Ensure that your Amazon S3 buckets have the Multi-Factor Authentication (MFA) Delete feature enabled, so that a valid MFA code is required before an object version can be permanently deleted or the bucket's versioning state can be changed.
This rule can help you with the following compliance standards:
- PCI
- GDPR
- APRA
- MAS
- NIST4
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
Enabling MFA Delete adds a second authentication factor on top of IAM permissions: a user or process that has access to the bucket, whether by accident or with intent, cannot permanently delete object versions or suspend versioning without the MFA code. A DELETE request that does not name a version ID is still allowed, but it only places a delete marker on the object, and the underlying versions stay recoverable.
Note 1: MFA Delete requires bucket versioning to be enabled on the same bucket. Bucket versioning keeps every variant of an object in the bucket instead of overwriting it, which is what gives a deletion something to roll back to.
Note 2: Only the bucket owner signed in as the AWS account root user can enable or disable MFA Delete, and the setting cannot be changed from the AWS Management Console; it must be set through the API, the AWS CLI or an SDK, with the root user's MFA serial number and current code attached to the request. Once enabled, every request that permanently deletes an object version or changes the bucket's versioning state must carry that MFA token (the x-amz-mfa header, or --mfa in the AWS CLI), or Amazon S3 rejects it.
Audit
To determine if MFA Delete feature is enabled for your Amazon S3 buckets, perform the following operations:
Remediation / Resolution
To enable the MFA Delete protection feature for your existing Amazon S3 buckets, perform the following operations:
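As an added example that is not part of this rule page, of Conformity's tooling, or of any AWS sample, the following POSIX shell script carries out both the Audit and the Remediation steps with the s3api commands listed under References. It assumes AWS CLI v2, credentials allowed to call s3:ListAllMyBuckets and s3:GetBucketVersioning for the audit, and, for the remediation, root-user access keys together with the root user's MFA device (see Note 2). The bucket name, MFA device ARN and one-time code are placeholders supplied on the command line.

```shell
#!/bin/sh
# Added example for the S3 MFA Delete rule (not Conformity's own tooling, nor
# AWS sample code). Audit needs s3:ListAllMyBuckets + s3:GetBucketVersioning;
# remediation needs root-user credentials plus the root user's MFA device.
# Bucket names, MFA serial numbers and codes are placeholders passed as arguments.

# classify_versioning STATUS MFADELETE
# Maps the two fields of a get-bucket-versioning response to the rule's verdict.
# The AWS CLI prints "None" for a field that is absent, which is what you get
# for a bucket that has never had versioning enabled.
classify_versioning() {
    status="${1:-None}"
    mfa="${2:-None}"
    if [ "$status" = "Enabled" ] && [ "$mfa" = "Enabled" ]; then
        echo "COMPLIANT"
    else
        echo "NON_COMPLIANT versioning=$status mfa_delete=$mfa"
    fi
}

# Audit: prints one line per bucket in the account, "<bucket>\t<verdict>".
audit_all_buckets() {
    aws s3api list-buckets --query 'Buckets[].Name' --output text | tr '\t' '\n' |
    while IFS= read -r bucket; do
        [ -n "$bucket" ] || continue
        # Text output is "Enabled\tDisabled", "Enabled\tEnabled", "None\tNone", ...
        fields=$(aws s3api get-bucket-versioning --bucket "$bucket" \
                     --query '[Status,MFADelete]' --output text </dev/null)
        # $fields is intentionally unquoted: the two tab-separated values become
        # the two arguments of classify_versioning.
        printf '%s\t%s\n' "$bucket" "$(classify_versioning $fields)"
    done
}

# Remediation: enable versioning and MFA Delete in a single call. Must run as
# the root user; the --mfa value is "<MFA device serial> <current 6-digit code>",
# e.g. "arn:aws:iam::123456789012:mfa/root-account-mfa-device 123456".
# The same --mfa argument is required later to suspend versioning, to disable
# MFA Delete, and to permanently delete any object version.
enable_mfa_delete() {
    bucket="$1" mfa_serial="$2" mfa_code="$3"
    aws s3api put-bucket-versioning --bucket "$bucket" \
        --versioning-configuration Status=Enabled,MFADelete=Enabled \
        --mfa "$mfa_serial $mfa_code"
    # Read the configuration back so the change is verified rather than assumed.
    fields=$(aws s3api get-bucket-versioning --bucket "$bucket" \
                 --query '[Status,MFADelete]' --output text)
    classify_versioning $fields
}

# After remediation a DELETE without a version ID only adds a delete marker;
# removing a specific version (a permanent delete) must carry the MFA token or
# S3 rejects the request.
delete_version_with_mfa() {
    bucket="$1" key="$2" version_id="$3" mfa_serial="$4" mfa_code="$5"
    aws s3api delete-object --bucket "$bucket" --key "$key" \
        --version-id "$version_id" --mfa "$mfa_serial $mfa_code"
}

# Usage: ./s3-mfa-delete.sh audit
#        ./s3-mfa-delete.sh enable <bucket> <mfa-device-arn> <mfa-code>
#        ./s3-mfa-delete.sh delete <bucket> <key> <version-id> <mfa-device-arn> <mfa-code>
case "${1:-}" in
    audit)  audit_all_buckets ;;
    enable) enable_mfa_delete "$2" "$3" "$4" ;;
    delete) delete_version_with_mfa "$2" "$3" "$4" "$5" "$6" ;;
esac
```

Run the audit first from any identity with read access; it flags both buckets that have MFA Delete disabled and buckets that have never been versioned (reported as versioning=None). Run the enable step only from a root-user session, and remove the temporary root access keys once the configuration has been read back as COMPLIANT.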
Note: Enabling and configuring MFA Delete for Amazon S3 buckets through AWS CloudFormation templates is not currently supported; the AWS::S3::Bucket VersioningConfiguration property only controls the versioning status, so MFA Delete has to be set through the API, the AWS CLI, an SDK or the Terraform AWS provider.
References
- AWS Documentation
  - Amazon S3 FAQs
  - Multi-Factor Authentication
  - Data protection in Amazon S3
  - Using versioning in S3 buckets
  - Deleting multiple objects
  - Deleting object versions from a versioning-enabled bucket
  - Deleting an object from an MFA delete-enabled bucket
- AWS Command Line Interface (CLI) Documentation
  - s3api
  - list-buckets
  - get-bucket-versioning
  - put-bucket-versioning
  - delete-object
- Terraform Documentation
  - AWS Provider