Profile Applicability:
Level 2
Description:
Amazon S3 MFA Delete is a security feature that requires users to provide two forms of authentication when:
Deleting an object version from an S3 bucket
Changing the versioning state of a bucket
Rationale:
Protects against accidental or unauthorized deletions.
Provides an extra layer of security in case an AWS account or credentials are compromised.
Prevents attackers from deleting critical data even if they gain IAM user permissions.
Impact:
Requires AWS root user credentials to enable.
Some automation scripts and AWS services may not work if MFA Delete is required.
Admin overhead: Requires MFA-enabled authentication for deletions.
Default Value:
By default:
S3 Versioning is disabled.
MFA Delete is disabled.
Deleting objects does not require additional authentication.
Pre-Requisites:
IAM permissions to modify bucket versioning
s3:PutBucketVersioning, s3:GetBucketVersioning
AWS CLI installed
Root account with an MFA device enabled
AWS account ID and root account MFA ARN
Remediation:
Test Plan:
Using AWS Console
Log in to the AWS Console → Open the S3 Console.
Click on Buckets and select the target bucket.
Click on Properties.
Check the Versioning section:
Ensure Versioning is Enabled
Ensure MFA Delete is Enabled
Using AWS CLI
Step 1: Check Bucket Versioning and MFA Delete Status
aws s3api get-bucket-versioning --bucket <bucket_name>
Example Output (MFA Delete Enabled). The XML below is the S3 REST API response; the AWS CLI prints the equivalent JSON by default, with "Status" and "MFADelete" keys.
<VersioningConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
<Status>Enabled</Status>
<MfaDelete>Enabled</MfaDelete>
</VersioningConfiguration>
Example Output (MFA Delete NOT Enabled). The MfaDelete element (the "MFADelete" key in CLI JSON output) is absent when MFA Delete has never been enabled, and a bucket with versioning never enabled returns an empty configuration.
<VersioningConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
<Status>Enabled</Status>
</VersioningConfiguration>
Implementation Steps:
Using AWS CLI
Note: MFA Delete cannot be enabled using the AWS Console.
Step 1: Obtain Root MFA ARN
Run the following command with the root account's credentials to get the MFA device ARN (omit --user-name: the root account is not an IAM user, so a --user-name root lookup fails; without --user-name the CLI lists the MFA devices of the calling identity):
aws iam list-mfa-devices
Example Output:
{
"MFADevices": [
{
"SerialNumber": "arn:aws:iam::123456789012:mfa/root-account-mfa-device"
}
]
}
Step 2: Enable MFA Delete on an S3 Bucket
Run the following command as the root user with the MFA token:
aws s3api put-bucket-versioning \
--bucket <bucket_name> \
--versioning-configuration Status=Enabled,MFADelete=Enabled \
--mfa "arn:aws:iam::123456789012:mfa/root-account-mfa-device <MFA_Token>"
- Replace <bucket_name> with your S3 bucket name.
- Replace <MFA_Token> with the current six-digit code from the root MFA device; the --mfa value is the device ARN and the code separated by a single space.
- Use the root MFA ARN obtained earlier (the 123456789012 account ID shown is a placeholder).
Backout Plan:
If MFA Delete causes operational issues, follow these steps:
Run the disable command:
aws s3api put-bucket-versioning \
--bucket <bucket_name> \
--versioning-configuration Status=Enabled \
--mfa "arn:aws:iam::123456789012:mfa/root-account-mfa-device <MFA_Token>"
Verify MFA Delete is disabled:
aws s3api get-bucket-versioning --bucket <bucket_name>
Output should NOT contain <MfaDelete>Enabled</MfaDelete> (in the CLI's JSON output, "MFADelete" should be absent or "Disabled").
Monitor the bucket for unauthorized deletions.
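Added example (not part of this benchmark or of the AWS CLI): a POSIX shell script that automates the Test Plan check and the backout verification above by classifying the JSON that aws s3api get-bucket-versioning prints, plus a helper that builds the --mfa argument in the exact "ARN code" form the remediation command needs. It assumes AWS CLI v2 configured with an identity holding s3:ListAllMyBuckets and s3:GetBucketVersioning for the audit, and root credentials only for enable_mfa_delete; the SAMPLE_* responses are constructed so the classifier can be exercised without AWS access.

```shell
#!/bin/sh
# Added example, not the benchmark's own tooling.
# Assumes: AWS CLI v2 on PATH; audit credentials with s3:ListAllMyBuckets and
# s3:GetBucketVersioning; root credentials + MFA only for enable_mfa_delete.

# classify_versioning: reads the JSON that `aws s3api get-bucket-versioning`
# prints (CLI default output) on stdin and prints exactly one of:
#   COMPLIANT      Status=Enabled and MFADelete=Enabled
#   NO_MFA_DELETE  versioning enabled but MFA Delete absent or Disabled
#   NO_VERSIONING  versioning never enabled (empty output) or Suspended
classify_versioning() {
  json=$(cat)
  if printf '%s' "$json" | grep -Eq '"Status"[[:space:]]*:[[:space:]]*"Enabled"'; then
    if printf '%s' "$json" | grep -Eq '"MFADelete"[[:space:]]*:[[:space:]]*"Enabled"'; then
      echo COMPLIANT
    else
      echo NO_MFA_DELETE
    fi
  else
    echo NO_VERSIONING
  fi
}

# audit_buckets: one line per bucket, "<status>\t<bucket>", so non-compliant
# buckets can be filtered with: audit_buckets | grep -v '^COMPLIANT'
audit_buckets() {
  for b in $(aws s3api list-buckets --query 'Buckets[].Name' --output text); do
    status=$(aws s3api get-bucket-versioning --bucket "$b" | classify_versioning)
    printf '%s\t%s\n' "$status" "$b"
  done
}

# mfa_arg: builds the --mfa value ("<device ARN> <code>", single space) and
# rejects codes that are not six digits before any API call is made.
mfa_arg() {
  arn=$1
  code=$2
  case "$code" in
    [0-9][0-9][0-9][0-9][0-9][0-9]) ;;
    *) echo "MFA code must be exactly six digits" >&2; return 1 ;;
  esac
  printf '%s %s' "$arn" "$code"
}

# enable_mfa_delete <bucket> <root-mfa-arn> <code>: the remediation command,
# run with root credentials. Fails early if the code is malformed.
enable_mfa_delete() {
  mfa=$(mfa_arg "$2" "$3") || return 1
  aws s3api put-bucket-versioning --bucket "$1" \
    --versioning-configuration Status=Enabled,MFADelete=Enabled \
    --mfa "$mfa"
}

# Constructed sample responses (not captured from a real account) for a
# dry run of the classifier without AWS access.
SAMPLE_COMPLIANT='{ "Status": "Enabled", "MFADelete": "Enabled" }'
SAMPLE_NO_MFA='{ "Status": "Enabled" }'
SAMPLE_SUSPENDED='{ "Status": "Suspended", "MFADelete": "Enabled" }'
SAMPLE_NEVER_ENABLED=''

case "${1:-}" in
  --demo)
    for s in "$SAMPLE_COMPLIANT" "$SAMPLE_NO_MFA" "$SAMPLE_SUSPENDED" "$SAMPLE_NEVER_ENABLED"; do
      printf '%s' "$s" | classify_versioning
    done ;;
  --audit) audit_buckets ;;
esac
```

Run with --demo to see the four classifications on the constructed samples, or with --audit against a real account. The Suspended sample is the edge case worth noticing: the MFADelete key can still read "Enabled" while versioning is suspended, so checking MFADelete alone would pass a bucket that no longer retains object versions.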