diff --git a/CHANGELOG.md b/CHANGELOG.md
index 405137a..4932876 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -382,3 +382,8 @@
 * 2.8.0 -- 2024-12-16
 - ec2-settings
 - add settings for ebs (encrypt by default) and ec2 (enable imdsv2), block public sharing of ami and snapshots
+
+* 2.9.0 -- 2024-12-26
+ - s3-flow-logs
+ - add aws_s3_bucket_lifecycle_configuration (delete vpc*/ after 900 days)
+ - add aws_s3_bucket_intelligent_tiering_configuration (archive 180, deep archive 365)
diff --git a/common/version.tf b/common/version.tf
index 4baf91e..345aa6e 100644
--- a/common/version.tf
+++ b/common/version.tf
@@ -1,3 +1,3 @@
 locals {
- _module_version = "2.8.0"
+ _module_version = "2.9.0"
 }
diff --git a/s3-flow-logs/README.md b/s3-flow-logs/README.md
index c3634ad..44ca05b 100644
--- a/s3-flow-logs/README.md
+++ b/s3-flow-logs/README.md
@@ -153,6 +153,8 @@ No modules.
 |------|------|
 | [aws_s3_bucket.flowlogs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
 | [aws_s3_bucket_acl.flowlogs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource |
+| [aws_s3_bucket_intelligent_tiering_configuration.flowlogs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_intelligent_tiering_configuration) | resource |
+| [aws_s3_bucket_lifecycle_configuration.flowlogs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_lifecycle_configuration) | resource |
 | [aws_s3_bucket_ownership_controls.flowlogs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_ownership_controls) | resource |
 | [aws_s3_bucket_policy.flowlogs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
 | [aws_s3_bucket_public_access_block.flowlogs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
@@ -173,7 +175,7 @@ No modules.
 | [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no |
 | [bucket\_name](#input\_bucket\_name) | VPC Flow Logs S3 bucket name | `string` | `""` | no |
 | [bucket\_name\_prefix](#input\_bucket\_name\_prefix) | VPC Flow Logs S3 bucket prefix, prepended to the AWS account ID to make the bucket name. | `string` | `"inf-flowlogs"` | no |
-| [component\_tags](#input\_component\_tags) | Additional tags for Components (s3, kms, ddb) | `map(map(string))` |
{
"ddb": {},
"kms": {},
"s3": {}
} | no |
+| [component\_tags](#input\_component\_tags) | Additional tags for Components (s3, kms, ddb) | `map(map(string))` | {
"ddb": {},
"kms": {},
"s3": {}
} | no |
| [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component (efs, s3, ebs, kms, role, policy, security-group). This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
| [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
| [versioning\_configuration](#input\_versioning\_configuration) | S3 Versioning Configuration (Enabled, Disabled, Suspended). To disable, use Suspended if existing bucket and Disabled if new | `string` | `"Disabled"` | no |
diff --git a/s3-flow-logs/main.tf b/s3-flow-logs/main.tf
index 214a19e..3761689 100644
--- a/s3-flow-logs/main.tf
+++ b/s3-flow-logs/main.tf
@@ -147,3 +147,49 @@ resource "aws_s3_bucket_versioning" "flowlogs" {
status = var.versioning_configuration
}
}
+
+
+# m-21-31 says 12 months active and 18 months cold
+# * https://www.whitehouse.gov/wp-content/uploads/2021/08/M-21-31-Improving-the-Federal-Governments-Investigative-and-Remediation-Capabilities-Related-to-Cybersecurity-Incidents.pdf
+# going to use intellegent tiering which is < 365 active, and > 365 deep, along with delete > 30m (900 days)
+# * https://docs.aws.amazon.com/AmazonS3/latest/userguide/intelligent-tiering.html
+# may need clarification if the 18 months cold is additional
+# * 30 days IA
+# * 90 days instant archive
+# * 180 days archive access (glacier flexible)
+# * 365 deep archive (glacier)
+resource "aws_s3_bucket_lifecycle_configuration" "flowlogs" {
+ bucket = aws_s3_bucket.flowlogs.id
+
+ rule {
+ id = "legacy-flowlogs"
+ status = "Enabled"
+ abort_incomplete_multipart_upload {
+ days_after_initiation = 1
+ }
+ filter {
+ prefix = "vpc*/"
+ }
+ expiration {
+ days = 900
+ expired_object_delete_marker = false
+ }
+ noncurrent_version_expiration {
+ noncurrent_days = 900
+ }
+ }
+}
+
+resource "aws_s3_bucket_intelligent_tiering_configuration" "flowlogs" {
+ bucket = aws_s3_bucket.flowlogs.id
+ name = "flowlogs-bucket"
+
+ tiering {
+ access_tier = "ARCHIVE_ACCESS"
+ days = 180
+ }
+ tiering {
+ access_tier = "DEEP_ARCHIVE_ACCESS"
+ days = 365
+ }
+}
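Review bot: The lifecycle rule's `filter { prefix = "vpc*/" }` in the new `aws_s3_bucket_lifecycle_configuration` will match nothing, because S3 lifecycle prefixes are literal strings with no wildcard expansion, so neither the 900-day expiration nor the noncurrent-version cleanup ever fires and the bucket retains objects indefinitely; the flow-log delivery resource is not in this hunk, but whatever key prefix it writes under (the AWS default layout starts with `AWSLogs/`), the rule needs that literal prefix or, for a bucket dedicated to flow logs, an empty `filter {}`. The `aws_s3_bucket_intelligent_tiering_configuration` block only governs objects already stored in the INTELLIGENT_TIERING storage class, and nothing here moves delivered logs out of STANDARD, so the 180/365-day archive tiers described in the header comment will not apply until the rule also carries a `transition` to `INTELLIGENT_TIERING`. The header comment targets M-21-31's 12 months active plus 18 months cold, i.e. 30 months, but 900 days is roughly 29.6 months, so the expiration should be at least 913 days to stay at or above that minimum. The sketch below keeps the rest of the rule as written.
```hcl
  rule {
    id     = "legacy-flowlogs"
    status = "Enabled"
    # … unchanged: abort_incomplete_multipart_upload …
    # Lifecycle prefixes are literal (no globbing); assumes this bucket holds only flow logs, so cover every key.
    filter {}
    # The archive tiers in aws_s3_bucket_intelligent_tiering_configuration only apply to objects
    # already in INTELLIGENT_TIERING; move newly delivered logs there.
    transition {
      days          = 0
      storage_class = "INTELLIGENT_TIERING"
    }
    expiration {
      days                         = 913 # 30 months (12 active + 18 cold); 900 days falls short
      expired_object_delete_marker = false
    }
    noncurrent_version_expiration {
      noncurrent_days = 913
    }
  }
```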