AWS-S3-bucket-MFA-delete-enabled
Severity: High
Description: This control ensures that MFA Delete is enabled for an S3 bucket. When it is enabled, the bucket owner must include two forms of authentication (the account's security credentials and a valid code from an approved MFA device) in any request to permanently delete an object version or to change the versioning state of the bucket. MFA Delete is part of the bucket's versioning configuration, so it can only be enabled on a bucket with versioning enabled, and only the bucket owner (the AWS account root user) can enable it.
Remediation Steps:
Perform the following to enable MFA Delete on an S3 bucket, using the bucket owner's (root user's) credentials:
To enable versioning and MFA Delete together, use the following AWS CLI command, where the --mfa value is the serial number (ARN for a virtual device) of the root user's MFA device and the current one-time code, separated by a single space:
aws s3api put-bucket-versioning --bucket [BucketName] --versioning-configuration Status=Enabled,MFADelete=Enabled --mfa "[MFADeviceSerialNumber] [AuthenticationCode]"
Important:
MFA Delete cannot be enabled using the AWS Management Console; use the AWS CLI, an AWS SDK or the S3 REST API.
Once MFA Delete is enabled on your sensitive and classified S3 bucket, every request to permanently delete an object version or to change the bucket's versioning state must carry the x-amz-mfa header with the MFA device serial number and a current MFA code; requests without it are rejected. Deleting the current version of an object (which only adds a delete marker) is not affected.
Reference:
CIS reference: CIS Amazon Web Services Foundations Benchmark v1.4.0 - 05-28-2021: Recommendation #2.1.3
Deleting an object from an MFA delete-enabled bucket - Amazon Simple Storage Service
https://aws.amazon.com/blogs/security/securing-access-to-aws-using-mfa-part-3
Recover an MFA protected identity in IAM - AWS Identity and Access Management
Blue Hexagon Proprietary