Ensure that your AWS S3 buckets have the Multi-Factor Authentication (MFA) Delete feature enabled so that versioned S3 objects (files) cannot be permanently deleted without a valid MFA code.
This rule can help you with the following compliance standards:
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
Enabling MFA Delete adds a second factor to the two operations that can destroy versioned data: permanently deleting an object version (a DELETE request that names a version ID) and changing the bucket's versioning state. An AWS user who merely has delete permission on the bucket can still issue a plain delete, but that only adds a delete marker; the earlier versions survive and can be restored, so the objects cannot be accidentally or intentionally destroyed by that user.
Note: Only the bucket owner, signed in as the AWS account root user, can enable the MFA Delete feature, and once it is enabled every request that permanently deletes an object version or changes the bucket's versioning state must carry the root user's MFA device serial and a current code (the x-amz-mfa request header, or the --mfa option in the AWS CLI).
To determine whether your S3 buckets have the MFA Delete feature enabled, perform the following:
To enable MFA Delete protection for your S3 buckets via the AWS CLI (enabling it via the AWS Management Console is not currently supported), perform the following:
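The audit and the remediation above can be scripted together. The following is an added example and is not Cloud Conformity's own tooling: it assumes the AWS CLI is installed, that the live path is run with the bucket owner's root-user credentials, and that the bucket name, MFA device ARN and code shown are placeholders. The JSON parser is exercised on a constructed sample of `get-bucket-versioning` output, so the script runs offline when `DRY_RUN=1` (the default) and only prints the `aws` commands it would execute.

```shell
#!/bin/sh
# Added example (not the page's or Cloud Conformity's code): audit and enable S3 MFA Delete.
# Assumptions: AWS CLI present; for the live path (DRY_RUN=0) you hold the bucket owner's
# root-user credentials and that root user's MFA device. With DRY_RUN=1 nothing touches AWS.

: "${DRY_RUN:=1}"

# Extract one top-level string value from the small JSON document that
# `aws s3api get-bucket-versioning` returns, e.g. {"Status": "Enabled", "MFADelete": "Enabled"}.
# Prints nothing if the key is absent, which is also what the CLI returns (empty output)
# for a bucket whose versioning was never configured. sed only, so it works on any POSIX box.
json_field() {
  # $1 = JSON text, $2 = key name
  printf '%s' "$1" | tr -d '\n' |
    sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p"
}

# Classify a versioning configuration for the audit.
# Prints one of: COMPLIANT, VERSIONING_ONLY, VERSIONING_SUSPENDED, NOT_VERSIONED
classify_versioning() {
  status=$(json_field "$1" Status)
  mfa=$(json_field "$1" MFADelete)
  if [ "$status" = "Enabled" ] && [ "$mfa" = "Enabled" ]; then
    echo COMPLIANT
  elif [ "$status" = "Enabled" ]; then
    echo VERSIONING_ONLY        # versioned, but versions can still be purged without MFA
  elif [ "$status" = "Suspended" ]; then
    echo VERSIONING_SUSPENDED
  else
    echo NOT_VERSIONED          # empty / {} reply: versioning (and so MFA Delete) never set
  fi
}

# Live check of one bucket: the command a practitioner types for the audit step.
check_bucket() {
  if [ "$DRY_RUN" = 1 ]; then
    echo "aws s3api get-bucket-versioning --bucket $1 --output json"
    return 0
  fi
  classify_versioning "$(aws s3api get-bucket-versioning --bucket "$1" --output json)"
}

# Enable versioning and MFA Delete in a single call. The --mfa value is ONE string:
# the MFA device serial (an ARN for a virtual device) followed by a space and the current code.
# Must be run as the bucket owner's root user; an IAM principal gets AccessDenied here.
enable_mfa_delete() {
  bucket=$1; mfa_serial=$2; mfa_code=$3
  set -- aws s3api put-bucket-versioning --bucket "$bucket" \
         --versioning-configuration Status=Enabled,MFADelete=Enabled \
         --mfa "$mfa_serial $mfa_code"
  if [ "$DRY_RUN" = 1 ]; then
    printf '%s ' "$@"; echo
  else
    "$@"
  fi
}

# Constructed sample replies (not captured from a real account) used to drive the parser offline.
SAMPLE_COMPLIANT='{"Status": "Enabled", "MFADelete": "Enabled"}'
SAMPLE_VERSIONING_ONLY='{"Status": "Enabled", "MFADelete": "Disabled"}'
SAMPLE_SUSPENDED='{"Status": "Suspended"}'
SAMPLE_NEVER_VERSIONED=''

# Demo run: placeholder bucket, placeholder root MFA device ARN and code.
classify_versioning "$SAMPLE_COMPLIANT"
check_bucket example-bucket
enable_mfa_delete example-bucket arn:aws:iam::123456789012:mfa/root-account-mfa-device 123456
```

After running the enable command for real, re-run the check and expect `COMPLIANT`; from that point a permanent delete needs the same second factor, e.g. `aws s3api delete-object --bucket example-bucket --key file.txt --version-id <id> --mfa "<serial> <code>"`, while a delete without a version ID still succeeds and only writes a delete marker.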