AWS data retention policies: Set them and stop worrying about compliance
Data lives forever until it doesn't. Then it doesn't exist when you need it. Retention policies are the guardrails. They define how long data stays and how it moves (hot to cold storage).
Why retention policies matter
Compliance requires retention. Legal discovery requires retention. Cost management hates retention (storage is expensive). Balance all three with a policy.
Financial data: 7 years retention for audit purposes.
GDPR personal data: Retention only as long as necessary.
Backup data: 30 days to 1 year depending on RTO.
Logs: 90 days hot, 1 year cold, then delete.
Policy first, then configure it.
S3 Lifecycle policies
S3 Lifecycle policies move objects between storage classes automatically. A new object goes to Standard (expensive but fast). After 30 days, it moves to Intelligent-Tiering. After 90 days, it moves to Glacier. After 1 year, it is deleted.
Saves 80-90% on storage costs. Movement is automatic.
Configure in S3 console. Define rules by prefix or tag. Example: all objects with tag "log-type=audit" move to Glacier after 60 days.
Lifecycle rules also work with versioning. Keep the current version in Standard and move old versions to Glacier.
RDS backups
Automated backups: AWS deletes them when you delete the database. Change default retention from 7 days to something longer (30 days, 1 year).
Manual snapshots: persist forever unless you delete them. Tag them with retention date. Set calendar reminders to delete old snapshots.
For disaster recovery, keep automated backups short (7-14 days). Use manual snapshots for long-term retention.
Costs: first 100GB free, then £0.023 per GB/month. Snapshots add up. Clean them up.
Logs and CloudWatch
Logs grow infinitely unless you set retention. Default is forever (costs keep growing).
Set log group retention to 30-90 days. Delete old logs automatically.
For compliance-required logs (CloudTrail, VPC Flow Logs), keep longer. Move to S3 with Lifecycle Policies.
Cost per GB-month is low (£0.50 to £1), but it compounds. A busy application generates 100GB/month. 1 year of logs is 1.2TB. That's expensive.
Compliance reality
Document your policy. Show auditors the retention rules for each data type. Show the automatic cleanup.
Different data types need different retentions. Financial data ≠ application logs ≠ audit logs. Define each.
Test deletion. Before deleting anything, make sure you can actually retrieve old data when you need it.
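One way to check S3 lifecycle rules against the documented policy, as an added example (not code from this article or from Critical Cloud). The rule dictionaries follow the shape boto3's get_bucket_lifecycle_configuration returns under "Rules"; the rule IDs, the "logs/" prefix and the sample rules are constructed, and the check assumes rules use day counts rather than fixed dates.

```python
def audit_rule(rule, min_days, max_days):
    """Return findings for one lifecycle rule against a retention window (days)."""
    findings = []
    if rule.get("Status") != "Enabled":
        findings.append("rule is disabled, nothing moves or expires")
    expire = rule.get("Expiration", {}).get("Days")
    if expire is None:
        findings.append("no expiration, objects are kept forever")
    elif expire < min_days:
        findings.append(f"deletes at {expire}d, before the {min_days}d minimum")
    elif expire > max_days:
        findings.append(f"deletes at {expire}d, after the {max_days}d maximum")
    # Only day-based transitions are checked (assumption: no fixed dates).
    days = [t["Days"] for t in rule.get("Transitions", []) if "Days" in t]
    if days != sorted(days):
        findings.append("transitions are not in increasing day order")
    if expire is not None and any(d >= expire for d in days):
        findings.append("a transition is scheduled on or after expiration")
    return findings


def audit_bucket(rules, min_days, max_days):
    """Map rule ID -> findings. A bucket with no rules is itself a finding."""
    if not rules:
        return {"<bucket>": ["no lifecycle rules configured"]}
    report = {r.get("ID", "<unnamed>"): audit_rule(r, min_days, max_days)
              for r in rules}
    return {rule_id: found for rule_id, found in report.items() if found}


# Constructed sample: the log policy from this article (30d Intelligent-Tiering,
# 90d Glacier, delete at 1 year) plus an audit-log rule that someone disabled.
SAMPLE_RULES = [
    {"ID": "logs-tiering", "Status": "Enabled", "Filter": {"Prefix": "logs/"},
     "Transitions": [{"Days": 30, "StorageClass": "INTELLIGENT_TIERING"},
                     {"Days": 90, "StorageClass": "GLACIER"}],
     "Expiration": {"Days": 365}},
    {"ID": "audit-archive", "Status": "Disabled",
     "Filter": {"Tag": {"Key": "log-type", "Value": "audit"}},
     "Transitions": [{"Days": 60, "StorageClass": "GLACIER"}]},
]

if __name__ == "__main__":
    for rule_id, problems in audit_bucket(SAMPLE_RULES, 365, 365).items():
        print(rule_id, problems)
```

Run it on a schedule against every bucket's rules and keep the output as the evidence of automatic cleanup that auditors ask for.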
Where Critical Cloud comes in
Retention policies are easy to set. Hard to maintain. Are all new buckets compliant? Did someone override policies? Are automated deletions actually running?
We track retention compliance across your infrastructure. You see which resources follow policy and which don't.
If retention policies are a guessing game, see how Critical Support works.