S3 buckets should have the 'MFA Delete' feature enabled

Description

Once MFA Delete is enabled on your sensitive and classified S3 bucket it requires the user to have two forms of authentication.

Rationale

Adding MFA DELETE to an S3 bucket requires additional authentication when you change the version state of your bucket or when you delete an object version, which adds another layer of security in the event your security credentials are compromised or unauthorized access is granted.

Remediation

MFA-protected Amazon S3 buckets ensure S3 objects cannot be accidentally or intentionally deleted by AWS users who have access to your bucket.

From the console

MFA DELETE cannot be enabled in the AWS Console. See the CLI remediation below for configuration instructions.

From the command line

Run put-bucket-versioning with your bucket name, versioning configuration, and MFA configuration.

aws s3api put-bucket-versioning --profile my-root-profile --bucket
Bucket_Name --versioning-configuration Status=Enabled,MFADelete=Enabled --mfa
“arn:aws:iam::aws_account_id:mfa/root-account-mfa-device passcode”

References

  1. https://docs.aws.amazon.com/AmazonS3/latest/dev/Versioning.html#MultiFactorAuthenticationDelete
  2. https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingMFADelete.html
  3. https://aws.amazon.com/blogs/security/securing-access-to-aws-using-mfa-part-3/
  4. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_lost-or-broken.html