S3 Bucket MFA Delete Not Enabled
Overview
This check identifies Amazon S3 buckets that do not have MFA Delete protection enabled. MFA Delete adds a second layer of security by requiring multi-factor authentication to permanently delete object versions or change versioning settings on a bucket.
Risk
Without MFA Delete enabled, anyone with sufficient permissions can permanently delete object versions or disable versioning. This creates serious risks:
- Ransomware attacks: Attackers who gain access can delete all your backups and data
- Accidental deletion: Mistakes by authorized users become irreversible
- Insider threats: Malicious actors with credentials can destroy data without additional verification
- Compliance failures: Many regulations require protection against unauthorized data destruction
Remediation Steps
Prerequisites
- Root account access: MFA Delete can only be enabled by the AWS account root user (not IAM users or roles)
- MFA device: The root user must have an MFA device configured
- AWS CLI: You need the AWS CLI installed to enable MFA Delete (it cannot be done through the console)
Setting up the AWS CLI for root user
- Install the AWS CLI if not already installed:
# macOS
brew install awscli
# Linux
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip
sudo ./aws/install
# Windows
# Download and run the installer from https://aws.amazon.com/cli/
- Configure credentials for the root user:
aws configure
# Enter the root user's access key ID and secret access key
# Set default region to: us-east-1
Important: Root user access keys are highly sensitive. After enabling MFA Delete, consider deleting the root access keys for security.
AWS Console Method
MFA Delete cannot be enabled through the AWS Console. You must use the AWS CLI. However, you can use the console to:
- Verify your root user has MFA configured:
- Sign in to the AWS Console as the root user
- Click your account name in the top-right corner
- Select Security credentials
- Under Multi-factor authentication (MFA), ensure an MFA device is assigned
- If not, click Assign MFA device and follow the prompts
- Identify buckets needing MFA Delete:
- Go to the S3 Console
- Click on each bucket
- Go to the Properties tab
- Under Bucket Versioning, check if MFA Delete shows "Disabled"
AWS CLI Method (Required)
Important: This command must be run using root user credentials, not IAM user credentials.
Enable MFA Delete on a bucket
aws s3api put-bucket-versioning \
--bucket <your-bucket-name> \
--versioning-configuration Status=Enabled,MFADelete=Enabled \
--mfa "<mfa-device-arn> <mfa-code>" \
--region us-east-1
Parameters:
- <your-bucket-name>: Replace with your S3 bucket name
- <mfa-device-arn>: The ARN of your root user's MFA device (e.g., arn:aws:iam::123456789012:mfa/root-account-mfa-device)
- <mfa-code>: The current 6-digit code from your MFA device
Example:
aws s3api put-bucket-versioning \
--bucket my-important-data-bucket \
--versioning-configuration Status=Enabled,MFADelete=Enabled \
--mfa "arn:aws:iam::123456789012:mfa/root-account-mfa-device 123456" \
--region us-east-1
Find your root MFA device ARN
aws iam list-mfa-devices --region us-east-1
Run this with the root user's credentials: without a --user-name argument, the command lists the MFA devices of the calling identity. Look for the device associated with the root user (no IAM user path in the ARN).
CloudFormation (Limited Support)
Important: CloudFormation cannot enable MFA Delete directly because it requires root user MFA authentication at the time of the API call. However, you can use CloudFormation to enable versioning and then manually enable MFA Delete afterward.
AWSTemplateFormatVersion: '2010-09-09'
Description: S3 bucket with versioning enabled (MFA Delete must be enabled manually)
Resources:
SecureBucket:
Type: AWS::S3::Bucket
Properties:
BucketName: !Sub 'secure-bucket-${AWS::AccountId}'
VersioningConfiguration:
Status: Enabled
# Note: MFADelete cannot be set via CloudFormation
# You must use the AWS CLI as root user to enable it
Outputs:
BucketName:
Description: Name of the bucket (enable MFA Delete manually via CLI)
Value: !Ref SecureBucket
After deploying this template, enable MFA Delete using the CLI command shown above.
Terraform (Limited Support)
Important: Like CloudFormation, Terraform cannot enable MFA Delete because it requires root user MFA authentication. Use Terraform to create the bucket with versioning, then enable MFA Delete manually.
resource "aws_s3_bucket" "secure_bucket" {
bucket = "my-secure-bucket-${data.aws_caller_identity.current.account_id}"
}
resource "aws_s3_bucket_versioning" "secure_bucket_versioning" {
bucket = aws_s3_bucket.secure_bucket.id
versioning_configuration {
status = "Enabled"
# mfa_delete cannot be enabled via Terraform
# Must be enabled manually via AWS CLI as root user
}
}
data "aws_caller_identity" "current" {}
output "bucket_name" {
description = "Bucket name - enable MFA Delete manually via CLI"
value = aws_s3_bucket.secure_bucket.id
}
After applying this configuration, enable MFA Delete using the CLI command shown above.
Verification
After enabling MFA Delete, verify it is active:
- In the AWS Console:
- Go to S3 and select your bucket
- Click the Properties tab
- Under Bucket Versioning, MFA Delete should show "Enabled"
CLI Verification
aws s3api get-bucket-versioning \
--bucket <your-bucket-name> \
--region us-east-1
Expected output when MFA Delete is enabled:
{
"Status": "Enabled",
"MFADelete": "Enabled"
}
To check all buckets in your account:
for bucket in $(aws s3api list-buckets --query 'Buckets[].Name' --output text --region us-east-1); do
echo "Bucket: $bucket"
aws s3api get-bucket-versioning --bucket "$bucket" --region us-east-1
echo "---"
done
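The same check as a reusable audit, added here as an example (it is not code from the page or from AWS). It assumes a boto3-style client with list_buckets() and get_bucket_versioning(Bucket=...); a constructed FakeS3 with sample responses stands in so it runs offline. Unlike the loop above, it also treats the cases S3 reports implicitly: a bucket that was never versioned returns no Status at all, and MFADelete is omitted whenever it was never set.

```python
# Added example (not from the page): audit every bucket for MFA Delete.
# Assumption: `client` is any object exposing boto3-style list_buckets() and
# get_bucket_versioning(Bucket=...); FakeS3 below is a constructed stand-in.

UNVERSIONED = "versioning never enabled"
SUSPENDED = "versioning suspended"
NO_MFA_DELETE = "versioned, MFA Delete disabled"
PROTECTED = "versioned, MFA Delete enabled"


def classify_versioning(response):
    """Map a get-bucket-versioning response to one of the states above.
    S3 omits "Status" when versioning was never configured and omits
    "MFADelete" when it was never set, so a missing key means disabled."""
    status = response.get("Status")
    if status is None:
        return UNVERSIONED
    if status == "Suspended":
        return SUSPENDED
    if response.get("MFADelete", "Disabled") == "Enabled":
        return PROTECTED
    return NO_MFA_DELETE


def find_unprotected_buckets(client):
    """Return each bucket that is not PROTECTED, with its versioning state."""
    findings = []
    for bucket in client.list_buckets()["Buckets"]:
        name = bucket["Name"]
        state = classify_versioning(client.get_bucket_versioning(Bucket=name))
        if state != PROTECTED:
            findings.append({"bucket": name, "state": state})
    return findings


class FakeS3:
    """Constructed stand-in for boto3.client("s3") with sample responses."""
    VERSIONING = {
        "logs-never-versioned": {},
        "backups-suspended": {"Status": "Suspended", "MFADelete": "Disabled"},
        "data-versioned-only": {"Status": "Enabled"},
        "critical-protected": {"Status": "Enabled", "MFADelete": "Enabled"},
    }

    def list_buckets(self):
        return {"Buckets": [{"Name": n} for n in self.VERSIONING]}

    def get_bucket_versioning(self, Bucket):
        return dict(self.VERSIONING[Bucket])
```

To run it against a real account, pass boto3.client("s3") to find_unprotected_buckets in place of FakeS3().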
Additional Resources
- AWS Documentation: Using MFA Delete
- AWS Documentation: Multi-Factor Authentication Delete
- AWS Documentation: Configuring MFA for the Root User
- AWS Documentation: S3 Versioning
Notes
- Root user requirement: This is a critical limitation. MFA Delete can only be enabled or disabled by the root user, not by IAM users or roles, even with full administrative permissions.
- Cannot be automated: Because MFA Delete requires interactive MFA input from the root user, it cannot be fully automated through CI/CD pipelines or infrastructure-as-code tools.
- Disabling MFA Delete: To disable MFA Delete (not recommended for production buckets), you also need root user credentials and MFA:
aws s3api put-bucket-versioning \
--bucket <your-bucket-name> \
--versioning-configuration Status=Enabled,MFADelete=Disabled \
--mfa "<mfa-device-arn> <mfa-code>" \
--region us-east-1
- Consider S3 Object Lock: For additional protection, consider using S3 Object Lock in Governance or Compliance mode, which can be managed through IAM policies and provides similar protection against deletion.
- Lifecycle policies: MFA Delete does not prevent lifecycle policies from deleting objects. If you have lifecycle rules that delete versions, those will still execute. Review your lifecycle policies when implementing MFA Delete.