Remediation
Prerequisitesβ
Required Configurationβ
- Activate an MFA device for the root user.
- Configure the AWS CLI with the root credentials (access key and secret key).
Important Notesβ
- Only the bucket owner that is logged in as an AWS root account can enable the MFA Delete feature.
From Command Lineβ
Enable MFA Deleteβ
The following example enables S3 Versioning and MFA Delete on a bucket. Replace {{your-bucket-name}} with the actual name of the bucket. Replace {{mfa-device-ARN}} and {{6-digit-mfa-device-code}} with the root account MFA device ARN and authentication code:
aws s3api put-bucket-versioning \
--bucket {{your-bucket-name}} \
--versioning-configuration Status=Enabled,MFADelete=Enabled \
--mfa "{{mfa-device-ARN}} {{6-digit-mfa-device-code}}"
Test MFA Deleteβ
Ensure that MFA Delete is configured correctly by attempting to delete an object using the AWS CLI. Replace {{object-key}} with the key of the object you want to delete:
aws s3api delete-object \
--bucket {{your-bucket-name}} \
--key {{object-key}} \
--mfa "{{mfa-device-ARN}} {{6-digit-mfa-device-code}}"