Profile Applicability:

  • Level 2

Description:
Amazon S3 (Simple Storage Service) provides the option to enable MFA Delete, which adds an extra layer of security to prevent accidental or malicious deletions of versioned objects in an S3 bucket. When enabled, MFA (Multi-Factor Authentication) is required to delete objects or to permanently delete versioned objects in the bucket. While MFA Delete enhances security, it is not always necessary for all use cases. There are scenarios where organizations may prefer to have this feature disabled for operational reasons, such as ease of managing object deletion without requiring MFA.

Rationale:
While MFA Delete can prevent unauthorized deletions of critical data, it is not always needed in all use cases, especially when the deletion process is automated or when administrative users need to delete objects without requiring MFA. For such cases, it’s important to check if MFA Delete is enabled and to ensure it aligns with your organization's security and operational requirements.

Impact:
 Pros:

  • Prevents accidental or unauthorized deletions of versioned objects when enabled.

  • Enhances the security of data in S3 buckets by requiring MFA for deletions.

Cons:

  • Can complicate automated or operational processes where object deletion is needed, as MFA will be required each time.

  • If the MFA device is lost or unavailable, it can prevent administrators from managing bucket contents.

Default Value:
 By default, MFA Delete is not enabled for new S3 buckets. It must be explicitly configured to be enabled.

Pre-requisites:

  • AWS IAM permissions:
         s3:GetBucketVersioning
     s3:PutBucketVersioning
     s3:GetBucketAcl

  • Access to the S3 bucket configuration to review the versioning and MFA Delete settings.

  • Access to the AWS Management Console or AWS CLI to check and modify the settings.

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to S3 and select Buckets from the left-hand menu.

  3. Select the S3 bucket you want to check.

  4. Under the Properties tab, scroll down to the Bucket Versioning section.

  5. Verify if MFA Delete is enabled. If MFA Delete is enabled, it will be indicated here.

  6. If MFA Delete is enabled and you wish to disable it, click Edit, and in the Versioning section, change the MFA Delete setting to Disabled.

Using AWS CLI:

  1. List all S3 buckets:

    aws s3api list-buckets --query "Buckets[*].Name"

  2. For each bucket, check the versioning and MFA Delete settings:

    aws s3api get-bucket-versioning --bucket <BUCKET_NAME>

  3. In the output, look for the "MFADelete": "Enabled" field. If MFA Delete is enabled, the setting will appear as "MFADelete": "Enabled".

  4. If MFA Delete is enabled, disable it by running the following command:

    aws s3api put-bucket-versioning --bucket <BUCKET_NAME> --versioning-configuration Status=Enabled,MFADelete=Disabled

  5. Verify the updated versioning configuration:

    aws s3api get-bucket-versioning --bucket <BUCKET_NAME>

Implementation Plan:

Using AWS Console:

  1. Open the S3 Console and select the bucket you want to modify.

  2. Under Properties, go to the Bucket Versioning section.

  3. If MFA Delete is enabled, change it to Disabled to remove the requirement for MFA on object deletions.

  4. Save the changes and verify that MFA Delete is now disabled.

Using AWS CLI:

  1. To disable MFA Delete, use the following command:

    aws s3api put-bucket-versioning --bucket <BUCKET_NAME> --versioning-configuration Status=Enabled,MFADelete=Disabled

  2. Confirm that MFA Delete is disabled by checking the versioning configuration:

    aws s3api get-bucket-versioning --bucket <BUCKET_NAME>

Backout Plan:

Using AWS Console:

  1. If disabling MFA Delete causes issues, sign in to the AWS Management Console.

  2. Navigate to Amazon S3 and select the bucket you want to modify.

  3. Go to the Properties tab, and under Versioning, check the Enable MFA Delete option to re-enable it.

  4. Save the changes and monitor the bucket to ensure it functions correctly.

Using AWS CLI:

  1. To re-enable MFA Delete, run:

    aws s3api put-bucket-versioning --bucket <BUCKET_NAME> --versioning-configuration Status=Enabled,MFADelete=Enabled

  2. Verify the change:

    aws s3api get-bucket-versioning --bucket <BUCKET_NAME>

Reference:

CIS Controls:

Version

Control ID

Control Description

7.1

3.1

Ensure that S3 bucket versioning is enabled to retain historical versions of objects, and control deletions with MFA when needed.

7.1

8.1

Enable MFA Delete for versioned S3 buckets to ensure that object deletions are securely managed, unless operational requirements dictate otherwise.