Enable MFA Delete for AWS S3 Buckets

Security

Risk level: Low (generally tolerable level of risk)

Ensure that your AWS S3 buckets have the Multi-Factor Authentication (MFA) Delete feature enabled in order to prevent the deletion of any versioned S3 objects (files).

This rule resolution is part of the Cloud Conformity Security Package

Enabling MFA Delete on an S3 bucket adds an extra layer of protection that prevents versioned S3 objects (files) from being deleted, accidentally or intentionally, by the AWS users that have access to the bucket. Note: only the bucket owner, logged in as the AWS root account, can enable the MFA Delete feature and perform DELETE actions on MFA-protected buckets.

Audit

To determine if your S3 buckets have MFA Delete feature enabled, perform the following:

Using AWS CLI

01 Run list-buckets command (OSX/Linux/UNIX) to list all existing S3 buckets within your account:

aws s3api list-buckets \
	--query 'Buckets[*].Name'

02 The command output should return the name of each S3 bucket available across all AWS regions:

[
    "webapp-status-reports"
]

03 Run get-bucket-versioning command (OSX/Linux/UNIX) with the name of the bucket that you want to examine, to determine whether the selected S3 bucket has object versioning enabled. Versioning keeps multiple variants of an S3 object in the same bucket. Because MFA Delete depends on bucket versioning, you cannot use the feature unless versioning is enabled. If the following command returns no output at all, object versioning has never been configured, and therefore MFA Delete is not enabled for the selected bucket. If the command does return output, the bucket is protected only when both the "Status" and the "MFADelete" fields read "Enabled":

aws s3api get-bucket-versioning \
	--bucket webapp-status-reports

04 Repeat step no. 3 for each S3 bucket that you want to examine, available in your AWS account.
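The following script is an added example, not part of the Cloud Conformity page or its tooling. It applies the checks of steps 01 to 04 to every bucket at once by classifying the raw output of aws s3api get-bucket-versioning, including the three states a real audit meets besides the compliant one: empty output (versioning never configured), a "Status" other than "Enabled", and an "MFADelete" field that is missing or "Disabled". It runs here against constructed sample outputs; the two *_via_cli helpers are assumptions that shell out to the AWS CLI and need configured credentials.

```python
"""Audit S3 buckets for MFA Delete from `aws s3api get-bucket-versioning` output.

Added example; the sample outputs below are constructed, not captured from a real account.
"""
import json
import subprocess
from typing import Callable, Dict, List, Tuple


def classify_versioning(raw_output: str) -> Tuple[bool, str]:
    """Turn the CLI output for one bucket into (compliant, reason).

    The CLI prints nothing at all when versioning was never configured on the
    bucket; since MFA Delete depends on versioning, that case is non-compliant
    too, and a naive json.loads("") would raise instead of reporting it.
    """
    text = raw_output.strip()
    if not text:
        return False, "versioning never configured (MFA Delete unavailable)"
    config = json.loads(text)
    status = config.get("Status")
    mfa_delete = config.get("MFADelete")
    if status != "Enabled":
        return False, f"versioning status is {status or 'unset'}"
    if mfa_delete != "Enabled":
        return False, f"versioning enabled but MFA Delete is {mfa_delete or 'unset'}"
    return True, "versioning and MFA Delete enabled"


def audit_buckets(buckets: List[str], fetch: Callable[[str], str]) -> Dict[str, Tuple[bool, str]]:
    """Run classify_versioning over each bucket; `fetch` returns the raw CLI output."""
    return {bucket: classify_versioning(fetch(bucket)) for bucket in buckets}


def list_buckets_via_cli() -> List[str]:
    """Assumption: the AWS CLI is installed and credentials are configured (not run in tests)."""
    out = subprocess.run(
        ["aws", "s3api", "list-buckets", "--query", "Buckets[*].Name", "--output", "json"],
        check=True, capture_output=True, text=True,
    ).stdout
    return json.loads(out)


def fetch_versioning_via_cli(bucket: str) -> str:
    """Assumption: same as above; returns the raw stdout, which may be empty."""
    return subprocess.run(
        ["aws", "s3api", "get-bucket-versioning", "--bucket", bucket],
        check=True, capture_output=True, text=True,
    ).stdout


# Constructed sample outputs covering the states a real audit meets.
SAMPLE_OUTPUTS: Dict[str, str] = {
    "webapp-status-reports": '{\n  "MFADelete": "Enabled",\n  "Status": "Enabled"\n}\n',
    "legacy-logs": "",                                       # versioning never configured
    "staging-assets": '{"Status": "Suspended", "MFADelete": "Disabled"}',
    "backup-archive": '{"Status": "Enabled"}',               # versioned, MFA Delete never set
}


def sample_audit() -> Dict[str, Tuple[bool, str]]:
    """Audit the constructed samples; swap in the CLI helpers for a live account."""
    return audit_buckets(list(SAMPLE_OUTPUTS), SAMPLE_OUTPUTS.__getitem__)


if __name__ == "__main__":
    # For a live account: audit_buckets(list_buckets_via_cli(), fetch_versioning_via_cli)
    for name, (ok, reason) in sample_audit().items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}: {reason}")
```

Only the first sample bucket passes; the other three each fail for a different reason, which is the breakdown a finding report needs so that the remediation step can be chosen per bucket.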

Remediation / Resolution

To enable MFA Delete protection for your S3 buckets via AWS CLI (enabling it via AWS Management Console is not currently supported), perform the following:

Using AWS CLI

01 Run list-buckets command (OSX/Linux/UNIX) to list all S3 buckets available in your AWS account:

aws s3api list-buckets \
	--query 'Buckets[*].Name'

02 The command output should return the name of each S3 bucket available in your AWS account:

[
    "webapp-status-reports"
]

03 Since MFA Delete requires object versioning as a dependency, the best practice is to enable these two S3 features at the same time. Run put-bucket-versioning command (OSX/Linux/UNIX) to enable versioning and MFA Delete for the selected bucket (use the MFA device activated for your AWS root account and replace the placeholder details, aws_account_id, root-account-mfa-device and passcode, with your own access details):

aws s3api put-bucket-versioning \
	--bucket webapp-status-reports \
	--versioning-configuration '{"MFADelete":"Enabled","Status":"Enabled"}' \
	--mfa 'arn:aws:iam::aws_account_id:mfa/root-account-mfa-device passcode'

04 Run get-bucket-versioning command (OSX/Linux/UNIX) with the bucket name to determine whether S3 object versioning and the MFA Delete feature have been successfully enabled:

aws s3api get-bucket-versioning \
	--bucket webapp-status-reports

05 If enabled, the command output should look like the following:

{
  "MFADelete": "Enabled",
  "Status": "Enabled"
}

06 Once the MFA Delete feature is enabled, for each DELETE request you must provide your MFA token: the MFA serial number (the full ARN associated with the device) and the generated passcode (the access code generated by the MFA device). To test this feature, try to delete an S3 object version with and without the MFA token:

  1. Run list-object-versions command (OSX/Linux/UNIX) to return version information for an S3 object (file) called my-webapp-report-05032016.pdf available in the selected bucket (the command filters by key prefix, so the object name is passed with --prefix):
    aws s3api list-object-versions \
    	--bucket webapp-status-reports \
    	--prefix my-webapp-report-05032016.pdf
    
  2. The command output should return each version ID of the selected object. The following output example exposes the metadata for one object version:
    {
        "LastModified": "2016-05-10T11:54:08.000Z",
        "VersionId": "ubErddyQBw1v7y68Z42UBSEWZodwGQLD",
        "ETag": "\"04b921ba540251657f5c01eb38e1f035\"",
        "StorageClass": "STANDARD",
        "Key": "my-webapp-report-05032016.pdf",
        "Owner": {
            "DisplayName": "john.doe",
            "ID": "658f3e58089ec3bd00296f84056525e67415fd5e56dcfda3f8309358e99898"
        },
        "IsLatest": false,
        "Size": 14355
    }
    
  3. Run s3api delete-object command (OSX/Linux/UNIX) without MFA authentication and try to delete the selected S3 object version:
    aws s3api delete-object \
    	--bucket webapp-status-reports \
    	--version-id 'ubErddyQBw1v7y68Z42UBSEWZodwGQLD' \
    	--key my-webapp-report-05032016.pdf
    
  4. Without MFA authentication, the command output should return an access denied error message:
    A client error (AccessDenied) occurred: Mfa Authentication must be used for this request.
    
    This shows that S3 will not let you delete an object version without MFA authentication.
    
  5. Now run s3api delete-object command (OSX/Linux/UNIX) with MFA authentication to delete the selected S3 object version (replace the placeholder details, aws_account_id, root-account-mfa-device and passcode, with your own access details):
    aws s3api delete-object \
    	--bucket webapp-status-reports \
    	--mfa 'arn:aws:iam::aws_account_id:mfa/root-account-mfa-device passcode' \
    	--version-id 'ubErddyQBw1v7y68Z42UBSEWZodwGQLD' \
    	--key my-webapp-report-05032016.pdf
    
  6. With MFA authentication, the command output should return the version ID of the delete marker:
    {
      "VersionId": "ubErddyQBw1v7y68Z42UBSEWZodwGQLD",
      "DeleteMarker": true
    }
    

07 Repeat steps no. 3 – 6 to enable and test MFA Delete feature for each S3 bucket available in your AWS account.
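The following script is an added example, not part of the Cloud Conformity page or the AWS CLI, that assembles the commands of steps 03 and 06 and checks the --mfa value before anything is sent. The --mfa value is the device serial and the current code separated by a single space; a missing space, a wrong ARN shape or a code of the wrong length are the usual reasons the enable step fails, so they are caught locally. The ARN and passcode are constructed placeholders, the script assumes a virtual MFA device (whose serial is an ARN of the form shown on the page), and the run helper is an assumption that needs the AWS CLI and root-account credentials.

```python
"""Build and interpret the MFA Delete remediation commands from steps 03 and 06.

Added example; the ARN, passcode and outputs below are constructed placeholders.
"""
import json
import re
import subprocess
from typing import List, Optional

# Virtual MFA device ARN as shown on the page: arn:aws:iam::<account-id>:mfa/<device-name>
MFA_SERIAL_RE = re.compile(r"^arn:aws:iam::\d{12}:mfa/[\w+=,.@-]+$")
PASSCODE_RE = re.compile(r"^\d{6}$")


def mfa_argument(serial_arn: str, passcode: str) -> str:
    """Format the --mfa value: device ARN, one space, the code currently displayed."""
    if not MFA_SERIAL_RE.match(serial_arn):
        raise ValueError(f"not a virtual MFA device ARN: {serial_arn!r}")
    if not PASSCODE_RE.match(passcode):
        raise ValueError("passcode must be the 6-digit code currently shown by the device")
    return f"{serial_arn} {passcode}"


def enable_mfa_delete_command(bucket: str, mfa: str) -> List[str]:
    """argv for step 03: enable versioning and MFA Delete in one put-bucket-versioning call."""
    config = {"MFADelete": "Enabled", "Status": "Enabled"}
    return ["aws", "s3api", "put-bucket-versioning", "--bucket", bucket,
            "--versioning-configuration", json.dumps(config), "--mfa", mfa]


def delete_version_command(bucket: str, key: str, version_id: str,
                           mfa: Optional[str] = None) -> List[str]:
    """argv for steps 06.3 and 06.5: delete one object version, with or without --mfa."""
    argv = ["aws", "s3api", "delete-object", "--bucket", bucket,
            "--key", key, "--version-id", version_id]
    if mfa is not None:
        argv += ["--mfa", mfa]
    return argv


def interpret_delete_result(returncode: int, stderr: str) -> str:
    """Classify a delete-object attempt the way steps 06.4 and 06.6 describe it."""
    if returncode == 0:
        return "deleted"
    if "Mfa Authentication must be used" in stderr:
        return "blocked: MFA Delete is enforced and no valid --mfa was supplied"
    return "failed: " + stderr.strip()


def run(argv: List[str]) -> subprocess.CompletedProcess:
    """Assumption: AWS CLI present and root-account credentials configured (not run in tests)."""
    return subprocess.run(argv, capture_output=True, text=True)


if __name__ == "__main__":
    # Constructed placeholders; replace with your own account id, device name and current code.
    mfa = mfa_argument("arn:aws:iam::123456789012:mfa/root-account-mfa-device", "123456")
    bucket, key, version = ("webapp-status-reports", "my-webapp-report-05032016.pdf",
                            "ubErddyQBw1v7y68Z42UBSEWZodwGQLD")
    for argv in (enable_mfa_delete_command(bucket, mfa),
                 delete_version_command(bucket, key, version),
                 delete_version_command(bucket, key, version, mfa)):
        print(" ".join(argv))
    # Live use: print(interpret_delete_result(run(argv).returncode, run(argv).stderr))
```

Commands are built as argv lists rather than shell strings so the versioning-configuration JSON and the space inside the --mfa value reach the CLI intact without shell quoting.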

Publication date May 10, 2016