S3 bucket MFA Delete feature is enabled

s3

Classification:

compliance

Description

Set up the Multi-Factor Authentication (MFA) delete feature to prevent deletion of Amazon S3 objects.

Rationale

MFA-protected Amazon S3 buckets ensure S3 objects cannot be accidentally or intentionally deleted by AWS users who have access to your bucket.

Remediation

Console

MFA DELETE cannot be enabled in the AWS Console. See the CLI remediation below for configuration instructions.

CLI

  1. Run put-bucket-versioning with your bucket name, versioning configuration, and MFA configuration.

put-bucket-versioning.sh

  # Run this with the bucket owner's root credentials: only the root account
  # can enable MFA Delete. The --mfa value is the MFA device serial (ARN)
  # followed by a space and the current six-digit code from that device
  # ("123456" below is a placeholder for the live code).
  aws s3api put-bucket-versioning \
    --bucket your-s3-bucket-name \
    --versioning-configuration '{"MFADelete":"Enabled","Status":"Enabled"}' \
    --mfa 'arn:aws:iam::aws_account_id:mfa/root-account-mfa-device 123456'
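To confirm the remediation took effect, `aws s3api get-bucket-versioning --bucket your-s3-bucket-name` prints the bucket's `Status` and `MFADelete` fields. The following is an added example, not Datadog's own rule implementation, that evaluates such a response the way this rule intends: a bucket passes only when versioning is `Enabled` and `MFADelete` is `Enabled`. It handles the two edge cases that trip up naive checks, namely that S3 omits `Status` entirely when versioning was never configured and omits `MFADelete` when it was never set. The bucket names and responses are constructed samples; the `fetch_versioning` helper assumes `boto3` is installed and AWS credentials are configured, and is not needed to run the evaluator.

```python
"""Evaluate S3 get-bucket-versioning responses for the MFA Delete rule.

Added example; not Datadog's own check. Compliant means:
    Status == "Enabled" AND MFADelete == "Enabled".
"""
from typing import Any


def evaluate_mfa_delete(versioning: dict[str, Any]) -> tuple[bool, str]:
    """Return (compliant, reason) for one get-bucket-versioning response.

    S3 omits "Status" when versioning was never configured and omits
    "MFADelete" when MFA Delete was never set, so missing keys are treated
    as "not configured" instead of raising KeyError.
    """
    status = versioning.get("Status")          # None | "Enabled" | "Suspended"
    mfa_delete = versioning.get("MFADelete")   # None | "Enabled" | "Disabled"
    if status != "Enabled":
        # MFA Delete only applies to a versioned bucket, so this is the first gate.
        return False, (f"versioning is {status or 'not configured'}; "
                       "MFA Delete requires versioning Enabled")
    if mfa_delete != "Enabled":
        return False, f"MFADelete is {mfa_delete or 'not configured'}"
    return True, "versioning Enabled and MFADelete Enabled"


def evaluate_buckets(results: dict[str, dict[str, Any]]) -> list[str]:
    """Return the sorted names of non-compliant buckets from a {bucket: response} map."""
    return sorted(name for name, resp in results.items()
                  if not evaluate_mfa_delete(resp)[0])


def fetch_versioning(bucket: str) -> dict[str, Any]:
    """Live lookup (assumption: boto3 installed, credentials configured).

    boto3's get_bucket_versioning returns the same keys the CLI prints, so its
    result can be passed straight to evaluate_mfa_delete.
    """
    import boto3  # imported lazily so the evaluator itself runs offline
    return boto3.client("s3").get_bucket_versioning(Bucket=bucket)


# Constructed sample responses (not real buckets), shaped like get-bucket-versioning output.
SAMPLE_RESPONSES: dict[str, dict[str, Any]] = {
    "never-versioned-bucket": {},
    "versioned-no-mfa-bucket": {"Status": "Enabled", "MFADelete": "Disabled"},
    "suspended-bucket": {"Status": "Suspended", "MFADelete": "Enabled"},
    "compliant-bucket": {"Status": "Enabled", "MFADelete": "Enabled"},
}

if __name__ == "__main__":
    for name, resp in SAMPLE_RESPONSES.items():
        ok, why = evaluate_mfa_delete(resp)
        print(f"{'PASS' if ok else 'FAIL'} {name}: {why}")
    print("non-compliant:", evaluate_buckets(SAMPLE_RESPONSES))
```

The reason string is kept alongside the boolean so a finding can say which of the two conditions failed; a bucket with versioning `Suspended` is reported as non-compliant even if `MFADelete` still reads `Enabled`, because MFA Delete only protects versioned objects.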