
S3 Bucket MFA Delete Enabled

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Low (generally tolerable level of risk)
Rule ID: S3-013

Ensure that your Amazon S3 buckets are configured to use the Multi-Factor Authentication (MFA) Delete feature in order to prevent the deletion of versioned S3 objects available within your buckets.

This rule can help you with the following compliance standards:

  • PCI
  • GDPR
  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Using MFA-protected Amazon S3 buckets will add an extra layer of protection on top of existing ones to ensure that your S3 objects can't be accidentally or intentionally deleted by other users that have access to your S3 buckets.

Note 1: The MFA Delete feature requires bucket versioning as a dependency. Bucket versioning is a method of keeping multiple variations of an S3 object in the same bucket.

Note 2: Only the bucket owner, signed in as the AWS account root user, can enable the MFA Delete feature and perform DELETE actions on Amazon S3 buckets.


Audit

To determine if the MFA Delete feature is enabled for your Amazon S3 buckets, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon S3 console at https://console.aws.amazon.com/s3/.

03 Click on the name of the S3 bucket that you want to examine to access the bucket configuration settings.

04 Select the Properties tab from the console menu to access the bucket properties.

05 In the Bucket Versioning section, check the Multi-factor authentication (MFA) delete attribute value. If the attribute value is set to Disabled, the MFA Delete feature is not enabled for the selected Amazon S3 bucket.

06 Repeat steps no. 3 – 5 to determine the MFA Delete feature status for other Amazon S3 buckets available within your AWS cloud account.

Using AWS CLI

01 Run the list-buckets command (OSX/Linux/UNIX) using custom query filters to list the names of all Amazon S3 buckets available in your AWS cloud account:

aws s3api list-buckets \
  --query 'Buckets[*].Name'

02 The command output should return an array with the requested bucket names:

[
  "cc-prod-web-data",
  "cc-project5-logs"
]

03 Run the get-bucket-versioning command (OSX/Linux/UNIX) using the name of the Amazon S3 bucket that you want to examine as the identifier parameter, to return the Multi-Factor Authentication (MFA) Delete status of the versioning configuration for the selected bucket:

aws s3api get-bucket-versioning \
  --bucket cc-prod-web-data \
  --query 'MFADelete'

04 The command output should return the requested configuration information:

null

If the get-bucket-versioning command output returns null, as shown in the example above, the MFA Delete feature is not enabled for the selected Amazon S3 bucket.

05 Repeat steps no. 3 and 4 to determine the MFA Delete feature status for other Amazon S3 buckets available in your AWS cloud account.

Remediation / Resolution

To enable the MFA Delete protection feature for your existing Amazon S3 buckets, perform the following operations:

Note: Enabling and configuring MFA Delete for Amazon S3 buckets using AWS CloudFormation templates is not currently supported.

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 3.27"
    }
  }

  required_version = ">= 0.14.9"
}

provider "aws" {
  profile = "default"
  region  = "us-east-1"
}

resource "aws_s3_bucket" "mfa-protected" {
  bucket = "cc-prod-web-data"
  versioning {
    enabled = true
    mfa_delete = true
  }
}

Using AWS CLI

Note: Enabling and configuring MFA Delete for Amazon S3 buckets using AWS Management Console is not currently supported.

01 Run the put-bucket-versioning command (OSX/Linux/UNIX) using the name of the Amazon S3 bucket that you want to reconfigure as the identifier parameter, to enable the MFA Delete protection feature for the selected S3 bucket. Use the Multi-Factor Authentication (MFA) device configured for your AWS root account and replace the placeholders in angle brackets with your own details (<passcode> represents the value that is displayed on your authentication device). If the request is successful, the put-bucket-versioning command should not return an output:

aws s3api put-bucket-versioning \
  --bucket cc-prod-web-data \
  --versioning-configuration '{"MFADelete":"Enabled","Status":"Enabled"}' \
  --mfa 'arn:aws:iam::<aws-account-id>:mfa/root-account-mfa-device <passcode>'

02 Once the Multi-Factor Authentication (MFA) Delete feature is enabled, you must provide your MFA token with every DELETE request made for your S3 object versions. The token is a concatenation of the MFA device serial number or the full ARN associated with the device (i.e. arn:aws:iam::<aws-account-id>:mfa/root-account-mfa-device), a space, and the generated passcode (the unique access code generated by the authentication device). To test the MFA Delete feature implementation, run the delete-object command (OSX/Linux/UNIX) using your MFA token as the value for the --mfa command parameter, to delete the specified versioned object (replace the placeholders in angle brackets with your own access details):

aws s3api delete-object \
  --bucket cc-prod-web-data \
  --key <object-name> \
  --version-id '<object-version>' \
  --mfa 'arn:aws:iam::<aws-account-id>:mfa/root-account-mfa-device <passcode>'

03 The command output should return the ID of the versioned object and the Delete Marker status. The Delete Marker specifies whether the versioned object that was permanently deleted was (true) or was not (false) a delete marker:

{
  "VersionId": "abcdabcdabcdabcdabcdabcdabcdabcd",
  "DeleteMarker": true
}

04 Repeat steps no. 1 – 3 to enable and test the MFA Delete feature for other Amazon S3 buckets available within your AWS cloud account.
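The CLI audit steps above (list-buckets, then get-bucket-versioning per bucket) and the CLI remediation steps (put-bucket-versioning with an MFA token) are easy to run by hand for two buckets and tedious for two hundred. The script below is an added example, not Conformity's or AWS's own code: it expresses rule S3-013 as a function over get-bucket-versioning responses, runs it over every bucket, and remediates the failures with the same versioning configuration and MFA token format the page's commands use. The client method names (list_buckets, get_bucket_versioning, put_bucket_versioning) and their keyword arguments are those of the boto3 S3 client that the s3api CLI wraps; FakeS3Client, the bucket names cc-archive and cc-backups, the account id 123456789012 and the passcode are constructed stand-ins so the script runs offline, and the function names are mine.

```python
"""Rule S3-013 as code: audit every bucket's MFA Delete status, then remediate.

Added example (not Conformity's or AWS's own code). The client method names and
keyword arguments are boto3's; FakeS3Client is a constructed in-memory stand-in.
"""
import re

# --mfa / MFA value format: "<device serial or ARN> <passcode>", separated by one space.
_MFA_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:mfa/[\w+=,.@/-]+$")
_PASSCODE_RE = re.compile(r"^\d{6}$")


def build_mfa_argument(device: str, passcode: str) -> str:
    """Concatenate the MFA device identifier, a space and the current passcode."""
    if device.startswith("arn:"):
        if not _MFA_ARN_RE.match(device):
            raise ValueError(f"not an IAM MFA device ARN: {device!r}")
    elif not device or any(ch.isspace() for ch in device):
        raise ValueError("hardware device serial must be a single token")
    if not _PASSCODE_RE.match(passcode):
        raise ValueError("passcode must be the 6-digit code currently shown on the device")
    return f"{device} {passcode}"


def evaluate_mfa_delete(versioning: dict) -> tuple:
    """Classify one get_bucket_versioning response as (compliant, reason).

    A bucket that was never versioned returns neither Status nor MFADelete (the
    CLI's --query 'MFADelete' prints null for it). A Suspended bucket may still
    carry MFADelete=Enabled, but versioning is off, so deletes are unprotected.
    """
    status = versioning.get("Status")         # None, "Enabled" or "Suspended"
    mfa_delete = versioning.get("MFADelete")  # None, "Enabled" or "Disabled"
    if status != "Enabled":
        return (False, "versioning is not enabled (MFA Delete depends on it)")
    if mfa_delete != "Enabled":
        return (False, "MFA Delete is disabled")
    return (True, "MFA Delete enabled")


def audit_buckets(s3) -> dict:
    """CLI audit steps 1-5: map every bucket name to its S3-013 verdict."""
    verdicts = {}
    for bucket in s3.list_buckets()["Buckets"]:
        name = bucket["Name"]
        verdicts[name] = evaluate_mfa_delete(s3.get_bucket_versioning(Bucket=name))
    return verdicts


def enable_mfa_delete(s3, bucket: str, device: str, passcode: str) -> None:
    """CLI remediation step 1: enable versioning and MFA Delete in one request."""
    s3.put_bucket_versioning(
        Bucket=bucket,
        MFA=build_mfa_argument(device, passcode),
        VersioningConfiguration={"MFADelete": "Enabled", "Status": "Enabled"},
    )


class FakeS3Client:
    """Constructed stand-in for boto3.client("s3"); keeps versioning state in a dict."""

    def __init__(self, buckets: dict):
        self._buckets = {name: dict(cfg) for name, cfg in buckets.items()}
        self.mfa_tokens_seen = []

    def list_buckets(self):
        return {"Buckets": [{"Name": name} for name in self._buckets]}

    def get_bucket_versioning(self, Bucket):
        return dict(self._buckets[Bucket])

    def put_bucket_versioning(self, Bucket, VersioningConfiguration, MFA=None):
        # Like S3, refuse to change MFADelete when the request carries no MFA token.
        if VersioningConfiguration.get("MFADelete") == "Enabled" and not MFA:
            raise PermissionError("MFA token required to change MFADelete")
        self.mfa_tokens_seen.append(MFA)
        self._buckets[Bucket] = dict(VersioningConfiguration)
        return {}


# Constructed sample account: the two bucket names from the page plus two more,
# each paired with a plausible get_bucket_versioning response.
SAMPLE_ACCOUNT = {
    "cc-prod-web-data": {},                                         # never versioned
    "cc-project5-logs": {"Status": "Enabled", "MFADelete": "Disabled"},
    "cc-archive": {"Status": "Suspended", "MFADelete": "Enabled"},  # versioning suspended
    "cc-backups": {"Status": "Enabled", "MFADelete": "Enabled"},    # already compliant
}
ROOT_MFA_DEVICE = "arn:aws:iam::123456789012:mfa/root-account-mfa-device"  # placeholder account id


def demo(passcode: str = "123456") -> tuple:
    """Audit the sample account, fix every non-compliant bucket, audit again."""
    s3 = FakeS3Client(SAMPLE_ACCOUNT)
    before = audit_buckets(s3)
    for name, (compliant, _reason) in before.items():
        if not compliant:
            enable_mfa_delete(s3, name, ROOT_MFA_DEVICE, passcode)
    after = audit_buckets(s3)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    for name in before:
        print(f"{name}: {before[name][1]} -> {after[name][1]}")
```

Against a real account, pass `boto3.client("s3")` in place of FakeS3Client; per Note 2, the put_bucket_versioning call then has to run under the account's root user credentials with a fresh passcode from the root MFA device, and each passcode is valid for a single request, so remediating many buckets means generating a new code per bucket.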


Publication date May 10, 2016