AWS S3 Bucket MFA Delete is not enabled
- Contextual name: Bucket MFA Delete is not enabled
- ID: /ce/ca/aws/s3/bucket-mfa-delete
- Located in: AWS S3
Flags
- Policy with categories
- Policy with internal.md
- Policy with type
- Production policy
Our Metadata
- Policy Type: BEST_PRACTICE
- Policy Category: SECURITY
Similar Policies
- Cloud Conformity
- Internal: dec-z-bb731292
Similar Internal Rules
| Rule | Policies | Flags |
|---|---|---|
| dec-z-bb731292 | 1 | |
Logic
- prod.logic.yaml
- AWS S3 Bucket
- AWS S3 Bucket - object.extracts.yaml
- test.data.json
Internal Notes
Notes
Different vendors implement this policy differently.
The differences:
- Some only check whether MFA Delete has the status Enabled and do not look at the lifecycle configuration at all.
- Others check whether MFA Delete is enabled and whether the lifecycle configuration has the status Enabled, but do not take into account that even when the lifecycle status is Disabled you still cannot enable MFA Delete. You need to remove the lifecycle rules completely in order to be able to activate MFA Delete.
Concerns that competitors do not address:
- Amazon specifies that versioning is the security best practice; MFA Delete is just another optional layer of security.
- How do we determine which objects should have MFA Delete enabled? It does not make sense to activate MFA Delete for every object.
- What is a good practice for enabling MFA Delete, and what is not?
- This should be a best practice that you can implement for some objects, not a policy whose violations you need to resolve.
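As an added illustration of the detection logic these notes contrast (example code written for this page, not the page's prod.logic.yaml or any vendor's implementation), the evaluator below runs over constructed `get-bucket-versioning` and `get-bucket-lifecycle-configuration` response shapes and treats any lifecycle rule, Enabled or Disabled, as blocking MFA Delete activation; the status names and sample bucket names are assumptions of this example.

```python
"""Evaluate 'Bucket MFA Delete is not enabled' over S3 API response shapes."""
from typing import Optional

# Status names are this example's own, not the page's policy output format.
COMPLIANT = "COMPLIANT"
NON_COMPLIANT = "NON_COMPLIANT"                # can be remediated right away
BLOCKED_BY_LIFECYCLE = "BLOCKED_BY_LIFECYCLE"  # lifecycle rules must go first


def assess_bucket(versioning: dict, lifecycle: Optional[dict]) -> dict:
    """Return the finding status plus the remediation step it implies."""
    # get-bucket-versioning returns {} for a never-versioned bucket, so a
    # missing MFADelete key is simply "not enabled".
    mfa_delete_on = versioning.get("MFADelete") == "Enabled"
    # Every lifecycle rule counts, whatever its Status: a Disabled rule still
    # prevents MFA Delete from being enabled, so the rules must be removed.
    rules = (lifecycle or {}).get("Rules", [])
    if mfa_delete_on:
        return {"status": COMPLIANT, "next_step": None, "blocking_rules": []}
    if rules:
        return {
            "status": BLOCKED_BY_LIFECYCLE,
            "next_step": "delete-bucket-lifecycle, then put-bucket-versioning "
                         "with MFADelete=Enabled (root user with MFA)",
            "blocking_rules": [r.get("ID", "<no id>") for r in rules],
        }
    return {
        "status": NON_COMPLIANT,
        "next_step": "put-bucket-versioning with Status=Enabled,"
                     "MFADelete=Enabled (root user with MFA)",
        "blocking_rules": [],
    }


# Constructed sample buckets covering the cases the notes describe.
SAMPLE_BUCKETS = {
    "config-backups": ({"Status": "Enabled", "MFADelete": "Enabled"}, None),
    "customer-exports": ({"Status": "Enabled", "MFADelete": "Disabled"}, None),
    "legal-hold": ({"Status": "Enabled"},
                   {"Rules": [{"ID": "expire-old", "Status": "Disabled",
                               "Filter": {}, "Expiration": {"Days": 365}}]}),
    "scratch": ({}, None),  # versioning never enabled
}


def run_policy(buckets: dict = SAMPLE_BUCKETS) -> dict:
    """Map bucket name -> finding for every bucket in the inventory."""
    return {name: assess_bucket(v, lc) for name, (v, lc) in buckets.items()}
```

`run_policy()` returns the per-bucket findings; the `legal-hold` bucket shows the case the second vendor variant gets wrong, where a Disabled rule still has to be deleted before MFA Delete can be switched on.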
Description
Amazon S3 provides an MFA Delete feature to add an extra layer of security when deleting objects from your S3 buckets. This feature requires additional authentication via MFA before allowing the deletion of objects, thereby reducing the risk of accidental or unauthorized deletions.
Rationale
Not all S3 buckets need to have MFA Delete enabled. Typically, you might want to enable MFA Delete for buckets with critical or sensitive objects that require an additional layer of protection.
Consider enabling MFA Delete for buckets with such objects as:
- Critical Configuration Files
- Sensitive Customer Data
- Legal or Compliance Documents
- Highly Valuable Assets
Buckets with less critical or easily replaceable objects may not need MFA Delete enabled, but this decision should be based on your specific security and compliance requirements.
Impact
Enabling MFA Delete on an S3 bucket could require additional administrator oversight. Enabling MFA Delete may impact other services that automate the creation and/or deletion of S3 buckets.
Remediation
Prerequisites
Required Configuration
- Activate an MFA device for the root user.
- Configure the AWS CLI with the root credentials (access key and secret key).
Important Notes
- Only the bucket owner, logged in as the AWS root account, can enable the MFA Delete feature.
From Command Line
Enable MFA Delete
The following example enables S3 Versioning and MFA Delete on a bucket. Replace {{your-bucket-name}} with the actual name of the bucket. Replace {{mfa-device-ARN}} and {{6-digit-mfa-device-code}} with the root account MFA device ARN and authentication code:

```shell
aws s3api put-bucket-versioning --bucket {{your-bucket-name}} --versioning-configuration Status=Enabled,MFADelete=Enabled --mfa "{{mfa-device-ARN}} {{6-digit-mfa-device-code}}"
```

Test MFA Delete
Ensure that MFA Delete is configured correctly by attempting to delete an object using the AWS CLI. Replace {{object-key}} with the key of the object you want to delete:

```shell
aws s3api delete-object --bucket {{your-bucket-name}} --key {{object-key}} --mfa "{{mfa-device-ARN}} {{6-digit-mfa-device-code}}"
```