
CloudTrail Bucket MFA Delete Enabled

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: CT-004

Ensure that the Amazon S3 buckets that receive your Amazon CloudTrail logs have the Multi-Factor Authentication (MFA) Delete feature enabled, so that versioned log files cannot be permanently deleted, and the bucket's versioning state cannot be changed, without a second factor.

This rule can help you with the following compliance standards:

  • PCI
  • HIPAA
  • GDPR
  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Enabling MFA Delete on the S3 bucket behind your Amazon CloudTrail trail adds a second factor to the two operations an attacker holding compromised credentials would use to destroy evidence: permanently deleting an object version, and changing the bucket's versioning state. Both then require a current code from the bucket owner's root user MFA device, so a stolen access key alone cannot remove versioned log files, whether accidentally or intentionally.

Note: MFA Delete requires bucket versioning to be enabled, and only the bucket owner's AWS account root user can enable it or issue the MFA-protected DELETE requests. A DELETE request without a version ID still succeeds without MFA, but it only adds a delete marker; the underlying log versions remain and can be restored. Lifecycle configuration is not supported on buckets with MFA Delete enabled, so plan log retention for the CloudTrail bucket with that in mind.


Audit

To determine if the MFA Delete feature is enabled for your CloudTrail buckets, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon CloudTrail console at https://console.aws.amazon.com/cloudtrail/.

03 In the navigation panel, under CloudTrail, choose Trails.

04 Click on the name of the Amazon CloudTrail trail that you want to examine.

05 In the General details section, choose Edit and copy the name of the associated S3 bucket available in the Trail log bucket name box.

06 Navigate to Amazon S3 console at https://console.aws.amazon.com/s3/.

07 Paste the name of the bucket copied at step no. 5 in the Find buckets by name box and click on the name of the returned S3 bucket to access the bucket configuration settings.

08 Select the Properties tab from the console menu to access the bucket properties.

09 In the Bucket Versioning section, check the Multi-factor authentication (MFA) delete attribute value. If the attribute value is set to Disabled, the MFA Delete feature is not enabled for the S3 bucket associated with the selected Amazon CloudTrail trail.

10 Repeat steps no. 4 – 9 for each Amazon CloudTrail trail created within your AWS cloud account.

Using AWS CLI

01 Run list-trails command (OSX/Linux/UNIX) with custom query filters to list the names of all the Amazon CloudTrail trails created for your AWS cloud account:

aws cloudtrail list-trails \
  --region us-east-1 \
  --query 'Trails[*].Name'

02 The command output should return an array with the requested CloudTrail trail names:

[
    "cc-main-cloud-trail",
    "cc-project5-api-trail"
]

03 Run describe-trails command (OSX/Linux/UNIX) using the name of the Amazon CloudTrail trail that you want to examine as the identifier parameter and custom query filters to describe the name of the S3 bucket configured to store logs for the selected trail:

aws cloudtrail describe-trails \
  --region us-east-1 \
  --trail-name-list cc-main-cloud-trail \
  --query 'trailList[*].S3BucketName'

04 The command output should return the name of the associated bucket:

[
    "cc-main-cloudtrail-logs"
]

05 Run get-bucket-versioning command (OSX/Linux/UNIX) using the name of the associated S3 bucket as the identifier parameter, to return the MFA Delete status from the bucket's versioning configuration:

aws s3api get-bucket-versioning \
  --bucket cc-main-cloudtrail-logs \
  --query 'MFADelete'

06 The command output should return the requested configuration information:

null

If the command returns null (the MFADelete element is absent from the response, which is the case when MFA Delete has never been configured for the bucket) or "Disabled", the MFA Delete feature is not enabled for the S3 bucket associated with the selected Amazon CloudTrail trail. Only an output of "Enabled" is compliant. Dropping the --query parameter also shows the bucket's versioning Status; MFA Delete can only protect log files when Status is "Enabled".

07 Repeat steps no. 3 – 6 for each Amazon CloudTrail trail created in your AWS cloud account.
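The audit steps above, as one script rather than one command per trail. This is an added example, not Conformity's own tooling: classify_versioning and evaluate_trails reproduce the decision the steps describe (a missing or "Disabled" MFADelete is non-compliant, and a bucket whose versioning is suspended cannot protect log versions, so it is treated the same way); collect() gathers the same data with boto3 under the assumption that the caller has cloudtrail:DescribeTrails and s3:GetBucketVersioning permissions; the trail names, bucket names and account IDs in the sample data are constructed.

```python
"""Audit the S3 buckets behind CloudTrail trails for MFA Delete (rule CT-004).

Added example. The sample data at the bottom is constructed; the boto3 calls
in collect() only run against a real account.
"""
from __future__ import annotations

COMPLIANT, NON_COMPLIANT, UNKNOWN = "COMPLIANT", "NON_COMPLIANT", "UNKNOWN"


def classify_versioning(versioning: dict | None) -> str:
    """Map a get-bucket-versioning result to a finding.

    The CLI prints ``null`` for MFADelete when the element is absent; the API
    simply omits it. Both mean MFA Delete was never enabled. A bucket whose
    versioning is not "Enabled" cannot protect log versions, so it is also
    non-compliant. ``None`` means the call itself failed (for example the
    bucket belongs to another account), which is reported, not guessed at.
    """
    if versioning is None:
        return UNKNOWN
    if versioning.get("Status") != "Enabled":
        return NON_COMPLIANT
    return COMPLIANT if versioning.get("MFADelete") == "Enabled" else NON_COMPLIANT


def evaluate_trails(trails: list[dict], versioning_by_bucket: dict) -> dict[str, dict]:
    """One finding per trail, keyed by trail name.

    describe-trails returns shadow copies of a multi-region trail in every
    region; they share a TrailARN, so each trail is reported once.
    """
    findings, seen = {}, set()
    for trail in trails:
        arn = trail.get("TrailARN", trail["Name"])
        if arn in seen:
            continue
        seen.add(arn)
        bucket = trail["S3BucketName"]
        findings[trail["Name"]] = {
            "bucket": bucket,
            "status": classify_versioning(versioning_by_bucket.get(bucket)),
        }
    return findings


def collect(region: str = "us-east-1"):
    """Pull live data with boto3 (assumes cloudtrail:DescribeTrails and
    s3:GetBucketVersioning are allowed for the caller)."""
    import boto3
    from botocore.exceptions import ClientError

    cloudtrail = boto3.client("cloudtrail", region_name=region)
    s3 = boto3.client("s3")
    trails = cloudtrail.describe_trails()["trailList"]
    versioning = {}
    for trail in trails:
        bucket = trail["S3BucketName"]
        try:
            resp = s3.get_bucket_versioning(Bucket=bucket)
            versioning[bucket] = {k: resp[k] for k in ("Status", "MFADelete") if k in resp}
        except ClientError:
            versioning[bucket] = None  # e.g. AccessDenied on a bucket in another account
    return trails, versioning


# Constructed sample mirroring the shapes of the CLI output used on this page.
SAMPLE_TRAILS = [
    {"Name": "cc-main-cloud-trail", "S3BucketName": "cc-main-cloudtrail-logs",
     "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/cc-main-cloud-trail",
     "IsMultiRegionTrail": True},
    # Shadow copy of the same multi-region trail as returned from another region.
    {"Name": "cc-main-cloud-trail", "S3BucketName": "cc-main-cloudtrail-logs",
     "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/cc-main-cloud-trail",
     "IsMultiRegionTrail": True},
    {"Name": "cc-project5-api-trail", "S3BucketName": "cc-project5-trail-logs",
     "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/cc-project5-api-trail"},
    {"Name": "org-trail", "S3BucketName": "org-shared-logs",
     "TrailARN": "arn:aws:cloudtrail:us-east-1:111111111111:trail/org-trail",
     "IsOrganizationTrail": True},
]
SAMPLE_VERSIONING = {
    "cc-main-cloudtrail-logs": {"Status": "Enabled"},  # MFADelete absent: CLI prints null
    "cc-project5-trail-logs": {"Status": "Enabled", "MFADelete": "Enabled"},
    "org-shared-logs": None,  # get-bucket-versioning denied: bucket owned by another account
}

if __name__ == "__main__":
    # Replace the two sample arguments with collect() to audit a real account.
    for name, finding in evaluate_trails(SAMPLE_TRAILS, SAMPLE_VERSIONING).items():
        print(f"{finding['status']:14} {name} -> s3://{finding['bucket']}")
```

Run it as-is to see the three findings from the sample data; swap in `evaluate_trails(*collect())` to audit a live account. UNKNOWN findings deserve a follow-up in the owning account rather than being counted as compliant.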

Remediation / Resolution

To enable MFA Delete protection for the S3 buckets associated with your Amazon CloudTrail trails, perform the following actions:

Note: MFA Delete cannot be enabled from the AWS Management Console; use the AWS CLI or the S3 API. The request must be signed with the bucket owner's root user credentials and must carry a current code from the root user's MFA device (a virtual or hardware device that generates passcodes; the --mfa value is the device ARN or serial number, a space, and the code). Lifecycle configuration is not supported on buckets with MFA Delete enabled, so review any lifecycle rules on the log bucket before you proceed.

Using AWS CLI

01 Run put-bucket-versioning command (OSX/Linux/UNIX) using the name of the associated S3 bucket that you want to reconfigure as the identifier parameter, to enable both versioning and MFA Delete for the selected bucket in a single request. Use the MFA device configured for the AWS account root user and replace the placeholders with your own values (<aws-account-id> is your 12-digit account ID and <passcode> is the code currently displayed on the device). If the request is successful, the put-bucket-versioning command returns no output:

aws s3api put-bucket-versioning \
  --bucket cc-main-cloudtrail-logs \
  --versioning-configuration '{"MFADelete":"Enabled","Status":"Enabled"}' \
  --mfa 'arn:aws:iam::<aws-account-id>:mfa/root-account-mfa-device <passcode>'

02 Once the Multi-Factor Authentication (MFA) Delete feature is enabled, every request that permanently deletes an object version (delete-object with --version-id) or changes the bucket's versioning state must carry your MFA token. The token is the MFA device serial number or the full ARN of the device (i.e. arn:aws:iam::<aws-account-id>:mfa/root-account-mfa-device), a space, and the passcode currently generated by the device. To test the configuration without touching real log files, upload a scratch object to the bucket, then run delete-object command (OSX/Linux/UNIX) against one of its versions: first without the --mfa parameter, which should be rejected with an AccessDenied error, and then with your MFA token as the value of the --mfa parameter (replace the placeholders with your own values):

aws s3api delete-object \
  --bucket cc-main-cloudtrail-logs \
  --key <object-name> \
  --version-id '<object-version>' \
  --mfa 'arn:aws:iam::<aws-account-id>:mfa/root-account-mfa-device <passcode>'

03 The command output should return the version ID of the deleted object version and the DeleteMarker flag, which is true when the version that was permanently deleted was itself a delete marker and false when it was a regular object version:

{
  "VersionId": "abcdabcdabcdabcdabcdabcdabcdabcd",
  "DeleteMarker": true
}

04 Repeat steps no. 1 – 3 to enable the MFA Delete feature for other associated S3 buckets available within your AWS cloud account.

Publication date Apr 14, 2016