How to Enable MFA Delete for S3 Bucket

In my previous blog , I have explained how you can enable versioning on the S3 buckets and configure cross region replication for the buckets , Check here

In this guide , We are going to use the versioning feature and configure MFA delete on the S3 buckets.

Note:

MFA delete can be only implemented by the root AWS account.

And also It can be enabled and disabled only by the root user.

What is MFA Delete?

Securing objects from accidental deletion is one of the major concern.

To avoid such scenarios , AWS has a feature which we can implement on the S3 buckets by applying MFA.

MFA (multi factor authentication) adds a layer of security for the following reasons.

Change the versioning state of the objects

Permanent delete of the versioned objects

Authentication required for MFA delete

While configuring MFA delete on the buckets , There should be two level of authentication required.

By using security credentials

Six digit code from the approved authentication device such as Google authenticator

Enable MFA on S3 Bucket

You can Create S3 buckets and objects using AWS CLI , Refer here

Once you have the S3 bucket and the versioning enabled on it.Versioning be either enabled using the command line interface or using AWS console.

To enable versioning using AWS console , Open the S3 console , Select the bucket.

Then select Properties

Click versioning and then Enable versioning and Click Save

Enabling versioning on the S3 buckets can be done using IAM users But activating and de-activating MFA delete can only be done using Root account.

Install Google Authenticator

Install Google Authenticator in your mobile and then configure MFA for the Root account , As we are going to use this MFA code to enable and disable MFA delete.

You can check this article for MFA configuration.

Once the MFA is configured , Now its time to configure MFA delete on the S3 buckets.

Why do we need Versioning?

In AWS S3, The versioning is enabled in the Bucket level to keep the multiple versions of the same objects.

PreRequisites

Make sure AWS CLI is configured on the local system and have access for managing S3 buckets.
Root Account with MFA Enabled.

We need to collect these things first.

S3 bucket in a Region

MFA Secret for the Root account. To do that , Login to IAM console.

You should see the following screen.

Then Click Activate MFA on the Root Account

And then click Manage MFA

Under MFA , You can find the Serial Number which we will use while enabling MFA delete on S3 , So make a note of it.

Access Key and Secret Key for Root Account

Under Access keys , Click Create New Access key

And then download the key file.

To get the lists of Available buckets in the Account ,

aws s3api list-buckets

You can also run the below command.

aws s3 ls

To check whether the versioning is enabled in a particular bucket.

aws s3api get-bucket-versioning --bucket BucketName

if It doesn’t reply anything which means versioning is not enabled in this bucket.

Having the details of the MFA Serial and the MFA code , We are going to enable the MFA delete for the buckets.

Running the below command.

aws s3api put-bucket-versioning --profile my-root-profile --bucket my-bucket-name --versioning-configuration Status=Enabled,MFADelete=Enabled --mfa “arn:aws:iam::00000000:mfa/root-account-mfa-device 123456”

From the above command , This is what we are doing.

put-bucket-versioning – We are going to apply versioning

–profile – Is your aws cli profile , By default the profile is default and you can check the profile under .aws folder and credentials file

–bucket – mention your bucket name here

–mfa – provide the Serial Number of the Root MFA

Finally , The six digit code from the Google Authenticator.

Now We have successfully applied MFA delete on the S3 bucket.

Verifying the MFA Delete

We can verify whether the versioning and the MFA Delete is enabled for the bucket using the below command.

aws s3api get-bucket-versioning --bucket bucketname

As you can see the Versioning and MFADelete is Enabled.

Workaround

The MFA delete is only for the versioned objects.If you delete the actual file It will delete it but it will keep all the versions of the file.

Deleting a File

In my bucket I have an object named Screenshot from 2020-05-26 12-07-04.png

I am going to delete it using the below command.

aws s3api delete-object --bucket testbucketforcors01 --key "Screenshot from 2020-05-26 12-07-04.png"

As you can see the main file is deleted without the need of the MFA.

If the above action is performed using the AWS console , It will still delete the actual file but it will retain all the versions of that file.

Deleting Version of a File without MFA

For testing this , I have createda file named test1 and uploaded it to S3 bucket.

Then I made some changes to the file and re-uploaded it to the bucket and it is added as a version (Latest version) of that file.

If you click the Latest version , Then you will get the version ID of that file

Using the below command , Lets try to delete the version of a file without MFA.

aws s3api delete-object --bucket bucketname --key test1 --version-id cWHSLEi09A8iDXPOUPtbqvRgFihMCIB_

From the screenshot below , You can see it throws an Authentication error.Even It is root user , Without MFA the version of the object cannot be deleted.

Deleting version of File using MFA

Lets try to delete the same version of the file using MFA.

aws s3api delete-object --profile default --bucket bucketname --key test1 --version-id cWHSLEi09A8iDXPOUPtbqvRgFihMCIB_ --mfa "arn:aws:iam::0000555500:mfa/root-account-mfa-device 983951"

From the screenshot You can see that the version of the object is deleted with the help of MFA.

Disable MFA Delete

Lets say you want to the keep the versioning , But want to delete the MFADelete on the S3 bucket.

You can achieve this using the below command.

aws s3api put-bucket-versioning --profile default --bucket bucketname --versioning-configuration Status=Enabled,MFADelete=Disabled --mfa "arn:aws:iam::0000050505:mfa/root-account-mfa-device 880365"