S3 Intelligent Tiering
S3 Intelligent Tiering Automation
The S3 Intelligent Tiering automation is a Cadence automation that automatically applies an AWS S3 Intelligent-Tiering lifecycle policy to your S3 buckets. Rather than analyzing access patterns and making recommendations, it directly configures buckets so that AWS handles tiering automatically going forward.
How It Works
graph LR
A[Weekly Trigger] --> B[Scan All Accounts]
B --> C[List S3 Buckets]
C --> D[Check Eligibility]
D --> E[Apply Lifecycle Policy]
E --> F[Generate Report]- Scan - For each configured AWS account, lists all S3 buckets
- Check eligibility - Skips buckets that already have a lifecycle policy or have opted out via tag
- Apply policy - Puts an S3 Intelligent-Tiering lifecycle rule on eligible buckets
- Report - Records which buckets were updated and any failures
Once the lifecycle policy is applied, AWS automatically moves objects between storage tiers based on access patterns — no further SkySaver involvement is needed.
What Gets Applied
The automation applies two configurations to each eligible bucket:
Lifecycle rule (SkySaver-S3-Intelligent-Tiering):
- Transitions all objects (current and noncurrent versions) to the
INTELLIGENT_TIERINGstorage class immediately on upload (0-day transition) - Applies to all objects in the bucket with no prefix filter
Intelligent Tiering configuration (SkySaver-Archive-Instant-Access):
- After 90 days without access, objects move to the Archive Instant Access tier
- Objects remain retrievable in milliseconds — no restore delay like Glacier
Schedule
The automation runs weekly, every Sunday at 6 AM UTC. Each run scans all accounts and applies the policy to any newly created buckets that are eligible.
Eligibility
A bucket is processed only if both conditions are met:
| Condition | Detail |
|---|---|
| No existing lifecycle policy | Buckets with any lifecycle rules already configured are skipped to avoid conflicts |
| No opt-out tag | Buckets tagged SkySaverIgnore = S3IntelligentTiering are skipped |
Opting Out a Bucket
To exclude a specific bucket from this automation, add the following tag to it in AWS:
- Key:
SkySaverIgnore - Value:
S3IntelligentTiering
Prerequisites
The SkySaver IAM role in each target account needs these S3 permissions:
s3:ListAllMyBucketss3:GetBucketLocations3:GetLifecycleConfigurations3:PutLifecycleConfigurations3:GetBucketTaggings3:PutIntelligentTieringConfiguration
See AWS Account Setup for the full CloudFormation role setup.
Enabling the Automation
- Navigate to Automations
- Find Apply S3 Intelligent Tiering
- Toggle Available for Project to enable it
- Use Enable for All to turn it on across all connected accounts, or manage per-account from Tenant Management > Accounts
Viewing Results
After the automation runs:
- Navigate to Automation Reports
- Filter by S3 Intelligent Tiering
- The report shows one row per bucket with:
- Account ID and bucket name
- Region
- Whether the policy was applied successfully
- Any error details for failures
Cost Considerations
| Cost Type | Detail |
|---|---|
| S3 Intelligent-Tiering monitoring fee | $0.0025 per 1,000 objects/month (AWS charge, applies to all objects in tiered buckets) |
| Storage savings | Varies by access patterns — infrequently accessed data moves to lower-cost tiers automatically |
| No retrieval fees | Archive Instant Access tier has no retrieval fee, unlike Glacier |
AWS does not charge the Intelligent-Tiering monitoring fee for objects smaller than 128KB, and those objects are not moved between tiers. The automation still applies the lifecycle policy to the bucket — smaller objects simply remain in Standard storage at no monitoring cost.
Troubleshooting
| Issue | Likely Cause | Solution |
|---|---|---|
| Bucket not processed | Bucket already has a lifecycle policy | Remove the existing policy if you want SkySaver to manage it |
| Bucket not processed | Opt-out tag present | Remove the SkySaverIgnore tag if you want the bucket included |
| Configuration failed | Missing IAM permissions | Verify S3 permissions in the SkySaver IAM role |
| Automation not running | Not enabled for account | Check account-level toggle in Tenant Management |
Related Topics
- Automation Reports - View execution history and download CSV
- AWS Account Setup - IAM permissions setup
- Cost Explorer - Monitor S3 cost savings over time