Ensure that your AWS CloudTrail logging bucket uses the Multi-Factor Authentication (MFA) Delete feature in order to prevent the deletion of any versioned log files.
This rule can help you with the following compliance standards:
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
Using an MFA-protected bucket for AWS CloudTrail adds a strong layer of protection, ensuring that your versioned log files cannot be deleted, whether accidentally or intentionally, even if your access credentials are compromised.
Note: Only the S3 bucket owner (the AWS root account) can enable the MFA Delete feature and perform DELETE actions on the CloudTrail logging bucket.
To determine if your CloudTrail logging bucket has MFA Delete enabled, perform the following:
To enable MFA Delete protection for your CloudTrail logging bucket via AWS CLI, perform the following:
Note: enabling it via the AWS Management Console is not currently supported.
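The following is an added example (not Cloud Conformity's own rule code) that performs this check: it finds every S3 bucket used by a CloudTrail trail and classifies its versioning configuration, treating a missing `MFADelete` key as Disabled and a never-versioned bucket as non-compliant. The trail and bucket names are constructed sample data; `collect_live` shows the equivalent boto3 calls and is assumed to run with read-only credentials.

```python
"""Audit CloudTrail logging buckets for S3 MFA Delete (added example)."""


def mfa_delete_finding(bucket: str, versioning: dict) -> dict:
    """Classify one get_bucket_versioning() response against this rule.

    A bucket that was never versioned returns neither key, and S3 omits
    "MFADelete" entirely when the feature is disabled.
    """
    status = versioning.get("Status", "NotConfigured")
    mfa_delete = versioning.get("MFADelete", "Disabled")
    # MFA Delete protects object versions, so it only counts when
    # versioning itself is Enabled (Suspended buckets stop creating versions).
    compliant = status == "Enabled" and mfa_delete == "Enabled"
    return {"bucket": bucket, "versioning": status,
            "mfa_delete": mfa_delete, "compliant": compliant}


def audit_trails(trails: list, versioning_by_bucket: dict) -> list:
    """Return one finding per distinct CloudTrail logging bucket."""
    buckets = sorted({t["S3BucketName"] for t in trails if t.get("S3BucketName")})
    return [mfa_delete_finding(b, versioning_by_bucket.get(b, {})) for b in buckets]


def collect_live(region: str = "us-east-1") -> list:
    """Run the audit against a real account (needs boto3 and credentials)."""
    import boto3  # imported here so the module loads without boto3 installed
    trails = boto3.client("cloudtrail", region_name=region).describe_trails(
        includeShadowTrails=False)["trailList"]
    s3 = boto3.client("s3")
    versioning = {name: s3.get_bucket_versioning(Bucket=name)
                  for name in {t["S3BucketName"] for t in trails}}
    return audit_trails(trails, versioning)


# Constructed sample data standing in for the two API responses.
SAMPLE_TRAILS = [
    {"Name": "org-trail", "S3BucketName": "example-cloudtrail-logs"},
    {"Name": "dev-trail", "S3BucketName": "example-dev-trail-logs"},
    {"Name": "legacy-trail", "S3BucketName": "example-legacy-logs"},
]
SAMPLE_VERSIONING = {
    "example-cloudtrail-logs": {"Status": "Enabled", "MFADelete": "Enabled"},
    "example-dev-trail-logs": {"Status": "Enabled"},  # MFADelete absent => Disabled
    "example-legacy-logs": {},  # versioning never configured
}

if __name__ == "__main__":
    for finding in audit_trails(SAMPLE_TRAILS, SAMPLE_VERSIONING):
        print(finding)
```

Non-compliant buckets are remediated with the root account's MFA device via `aws s3api put-bucket-versioning --bucket <bucket> --versioning-configuration Status=Enabled,MFADelete=Enabled --mfa "<mfa-device-arn> <code>"`, where the bracketed values are placeholders.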