AWS-S3-bucket-MFA-delete-enabled
Severity: High
Description: This control ensures that MFA Delete is enabled for S3 bucket. When its enable, the bucket owner must include two forms of authentication in any request to delete a version or change the versioning state of the bucket.
Remediation Steps:
Perform following to enable MFA delete from S3 bucket :
To enable MFA Delete use the following AWS CLI command:
aws s3api put-bucket-versioning --bucket [BucketName] --versioning-configuration Status=Enabled,MFADelete=Enabled --mfa "[AuthenticationCode]"
Important:
MFA Delete can not be enabled using the AWS Management Console.
Once MFA Delete is enabled on your sensitive and classified S3 bucket it requires the user to have two forms of authentication.
Reference:
CIS reference: CIS Amazon Web Services Foundations Benchmark v1.4.0 - 05-28-2021: Recommendation #2.1.3
https://docs.aws.amazon.com/AmazonS3/latest/userguide/MultiFactorAuthenticationDelete.html
https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingMFADelete.html
https://aws.amazon.com/blogs/security/securing-access-to-aws-using-mfa-part-3
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_lost-or-broken.html
Blue Hexagon Proprietary