Enable MFA Delete for AWS CloudTrail bucket


Risk level: High (act today)

Ensure that your AWS CloudTrail logging bucket uses the Multi-Factor Authentication (MFA) Delete feature in order to prevent the deletion of any versioned log files.

This rule resolution is part of the Cloud Conformity Security Package

Using an MFA-protected bucket for AWS CloudTrail adds a final layer of protection, ensuring that your versioned log files cannot be deleted either accidentally or intentionally, even if your access credentials are compromised. Note: only the S3 bucket owner (the AWS root account) can enable the MFA Delete feature and perform DELETE actions on the CloudTrail logging bucket.

Audit

To determine if your CloudTrail logging bucket has MFA Delete enabled, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to CloudTrail dashboard at https://console.aws.amazon.com/cloudtrail/.

03 In the left navigation panel, select Trails.

04 Under Name column, select the trail name that you need to examine.

05 Under the Storage Location section, check the S3 bucket name used to store log files.

06 Navigate to S3 dashboard at https://console.aws.amazon.com/s3/.

07 Select the S3 bucket used by the CloudTrail trail, then click the Properties tab in the right panel.

08 In the Properties panel, under the bucket Owner name, search for the MFA Delete status. If the feature status is not displayed at all (bucket object versioning is disabled) or the current status is Not Enabled, the S3 bucket selected is not MFA-protected.

Using AWS CLI

01 Run describe-trails command (OSX/Linux/UNIX) to list all CloudTrail trails available in your AWS region:

aws cloudtrail describe-trails

02 The command output should expose the name of each S3 bucket used by AWS CloudTrail to store log files:

{
    "trailList": [
        {
            "IncludeGlobalServiceEvents": true,
            "Name": "MyCloudTrail",
            "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/MyCloudTrail",
            "LogFileValidationEnabled": false,
            "IsMultiRegionTrail": true,
            "S3BucketName": "cloudtrail-global-logging",
            "HomeRegion": "us-east-1"
        }
    ]
}

03 Run the get-bucket-versioning command (OSX/Linux/UNIX) to determine whether your CloudTrail bucket has object versioning enabled. Versioning keeps multiple variants of an object (here, a log file) in the same bucket. Because MFA Delete depends on bucket versioning, the feature cannot be used unless versioning is enabled. If the following command returns no output, versioning is not active and therefore MFA Delete is not enabled for the selected bucket:

aws s3api get-bucket-versioning \
	--bucket cloudtrail-global-logging
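The audit steps above can be scripted so that every trail's bucket is checked in one pass. The following is an added example, not Cloud Conformity's own code: it extracts the S3BucketName values from describe-trails output, classifies the get-bucket-versioning output for each bucket (empty output means the bucket was never versioned, so MFA Delete cannot be on), and reports the result. The sample describe-trails document embedded in the script is constructed, the parsing uses only sed so there is no jq dependency, and the live audit function assumes a configured AWS CLI.

```shell
#!/bin/sh
# Added example (not Cloud Conformity's code): classify the output of
# `aws s3api get-bucket-versioning` for a CloudTrail bucket and pull the bucket
# names out of `aws cloudtrail describe-trails`. POSIX sh + sed, no jq.

# Constructed sample of describe-trails output, shaped like the CLI's pretty-printed JSON.
SAMPLE_DESCRIBE_TRAILS='{
    "trailList": [
        {
            "Name": "MyCloudTrail",
            "S3BucketName": "cloudtrail-global-logging",
            "HomeRegion": "us-east-1"
        },
        {
            "Name": "SecondTrail",
            "S3BucketName": "cloudtrail-global-logging",
            "HomeRegion": "eu-west-1"
        }
    ]
}'

# Print each distinct S3BucketName found in describe-trails output, one per line.
trail_bucket_names() {
  printf '%s\n' "$1" \
    | sed -n 's/.*"S3BucketName"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' \
    | sort -u
}

# Pull one string-valued field out of a small, flat JSON document: json_string_field NAME JSON
json_string_field() {
  printf '%s' "$2" | tr -d '\n' \
    | sed -n "s/.*\"$1\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p"
}

# Classify get-bucket-versioning output:
#   NOT_VERSIONED        empty output (never versioned) or Status != Enabled
#   MFA_DELETE_DISABLED  versioning on, but MFADelete absent or not "Enabled"
#   OK                   MFADelete and Status both "Enabled"
classify_versioning_json() {
  json="$1"
  if [ -z "$(printf '%s' "$json" | tr -d '[:space:]')" ]; then
    echo NOT_VERSIONED
    return 0
  fi
  status=$(json_string_field Status "$json")
  mfa=$(json_string_field MFADelete "$json")
  if [ "$status" != "Enabled" ]; then
    echo NOT_VERSIONED
  elif [ "$mfa" = "Enabled" ]; then
    echo OK
  else
    echo MFA_DELETE_DISABLED
  fi
}

# Live audit: needs the AWS CLI and credentials; not exercised by the offline demo below.
audit_cloudtrail_buckets() {
  trails=$(aws cloudtrail describe-trails) || return 1
  for bucket in $(trail_bucket_names "$trails"); do
    result=$(classify_versioning_json "$(aws s3api get-bucket-versioning --bucket "$bucket")")
    printf '%s %s\n' "$bucket" "$result"
  done
}

# Offline demo on constructed outputs.
for bucket in $(trail_bucket_names "$SAMPLE_DESCRIBE_TRAILS"); do
  echo "trail bucket: $bucket"
done
classify_versioning_json ''                                                  # NOT_VERSIONED
classify_versioning_json '{ "Status": "Enabled" }'                           # MFA_DELETE_DISABLED
classify_versioning_json '{ "MFADelete": "Enabled", "Status": "Enabled" }'   # OK
```

Run audit_cloudtrail_buckets with the same credentials you would use for the manual steps; any bucket reported as NOT_VERSIONED or MFA_DELETE_DISABLED fails this rule. A Status of Suspended is deliberately treated as NOT_VERSIONED, because suspended versioning no longer protects new log files.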

Remediation / Resolution

To enable MFA Delete protection for your CloudTrail logging bucket via AWS CLI, perform the following:

Note: enabling MFA Delete via the AWS Management Console is not currently supported.

Using AWS CLI

01 MFA Delete must be enabled in the same request that sets the versioning state for your bucket. Run the put-bucket-versioning command (OSX/Linux/UNIX) to enable versioning and MFA Delete for the selected bucket. Use the MFA device enabled for your AWS root account and replace the example details with your own: the --mfa parameter value is a single string in the format arn:aws:iam::aws_account_id:mfa/root-account-mfa-device mfa_device_passcode (the device ARN, a space, then the current passcode).

aws s3api put-bucket-versioning \
	--bucket cloudtrail-global-logging \
	--versioning-configuration MFADelete=Enabled,Status=Enabled \
	--mfa 'arn:aws:iam::123456789012:mfa/root-account-mfa-device 993475'

02 Run get-bucket-versioning command (OSX/Linux/UNIX) using the bucket name to determine if versioning and MFA delete protection were enabled:

aws s3api get-bucket-versioning \
	--bucket cloudtrail-global-logging

03 If enabled, the command output should look like the following:

{
  "MFADelete": "Enabled",
  "Status": "Enabled"
}
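Two things commonly go wrong in steps 01 to 03: the call is made with a non-root identity (only the bucket owner's root account can enable MFA Delete), or the --mfa value is assembled incorrectly. The following added example, not Cloud Conformity's own code, wraps the remediation with pre-flight checks: it confirms from get-caller-identity output that the caller is the root account, builds the --mfa string from its parts with basic format validation, and then issues the put-bucket-versioning command followed by a re-read of the state. The identity documents and MFA values in the demo are constructed; the live function assumes a configured AWS CLI.

```shell
#!/bin/sh
# Added example (not Cloud Conformity's code): pre-flight checks for enabling
# MFA Delete. Only the bucket owner (root account) can enable it, and the --mfa
# argument must be "<device ARN> <passcode>" as one string.

# Does an `aws sts get-caller-identity` document describe the root account?
# Prints "yes" or "no". Parsed with sed; no jq dependency.
is_root_caller() {
  arn=$(printf '%s' "$1" | tr -d '\n' \
    | sed -n 's/.*"Arn"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p')
  case "$arn" in
    arn:aws:iam::*:root) echo yes ;;
    *) echo no ;;
  esac
}

# Assemble the --mfa value from its parts, refusing malformed input before
# anything is sent to S3. Usage: build_mfa_argument ACCOUNT_ID DEVICE_NAME PASSCODE
build_mfa_argument() {
  account="$1"; device="$2"; code="$3"
  case "$account" in
    [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
    *) echo "account id must be exactly 12 digits" >&2; return 1 ;;
  esac
  case "$device" in
    ""|*" "*) echo "device name must be non-empty and contain no spaces" >&2; return 1 ;;
  esac
  case "$code" in
    [0-9][0-9][0-9][0-9][0-9][0-9]) ;;
    *) echo "MFA passcode must be exactly 6 digits" >&2; return 1 ;;
  esac
  printf 'arn:aws:iam::%s:mfa/%s %s\n' "$account" "$device" "$code"
}

# Live remediation wrapper (needs AWS CLI + root credentials; not run by the demo):
# refuse unless the caller is root, then enable versioning + MFA Delete and re-read the state.
enable_mfa_delete() {
  bucket="$1"; mfa_arg="$2"
  if [ "$(is_root_caller "$(aws sts get-caller-identity)")" != "yes" ]; then
    echo "MFA Delete can only be enabled by the bucket owner's root account" >&2
    return 1
  fi
  aws s3api put-bucket-versioning \
    --bucket "$bucket" \
    --versioning-configuration MFADelete=Enabled,Status=Enabled \
    --mfa "$mfa_arg" || return 1
  # Verify: the re-read configuration must report MFADelete Enabled.
  aws s3api get-bucket-versioning --bucket "$bucket" | grep -q '"MFADelete": "Enabled"'
}

# Offline demo with constructed values.
SAMPLE_ROOT_IDENTITY='{ "Account": "123456789012", "Arn": "arn:aws:iam::123456789012:root" }'
SAMPLE_USER_IDENTITY='{ "Account": "123456789012", "Arn": "arn:aws:iam::123456789012:user/alice" }'
echo "root caller: $(is_root_caller "$SAMPLE_ROOT_IDENTITY")"   # yes
echo "root caller: $(is_root_caller "$SAMPLE_USER_IDENTITY")"   # no
build_mfa_argument 123456789012 root-account-mfa-device 993475   # arn:aws:iam::123456789012:mfa/root-account-mfa-device 993475
build_mfa_argument 12345 root-account-mfa-device 993475 || echo "rejected malformed account id"
```

A typical invocation is enable_mfa_delete cloudtrail-global-logging "$(build_mfa_argument 123456789012 root-account-mfa-device 993475)", run within the passcode's validity window; a non-zero exit means either the pre-flight check failed or the re-read state did not show MFADelete as Enabled.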

04 Once the MFA Delete feature is enabled, for each DELETE request you must provide your MFA token: the MFA serial number (the full ARN associated with the device) and the generated passcode. To test this feature, try to delete a CloudTrail log file object version with and without the MFA token:

  1. Run the list-object-versions command (OSX/Linux/UNIX) to return version information for a CloudTrail log file called my-cloudtrail-log.json.gz available in the selected bucket (list-object-versions filters by --prefix; it has no --key parameter):
    aws s3api list-object-versions \
    	--bucket cloudtrail-global-logging \
    	--prefix my-cloudtrail-log.json.gz
    
  2. The command output should return each version ID for the log file:
    {
        "LastModified": "2016-04-14T10:51:05.000Z",
        "VersionId": "lftlddyQBw1v7y68Z42UBSEWZodwGQBQ",
        "ETag": "\"07b921ba540251657f5c01eb38e1f074\"",
        "StorageClass": "STANDARD",
        "Key": "my-cloudtrail-log.json.gz",
        "Owner": {
            "DisplayName": "john.doe",
            "ID": "718f3e58089ec3bd00296f84056525d78415fd5e56dcfda3f8309358e99896"
        },
        "IsLatest": false,
        "Size": 4386
    }
    
  3. Run the s3api delete-object command (OSX/Linux/UNIX) without MFA authentication and try to delete the selected log file version:
    aws s3api delete-object \
    	--bucket cloudtrail-global-logging \
    	--version-id '9ULMaOOrT_KhwC04uIS4ognIj0GOrhsL' \
    	--key my-cloudtrail-log.json.gz
    
  4. Without MFA authentication, the command output should return an access denied error like the following:
    A client error (AccessDenied) occurred: Mfa Authentication must be used for this request.
    This shows that an object version cannot be deleted without MFA authentication.
  5. Now run the s3api delete-object command (OSX/Linux/UNIX) with MFA authentication to delete the selected CloudTrail log file version (replace the example details with your own):
    aws s3api delete-object \
    	--bucket cloudtrail-global-logging \
    	--mfa 'arn:aws:iam::123456789012:mfa/root-account-mfa-device 058452' \
    	--version-id '9ULMaOOrT_KhwC04uIS4ognIj0GOrhsL' \
    	--key my-cloudtrail-log.json.gz
    
  6. With MFA authentication, the command output should return the version ID of the delete marker:
    {
      "VersionId": "9ULMaOOrT_KhwC04uIS4ognIj0GOrhsL",
      "DeleteMarker": true
    }
    


Publication date Apr 14, 2016