AWS-S3-bucket-MFA-delete-enabled

Severity: High

Description: This control ensures that MFA Delete is enabled for S3 bucket. When its enable, the bucket owner must include two forms of authentication in any request to delete a version or change the versioning state of the bucket.

Remediation Steps:

Perform following to enable MFA delete from S3 bucket :

1. To enable MFA Delete use the following AWS CLI command:

   aws s3api put-bucket-versioning --bucket [BucketName] --versioning-configuration Status=Enabled,MFADelete=Enabled --mfa "[AuthenticationCode]"

Important:

• MFA Delete can not be enabled using the AWS Management Console.

• Once MFA Delete is enabled on your sensitive and classified S3 bucket it requires the user to have two forms of authentication.

Reference:

• CIS reference: CIS Amazon Web Services Foundations Benchmark v1.4.0 - 05-28-2021: Recommendation #2.1.3

• https://docs.aws.amazon.com/AmazonS3/latest/userguide/MultiFactorAuthenticationDelete.html

• https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingMFADelete.html

• https://aws.amazon.com/blogs/security/securing-access-to-aws-using-mfa-part-3

• https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_lost-or-broken.html