Profile Applicability:

  • Level 1

Description:

Amazon S3 is a scalable object storage service that is often used to store CloudTrail logs for auditing and compliance purposes. MFA Delete is a feature that prevents the deletion of objects or the S3 bucket versioning configuration unless multi-factor authentication (MFA) is provided.

Enabling MFA Delete on the S3 bucket used for CloudTrail logs adds an additional layer of security. This ensures that any actions to delete logs or modify the versioning configuration require MFA, reducing the risk of accidental or malicious deletion of critical CloudTrail logs.

This SOP ensures that the CloudTrail S3 bucket has MFA Delete enabled to protect logs and meet compliance and security best practices.

Rationale:

Enabling MFA Delete ensures that:

  • Data Integrity: CloudTrail logs are protected from accidental or unauthorized deletions, maintaining the integrity of audit logs.

  • Increased Security: Prevents unauthorized users, including compromised accounts, from deleting critical logs or changing versioning configurations without additional authentication.

  • Compliance: Helps meet security and compliance standards like SOC 2, PCI-DSS, and HIPAA, which require the protection of audit logs from tampering or unauthorized deletion.

Impact:

Pros:

  • Increased Protection: Requires MFA before CloudTrail logs can be deleted, reducing the chance of accidental or unauthorized log deletion.

  • Regulatory Compliance: Meets data retention and audit requirements by ensuring logs are not deleted without proper authorization.

  • Auditability: Ensures that deletion of logs or changes to the versioning configuration are highly controlled and tracked.

Cons:

  • Additional Complexity: Requiring MFA for deletions adds complexity to managing the S3 bucket, especially for automation or script-based deletions.

  • Operational Overhead: If the root account or admin needs to delete logs for maintenance or troubleshooting, they must provide MFA, which can delay processes.

Default Value:

By default, MFA Delete is disabled on S3 buckets, and it must be explicitly enabled for CloudTrail log buckets.

Pre-requisite:

  • AWS IAM Permissions:

    • s3:PutBucketVersioning

    • s3:GetBucketVersioning

    • s3:DeleteBucket

    • iam:ListMFADevices

  • AWS CLI installed and configured.

  • A compatible MFA device associated with the AWS root account.

  • Basic understanding of Amazon S3 versioning, CloudTrail, and MFA Delete configurations.

Remediation:

Test plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon S3 under Services.

  3. Find the S3 bucket used for CloudTrail logs.

  4. Go to the Properties tab of the bucket and under Versioning, check if versioning is enabled.

    • Versioning must be enabled to use MFA Delete.

  5. Scroll down to the MFA Delete section and verify that it is enabled.

    • If MFA Delete is not enabled, the bucket is vulnerable to accidental or unauthorized deletions.

    • If MFA Delete is disabled, go to MFA Device Settings and ensure the root account has MFA enabled.

Using AWS CLI:

To check if versioning and MFA Delete are enabled for the S3 bucket, run:

aws s3api get-bucket-versioning --bucket <bucket-name>

The output should show Enabled for both Status (versioning) and MFADelete:

{
  "Status": "Enabled",
  "MFADelete": "Enabled"
}

If MFADelete is not Enabled, run the following command to enable MFA Delete for the bucket:

aws s3api put-bucket-versioning --bucket <bucket-name> --versioning-configuration Status=Enabled,MFADelete=Enabled --mfa "arn:aws:iam::<account-id>:mfa/<mfa-device-serial-number> <mfa-code>"

Verify that MFA Delete is successfully enabled by running the get-bucket-versioning command again.
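As an added example (not part of this SOP), the following Python evaluates the output of the two AWS CLI calls the check relies on: `aws cloudtrail describe-trails` to identify the log bucket (step 3) and `aws s3api get-bucket-versioning` to judge its versioning and MFA Delete state. The bucket and trail names and the sample CLI outputs are constructed; only `audit_live_account` touches a real account.

```python
import json
import subprocess

def cloudtrail_log_buckets(describe_trails_output: str) -> set:
    """Bucket names from `aws cloudtrail describe-trails` (trailList[].S3BucketName)."""
    trails = json.loads(describe_trails_output).get("trailList", [])
    return {t["S3BucketName"] for t in trails if t.get("S3BucketName")}

def assess_versioning(get_bucket_versioning_output: str) -> dict:
    """Evaluate `aws s3api get-bucket-versioning` output for one bucket.

    The CLI prints nothing at all when versioning was never configured, so an
    empty string is treated as an unversioned bucket rather than a parse error.
    """
    text = get_bucket_versioning_output.strip()
    config = json.loads(text) if text else {}
    status = config.get("Status", "NotConfigured")
    mfa = config.get("MFADelete", "NotConfigured")
    findings = []
    if status != "Enabled":
        findings.append("versioning is %s; it must be Enabled before MFA Delete can be set" % status)
    if mfa != "Enabled":
        findings.append("MFADelete is %s; expected Enabled" % mfa)
    return {"compliant": not findings, "status": status, "mfa_delete": mfa, "findings": findings}

def audit_live_account() -> dict:
    """Run the two CLI commands against the configured AWS profile (needs credentials)."""
    def cli(*args):
        return subprocess.run(["aws", *args], capture_output=True, text=True, check=True).stdout
    buckets = cloudtrail_log_buckets(cli("cloudtrail", "describe-trails"))
    return {b: assess_versioning(cli("s3api", "get-bucket-versioning", "--bucket", b)) for b in buckets}

# Constructed sample outputs mirroring the shapes the SOP shows (names are placeholders).
SAMPLE_TRAILS = json.dumps({"trailList": [{"Name": "org-trail", "S3BucketName": "example-cloudtrail-logs"}]})
SAMPLE_OK = '{"Status": "Enabled", "MFADelete": "Enabled"}'
SAMPLE_SUSPENDED = '{"Status": "Suspended"}'
SAMPLE_NEVER_VERSIONED = ""

if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("suspended", SAMPLE_SUSPENDED), ("never", SAMPLE_NEVER_VERSIONED)):
        print(name, assess_versioning(sample))
```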

Implementation steps:

Using AWS Console:

  1. Sign in to the AWS Management Console and navigate to Amazon S3.

  2. Go to the S3 bucket that is used for CloudTrail logs.

  3. Click on the Properties tab and scroll to Versioning.

  4. Enable Versioning if it is not already enabled.

  5. Scroll to MFA Delete and enable it.

  6. To confirm, use an MFA device (such as an MFA device associated with the root account) to authenticate the changes.

  7. Save the changes to apply MFA Delete to the S3 bucket.

Using AWS CLI:

Enable Versioning and MFA Delete using the following command:

aws s3api put-bucket-versioning \
  --bucket <bucket-name> \
  --versioning-configuration Status=Enabled,MFADelete=Enabled \
  --mfa "arn:aws:iam::<account-id>:mfa/<mfa-device-serial-number> <mfa-code>"

Verify that MFA Delete is enabled by running:

aws s3api get-bucket-versioning --bucket <bucket-name>

The output should confirm that MFADelete is enabled.

Backout Plan:

If enabling MFA Delete causes issues (e.g., a need to delete or modify logs without MFA authentication):

Identify the S3 bucket used for CloudTrail logs.

To disable MFA Delete, run the following command:

aws s3api put-bucket-versioning \
  --bucket <bucket-name> \
  --versioning-configuration Status=Enabled,MFADelete=Disabled \
  --mfa "arn:aws:iam::<account-id>:mfa/<mfa-device-serial-number> <mfa-code>"

Verify that MFA Delete has been disabled by running:

aws s3api get-bucket-versioning --bucket <bucket-name>

The output should show that MFADelete is Disabled.

Note:

  • MFA Devices: Ensure that the root account or the account used to enable MFA Delete has an MFA device configured. This is a requirement for both enabling and disabling MFA Delete.

  • Monitoring: Consider setting up CloudTrail and CloudWatch to monitor and alert on changes to the CloudTrail S3 bucket's settings and policies, including enabling/disabling MFA Delete.
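As an added example (not part of this SOP), the following Python shows the detection logic behind that monitoring note: it scans CloudTrail records for PutBucketVersioning calls against the log bucket that suspend versioning or disable MFA Delete, and keeps denied attempts as well. The record layout (eventName, requestParameters.bucketName, VersioningConfiguration, errorCode) follows CloudTrail's bucket-level management events; the sample records, the account id and the bucket names are constructed placeholders.

```python
import json

def weakening_versioning_changes(records: list, watched_buckets: set) -> list:
    """Return one alert per PutBucketVersioning call on a watched bucket that
    suspends versioning or disables MFA Delete. Failed attempts are kept too,
    with their errorCode, because a denied attempt is itself worth a look."""
    alerts = []
    for rec in records:
        if rec.get("eventSource") != "s3.amazonaws.com" or rec.get("eventName") != "PutBucketVersioning":
            continue
        params = rec.get("requestParameters") or {}
        bucket = params.get("bucketName")
        if bucket not in watched_buckets:
            continue
        cfg = params.get("VersioningConfiguration") or {}
        reasons = []
        if cfg.get("Status") == "Suspended":
            reasons.append("versioning suspended")
        if cfg.get("MfaDelete") == "Disabled":
            reasons.append("MFA Delete disabled")
        if reasons:
            alerts.append({
                "time": rec.get("eventTime"),
                "actor": (rec.get("userIdentity") or {}).get("arn"),
                "bucket": bucket,
                "reasons": reasons,
                "outcome": rec.get("errorCode", "succeeded"),
            })
    return alerts

# Constructed sample records (account id 111122223333 and bucket names are placeholders).
def _rec(name, bucket, cfg, error=None):
    r = {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "s3.amazonaws.com", "eventName": name,
         "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ops-admin"},
         "requestParameters": {"bucketName": bucket, "VersioningConfiguration": cfg}}
    if error:
        r["errorCode"] = error
    return r

SAMPLE_RECORDS = [
    _rec("PutBucketVersioning", "example-cloudtrail-logs", {"Status": "Enabled", "MfaDelete": "Enabled"}),
    _rec("PutBucketVersioning", "example-cloudtrail-logs", {"Status": "Enabled", "MfaDelete": "Disabled"}, "AccessDenied"),
    _rec("PutBucketVersioning", "example-cloudtrail-logs", {"Status": "Suspended"}),
    _rec("PutBucketVersioning", "unrelated-bucket", {"Status": "Suspended"}),
    _rec("GetBucketVersioning", "example-cloudtrail-logs", {}),
]

if __name__ == "__main__":
    print(json.dumps(weakening_versioning_changes(SAMPLE_RECORDS, {"example-cloudtrail-logs"}), indent=2))
```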

References:

CIS Controls Mapping:

Version | Control ID | Control Description                                                                                                               | IG1 | IG2 | IG3
v8      | 3.4        | Encrypt Data on End-User Devices – Ensure data encryption during file system access.                                              |     |     |
v8      | 6.7        | Implement Application Layer Filtering and Content Control – Ensure appropriate content filtering is applied to sensitive files.   |     |     |
v8      | 6.8        | Define and Maintain Role-Based Access Control – Implement and manage role-based access for file systems.                          |     |     |
v8      | 14.6       | Protect Information Through Access Control Lists – Apply strict access control to file systems.                                   |     |     |