Profile Applicability
- Level 1
Description:
MFA Delete is a feature in Amazon S3 that provides an additional layer of protection against accidental or malicious deletion of objects in S3. When enabled, MFA Delete requires multi-factor authentication (MFA) to delete objects or change the versioning state of the bucket. This ensures that only authorized users with the appropriate MFA device can perform these operations, helping prevent unauthorized access or loss of critical data stored in the S3 bucket.
Enabling MFA Delete therefore makes the deletion of S3 objects depend on an explicit additional authentication step, so that data cannot be removed accidentally or maliciously on the strength of IAM permissions alone.
Rationale:
Enabling MFA Delete for S3 buckets provides the following benefits:
Enhanced data protection: Adds a second layer of security to prevent the accidental or unauthorized deletion of S3 objects or changes to bucket versioning.
Compliance: Meets regulatory and security standards that require MFA for critical operations, such as data deletion, to avoid the risk of unauthorized or inadvertent data loss.
Prevents unauthorized actions: Ensures that no unauthorized user can delete data without providing additional verification through MFA.
Without MFA Delete, users with sufficient IAM permissions can delete objects or change the versioning state of the bucket without any additional verification, which increases the risk of data loss.
Impact:
Failure to enable MFA Delete on S3 buckets can result in:
Accidental or malicious deletion of data without sufficient safeguards.
Unintended changes to bucket versioning or deletion policies.
Non-compliance with regulatory standards requiring MFA for sensitive operations like deleting data.
Enabling MFA Delete ensures that sensitive operations on S3 are protected by an additional authentication step, reducing the likelihood of unauthorized or accidental deletion.
Default Value:
By default, MFA Delete is disabled. It must be explicitly enabled, and only on a bucket that already has versioning enabled. MFA Delete requires an MFA device to be configured for the root account, and it can only be enabled using the AWS CLI (or API), not the console.
Pre-Requisites:
AWS CLI installed and configured
IAM permissions:
s3:PutBucketVersioning
s3:GetBucketVersioning
An MFA device must be enabled for the root account
Remediation:
Test Plan:
Using AWS Console:
Go to the S3 Console.
Select the S3 bucket and verify that versioning is enabled under the Properties tab.
Ensure that MFA Delete is enabled for the bucket under the Versioning section.
Confirm that changes to versioning and delete operations require MFA authentication.
Using AWS CLI:
To check if versioning is enabled:
aws s3api get-bucket-versioning --bucket <bucket-name> --query "Status" --output table
To check if MFA Delete is enabled:
aws s3api get-bucket-versioning --bucket <bucket-name> --query "MFADelete" --output table
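The two CLI checks above cover one bucket at a time, and for a bucket on which MFA Delete was never configured the MFADelete query prints "None" rather than "Disabled", which is easy to misread as a pass. The following POSIX shell script is an added example, not part of this benchmark text, that audits every bucket in the account and treats a missing value the same as a disabled one. It assumes the AWS CLI v2 is configured with credentials allowed to call s3:ListAllMyBuckets and s3:GetBucketVersioning; the function names audit_bucket and audit_all_buckets are the example's own.

```shell
#!/bin/sh
# Added example (not part of the benchmark): audit every bucket in the account
# for Versioning=Enabled and MFADelete=Enabled.
# Assumptions: AWS CLI v2 on PATH, credentials allowed to call
# s3:ListAllMyBuckets and s3:GetBucketVersioning. Function names are ours.

# Print "<Status>\t<MFADelete>" for one bucket. GetBucketVersioning omits a
# key that was never configured, so the CLI text output shows "None" there
# (a never-versioned bucket prints "None\tNone").
bucket_versioning_state() {
  aws s3api get-bucket-versioning --bucket "$1" \
    --query '[Status, MFADelete]' --output text
}

# Report one bucket as PASS, FAIL or ERROR (tab separated) and return 0, 1 or 2.
audit_bucket() {
  bucket=$1
  state=$(bucket_versioning_state "$bucket") || {
    printf 'ERROR\t%s\tget-bucket-versioning failed\n' "$bucket"
    return 2
  }
  # Split the two tab-separated fields; treat a missing field as "None".
  set -- $state
  status=${1:-None}
  mfa=${2:-None}
  if [ "$status" = "Enabled" ] && [ "$mfa" = "Enabled" ]; then
    printf 'PASS\t%s\tversioning=%s mfa_delete=%s\n' "$bucket" "$status" "$mfa"
    return 0
  fi
  # "Suspended", "Disabled" and "None" all mean the control is not in force.
  printf 'FAIL\t%s\tversioning=%s mfa_delete=%s\n' "$bucket" "$status" "$mfa"
  return 1
}

# Audit all buckets; a bucket that cannot be read counts as non-compliant so
# that a permissions problem does not hide a finding. Returns 0 only if every
# bucket passed.
audit_all_buckets() {
  buckets=$(aws s3api list-buckets --query 'Buckets[].Name' --output text) || {
    echo "ERROR: list-buckets failed" >&2
    return 2
  }
  total=0
  failed=0
  for b in $buckets; do
    total=$((total + 1))
    audit_bucket "$b" || failed=$((failed + 1))
  done
  echo "$failed of $total buckets are non-compliant"
  [ "$failed" -eq 0 ]
}

# Entry point: run the account-wide audit only when invoked with --run, so the
# file can also be sourced for its functions.
if [ "${1:-}" = "--run" ]; then
  audit_all_buckets
fi
```

Run it as `sh s3-mfa-delete-audit.sh --run`, or source the file and call `audit_bucket <name>` from another script. A bucket whose state cannot be read (for example, because access is denied) is reported as ERROR and counted as non-compliant rather than silently skipped. Note what a PASS means: MFA Delete protects changes to the versioning state and the permanent deletion of a specific object version; a DELETE request without a version ID still succeeds and places a delete marker, which is why versioning must remain enabled alongside it.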
Implementation Plan:
Using AWS Console:
Enable MFA Delete for S3 bucket:
Go to the S3 Console.
Select the bucket and enable Versioning if not already enabled.
To enable MFA Delete, use the AWS CLI (MFA Delete cannot be enabled directly through the console).
Verify MFA Delete is enabled:
After enabling MFA Delete via the CLI, verify that the MFADelete status is set to Enabled in the Versioning section of the bucket’s settings.
Using AWS CLI:
Enable MFA Delete for an S3 bucket:
First, ensure versioning is enabled:
aws s3api put-bucket-versioning --bucket <bucket-name> --versioning-configuration Status=Enabled
Then, enable MFA Delete:
aws s3api put-bucket-versioning --bucket <bucket-name> --versioning-configuration Status=Enabled,MFADelete=Enabled --mfa "arn:aws:iam::<account-id>:mfa/<mfa-device-name> <mfa-token>"
Verify MFA Delete is enabled:
aws s3api get-bucket-versioning --bucket <bucket-name> --query "MFADelete" --output table
Backout Plan:
Using AWS Console:
If MFA Delete causes operational issues (e.g., legitimate delete operations being blocked):
Go to the S3 Console.
Disable MFA Delete by using the AWS CLI (MFA Delete cannot be disabled through the console).
Adjust the MFA device settings if the MFA token is causing access issues.
Using AWS CLI:
Temporarily disable MFA Delete:
aws s3api put-bucket-versioning --bucket <bucket-name> --versioning-configuration Status=Enabled,MFADelete=Disabled --mfa "arn:aws:iam::<account-id>:mfa/<mfa-device-name> <mfa-token>"
Suspend versioning if necessary (this stops new object versions from being created; it does not block other modifications to the bucket):
aws s3api put-bucket-versioning --bucket <bucket-name> --versioning-configuration Status=Suspended
Re-enable MFA Delete once issues are resolved:
aws s3api put-bucket-versioning --bucket <bucket-name> --versioning-configuration Status=Enabled,MFADelete=Enabled --mfa "arn:aws:iam::<account-id>:mfa/<mfa-device-name> <mfa-token>"
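The put-bucket-versioning calls in the Implementation Plan and the Backout Plan differ only in the MFADelete value, and neither reads the state back afterwards. The following POSIX shell function is an added example, not part of this benchmark, that wraps both: it validates its inputs before spending a single-use MFA code, sets the requested state while keeping versioning Enabled, and then verifies the result with get-bucket-versioning. It assumes the AWS CLI v2 and root credentials, because S3 accepts an MFA Delete change only from the bucket owner's root user together with a code from the root user's MFA device; the function name set_mfa_delete and the bucket name in the usage line are the example's own.

```shell
#!/bin/sh
# Added example (not part of the benchmark): set the MFA Delete state of a
# bucket and verify it. Serves both remediation (Enabled) and backout
# (Disabled).
# Assumptions: AWS CLI v2 on PATH; the credentials are the account root user's
# and the device ARN is the root user's MFA device, since S3 only accepts an
# MFA Delete change from the bucket owner's root credentials.

# Usage: set_mfa_delete <bucket> <Enabled|Disabled> <mfa-device-arn> <mfa-code>
set_mfa_delete() {
  bucket=$1
  desired=$2
  mfa_serial=$3
  token=$4

  case "$desired" in
    Enabled|Disabled) ;;
    *) echo "desired state must be Enabled or Disabled" >&2; return 2 ;;
  esac
  case "$mfa_serial" in
    arn:aws:iam::[0-9]*:mfa/*) ;;
    *) echo "mfa-device-arn must look like arn:aws:iam::<account-id>:mfa/<device>" >&2
       return 2 ;;
  esac
  # A virtual or hardware TOTP code is six digits and single-use; reject
  # anything else before spending it on a request that cannot succeed.
  case "$token" in
    [0-9][0-9][0-9][0-9][0-9][0-9]) ;;
    *) echo "mfa-code must be a six-digit code" >&2; return 2 ;;
  esac

  # Versioning must be (and stay) Enabled: S3 rejects MFADelete changes on
  # unversioned buckets. The --mfa value is "<device-arn> <code>" as a single
  # argument, which is why the two are joined inside one quoted string.
  aws s3api put-bucket-versioning --bucket "$bucket" \
    --versioning-configuration "Status=Enabled,MFADelete=$desired" \
    --mfa "$mfa_serial $token" || return 1

  # Verify by reading the state back rather than trusting the write's exit code.
  state=$(aws s3api get-bucket-versioning --bucket "$bucket" \
    --query '[Status, MFADelete]' --output text) || return 1
  set -- $state
  if [ "${1:-None}" = "Enabled" ] && [ "${2:-None}" = "$desired" ]; then
    echo "$bucket: versioning=Enabled mfa_delete=$desired (verified)"
    return 0
  fi
  echo "$bucket: verification failed, got versioning=${1:-None} mfa_delete=${2:-None}" >&2
  return 1
}

# Entry point: run only when all four arguments are given, so the file can
# also be sourced for the function.
if [ $# -eq 4 ]; then
  set_mfa_delete "$@"
fi
```

Invoke it as `sh s3-mfa-delete.sh audit-logs Enabled <device-arn> <code>` for remediation, or with Disabled for backout. A TOTP code is valid only for a short window and cannot be reused, so a verification failure means the retry needs a fresh code.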