Ensure that your Amazon CloudTrail buckets are configured to use the Multi-Factor Authentication (MFA) Delete feature in order to prevent the deletion of the versioned log files.
This rule can help you with the following compliance standards:
- PCI
- HIPAA
- GDPR
- APRA
- MAS
- NIST4
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
Using an MFA-protected bucket for your Amazon CloudTrail trail adds an important layer of protection: the versioned log files can't be accidentally or intentionally deleted, even if your access credentials are compromised, because every permanent delete of a version also requires the bucket owner's MFA device.
Note: Only the S3 bucket owner can enable the MFA Delete feature and perform DELETE actions for the CloudTrail bucket.
Audit
To determine if the MFA Delete feature is enabled for your CloudTrail buckets, perform the following actions:
Remediation / Resolution
To enable MFA Delete protection for the S3 buckets associated with your Amazon CloudTrail trails, perform the following actions:
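The audit and remediation described in the two sections above, as an added example that is not Conformity's own code: the script consumes the JSON that `aws cloudtrail describe-trails` and `aws s3api get-bucket-versioning` print, flags every trail bucket whose versioning is not `Enabled` with `MFADelete` set to `Enabled`, and builds the `put-bucket-versioning` command that turns MFA Delete on. The trail and bucket names, the versioning responses and the MFA device ARN are constructed sample values; the `<TOTP-CODE>` is a placeholder for the six-digit code from the root account's MFA device.

```python
"""Audit CloudTrail log buckets for MFA Delete and emit the remediation command.

Added example (not Conformity's code). The pure functions work on the JSON
documents returned by the AWS CLI, so the audit logic can be exercised offline;
live_inputs() fetches the same documents from a real account when credentials
are available.
"""
import json
import subprocess
from typing import Dict, List, Tuple

# Constructed sample output of `aws cloudtrail describe-trails` (not real trails).
SAMPLE_TRAILS = {
    "trailList": [
        {"Name": "management-trail", "S3BucketName": "example-trail-logs-protected"},
        {"Name": "data-trail", "S3BucketName": "example-trail-logs-unprotected"},
        {"Name": "legacy-trail", "S3BucketName": "example-trail-logs-unversioned"},
    ]
}

# Constructed sample output of `aws s3api get-bucket-versioning --bucket NAME`,
# keyed by bucket. A bucket that never had versioning configured returns nothing,
# which the CLI wrapper below maps to an empty dict.
SAMPLE_VERSIONING = {
    "example-trail-logs-protected": {"Status": "Enabled", "MFADelete": "Enabled"},
    "example-trail-logs-unprotected": {"Status": "Enabled", "MFADelete": "Disabled"},
    "example-trail-logs-unversioned": {},
}


def mfa_delete_enabled(versioning: dict) -> bool:
    """True only when versioning is on and MFADelete is 'Enabled'.

    MFADelete is only meaningful on a versioned bucket, so a suspended bucket
    or an empty response (versioning never configured) counts as non-compliant.
    """
    return (
        versioning.get("Status") == "Enabled"
        and versioning.get("MFADelete") == "Enabled"
    )


def trail_buckets(describe_trails: dict) -> List[str]:
    """Unique S3 bucket names referenced by the trails, in first-seen order."""
    seen: List[str] = []
    for trail in describe_trails.get("trailList", []):
        bucket = trail.get("S3BucketName")
        if bucket and bucket not in seen:
            seen.append(bucket)
    return seen


def audit(describe_trails: dict, versioning_by_bucket: Dict[str, dict]) -> Dict[str, bool]:
    """Map each CloudTrail bucket to whether MFA Delete protects it."""
    return {
        bucket: mfa_delete_enabled(versioning_by_bucket.get(bucket, {}))
        for bucket in trail_buckets(describe_trails)
    }


def noncompliant_buckets(results: Dict[str, bool]) -> List[str]:
    """Buckets that still need MFA Delete enabled."""
    return [bucket for bucket, ok in results.items() if not ok]


def remediation_command(bucket: str, mfa_device_arn: str) -> str:
    """Build the `put-bucket-versioning` call that turns MFA Delete on.

    The call must be made with root credentials; `<TOTP-CODE>` is a placeholder
    for the current code from the root account's MFA device.
    """
    return (
        f"aws s3api put-bucket-versioning --bucket {bucket} "
        f"--versioning-configuration Status=Enabled,MFADelete=Enabled "
        f'--mfa "{mfa_device_arn} <TOTP-CODE>"'
    )


def live_inputs(region: str) -> Tuple[dict, Dict[str, dict]]:
    """Fetch the two documents from a real account (needs AWS credentials)."""
    def cli(*args: str) -> dict:
        out = subprocess.run(["aws", *args, "--output", "json"],
                             check=True, capture_output=True, text=True).stdout
        return json.loads(out) if out.strip() else {}
    trails = cli("cloudtrail", "describe-trails", "--region", region)
    versioning = {b: cli("s3api", "get-bucket-versioning", "--bucket", b)
                  for b in trail_buckets(trails)}
    return trails, versioning


if __name__ == "__main__":
    # Offline run over the constructed samples; swap in live_inputs("us-east-1")
    # to audit a real account.
    results = audit(SAMPLE_TRAILS, SAMPLE_VERSIONING)
    for bucket, ok in results.items():
        print(f"{bucket}: {'MFA Delete enabled' if ok else 'NOT protected'}")
    for bucket in noncompliant_buckets(results):
        # Constructed placeholder ARN; use the root account's real MFA device ARN.
        print(remediation_command(bucket, "arn:aws:iam::123456789012:mfa/root-account-mfa-device"))
```

Run as-is the script reports the three sample buckets and prints a remediation command for the two unprotected ones; the command has to be executed with root credentials and a fresh MFA code, and it re-enables versioning in the same call because `MFADelete` can only be set together with `Status=Enabled`.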
Note: Enabling and configuring MFA Delete for your Amazon S3 buckets using the AWS Management Console is not currently supported. You must also have root account access to enable the MFA Delete feature.
References
- AWS Documentation
  - AWS Identity and Access Management (IAM) FAQs
  - Multi-Factor Authentication (MFA) for IAM
  - Data protection in Amazon S3
  - Using versioning in S3 buckets
  - Deleting multiple objects
  - Deleting object versions from a versioning-enabled bucket
  - Deleting an object from an MFA delete-enabled bucket
- AWS Command Line Interface (CLI) Documentation
  - cloudtrail
  - list-trails
  - describe-trails
  - get-bucket-versioning
  - put-bucket-versioning
  - delete-object