Get started with AWS S3 MFA Delete

AWS S3 MFA Delete is a feature of Amazon Web Services (AWS) that strengthens the security of your S3 buckets by requiring multi-factor authentication (MFA) before an object version can be permanently deleted or the bucket's versioning state can be changed. It is related to, but distinct from, MFA-protected API access, which uses bucket policies to require MFA-backed credentials for other operations on S3 resources. MFA Delete adds a layer of protection on top of your existing permissions and policies, helping to protect data from accidental or malicious deletion. The MFA code can come from either a hardware or a virtual MFA device.

MFA delete requires additional authentication for either of the following operations:

  • Changing the versioning state of your bucket

  • Permanently deleting an object version

MFA delete requires two forms of authentication together:

  • Your security credentials

  • The concatenation of a valid serial number, a space, and the six-digit code displayed on an approved authentication device

The bucket owner, the AWS account that created the bucket (root account), and all authorized users can enable versioning. However, only the bucket owner (root account) can enable MFA delete.

MFA delete is an option of bucket versioning, so you enable it on a bucket that has versioning enabled. However, you cannot enable MFA delete using the AWS Management Console; you must use the AWS Command Line Interface (AWS CLI) or the API. You also cannot use MFA delete together with lifecycle configurations, because lifecycle rules expire object versions without an MFA code.

You configure MFA delete on a bucket to help ensure that the data in your bucket cannot be deleted accidentally. MFA-protected API access, by contrast, enforces a second factor (an MFA code) when accessing sensitive Amazon S3 resources: a bucket policy can require that any operation against those resources is made with temporary credentials that were created using MFA. For an example, see the AWS documentation section "Requiring MFA".

Activation and Configuration

  • MFA Protected Operations: When you enable MFA Delete on an S3 bucket, it requires the use of MFA to permanently delete an object version or to change the versioning state of the bucket (from enabled to suspended, and vice versa).

  • Bucket Versioning: MFA Delete is only applicable to buckets that have versioning enabled. Versioning keeps multiple variants of an object in the same bucket, allowing you to preserve, retrieve, and restore every version of every object stored in your bucket.

  • AWS Management Console Limitation: MFA Delete cannot be enabled or disabled using the AWS Management Console. It must be done programmatically via the AWS CLI or the AWS SDKs.

How It Works

  • During Deletion Requests: To delete an object version or change the bucket's versioning state when MFA Delete is enabled, you must provide two pieces of information: your security credentials and the serial number or ARN (Amazon Resource Name) of the MFA device, along with the current, unique code provided by the device.

  • Enhanced Security: This requirement ensures that even if an attacker gains access to your AWS credentials, they cannot delete objects without also having physical access to your MFA device.

Things to consider:

  • Impact on Automation: Enabling MFA Delete can impact scripts and applications that perform delete operations, as they will now need to include a step to provide MFA information.

  • Recovery from Accidental Deletions: By making it harder to delete objects, MFA Delete can help protect against accidental data loss. However, it also makes the deletion process more complex and should be used when the additional security is necessary.

  • Admin Permissions: Only the root user of the AWS account that owns the bucket can enable or disable MFA Delete.

MFA Delete is a powerful tool for ensuring the integrity and security of your data stored in AWS S3, but it should be used judiciously, considering its implications on data management and operational processes.

Workshop: Enable and Disable MFA Delete for S3 bucket

To enable or disable MFA Delete for an Amazon S3 bucket, you'll need to use the AWS CLI (Command Line Interface) because this feature cannot be managed through the AWS Management Console. Ensure you have the AWS CLI installed and configured on your system before you start.

Prerequisites

  1. AWS CLI Installed: Make sure you have the AWS CLI installed. You can check by running aws --version in your terminal. If it's not installed, follow the installation instructions for your operating system on the AWS website.

  2. Configure AWS CLI: Run aws configure to set up your credentials (Access Key ID and Secret Access Key) and default region.

  3. MFA Device: Ensure you have an MFA device set up for your AWS account and have access to it.

  4. S3 bucket created: To create an S3 bucket using the AWS CLI, use the aws s3 mb command ("make bucket"). The basic syntax for creating a new bucket is as follows:

     aws s3 mb s3://your-bucket-name --region your-region

Part 1: Enable MFA Delete

Step 1: Enable Versioning on the Bucket

MFA Delete requires that versioning is enabled on the bucket. If it's not already enabled, do so with the following command:

aws s3api put-bucket-versioning --bucket your-bucket-name --versioning-configuration Status=Enabled

Replace your-bucket-name with the name of your S3 bucket.

Step 2: Enable MFA Delete

To enable MFA Delete, you need your MFA device's serial number (for hardware devices) or the ARN (for virtual MFA devices), and the current MFA token code. The command format is as follows:

aws s3api put-bucket-versioning --bucket your-bucket-name --versioning-configuration Status=Enabled,MFADelete=Enabled --mfa "arn-of-mfa-device mfa-code"

Replace:

  • your-bucket-name with your actual bucket name.

  • arn-of-mfa-device with the ARN of your MFA device. For hardware MFA devices, this could be the serial number.

  • mfa-code with the current code from your MFA device.

Example:

aws s3api put-bucket-versioning --bucket my-example-bucket --versioning-configuration Status=Enabled,MFADelete=Enabled --mfa "arn:aws:iam::123456789012:mfa/my-virtual-mfa-device 123456"

To check that MFA delete is turned on, use the GetBucketVersioning API:

aws s3api get-bucket-versioning --bucket my-example-bucket
{
    "Status": "Enabled",
    "MFADelete": "Enabled"
}
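As an added example (not part of the original post), the following POSIX shell helpers wrap Steps 1 and 2 and the verification above: one assembles the --mfa argument in the "serial number, a space, six-digit code" form described earlier and rejects malformed codes, one reads get-bucket-versioning output and reports whether MFADelete is Enabled, and one runs the enable-then-verify sequence. The bucket name, MFA device ARN and the sample JSON are constructed placeholders, not values from the original post.

```shell
#!/usr/bin/env sh
# Added example: helpers around the S3 MFA Delete enable/verify workflow.
# Assumed placeholders: BUCKET and MFA_ARN environment variables (set by the operator).

# Build the --mfa argument: "<serial or ARN><space><six-digit code>".
# Fails if the code is not exactly six digits, so a typo is caught before the API call.
mfa_arg() {
  serial="$1"
  code="$2"
  case "$code" in
    [0-9][0-9][0-9][0-9][0-9][0-9]) printf '%s %s\n' "$serial" "$code" ;;
    *) printf 'MFA code must be exactly six digits\n' >&2; return 1 ;;
  esac
}

# Read get-bucket-versioning JSON on stdin; succeed only if MFADelete is "Enabled".
mfa_delete_enabled() {
  grep -q '"MFADelete":[[:space:]]*"Enabled"'
}

# Step 1 + Step 2 + verification: enable versioning, enable MFA Delete,
# then read the configuration back instead of trusting the put's exit status.
enable_mfa_delete() {
  bucket="$1"
  mfa="$2"
  aws s3api put-bucket-versioning --bucket "$bucket" \
    --versioning-configuration Status=Enabled || return 1
  aws s3api put-bucket-versioning --bucket "$bucket" \
    --versioning-configuration Status=Enabled,MFADelete=Enabled --mfa "$mfa" || return 1
  aws s3api get-bucket-versioning --bucket "$bucket" | mfa_delete_enabled
}

# Constructed sample of get-bucket-versioning output, used only to exercise the check offline.
SAMPLE_VERSIONING='{
    "Status": "Enabled",
    "MFADelete": "Enabled"
}'
printf '%s\n' "$SAMPLE_VERSIONING" | mfa_delete_enabled && echo "sample: MFA Delete is enabled"

# Usage (only runs when the operator has exported BUCKET and MFA_ARN):
#   BUCKET=my-example-bucket MFA_ARN=arn:aws:iam::123456789012:mfa/my-virtual-mfa-device sh ./this-script.sh
if [ -n "${BUCKET:-}" ] && [ -n "${MFA_ARN:-}" ]; then
  printf 'MFA code for %s: ' "$MFA_ARN" >&2
  IFS= read -r current_code
  mfa=$(mfa_arg "$MFA_ARN" "$current_code") || exit 1
  enable_mfa_delete "$BUCKET" "$mfa" && echo "MFA Delete enabled on $BUCKET"
fi
```

The read-back matters because the put-bucket-versioning call must be made with root credentials; running it with an IAM user's credentials is rejected, and checking MFADelete in the returned configuration is the simplest way to confirm the change actually took effect.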

Part 2: Disable MFA Delete

Disabling MFA Delete follows a similar process but sets MFADelete to Disabled:

aws s3api put-bucket-versioning --bucket your-bucket-name --versioning-configuration Status=Enabled,MFADelete=Disabled --mfa "arn-of-mfa-device mfa-code"

Replace the placeholders as before.

Note: Only the root user of the AWS account that owns the bucket can enable or disable MFA Delete. IAM users, regardless of their permissions, cannot perform these operations.

Considerations

  • After enabling MFA Delete, you must include the MFA information in any request to delete an object version or to change the bucket versioning state from enabled to suspended (or vice versa).

  • Enabling and managing MFA Delete can complicate automation scripts that perform deletion operations because they now need to handle MFA.
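As an added example (not from the original post) of what the two considerations above mean in practice, the POSIX shell helpers below permanently delete one object version from an MFA Delete-enabled bucket: the one-time code is read from the terminal at the moment of deletion, since it cannot be stored in a script, and the exact delete-object invocation is printed first so it can be logged or reviewed. The bucket, key, version id and MFA ARN are constructed placeholders.

```shell
#!/usr/bin/env sh
# Added example: deleting an object version when MFA Delete is enabled.
# Assumed placeholders: bucket name, object key, version id and MFA device ARN.

# Prompt for the current one-time MFA code; reject anything that is not six digits.
read_mfa_code() {
  printf 'MFA code: ' >&2
  IFS= read -r code
  case "$code" in
    [0-9][0-9][0-9][0-9][0-9][0-9]) printf '%s\n' "$code"; return 0 ;;
    *) printf 'invalid MFA code\n' >&2; return 1 ;;
  esac
}

# Render the delete-object command that will be run (for review or an audit log).
delete_version_cmd() {
  bucket="$1"
  key="$2"
  version_id="$3"
  mfa="$4"
  printf 'aws s3api delete-object --bucket %s --key %s --version-id %s --mfa "%s"\n' \
    "$bucket" "$key" "$version_id" "$mfa"
}

# Permanently delete a single object version. Without --mfa, S3 rejects this request
# on an MFA Delete-enabled bucket; without --version-id the request only adds a
# delete marker, which does not need MFA and does not remove any data.
delete_object_version() {
  bucket="$1"
  key="$2"
  version_id="$3"
  mfa_serial="$4"
  [ -n "$version_id" ] || { printf 'refusing to run without a version id\n' >&2; return 1; }
  code=$(read_mfa_code) || return 1
  mfa="$mfa_serial $code"
  delete_version_cmd "$bucket" "$key" "$version_id" "$mfa" >&2
  aws s3api delete-object --bucket "$bucket" --key "$key" \
    --version-id "$version_id" --mfa "$mfa"
}

# Usage (only runs when the operator supplies all four arguments):
#   sh ./this-script.sh my-example-bucket reports/q1.csv 3sL4kqtJlcpXroDTDmJ+rmSpXd3dIbrHY+MTRCxf3vjVBH40Nr8X8gdRQBpUMLUo arn:aws:iam::123456789012:mfa/my-virtual-mfa-device
if [ "$#" -eq 4 ]; then
  delete_object_version "$1" "$2" "$3" "$4"
fi
```

Listing the candidate versions first with aws s3api list-object-versions --bucket your-bucket-name --prefix your-key, and deleting only the specific version id you intend, keeps the MFA step from becoming a rubber stamp.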

This workshop provides a basic understanding of how to enable and disable MFA Delete on an S3 bucket using the AWS CLI. Remember to test these operations in a non-production environment to understand their impact fully before implementing them in your production environment.
