---
title: An AWS S3 bucket lifecycle policy expiration is set to < 90 days
description: Datadog, the leading service for cloud-scale monitoring.
---

# An AWS S3 bucket lifecycle policy expiration is set to < 90 days

Classification: attack; Tactic: [TA0005-defense-evasion](https://attack.mitre.org/tactics/TA0005); Technique: [T1562-impair-defenses](https://attack.mitre.org/techniques/T1562)

## Goal{% #goal %}

Detect when an S3 bucket has a lifecycle configuration set with an expiration policy of less than 90 days.

## Strategy{% #strategy %}

Look for `@requestParameters.LifecycleConfiguration.Rule.Expiration.Days:<90` in your CloudTrail logs.

**NOTE**: Scope this rule to the logs that this policy applies to. The `@requestParameters.LifecycleConfiguration.Rule.Expiration.Days` key path must be set as a measure in order to run the query.

## Triage & response{% #triage--response %}

1. Determine if `{{@evt.name}}` should have occurred on the `{{@requestParameters.bucketName}}` bucket by `username:` `{{@userIdentity.sessionContext.sessionIssuer.userName}}`, `accountId:` `{{@userIdentity.accountId}}` of `type:` `{{@userIdentity.assumed_role}}`, and whether the `{{@requestParameters.bucketName}}` bucket should have a file expiration of less than 90 days.
1. If `{{@requestParameters.bucketName}}` is equal to `{{@aws.s3.bucket}}`, the CloudTrail bucket, consider escalating to higher severity and investigating further.
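
The check above and the escalation in the second triage step can be reproduced offline against exported CloudTrail records. The following is an added example, not Datadog's rule implementation: the function names, the `cloudtrail_bucket` parameter and the sample records are constructed for illustration, and it assumes `Rule` may be logged either as a single object or as a list.

```python
import json

THRESHOLD_DAYS = 90  # threshold used by the rule

def rule(days=None):
    """Build a constructed lifecycle rule; days=None means no Expiration.Days."""
    return {"Status": "Enabled", "Expiration": {"Days": days} if days is not None else {}}

def event(bucket, rules):
    """Build a constructed CloudTrail record with only the fields used here."""
    return json.dumps({
        "eventName": "PutBucketLifecycle",
        "userIdentity": {"accountId": "111111111111"},
        "requestParameters": {"bucketName": bucket,
                              "LifecycleConfiguration": {"Rule": rules}},
    })

# Constructed sample log lines (not real CloudTrail data).
SAMPLE_LINES = [
    event("example-app-data", rule(7)),                       # single rule as object
    event("example-cloudtrail-logs", [rule(365), rule(30)]),  # several rules as list
    event("example-archive", rule(180)),                      # above the threshold
    event("example-archive", rule()),                         # no Expiration.Days
]

def short_expirations(record):
    """Return every Expiration.Days value below THRESHOLD_DAYS in the request."""
    params = record.get("requestParameters") or {}
    rules = (params.get("LifecycleConfiguration") or {}).get("Rule") or []
    if isinstance(rules, dict):  # assumption: one rule is an object, several a list
        rules = [rules]
    found = []
    for r in rules:
        days = (r.get("Expiration") or {}).get("Days")
        if days is not None and int(days) < THRESHOLD_DAYS:
            found.append(int(days))
    return found

def evaluate(line, cloudtrail_bucket):
    """Return a finding dict for a matching log line, else None."""
    record = json.loads(line)
    days = short_expirations(record)
    if not days:
        return None
    bucket = (record.get("requestParameters") or {}).get("bucketName")
    return {"bucket": bucket, "days": days,
            "account": (record.get("userIdentity") or {}).get("accountId"),
            "escalate": bucket == cloudtrail_bucket}  # second triage step

def scan(lines, cloudtrail_bucket):
    """Evaluate each log line and keep only the findings."""
    return [f for f in (evaluate(l, cloudtrail_bucket) for l in lines) if f]
```

Calling `scan(SAMPLE_LINES, "example-cloudtrail-logs")` returns two findings, and only the one for the bucket that stores the trail has `escalate` set.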
