Profile Applicability:

Level 2

Description:

Amazon S3 MFA Delete is a security feature that requires users to provide two forms of authentication when:

  • Deleting an object version from an S3 bucket

  • Changing the versioning state of a bucket

Rationale:

  • Protects against accidental or unauthorized deletions.

  • Provides an extra layer of security in case an AWS account or credentials are compromised.

  • Prevents attackers from deleting critical data even if they gain IAM user permissions.

Impact:

  • Requires AWS root user credentials to enable.

  • Some automation scripts and AWS services may not work if MFA Delete is required.

  • Admin overhead: Requires MFA-enabled authentication for deletions.

Default Value:

By default:

  • S3 Versioning is disabled.

  • MFA Delete is disabled.

  • Deleting objects does not require additional authentication.

Pre-Requisites:

  1. IAM permissions to modify bucket versioning

    • s3:PutBucketVersioning, s3:GetBucketVersioning

  2. AWS CLI installed

  3. Root account with an MFA device enabled

  4. AWS account ID and root account MFA ARN

Remediation:

Test Plan:

Using AWS Console

  1. Login to AWS Console → Open S3 Console.

  2. Click on Buckets and select the target bucket.

  3. Click on Properties.

  4. Check the Versioning section:

    • Ensure Versioning is Enabled

    • Ensure MFA Delete is Enabled

Using AWS CLI

Step 1: Check Bucket Versioning and MFA Delete Status

aws s3api get-bucket-versioning --bucket <bucket_name>

Example Output (MFA Delete Enabled)

<VersioningConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
    <Status>Enabled</Status>
    <MfaDelete>Enabled</MfaDelete>
</VersioningConfiguration>

Example Output (MFA Delete NOT Enabled)

<VersioningConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
    <Status>Enabled</Status>
</VersioningConfiguration>
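As an added audit example (not part of this benchmark page), the Step 1 check run across every bucket in the account with boto3 (assumed installed and configured with credentials holding s3:ListAllMyBuckets and s3:GetBucketVersioning). Note that the AWS CLI prints this configuration as JSON by default, with the keys Status and MFADelete absent until they have ever been set; boto3 returns the same shape, and the evaluation below handles all of its states.

```python
"""Audit S3 buckets for Versioning + MFA Delete (added example, assumes boto3)."""
from typing import Dict, Iterable, List, Optional


def evaluate_versioning(config: Dict[str, str]) -> List[str]:
    """Return findings for one GetBucketVersioning result; [] means compliant.

    `config` has the CLI/boto3 response shape: "Status" is absent, "Enabled"
    or "Suspended"; "MFADelete" is absent, "Enabled" or "Disabled".
    """
    findings = []
    status = config.get("Status")
    mfa = config.get("MFADelete")
    if status != "Enabled":
        findings.append("versioning is %s" % (status or "not enabled"))
    if mfa != "Enabled":
        findings.append("MFA Delete is %s" % (mfa or "not enabled"))
    return findings


def audit_buckets(s3, buckets: Optional[Iterable[str]] = None) -> Dict[str, List[str]]:
    """Evaluate every bucket (or only the given names) via an S3 client object."""
    if buckets is None:
        buckets = [b["Name"] for b in s3.list_buckets()["Buckets"]]
    return {name: evaluate_versioning(s3.get_bucket_versioning(Bucket=name))
            for name in buckets}


class FakeS3:
    """Constructed stand-in for a boto3 S3 client, so the audit runs offline."""

    def __init__(self, configs: Dict[str, Dict[str, str]]):
        self.configs = configs

    def list_buckets(self):
        return {"Buckets": [{"Name": n} for n in self.configs]}

    def get_bucket_versioning(self, Bucket):
        return dict(self.configs[Bucket])


# Constructed sample: one compliant bucket and three non-compliant states.
SAMPLE_CONFIGS = {
    "good": {"Status": "Enabled", "MFADelete": "Enabled"},
    "no-mfa": {"Status": "Enabled"},
    "fresh": {},
    "suspended": {"Status": "Suspended", "MFADelete": "Disabled"},
}

if __name__ == "__main__":
    import boto3  # real run; swap for FakeS3(SAMPLE_CONFIGS) to try it offline
    for bucket, findings in audit_buckets(boto3.client("s3")).items():
        print(bucket, "OK" if not findings else "; ".join(findings))
```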

Implementation Steps:

Using AWS CLI

Note: MFA Delete cannot be enabled using the AWS Console.

Step 1: Obtain Root MFA ARN

Run the following command while authenticated as the root user. The root user is not an IAM user, so do not pass --user-name; when it is omitted, IAM lists the MFA devices of the identity whose access key signs the request:

aws iam list-mfa-devices

Example Output:

{
    "MFADevices": [
        {
            "SerialNumber": "arn:aws:iam::123456789012:mfa/root-account-mfa-device"
        }
    ]
}

Step 2: Enable MFA Delete on an S3 Bucket

Run the following command as the root user with the MFA token:

aws s3api put-bucket-versioning \
    --bucket <bucket_name> \
    --versioning-configuration Status=Enabled,MFADelete=Enabled \
    --mfa "arn:aws:iam::123456789012:mfa/root-account-mfa-device <MFA_Token>"

  • Replace <bucket_name> with your S3 bucket name.

  • Replace <MFA_Token> with the current MFA code from your MFA device.

  • Use the root MFA ARN obtained earlier.

Backout Plan:

If MFA Delete causes operational issues, follow these steps:

Run the disable command as the root user, explicitly setting MFADelete=Disabled (versioning itself stays enabled, and the --mfa value is still required to change the MFA Delete state):

aws s3api put-bucket-versioning \
    --bucket <bucket_name> \
    --versioning-configuration Status=Enabled,MFADelete=Disabled \
    --mfa "arn:aws:iam::123456789012:mfa/root-account-mfa-device <MFA_Token>"

Verify MFA Delete is disabled:

aws s3api get-bucket-versioning --bucket <bucket_name>

  1. Output should NOT contain <MfaDelete>Enabled</MfaDelete>.

  2. Monitor the bucket for unauthorized deletions.

References: