AWS S3 MFA Delete is a feature in Amazon Web Services (AWS) that enhances the security of your S3 buckets by requiring multi-factor authentication (MFA) for the deletion of objects or MFA-protected API access to the S3 resources. This feature adds an additional layer of security on top of the existing permissions and policies, helping to protect your data from accidental or malicious deletions. To use MFA delete, you can use either a hardware or virtual MFA device to generate an authentication code.
MFA delete requires additional authentication for either of the following operations:
Changing the versioning state of your bucket❗
Permanently deleting an object version ❗
MFA delete requires two forms of authentication together:
Your security credentials ❗
The concatenation of a valid serial number, a space, and the six-digit code displayed on an approved authentication device❗
The bucket owner, the AWS account that created the bucket (root account), and all authorized users can enable versioning. However, only the bucket owner (root account) can enable MFA Delete. You cannot enable MFA Delete using the AWS Management Console; you must use the AWS Command Line Interface (AWS CLI) or the API. You also cannot use MFA delete with lifecycle configurations.
You configure MFA delete on a bucket to help ensure that the data in your bucket cannot be accidentally deleted. MFA-protected API access is used to enforce another authentication factor (MFA code) when accessing sensitive Amazon S3 resources. You can require any operations against these Amazon S3 resources to be done with temporary credentials created using MFA. For an example, see Requiring MFA.
Activation and Configuration
MFA Protected Operations: When you enable MFA Delete on an S3 bucket, it requires the use of MFA to permanently delete an object version or to change the versioning state of the bucket (from enabled to suspended, and vice versa).
Bucket Versioning: MFA Delete is only applicable to buckets that have versioning enabled. Versioning keeps multiple variants of an object in the same bucket, allowing you to preserve, retrieve, and restore every version of every object stored in your bucket.
AWS Management Console Limitation: MFA Delete cannot be enabled or disabled using the AWS Management Console. It must be done programmatically via the AWS CLI or the AWS SDKs.
How It Works
During Deletion Requests: To delete an object version or change the bucket's versioning state when MFA Delete is enabled, you must provide two pieces of information: your security credentials and the serial number or ARN (Amazon Resource Name) of the MFA device, along with the current, unique code provided by the device.
Enhanced Security: This requirement ensures that even if an attacker gains access to your AWS credentials, they cannot delete objects without also having physical access to your MFA device.
Things to consider:
Impact on Automation: Enabling MFA Delete can impact scripts and applications that perform delete operations, as they will now need to include a step to provide MFA information.
Recovery from Accidental Deletions: By making it harder to delete objects, MFA Delete can help protect against accidental data loss. However, it also makes the deletion process more complex and should be used when the additional security is necessary.
Admin Permissions: Only the AWS account that owns the bucket (or the root user) can enable or disable MFA Delete.
MFA Delete is a powerful tool for ensuring the integrity and security of your data stored in AWS S3, but it should be used judiciously, considering its implications on data management and operational processes.
Workshop: Enable and Disable MFA Delete for S3 bucket
To enable or disable MFA Delete for an Amazon S3 bucket, you'll need to use the AWS CLI (Command Line Interface) because this feature cannot be managed through the AWS Management Console. Ensure you have the AWS CLI installed and configured on your system before you start.
Prerequisites
AWS CLI Installed: Make sure you have the AWS CLI installed. You can check by running aws --version in your terminal. If it's not installed, follow the installation instructions for your operating system on the AWS website.
Configure AWS CLI: Run aws configure to set up your credentials (Access Key ID and Secret Access Key) and default region.
MFA Device: Ensure you have an MFA device set up for your AWS account and have access to it.
S3 bucket created: To create an S3 bucket using the AWS CLI, you can use the aws s3 mb command, which stands for "make bucket". The basic syntax for creating a new bucket is as follows:
aws s3 mb s3://your-bucket-name --region your-region
Part 1: Enable MFA Delete
Step 1: Enable Versioning on the Bucket
MFA Delete requires that versioning is enabled on the bucket. If it's not already enabled, do so with the following command:
aws s3api put-bucket-versioning --bucket your-bucket-name --versioning-configuration Status=Enabled
Replace your-bucket-name with the name of your S3 bucket.
Step 2: Enable MFA Delete
To enable MFA Delete, you need your MFA device's serial number (for hardware devices) or the ARN (for virtual MFA devices), and the current MFA token code. The command format is as follows:
aws s3api put-bucket-versioning --bucket your-bucket-name --versioning-configuration Status=Enabled,MFADelete=Enabled --mfa "arn-of-mfa-device mfa-code"
Replace:
your-bucket-name with your actual bucket name.
arn-of-mfa-device with the ARN of your MFA device. For hardware MFA devices, this is the device's serial number.
mfa-code with the current code from your MFA device.
Example:
aws s3api put-bucket-versioning --bucket my-example-bucket --versioning-configuration Status=Enabled,MFADelete=Enabled --mfa "arn:aws:iam::123456789012:mfa/my-virtual-mfa-device 123456"
To check that MFA delete is turned on, use the GetBucketVersioning API:
aws s3api get-bucket-versioning --bucket my-example-bucket
{
"Status": "Enabled",
"MFADelete": "Enabled"
}
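The GetBucketVersioning check above is easy to do for one bucket by eye but not for a fleet. The following added example (not part of the original workshop) classifies the JSON that aws s3api get-bucket-versioning returns, so an audit script can flag buckets that are versioned but still deletable without MFA, buckets whose versioning is suspended, and buckets that were never versioned; it also validates the shape of the --mfa argument before a script sends it. The bucket names and API responses are constructed samples.

```python
"""Audit helper for S3 MFA Delete (added example; not from the original article).

Classifies the JSON returned by `aws s3api get-bucket-versioning` so a
defender can spot buckets that are versioned but still deletable without MFA.
Sample responses below are constructed, not captured from a real account.
"""
import json
import re

# Constructed `get-bucket-versioning` outputs keyed by hypothetical bucket names.
SAMPLE_RESPONSES = {
    "my-example-bucket": '{"Status": "Enabled", "MFADelete": "Enabled"}',
    "logs-bucket": '{"Status": "Enabled", "MFADelete": "Disabled"}',
    "suspended-bucket": '{"Status": "Suspended", "MFADelete": "Enabled"}',
    "never-versioned": "{}",  # the API returns an empty body when versioning was never set
}

# `--mfa` takes "<serial-or-ARN> <six-digit code>" separated by a single space.
MFA_ARG_RE = re.compile(r"^(arn:aws:iam::\d{12}:mfa/[\w+=,.@-]+|[A-Za-z0-9]+) \d{6}$")


def classify_versioning(raw_json: str) -> str:
    """Return 'protected', 'versioned-no-mfa-delete', 'suspended' or 'unversioned'."""
    cfg = json.loads(raw_json)
    status = cfg.get("Status")
    if status is None:
        return "unversioned"  # MFA Delete cannot be enabled without versioning
    if status == "Suspended":
        # New objects become null versions and a plain DELETE removes them,
        # so flag the bucket even if MFADelete is still reported as Enabled.
        return "suspended"
    if cfg.get("MFADelete") == "Enabled":
        return "protected"
    return "versioned-no-mfa-delete"


def audit(responses: dict) -> dict:
    """Map bucket name -> classification; anything but 'protected' is a finding."""
    return {bucket: classify_versioning(body) for bucket, body in responses.items()}


def valid_mfa_argument(value: str) -> bool:
    """Check a `--mfa` value has the form the API expects before a script uses it."""
    return MFA_ARG_RE.fullmatch(value) is not None


if __name__ == "__main__":
    for bucket, verdict in audit(SAMPLE_RESPONSES).items():
        print(f"{bucket:20} {verdict}")
```

In a real audit, replace SAMPLE_RESPONSES with the output of get-bucket-versioning for each bucket returned by aws s3api list-buckets.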
Part 2: Disable MFA Delete
Disabling MFA Delete follows a similar process but sets MFADelete to Disabled:
aws s3api put-bucket-versioning --bucket your-bucket-name --versioning-configuration Status=Enabled,MFADelete=Disabled --mfa "arn-of-mfa-device mfa-code"
Replace the placeholders as before.
Note: Only the AWS account owners (root account) can enable or disable MFA Delete. IAM users, regardless of their permissions, cannot perform these operations.
Considerations
After enabling MFA Delete, you must include the MFA information in any request to delete an object version or to change the bucket versioning state from enabled to suspended (or vice versa).
Enabling and managing MFA Delete can complicate automation scripts that perform deletion operations because they now need to handle MFA.
This workshop provides a basic understanding of how to enable and disable MFA Delete on an S3 bucket using the AWS CLI. Remember to test these operations in a non-production environment to understand their impact fully before implementing them in your production environment.