AWS-S3-bucket-MFA-delete-enabled

Severity: High

Description: This control checks that MFA Delete is enabled on the S3 bucket. When it is enabled, any request to permanently delete an object version or to change the versioning state of the bucket must carry two forms of authentication: the requester's normal AWS credentials plus a valid code from the bucket owner's MFA device. This protects versioned data from being destroyed by a single compromised credential.

Remediation Steps:

Perform the following to enable MFA Delete on an S3 bucket:

  1. Using the root user credentials of the AWS account that owns the bucket, enable versioning together with MFA Delete by running the following AWS CLI command. The value passed to --mfa is the serial number of the root user's MFA device (for a virtual device, its ARN) followed by a space and the current authentication code:

    aws s3api put-bucket-versioning --bucket [BucketName] --versioning-configuration Status=Enabled,MFADelete=Enabled --mfa "[MFADeviceSerialNumber] [AuthenticationCode]"
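The procedure above as an added shell example; this is not code from the control page or from Blue Hexagon. It builds the --mfa argument in the "serial code" form the CLI expects, enables versioning and MFA Delete in one call, and then checks the get-bucket-versioning response so a missing or suspended configuration is reported as a failure rather than assumed. It assumes AWS CLI v2 on PATH and root-user credentials for the owning account; the function names, the sample account ID and the device ARN in the comments are assumptions, and the JSON responses in the usage below are constructed.

```shell
#!/usr/bin/env sh
# Added example (not part of the original control page): enable and verify S3 MFA Delete.
# Assumptions: AWS CLI v2 on PATH, and the shell is running with root-user credentials of the
# account that owns the bucket. Function and variable names here are our own.

# Build the --mfa argument. AWS expects "<serial> <code>": the MFA device serial
# (the device ARN for a virtual MFA device, e.g. arn:aws:iam::123456789012:mfa/root-account-mfa-device,
# a constructed sample) and the current 6-digit code, separated by a single space.
mfa_arg() {
  printf '%s %s' "$1" "$2"
}

# Enable versioning and MFA Delete in one call. MFADelete is part of the versioning
# configuration, so Status=Enabled must be sent alongside MFADelete=Enabled.
enable_mfa_delete() {
  bucket="$1"; serial="$2"; code="$3"
  aws s3api put-bucket-versioning \
    --bucket "$bucket" \
    --versioning-configuration Status=Enabled,MFADelete=Enabled \
    --mfa "$(mfa_arg "$serial" "$code")"
}

# Evaluate a get-bucket-versioning JSON response. Returns 0 (pass) only when both
# Status and MFADelete are "Enabled". A bucket that never had versioning turned on
# returns an empty response, which correctly fails this check.
mfa_delete_enabled() {
  resp="$1"
  printf '%s' "$resp" | grep -q '"Status": *"Enabled"' &&
    printf '%s' "$resp" | grep -q '"MFADelete": *"Enabled"'
}

# Audit one bucket: fetch its versioning configuration and report pass/fail.
audit_bucket() {
  resp=$(aws s3api get-bucket-versioning --bucket "$1" --output json)
  if mfa_delete_enabled "$resp"; then
    echo "PASS $1: versioning and MFA Delete enabled"
  else
    echo "FAIL $1: MFA Delete not enabled (got: ${resp:-<empty>})"
    return 1
  fi
}

# Usage: sh mfa_delete.sh <bucket> <mfa-device-serial> <code>
# Enables MFA Delete and then re-reads the configuration to confirm it took effect.
if [ $# -eq 3 ]; then
  enable_mfa_delete "$1" "$2" "$3" && audit_bucket "$1"
fi
```

The verification step matters because put-bucket-versioning with a wrong or expired code fails with an error rather than silently applying a partial change; re-reading the configuration and insisting on both Status and MFADelete being "Enabled" is what turns this from a one-off command into a check that can be repeated during audits.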

Important:

  • MFA Delete cannot be enabled from the AWS Management Console; it must be configured through the CLI or the API.

  • Only the root user of the account that owns the bucket can enable MFA Delete, and the MFA code must come from the root user's MFA device.

  • Once MFA Delete is enabled on a bucket holding sensitive or classified data, every request that permanently deletes an object version or suspends versioning must include a valid MFA code in addition to normal credentials; requests without it are rejected.

Reference:


Blue Hexagon Proprietary