA-gated manual deletion controls.