S3 bucket MFA Delete feature is enabled
- 24 Aug 2023
- 1 Minute to read
- DarkLight
S3 bucket MFA Delete feature is enabled
- Updated on 24 Aug 2023
- 1 Minute to read
- DarkLight
Article summary
Did you find this summary helpful?
Thank you for your feedback
Description
Once MFA Delete is enabled on your sensitive and classified S3 bucket it requires the user to have two forms of authentication.
Rationale
Adding MFA DELETE to an S3 bucket requires additional authentication when you change the version state of your bucket or when you delete an object version, which adds another layer of security in the event your security credentials are compromised or unauthorized access is granted.
Remediation
MFA-protected Amazon S3 buckets ensure S3 objects cannot be accidentally or intentionally deleted by AWS users who have access to your bucket.
From the console
MFA DELETE cannot be enabled in the AWS Console. See the CLI remediation below for configuration instructions.
From the command line
Run put-bucket-versioning with your bucket name, versioning configuration, and MFA configuration.
aws s3api put-bucket-versioning --profile my-root-profile --bucket
Bucket_Name --versioning-configuration Status=Enabled,MFADelete=Enabled --mfa
“arn:aws:iam::aws_account_id:mfa/root-account-mfa-device passcode”
References
- https://docs.aws.amazon.com/AmazonS3/latest/dev/Versioning.html#MultiFactorAuthenticationDelete
- https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingMFADelete.html
- https://aws.amazon.com/blogs/security/securing-access-to-aws-using-mfa-part-3/
- https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_lost-or-broken.html