Configuring AWS's Amazon S3 for storage and Cloudfront for CDNs

Community wiki Sysadmins
,
1

The editing in draft mode is getting a bit wonky so I am publishing prematurely. Hopefully the wonkiness, love that word, will abate. For those up for reviewing and providing feedback, thanks in advance.

So you want to use AWS’s Amazon S3 for storage, Cloudfront for CDNs and ??? Hopefully this guide be helpful when configuring a need improvement here. Please let us know if something needs an adjustment, an improvement, or does not make sense.

Getting Started
Naming Strategy

AWS Configuration

Discourse Configuration

FAQ
Resources
To-Do

Getting Started

You will need:

  1. A self hosted Discourse instance with app.yml access
  2. AWS account
  3. ???

Naming Strategy

There are many places to make mistakes. Using a naming convention strategy that makes sense to you and perhaps others will help you with troubleshooting especially if you are configuring multiple Discourse instances.

  • IAM user: your-iam-user
  • Policy: s3-discourse-policy-your-iam-user
  • Backups bucket: yourdomain-subdomain-backups
  • Uploads bucket: yourdomain-subdomain-uploads
  • Distribution CDNs: cdn-yourdomain-subdomain and s3-yourdomain-subdomain-uploads

Optional: Configuration process bucket: a-origin-config-bucket

AWS Configuration

Use the default settings in the AWS configuration pages unless instructed to do otherwise.

S3 Names, names, names

  • Discourse instance domain: subdomain.yourdomain.tld (subdomain.yourdomain.tld including www.yourdomain.tld)
  • IAM user: yourdomain-subdomain (yourdomain-discourse, yourdomain-forum or Discourse in apex/root: yourdomain-tld-www )
  • Policy for IAM user: s3-discourse-policy-yourdomain-subdomain
  • Uploads bucket: yourdomain-subdomain-uploads Note: Don’t forget to set “Everyone (public access)” to “Read” in Bucket>Permissions: Access control list-(ACL) Access control list (ACL)-Grantee.
  • Backups bucket: yourdomain-subdomain-backups
  • Distribution CDNs: cdn-yourdomain-subdomain and s3-yourdomain-subdomain-uploads
  • Configuration process bucket: a-origin-config-bucket

You can see how this strategy works in a real world example:

IAM Users

  1. Go to IAM > Users > Select “Create user” https://us-east-1.console.aws.amazon.com/iam/home?region=us-east-1#/users/create
  2. IAM > Users > Create user > Specify user details > User details > User name > Enter name i.e. your-iam-user > Select “Next”
  3. IAM > Users > Create user > Set permissions > Permissions options > Select “Attach policies directly” > Select “Create policy” > Opens Create policy page (Alternatively the policy can be created first in Policies then selected when creating the user in “Permissions policies”.)
  4. IAM > Users > Create user > Set permissions > Permissions policies > Filter by Type dropdown selector > Select “Customer managed” > Select the newly created policy > Select “Next” > Select “Create user”
  5. IAM > Users > your-iam-user > Security credentials > Access keys > Select “Create access key”
  6. IAM > Users > your-iam-user > Create access key > Access key best practices & alternatives > Select “Other” > Select “Next”
  7. IAM > Users > your-iam-user > Create access key > Set description tag > Select “Create access key”
  8. IAM > Users > your-iam-user > Create access key > Retrieve access keys > Safely save Access key and Secret access key for use in Discourse app.yml > Select “Done”

Policies

  1. Modify s3-discourse-policy-your-iam-user.txt with your IAM user name and bucket names.
  2. Go to IAM > Policies > Create policy
  3. IAM > Policies > Create policy > Specify permissions > Policy editor > Select “JSON” in Policy editor > Copy policy from s3-discourse-policy-your-iam-user.txt and paste into JSON editor copying over existing JSON > Select “Next”
  4. IAM > Policies > Create policy > Review and create > Policy details > Policy name > Enter Policy name i.e. s3-discourse-policy-your-iam-user > Select “Next”
  5. Go to IAM Users : 4. IAM > Users > Create user to continue the create user process

Amazon S3 Buckets

Create and configure the backups bucket, uploads bucket, and the optional but useful configuration process bucket.

Create the backups bucket yourdomain-subdomain-backups

  1. Go to Amazon S3 Buckets > Select “Create bucket
  2. Amazon S3 > Buckets > Create bucket > General configuration > Confirm “General Purpose” selection
  3. Amazon S3 > Buckets > Create bucket > General configuration > Bucket name > Enter backups bucket name i.e. yourdomain-subdomain-backups
  4. Amazon S3 > Buckets > Create bucket > General configuration > Confirm “ACLs disabled (recommended)” selection
  5. Amazon S3 > Buckets > Create bucket > Block Public Access settings for this bucket > Deselect “Block all public access” then Select “Block public access to buckets and objects granted through new public bucket or access point policies” and “Block public and cross-account access to buckets and objects through any public bucket or access point policies”
  6. Amazon S3 > Buckets > Create bucket > Block Public Access settings for this bucket > Turning off block all public access might result in this bucket and the objects within becoming public > Select “I acknowledge that the current settings might result in this bucket and the objects within becoming public.”
  7. Amazon S3 > Buckets > Create bucket > Bucket Versioning > Bucket Versioning > Select “Enable” Info: Bucket Versioning is required for “Lifecycle rules”
  8. Amazon S3 > Buckets > Create bucket > Select “Create bucket”

Lifecycle rules configuration

Backup Retention Rule

  1. Amazon S3 > Buckets > Select newly created bucket i.e. yourdomain-subdomain-backups
  2. Amazon S3 > Buckets > yourdomain-subdomain-backups > Management > Lifecycle configuration > Select “Create lifecycle rule”
  3. Amazon S3 > Buckets > yourdomain-subdomain-backups > Management > Lifecycle configuration > Lifecycle rule name > Enter rule name i.e. backup retention
  4. Amazon S3 > Buckets > yourdomain-subdomain-backups > Management > Lifecycle configuration > Choose a rule scope > Select “Apply to all objects in the bucket”
  5. Amazon S3 > Buckets > yourdomain-subdomain-backups > Management > Lifecycle configuration > Choose a rule scope > Apply to all objects in the bucket > Select “I acknowledge that this rule will apply to all objects in the bucket.”
  6. Amazon S3 > Buckets > yourdomain-subdomain-backups > Management > Lifecycle configuration > Lifecycle rule actions > Select “Transition noncurrent versions of objects between storage classes”, “Expire current versions of objects”, and “Permanently delete noncurrent versions of objects”
  7. Amazon S3 > Buckets > yourdomain-subdomain-backups > Management > Lifecycle configuration > Lifecycle rule actions > Transitions are charged per request > Select “I acknowledge that this lifecycle rule will incur a transition cost per request.”
  8. Amazon S3 > Buckets > yourdomain-subdomain-backups > Management > Lifecycle configuration > Transition noncurrent versions of objects between storage classes > Choose storage class transitions > Select “Glacier Instant Retrieval”
  9. Amazon S3 > Buckets > yourdomain-subdomain-backups > Management > Lifecycle configuration > Transition noncurrent versions of objects between storage classes > Days after objects become noncurrent > Enter “1”
  10. Amazon S3 > Buckets > yourdomain-subdomain-backups > Management > Lifecycle configuration > Expire current versions of objects > Days after object creation > Enter “7” or 15 or 30 or ??? See FAQ or discussion
  11. Amazon S3 > Buckets > yourdomain-subdomain-backups > Management > Lifecycle configuration > Permanently delete noncurrent versions of objects > Days after objects become noncurrent > Enter “91”
  12. Amazon S3 > Buckets > yourdomain-subdomain-backups > Management > Lifecycle configuration > Confirm “Review transition and expiration actions” is correct > Select “Create rule”

Cleanup Rule

  1. Amazon S3 > Buckets > yourdomain-subdomain-backups > Management > Lifecycle configuration > Select “Create lifecycle rule”
  2. Amazon S3 > Buckets > yourdomain-subdomain-backups > Management > Lifecycle configuration > Lifecycle rule name > Enter rule name cleanup
  3. Amazon S3 > Buckets > yourdomain-subdomain-backups > Management > Lifecycle configuration > Choose a rule scope > Select “Apply to all objects in the bucket”
  4. Amazon S3 > Buckets > yourdomain-subdomain-backups > Management > Lifecycle configuration > Choose a rule scope > Apply to all objects in the bucket > Select “I acknowledge that this rule will apply to all objects in the bucket.”
  5. Amazon S3 > Buckets > yourdomain-subdomain-backups > Management > Lifecycle configuration > Lifecycle rule actions > Select “Permanently delete noncurrent versions of objects” and “Delete expired object delete markers or incomplete multipart uploads”
  6. Amazon S3 > Buckets > yourdomain-subdomain-backups > Management > Lifecycle configuration > Permanently delete noncurrent versions of objects > Days after objects become noncurrent > Enter “92”
  7. Amazon S3 > Buckets > yourdomain-subdomain-backups > Management > Lifecycle configuration > Permanently delete noncurrent versions of objects > Delete expired object delete markers or incomplete multipart uploads > Expired object delete markers > Select “Delete expired object delete markers”
  8. Amazon S3 > Buckets > yourdomain-subdomain-backups > Management > Lifecycle configuration > Permanently delete noncurrent versions of objects > Delete expired object delete markers or incomplete multipart uploads > Incomplete multipart uploads > Select “Delete incomplete multipart uploads”
  9. Amazon S3 > Buckets > yourdomain-subdomain-backups > Management > Lifecycle configuration > Permanently delete noncurrent versions of objects > Delete expired object delete markers or incomplete multipart uploads > Incomplete multipart uploads > Delete incomplete multipart uploads > Number of days > Enter “3” or ???
  10. Amazon S3 > Buckets > yourdomain-subdomain-backups > Management > Lifecycle configuration > Confirm “Review transition and expiration actions” is correct > Select “Create rule”

Create the uploads bucket yourdomain-subdomain-uploads

  1. Go to Amazon S3 > Buckets > Select “Create bucket
  2. Amazon S3 > Buckets > Create bucket > General configuration > Confirm “General Purpose” selection
  3. Amazon S3 > Buckets > Create bucket > General configuration > Bucket name > Enter uploads bucket name i.e. yourdomain-subdomain-uploads
  4. Amazon S3 > Buckets > Create bucket > General configuration Select “ACLs enabled”
  5. Amazon S3 > Buckets > Create bucket > Block Public Access settings for this bucket > Deselect “Block all public access” then Select “Block public access to buckets and objects granted through new public bucket or access point policies” and “Block public and cross-account access to buckets and objects through any public bucket or access point policies”
  6. Amazon S3 > Buckets > Create bucket > Block Public Access settings for this bucket > Turning off block all public access might result in this bucket and the objects within becoming public > Select “I acknowledge that the current settings might result in this bucket and the objects within becoming public.”
  7. Amazon S3 > Buckets > Create bucket > Select “Create bucket”
  8. Amazon S3 > Buckets > Buckets screen > Select newly created bucket i.e. yourdomain-subdomain-uploads
    Return to do step 9 after creating Distribution #2
  9. Amazon S3 > Buckets > yourdomain-subdomain-uploads > Permissions > Bucket policy > Select Edit > Paste JSON from Create distribution #2 11. CloudFront > Distributions > Distribution ID > Edit origin > Origin access control > Select “Save changes”
  10. Amazon S3 > Buckets > yourdomain-subdomain-uploads > Permissions > Access control list (ACL) > Select Edit > Everyone (public access) > Select “Read” > When you grant access to the Everyone or Authenticated users group grantees, anyone in the world can access the objects in this bucket. Select “I understand the effects of these changes on my objects and buckets.” > Select “Save changes”

Create a configuration process bucket a-origin-config-bucket

Create a bucket to be used during Distribution #1 configuration process. Name and configuration are unimportant since the bucket is only used temporarily as an initial origin which will be deleted during the configuration process.

  1. Go to Amazon S3 > Buckets > Select “Create bucket
  2. Amazon S3 > Buckets > Create bucket > General configuration > Confirm “General Purpose” selection
  3. Amazon S3 > Buckets > Create bucket > General configuration > Bucket name > Enter uploads bucket name i.e. a-origin-config-bucket
  4. Toggle through the configuration pages and “Create bucket”

CloudFront Distributions

Create two AWS S3 Cloudfront distributions. One to serve website assets and the second to serve uploads bucket assets.

Create distribution #1

  Distribution #1
    DISCOURSE_CDN_URL
      Distribution name: cdn-yourdomain-subdomain
      Origin: subdomain.yourdomain.tld
      Distribution domain name (Cloudfront URL): AWS-assigned.cloudfront.net
      Alternate domain names: discourse-cdn.yourdomain.tld
  1. Go to CloudFront > Distributions > Select “Create
  2. CloudFront > Distributions > Create distribution > Choose a plan > Select “Pay as you go” > Select “Next”
  3. CloudFront > Distributions > Create distribution > Get started > Distribution options > Distribution name > Enter distribution name i.e. cdn-yourdomain-subdomain
  4. CloudFront > Distributions > Create distribution > Get started > Distribution options > Description - optional > Enter “cdn-yourdomain-subdomain” (Optional but helps with visibilty)
  5. CloudFront > Distributions > Create distribution > Get started > Distribution options > Distribution type > Confirm “Single website or app” selection > Select “Next”
  6. CloudFront > Distributions > Create distribution > Specify origin > Origin type > Confirm “Amazon S3” selection
  7. CloudFront > Distributions > Create distribution > Specify origin > Origin > S3 origin > Select “Browse S3” > Select the configuration process bucket “a-origin-config-bucket” > Select “Choose” > Select “Next”
  8. CloudFront > Distributions > Create distribution > Enable security > make your choices - for this guide > Select “Do not enable security protections” > Select “Next”
  9. CloudFront > Distributions > Create distribution > Review and create > Confirm "Review and create: is correct > Select “Create distribution” → Newly created distribution information page should open in CloudFront > Distributions > Distribution ID
  10. CloudFront > Distributions > Distribution ID > Origins > Select “Create origin” Info: The distribution requires the Discourse instance domain as the origin!
  11. CloudFront > Distributions > Distribution ID > Create origin > Settings > Origin domain > Enter discourse instance domain i.e. subdomain.yourdomain.tld > Select “Create origin”
  12. CloudFront > Distributions > Distribution ID > Behaviors > Select the lone behavior “Default (*)” > Select “Edit”
  13. CloudFront > Distributions > Distribution ID > Behaviors > Edit behavior > Settings > Origin and origin groups > Select the Custom origin “subdomain.yourdomain.tld” > Select “Save changes”
  14. CloudFront > Distributions > Distribution ID > Origins > Select the original origin “a-origin-config-bucket.s3.us-east-1.amazonaws.com” > Select “Delete” Info: The deployment must be complete, see CloudFront > Distributions > Distribution ID > Details > Last modified
    If using a branded CDN URL → Step 15
  15. CloudFront > Distributions > Distribution ID > Alternate domain names > Select “Add domain”
  16. CloudFront > Distributions > Distribution ID > Alternate domain names > Add domain > Configure domains > Domains > Domains to serve > Enter the DISCOURSE_CDN_URL i.e. discourse-cdn.yourdomain.tld > Select “Next”

Incomplete: Alternate domain names: discourse-cdn.yourdomain.tld

Create distribution #2

  Distribution #2
    DISCOURSE_S3_CDN_URL
      Distribution name: s3-yourdomain-subdomain-uploads
      Origin: yourdomain-subdomain-uploads
      Distribution domain name (Cloudfront URL: AWS-assigned.cloudfront.net
      Alternate domain names: s3-cdn.yourdomain.tld
  1. CloudFront > Distributions > Create distribution
  2. CloudFront > Distributions > Create distribution > Choose a plan > Select “Pay as you go” > Select “Next”
  3. CloudFront > Distributions > Create distribution > Get started > Distribution options > Distribution name > Enter distribution name i.e. s3-yourdomain-subdomain-uploads
  4. CloudFront > Distributions > Create distribution > Get started > Distribution options > Description - optional > Enter “s3-yourdomain-subdomain-uploads” (Optional but helps with visibilty)
  5. CloudFront > Distributions > Create distribution > Get started > Distribution options > Distribution type > Confirm “Single website or app” selection > Select “Next”
  6. CloudFront > Distributions > Create distribution > Specify origin > Origin type > Confirm “Amazon S3” selection
  7. CloudFront > Distributions > Create distribution > Specify origin > Origin > S3 origin > Select “Browse S3” > Select the uploads bucket “yourdomain-subdomain-uploads” > Select “Choose” > Select “Next”
  8. CloudFront > Distributions > Create distribution > Enable security > make your choices - for this guide > Select “Do not enable security protections” > Select “Next”
  9. CloudFront > Distributions > Create distribution > Review and create > Confirm "Review and create: is correct > Select “Create distribution” → Newly created distribution information page should open in CloudFront > Distributions > Distribution ID
  10. CloudFront > Distributions > Distribution ID > Origins > Select the origin > Select “Edit”
  11. CloudFront > Distributions > Distribution ID > Edit origin > Origin access control > ! You must allow access to CloudFront using this policy… > Select “Copy policy” > Go to Create the uploads bucket 9. Amazon S3 > Buckets > yourdomain-subdomain-uploads > Permissions > Bucket policy

Incomplete: Alternate domain names: s3-cdn.yourdomain.tld

Discourse Configuration

Current as of Discourse version: 2025.12.0-latest

Make these changes in Discourse Admin UI

Backups Settings /admin/backups/settings

  1. Maximum backups > Enter the number of backups to keep locally
  2. Backup with uploads > Select “Include uploads in scheduled backups. Disabling this will only backup the database.”

S3 Settings /admin/site_settings/category/all_results?filter=S3

  1. S3 use CDN URL for all uploads > Select “Use CDN URL for all the files uploaded to s3 instead of only for images.” (Discourse ships deselected)

Edit Config (app.yml) Unbranded URLs

Edit the app.yml making the changes below for branded URLs or unbranded Cloudfront URLs.

Discourse Unbranded URLs

Use this for unbranded Cloudfront distributions. Your DISCOURSE_S3_REGION might be different.
DISCOURSE_CDN_URL: https://amazonassigned.cloudfront.net

S3 storage config (unbranded)

## S3 storage config
DISCOURSE_USE_S3: true
DISCOURSE_S3_REGION:  us-east-1
DISCOURSE_S3_ACCESS_KEY_ID: key obfuscated
DISCOURSE_S3_SECRET_ACCESS_KEY: key obfuscated
DISCOURSE_S3_CDN_URL: https://amazonassigned.cloudfront.net
DISCOURSE_S3_BUCKET: your-bucket-name-uploads
DISCOURSE_S3_BACKUP_BUCKET: your-bucket-name-backups
DISCOURSE_BACKUP_LOCATION: s3

Discourse Branded URLs

DNS Configuration

If you prefer to use yourdomain.com based URLs for the CDNs you need to make some DNS changes and adjust your CDN URLs.

Tip: Don’t forget to add discourse-cdn.yourdomain.com and s3-cdn.yourdomain.com as a domain name in “Alternate domain names” for their respective Cloudfront distributions.

DNS config if you want to use domain branded Cloudfront distributions.

DISCOURSE_CDN_URL

Existing record:	A   discourseinstance.yourdomain.com   instance ip  Note: This is the existing Discourse install ip.
New record:		A   discourse-cdn-cloudfront.yourdomain.com   instance ip
New record: 		CNAME discourse-cdn.yourdomain.com  ->   amazonassigned.cloudfront.net

DISCOURSE_S3_CDN_URL

New record:		CNAME s3-cdn-cloudfront.yourdomain.com  ->   amazonassigned.cloudfront.net
New record: 	CNAME  s3-cdn.yourdomain.com  ->   s3-cdn-cloudfront.yourdomain.com

Edit Config (app.yml) Branded URLs

Once the DNS changes are complete you can edit your app.yml making the changes below.

Change DISCOURSE_CDN_URL and/or DISCOURSE_S3_CDN_URL if you are using domain CNAMES for the Cloudfront distribution (amazonassigned.cloudfront.net).

DISCOURSE_CDN_URL: https://discourse-cdn.yourdomain.com

S3 storage config (branded)

## S3 storage config
DISCOURSE_USE_S3: true
DISCOURSE_S3_REGION:  us-east-1
DISCOURSE_S3_ACCESS_KEY_ID: key obfuscated
DISCOURSE_S3_SECRET_ACCESS_KEY: key obfuscated
DISCOURSE_S3_CDN_URL: https://s3-cdn.yourdomain.com
DISCOURSE_S3_BUCKET: your-bucket-name-uploads
DISCOURSE_S3_BACKUP_BUCKET: your-bucket-name-backups
DISCOURSE_BACKUP_LOCATION: s3

Additional Config Edits (app.yml)

Regardless of which approach you use, branded or Cloudfront URLs, you will need the after_assets_precompile section below to ensure things stay updated during subsequent rebuilds.

  hooks:
    after_code:
      - exec:
          cd: $home/plugins
          cmd:
            - git clone https://github.com/discourse/docker_manager.git
            -you may have more plugins
    after_assets_precompile:
      - exec:
          cd: $home
          cmd:
            - sudo -E -u discourse bundle exec rake s3:upload_assets
            - sudo -E -u discourse bundle exec rake s3:expire_missing_assets

Rebuild your instance with ./launcher rebuild app

After ./launcher rebuild app completes successfully do these rakes.

./launcher enter app

rake posts:rebake
rake uploads:migrate_to_s3
rake posts:rebake_uncooked_posts

rake s3:upload_assets
rake s3:expire_missing_assets

If the rakes complete without errors then you are good to go.

On some sites the initial rebuild will fail with an error relating to s3:upload_assets. If this happens,

check “read” setting on uploads bucket. If correctly set then,

comment out or remove the after_assets_precompile section:

  after_assets_precompile:
      - exec:
          cd: $home
          cmd:
            - sudo -E -u discourse bundle exec rake s3:upload_assets
            - sudo -E -u discourse bundle exec rake s3:expire_missing_assets

and run ./launcher rebuild app again. Then run “rake s3:upload_assets” and “rake s3:expire_missing_assets”.

If both of the rakes complete without errors then re-add or uncomment the after_assets_precompile section, rebuild again and do the all the rakes listed above.

If either of the rakes give an error or the rebuild fails again you have something wrong in your app.yml and/or AWS S3 configs and/or DNS records. Happy hunting! :slight_smile:

FAQ

Getting Started FAQ

AWS FAQ

IAM User FAQ

S3 Buckets FAQ

  1. Why can’t I see the non-current backups in the backups bucket /Default folder?
  2. It has been many days since backups started disappearing from Backups /Default folder, where did they go?

S3 Distributions FAQ

Discourse Configuration FAQ

  1. Do I have to use app.yml if I only want to use S3 for backups?
  2. Why is using app.yml for using S3 the recommended approach?

Resources

To-Do

  1. Initial feedback based post publish edits
  2. Confirm approach in Cleanup rule
  3. Is there a more efficient way to replace a-origin-config-bucket with subdomain.yourdomain.tld in Create distribution #1 ??? Can selecting “Other” instead of “Amazon S3” as the Origin type in CloudFront > Distributions > Create distribution > Specify origin > Origin type work? Currently testing this approach again but still “no joy”.
  4. Better title
  5. Distribution #1 Need instructions Alternate domain names: discourse-cdn.yourdomain.tld
  6. Distribution #2 Need instructions Alternate domain names: s3-cdn.yourdomain.tld
  7. Create/find list of Discourse hosts
  8. Add screenshots
  9. Wrap initial round of edits
  10. Build FAQ
  11. Publish Discourse version here and in resource docs
  12. Update AWS_S3_Config.txt, s3-discourse-policy-your-iam-user.txt, AWS_S3_Config_Process.txt, Guide_AWS_S3_Config-sandbox.websystems360.txt, s3-discourse-policy-websystems360-sandbox.txt
Issues with AWS CDN and S3
2

OP reply for thoughts, comments, edit info, process and???

Response from AWS Support regarding: Confirmation of approach in Cleanup rule

I’ve reviewed your proposed Lifecycle rule configuration, and I’m pleased to confirm that your setup is well-designed and follows AWS best practices for backup bucket management.

========== Lifecycle Rule Assessment ==========

Your configuration is excellent and addresses the key areas for backup cleanup:

• Noncurrent Version Cleanup (92 days): This is a sensible retention period that balances storage costs with recovery needs. The 92-day retention provides ample time for backup validation while preventing indefinite storage accumulation.

• Expired Delete Markers Removal: Correctly configured to automatically clean up orphaned delete markers, which helps optimize storage costs and bucket performance.

• Incomplete Multipart Upload Cleanup (3 days): The 3-day setting is optimal - short enough to prevent storage waste from failed uploads, but long enough to accommodate legitimate large backup operations.

• Scope Application: Applying to “all objects in the bucket” is appropriate for dedicated backup buckets where all content follows the same lifecycle pattern.

Response from AWS Support regarding: Backup buckets lifecycle configuration

Review of S3 Lifecycle Configuration for Backup Buckets

I’ve analyzed your complete lifecycle configuration setup and can confirm that your “backup retention” rule is well-structured and follows AWS best practices for backup management.

Key findings from my investigation:

  • Your bucket has two complementary lifecycle rules that work together effectively
  • The “backup retention” rule properly handles current and noncurrent versions with appropriate timelines
  • The configuration includes cost-effective storage transitions for noncurrent versions
  • All rule components are correctly configured with appropriate timing parameters
  • The bucket is properly set up in us-east-1 with appropriate permissions

Configuration Assessment:

Your “backup retention” rule effectively manages your backup objects through their lifecycle:

  • Transitions noncurrent versions to Glacier Instant Retrieval after 1 day (cost optimization)
  • Expires current versions after 7 days (appropriate for regular backups)
  • Permanently deletes noncurrent versions after 91 days (good retention period)

This rule complements your “cleanup” rule which handles:

  • Removal of expired delete markers (prevents orphaned markers)
  • Cleanup of incomplete multipart uploads after 3 days (prevents storage waste)
  • Deletion of noncurrent versions after 92 days (ensures complete cleanup)

Both rules apply to all objects in the bucket, which is appropriate for dedicated backup storage where all content follows the same lifecycle pattern.

The 7-day expiration for current versions seems appropriate for regular backup scenarios, but you can adjust this based on your specific retention requirements (15 or 30 days if longer retention is needed).

Your implementation is complete and follows AWS best practices for S3 lifecycle management.