S3 buckets should have the 'MFA Delete' feature enabled
Description
Once MFA Delete is enabled on a sensitive and classified S3 bucket, the user must provide two forms of authentication.
Rationale
Adding MFA Delete to an S3 bucket requires additional authentication when you change the versioning state of your bucket or when you delete an object version. This adds another layer of security in the event your security credentials are compromised or unauthorized access is granted.
MFA-protected Amazon S3 buckets ensure S3 objects cannot be accidentally or intentionally deleted by AWS users who have access to your bucket.
From the console
MFA Delete cannot be enabled in the AWS Console. See the CLI remediation below for configuration instructions.
From the command line
Run put-bucket-versioning with your bucket name, versioning configuration, and MFA configuration.
aws s3api put-bucket-versioning --profile my-root-profile --bucket Bucket_Name \
    --versioning-configuration Status=Enabled,MFADelete=Enabled \
    --mfa "arn:aws:iam::aws_account_id:mfa/root-account-mfa-device passcode"
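To confirm the remediation took effect, the following added example (not part of the original page or of any AWS tooling) reads each bucket's versioning state with get-bucket-versioning and reports whether both versioning and MFA Delete are enabled. The function names and verdict strings are hypothetical, and it assumes the AWS CLI is configured with credentials that can list buckets and read their versioning configuration.

```shell
#!/bin/sh
# Added example, not AWS or page code. Function names are hypothetical.

# classify_versioning STATUS MFADELETE -> prints a verdict.
# Text output shows "None" for a field the response omits, which is what
# a bucket that never had versioning configured returns.
classify_versioning() {
    case "$1" in
        Enabled) ;;
        Suspended) echo "FAIL versioning-suspended"; return 0 ;;
        *) echo "FAIL versioning-never-enabled"; return 0 ;;
    esac
    if [ "$2" = "Enabled" ]; then
        echo "PASS"
    else
        echo "FAIL mfa-delete-disabled"
    fi
}

# audit_bucket BUCKET -> prints "BUCKET VERDICT".
audit_bucket() {
    bucket=$1
    if ! state=$(aws s3api get-bucket-versioning --bucket "$bucket" \
            --query '[Status,MFADelete]' --output text); then
        echo "$bucket ERROR cannot-read-versioning"
        return 0
    fi
    # The two fields arrive whitespace-separated on one line.
    read -r status mfa <<EOF
$state
EOF
    echo "$bucket $(classify_versioning "$status" "$mfa")"
}

# audit_all -> audits every bucket the caller can list; returns 1 if any
# bucket is not PASS, so it can gate a pipeline.
audit_all() {
    failed=0
    for b in $(aws s3api list-buckets --query 'Buckets[].Name' --output text); do
        line=$(audit_bucket "$b")
        echo "$line"
        case "$line" in
            *" PASS") ;;
            *) failed=1 ;;
        esac
    done
    return "$failed"
}
```

Call `audit_all` after sourcing the file; a non-zero exit status means at least one bucket still needs the put-bucket-versioning command above.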
References
- https://docs.aws.amazon.com/AmazonS3/latest/dev/Versioning.html#MultiFactorAuthenticationDelete
- https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingMFADelete.html
- https://aws.amazon.com/blogs/security/securing-access-to-aws-using-mfa-part-3/
- https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_lost-or-broken.html