S3 buckets should have the 'MFA Delete' feature enabled


Description

Once MFA Delete is enabled on a sensitive or classified S3 bucket, permanently deleting an object version or changing the bucket's versioning state requires a second form of authentication: a current code from an MFA device registered to the bucket owner's account, presented together with the caller's access keys.

Rationale

Adding MFA Delete to an S3 bucket requires additional authentication whenever the versioning state of the bucket is changed or an object version is permanently deleted, which adds another layer of protection in the event that your security credentials are compromised or unauthorized access is granted.

Remediation

With MFA Delete enabled, object versions in the bucket cannot be permanently deleted, accidentally or intentionally, by AWS users who have access to the bucket unless they also present the MFA code. A plain delete without a version ID is still allowed; on a versioned bucket it only inserts a delete marker, and the underlying versions remain recoverable.

From the console

MFA Delete cannot be enabled in the AWS Console. See the CLI remediation below for configuration instructions.

From the command line

Run put-bucket-versioning with your bucket name, the versioning configuration, and the MFA value. The --mfa argument is the serial number (ARN) of the MFA device followed by a space and the current code shown on that device. The command must be run with the credentials of the account root user (here the profile my-root-profile), because only the bucket owner's root user can enable MFA Delete; replace Bucket_Name, aws_account_id and passcode with your own values.

aws s3api put-bucket-versioning --profile my-root-profile --bucket Bucket_Name \
  --versioning-configuration Status=Enabled,MFADelete=Enabled \
  --mfa "arn:aws:iam::aws_account_id:mfa/root-account-mfa-device passcode"
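To check the result (aws s3api get-bucket-versioning --bucket Bucket_Name should report both Status and MFADelete as Enabled) and to audit every bucket in an account, the following script is an added example and not part of the original page. The boto3 calls list_buckets, get_bucket_versioning and put_bucket_versioning are real; the bucket names, the sample responses and the MFA device ARN are constructed for illustration. The script evaluates responses of the shape get-bucket-versioning returns, including the cases where the Status or MFADelete keys are absent because the feature was never configured, and builds the MFA value in the "serial code" form the API expects.

```python
"""Audit S3 buckets for MFA Delete and, given root credentials plus an MFA code,
remediate them. Added example, not the page's own code: the boto3 client methods
used are real, the bucket names and responses are constructed."""
from typing import Dict, Tuple

# Constructed responses in the shape get_bucket_versioning returns (without
# ResponseMetadata). Status and MFADelete are absent until they have ever been set.
SAMPLE_RESPONSES: Dict[str, Dict[str, str]] = {
    "never-versioned": {},
    "versioned-no-mfa": {"Status": "Enabled"},
    "versioned-mfa-off": {"Status": "Enabled", "MFADelete": "Disabled"},
    "versioned-mfa-on": {"Status": "Enabled", "MFADelete": "Enabled"},
    "suspended-mfa-on": {"Status": "Suspended", "MFADelete": "Enabled"},
}


def mfa_delete_finding(versioning: Dict[str, str]) -> Tuple[bool, str]:
    """Return (compliant, reason) for one get_bucket_versioning response."""
    status = versioning.get("Status")
    mfa = versioning.get("MFADelete")
    if status is None:
        return False, "versioning never enabled; MFA Delete requires versioning"
    if status != "Enabled":
        return False, f"versioning is {status}; version history is not being kept"
    if mfa != "Enabled":
        return False, f"MFA Delete is {mfa or 'not configured'}"
    return True, "versioning and MFA Delete enabled"


def audit(responses: Dict[str, Dict[str, str]]) -> Dict[str, bool]:
    """Map bucket name -> compliant for a batch of versioning responses."""
    return {name: mfa_delete_finding(cfg)[0] for name, cfg in responses.items()}


def audit_account(s3) -> Dict[str, bool]:
    """Live version of audit(); s3 is a boto3 S3 client. Read-only calls."""
    found: Dict[str, bool] = {}
    for bucket in s3.list_buckets()["Buckets"]:
        cfg = s3.get_bucket_versioning(Bucket=bucket["Name"])
        found[bucket["Name"]] = mfa_delete_finding(cfg)[0]
    return found


def mfa_argument(mfa_serial: str, totp_code: str) -> str:
    """Build the MFA value S3 expects: device serial/ARN, one space, current code.
    Virtual and hardware TOTP devices show a 6-digit code."""
    code = totp_code.strip()
    if not (code.isdigit() and len(code) == 6):
        raise ValueError("MFA code must be the 6 digits shown on the device")
    return f"{mfa_serial} {code}"


def enable_mfa_delete(s3, bucket: str, mfa_serial: str, totp_code: str) -> dict:
    """Turn on versioning and MFA Delete in one call. Succeeds only with the bucket
    owner's root-user credentials; a code is single-use, so re-read it on retry."""
    return s3.put_bucket_versioning(
        Bucket=bucket,
        MFA=mfa_argument(mfa_serial, totp_code),
        VersioningConfiguration={"Status": "Enabled", "MFADelete": "Enabled"},
    )


if __name__ == "__main__":
    for name, ok in audit(SAMPLE_RESPONSES).items():
        reason = mfa_delete_finding(SAMPLE_RESPONSES[name])[1]
        print(f"{name:20s} {'PASS' if ok else 'FAIL'}  {reason}")
```

For a live audit, pass boto3.client("s3") to audit_account; any credentials that can read bucket versioning will do. enable_mfa_delete needs the root user's access keys and its MFA device, so create those keys only for this operation and delete them afterwards. Suspended versioning is reported as non-compliant even when MFADelete reads Enabled, because no new versions are retained in that state.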

References

  1. https://docs.aws.amazon.com/AmazonS3/latest/dev/Versioning.html#MultiFactorAuthenticationDelete
  2. https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingMFADelete.html
  3. https://aws.amazon.com/blogs/security/securing-access-to-aws-using-mfa-part-3/
  4. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_lost-or-broken.html