S3 Lifecycle cannot apply to S3 objects which are uploaded by unsigned requests.

0

I created an S3 Lifecycle rule to delete expired objects, and uploaded an S3 object with the AWS CLI: aws s3 cp hello-unsigned.txt s3://bucket/ --no-signed-request --endpoint-url https://bucket.s3-vpce/. The S3 object was uploaded successfully, but it didn't show any information about the expiration rule or expiration date in the Management configurations block. I uploaded another S3 object using aws s3 cp hello-signed.txt s3://bucket/ --endpoint-url https://bucket.s3-vpce/. The Lifecycle rule was applied to this S3 object. Is this a bug or normal behavior for unsigned S3 objects? Or did I misconfigure one of the steps?

Eddie
Asked 2 years ago · 291 views
1 Answer
2
Accepted Answer

Hello!

The issue you're experiencing is caused by not being the owner of the objects that are uploaded with an unsigned request via the CLI, which causes the lifecycle rule not to be applied to the objects. Here are a few options to ensure you own the objects in the bucket:

  • [1] Configure Enforced Bucket Ownership (ACLs disabled)
  • [2] Your bucket policy can require bucket-owner-full-control (ACLs enabled)

Note: Configuring Enforced Bucket Ownership is considered best practice for S3 buckets, but be aware that it will disable legacy ACLs for that bucket, potentially causing you to use a bucket policy (if you want to make certain objects public and they were previously made public by ACL).

Resources:

[1] https://docs.aws.amazon.com/AmazonS3/latest/userguide/about-object-ownership.html

AWS
Answered 9 months ago
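
The two options named in the answer above, plus an ownership audit, as an added example that is not part of the original thread or AWS's own code. The bucket name `bucket`, the function names and the sample owner IDs are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. BUCKET is a placeholder name.
BUCKET="${BUCKET:-bucket}"

# Option [1]: bucket owner enforced. ACLs are disabled and the bucket owner
# owns every object in the bucket, however it was uploaded.
enforce_bucket_owner() {
  aws s3api put-bucket-ownership-controls --bucket "$BUCKET" \
    --ownership-controls 'Rules=[{ObjectOwnership=BucketOwnerEnforced}]'
}

# Option [2]: statement that rejects any PutObject not carrying the
# bucket-owner-full-control canned ACL. Merge it into the existing bucket
# policy by hand: put-bucket-policy replaces the whole document. With ACLs
# enabled, ownership moves to the bucket owner only when Object Ownership
# is set to BucketOwnerPreferred.
require_full_control_statement() {
  cat <<EOF
{
  "Sid": "RequireBucketOwnerFullControl",
  "Effect": "Deny",
  "Principal": "*",
  "Action": "s3:PutObject",
  "Resource": "arn:aws:s3:::${BUCKET}/*",
  "Condition": {
    "StringNotEquals": { "s3:x-amz-acl": "bucket-owner-full-control" }
  }
}
EOF
}

# Key<TAB>OwnerID for every object, and the bucket owner's canonical ID.
list_owners() {
  aws s3api list-objects-v2 --bucket "$BUCKET" --fetch-owner \
    --query 'Contents[].[Key, Owner.ID]' --output text
}
bucket_owner_id() {
  aws s3api get-bucket-acl --bucket "$BUCKET" --query 'Owner.ID' --output text
}

# Filter: print keys on stdin whose owner differs from the ID given as $1.
foreign_owned() { awk -F '\t' -v me="$1" '$2 != me { print $1 }'; }

# Live audit: list_owners | foreign_owned "$(bucket_owner_id)"
# Offline demo on constructed listing output (owner IDs are made up):
printf 'hello-signed.txt\tOWNER111\nhello-unsigned.txt\tANON999\n' |
  foreign_owned OWNER111    # prints hello-unsigned.txt
```

Under option [2] the uploader has to add `--acl bucket-owner-full-control` to the `aws s3 cp` command, otherwise the upload is denied.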
