How to Enable MFA Delete on AWS S3 Buckets?

Object storage is a very popular cloud service, and it is usually the first thing organizations move to the cloud: files such as documents, images, audio, video and other content data.
With the many different services that exist in the cloud, security is a top priority for any organization, so protecting data against accidental deletion should also be high on the list of operational tasks. In AWS S3 you can optionally add another layer of protection by configuring a bucket with MFA Delete, which can help prevent accidental deletion of the bucket's versioning state and its contents.
In this post, we cover how to enable MFA Delete (MFA: multi-factor authentication) on S3 buckets in AWS. If you want to learn more about how to enable MFA itself, I did a post on it a while back.
Note: currently this option is only available via the AWS CLI or the REST API.
Enable MFA on S3 bucket
Once you create an S3 bucket, run the following command to enable MFA Delete.
Note: you must use the AWS root account to enable MFA Delete on S3 buckets; I have tried using an IAM administrator user but it does not work. Also, make sure you have enabled Versioning on the S3 bucket (the following CLI command also enables versioning).
You need to pass the root account's MFA device serial number and the current MFA token value. (I have created a separate CLI profile for my root account.)
$ aws s3api put-bucket-versioning --profile my-root-profile --bucket my-bucket-name --versioning-configuration Status=Enabled,MFADelete=Enabled --mfa "arn:aws:iam::00000000:mfa/root-account-mfa-device 123456"
Executing the above command enables MFA Delete on the bucket.
You can confirm it in the AWS console.
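The CLI command above does two things at once (enables versioning and MFA Delete), and the same two settings are what you want to verify afterwards across all buckets. The following Python is an added example, not part of the original post or of any AWS tooling: it builds the MFA argument in the exact "<device-arn> <six-digit-code>" format the CLI expects (validating both halves before they are sent), assembles the equivalent boto3 put_bucket_versioning keyword arguments without actually calling AWS, and audits get-bucket-versioning responses so that a bucket where either versioning or MFA Delete is missing shows up as a finding. The bucket names, the 12-zero account ID in the ARN and the responses are constructed placeholders; a bucket that was never versioned returns an empty body, which the audit treats as "not configured" rather than skipping it.

```python
import json
import re
from typing import Dict, List

# The --mfa value is "<mfa-device-arn> <six-digit-code>", joined by one space.
# Account IDs are 12 digits; the ARN used in this post is an abbreviated placeholder.
MFA_SERIAL_RE = re.compile(r"^arn:aws:iam::\d{12}:mfa/[\w+=,.@/-]+$")
MFA_CODE_RE = re.compile(r"^\d{6}$")


def build_mfa_argument(serial: str, code: str) -> str:
    """Validate and join an MFA device ARN and the current TOTP code."""
    if not MFA_SERIAL_RE.match(serial):
        raise ValueError(f"not an MFA device ARN: {serial!r}")
    if not MFA_CODE_RE.match(code):
        raise ValueError("MFA code must be exactly six digits")
    return f"{serial} {code}"


def put_bucket_versioning_params(bucket: str, serial: str, code: str) -> Dict:
    """Keyword arguments for boto3's s3.put_bucket_versioning(**params),
    mirroring the CLI command in the post (versioning + MFA Delete in one call).
    Nothing is sent from here; the caller decides whether to invoke boto3."""
    return {
        "Bucket": bucket,
        "MFA": build_mfa_argument(serial, code),
        "VersioningConfiguration": {"Status": "Enabled", "MFADelete": "Enabled"},
    }


def audit_versioning(bucket: str, response: Dict) -> List[str]:
    """Findings for one get-bucket-versioning response body.
    Missing keys mean the setting was never configured and count as a finding."""
    findings = []
    status = response.get("Status", "not configured")
    if status != "Enabled":
        findings.append(f"{bucket}: versioning is {status}")
    mfa_delete = response.get("MFADelete", "not configured")
    if mfa_delete != "Enabled":
        findings.append(f"{bucket}: MFA Delete is {mfa_delete}")
    return findings


def audit_all(responses: Dict[str, Dict]) -> List[str]:
    """Run the audit over a mapping of bucket name -> response body."""
    out: List[str] = []
    for bucket, resp in responses.items():
        out.extend(audit_versioning(bucket, resp))
    return out


# Constructed sample responses (hypothetical buckets, not real account data).
SAMPLE_RESPONSES = {
    "logs-bucket": {"Status": "Enabled", "MFADelete": "Enabled"},   # compliant
    "backup-bucket": {"Status": "Enabled"},                          # no MFA Delete
    "scratch-bucket": {},                                            # never versioned
    "old-bucket": {"Status": "Suspended", "MFADelete": "Disabled"},  # both off
}

# Placeholder MFA device ARN with a 12-zero account ID (not a real device).
PLACEHOLDER_SERIAL = "arn:aws:iam::000000000000:mfa/root-account-mfa-device"

if __name__ == "__main__":
    params = put_bucket_versioning_params("my-bucket-name", PLACEHOLDER_SERIAL, "123456")
    print(json.dumps(params, indent=2))
    for finding in audit_all(SAMPLE_RESPONSES):
        print("FINDING:", finding)
```

In practice the response bodies come from `aws s3api get-bucket-versioning --bucket <name>` (or boto3's `get_bucket_versioning`) run once per bucket; feeding those into `audit_all` gives a quick inventory of which buckets still lack MFA Delete.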

Try Deleting File without MFA
$ aws s3api delete-object --bucket my-bucket-name --key my-file-name.jpg
{
    "DeleteMarker": true,
    "VersionId": "ZqKCWV3gMdDpeTdySysyDgwnlFi8tutI"
}
Execute the above command and, guess what, the file is deleted. MFA Delete only protects the deletion of object versions: when you delete the file without a version ID, S3 removes it from the bucket's current listing but keeps the previous version behind a delete marker.
The behavior is similar when deleting from the AWS console: it deletes the file but does not allow the version to be deleted.

Try Deleting File version without MFA
This time we should get an error saying that MFA is required.
$ aws s3api delete-object --bucket my-bucket-name --key my-file-name.jpg --version-id FqXGVAVzMdsXwTdySysyDgwnxyZyzxYxy
An error occurred (AccessDenied) when calling the DeleteObject operation: Mfa Authentication must be used for this request
Delete using MFA
In order to delete file versions or change the versioning state of the bucket, you need to include the x-amz-mfa header in the REST API request, or pass --mfa to the AWS CLI:
$ aws s3api delete-object --profile my-root-profile --bucket my-bucket-name --key my-file-name.jpg --version-id myfileVeRsioNiU8u4DTsqUg9NR_Z_SA --mfa "arn:aws:iam::000000000:mfa/root-account-mfa-device 123456"
{
    "VersionId": "myfileVeRsioNiU8u4DTsqUg9NR_Z_SA"
}
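The three experiments above (delete without a version ID, delete a version without MFA, delete a version with MFA) describe the behaviour of a versioned bucket with MFA Delete turned on. The following Python is an added illustration written for this post, not code from the post's author or from AWS: a small in-memory model of those rules, used to show the point that matters for recovery. A plain delete only adds a delete marker and the data stays in the version list; removing a specific version, removing the delete marker itself (which is how you restore the file), and changing the versioning configuration are the operations that require MFA. The model only checks that an MFA value was supplied; real S3 verifies the device ARN and code, and the key and version IDs used here are constructed.

```python
import itertools
from dataclasses import dataclass, field
from typing import Dict, List, Optional


class AccessDenied(Exception):
    """Mirrors the S3 error shown above when MFA is missing on a protected call."""


@dataclass
class Version:
    version_id: str
    body: Optional[bytes]  # None marks a delete marker rather than object data


@dataclass
class VersionedBucket:
    """Toy model of a versioning-enabled bucket with MFA Delete (constructed, not S3)."""
    mfa_delete: bool = True
    _objects: Dict[str, List[Version]] = field(default_factory=dict)  # newest version last
    _ids: itertools.count = field(default_factory=itertools.count, repr=False)

    def _new_id(self) -> str:
        return f"v{next(self._ids):03d}"

    def _require_mfa(self, mfa: Optional[str]) -> None:
        # Real S3 validates the "<device-arn> <code>" value; the model only checks presence.
        if self.mfa_delete and not mfa:
            raise AccessDenied("Mfa Authentication must be used for this request")

    def put_object(self, key: str, body: bytes) -> str:
        vid = self._new_id()
        self._objects.setdefault(key, []).append(Version(vid, body))
        return vid

    def delete_object(self, key: str, version_id: Optional[str] = None,
                      mfa: Optional[str] = None) -> Dict:
        versions = self._objects.setdefault(key, [])
        if version_id is None:
            # No version ID: S3 adds a delete marker. MFA Delete does not gate this,
            # which is why the file "disappears" without MFA in the post.
            vid = self._new_id()
            versions.append(Version(vid, None))
            return {"DeleteMarker": True, "VersionId": vid}
        # Permanently removing a version (or a delete marker) is what MFA Delete protects.
        self._require_mfa(mfa)
        self._objects[key] = [v for v in versions if v.version_id != version_id]
        return {"VersionId": version_id}

    def put_versioning(self, status: str, mfa_delete: bool, mfa: Optional[str] = None) -> None:
        # Changing the versioning state of a protected bucket also needs MFA.
        self._require_mfa(mfa)
        if status not in ("Enabled", "Suspended"):
            raise ValueError("status must be Enabled or Suspended")
        self.mfa_delete = mfa_delete

    def get_object(self, key: str) -> Optional[bytes]:
        """Current view of the key: None if unknown or if the newest version is a delete marker."""
        versions = self._objects.get(key)
        if not versions or versions[-1].body is None:
            return None
        return versions[-1].body

    def list_versions(self, key: str) -> List[str]:
        return [v.version_id for v in self._objects.get(key, [])]


def restore_after_plain_delete(bucket: VersionedBucket, key: str, marker_id: str, mfa: str) -> Optional[bytes]:
    """Recovery path: remove the delete marker (requires MFA) so the old version is current again."""
    bucket.delete_object(key, version_id=marker_id, mfa=mfa)
    return bucket.get_object(key)


if __name__ == "__main__":
    # Constructed walk-through of the post's three experiments.
    mfa = "arn:aws:iam::000000000000:mfa/placeholder-device 123456"  # placeholder value
    b = VersionedBucket(mfa_delete=True)
    v1 = b.put_object("my-file-name.jpg", b"jpeg bytes")
    marker = b.delete_object("my-file-name.jpg")           # no MFA needed, file hidden
    print("current view:", b.get_object("my-file-name.jpg"))  # None
    print("versions kept:", b.list_versions("my-file-name.jpg"))
    try:
        b.delete_object("my-file-name.jpg", version_id=v1)  # denied without MFA
    except AccessDenied as e:
        print("denied:", e)
    print("restored:", restore_after_plain_delete(b, "my-file-name.jpg", marker["VersionId"], mfa))
```

The practical takeaway the model makes concrete is that MFA Delete is a guard on the version history, not on the current listing: it stops a bare access key from destroying data permanently or from quietly suspending versioning, while day-to-day deletes keep working and remain reversible.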
Conclusion
In this post, we have covered how to enable and work with MFA Delete on S3 buckets.
I hope you like this post.
About DataNext
DataNext Solutions is a US-based system integrator specialized in Cloud, Big Data and DevOps technologies. As a registered AWS partner, our services comprise Cloud Migration, Cost Optimization, Integration, Security and Managed Services. Book a free assessment call with our experts today or visit our website www.datanextsolutions.com for more info.